ironic/ironic/drivers/modules
Julia Kreger c996aafa6d CVE-2024-44982: Harden all image handling and conversion code
It was recently learned by the OpenStack community that running qemu-img
on untrusted images without a format pre-specified can present a
security risk. Furthermore, some of these specific image formats have
inherently unsafe features. This is rooted in how qemu-img operates
where all image drivers are loaded and attempt to evaluate the input data.
This can result in several different vectors which this patch works to
close.

This change imports the qemu-img handling code from Ironic-Lib into
Ironic, and image format inspection code, which has been developed by
the wider community to validate general safety of images before converting
them for use in a deployment.

This patch contains functional changes related to the hardening of these
calls including how images are handled, and updates documentation to
provide context and guidance to operators.

Closes-Bug: 2071740
Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
2024-09-04 15:18:58 -07:00
..
ansible CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
drac idrac: inherit driver interface from redfish 2024-08-28 08:47:32 -05:00
ibmc Remove ibmc hardware type 2024-06-18 16:33:35 -07:00
ilo Drop fallback to unmanaged inspection for virtual media and UEFI boot 2024-03-18 10:26:47 +01:00
inspector Fix log statement about starting inspection 2024-06-27 10:16:10 -04:00
intel_ipmi Follow-up to the IntelIPMIHardware patch 2019-07-26 15:51:20 +05:30
irmc [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
network Merge "[codespell] Fixing Spelling Mistakes" 2024-03-14 17:13:05 +00:00
redfish Merge "add virtual media GET api" 2024-08-16 22:40:24 +00:00
storage Update error message 2024-08-12 14:10:00 +01:00
xclarity Remove deprecated xclarity hardware type 2024-06-18 16:33:00 -07:00
__init__.py Remove copyright from empty files 2014-01-07 21:05:01 +08:00
agent_base.py Fix execution of node servicing steps exposed by IPA's HardwareManager 2024-06-18 02:22:03 -07:00
agent_client.py [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
agent_power.py Use driver_internal_info methods for other drivers 2022-01-05 16:05:46 +13:00
agent.py Fix the confusion around service_reboot/servicing_reboot 2024-04-12 18:09:54 +02:00
boot_mode_utils.py Add missing space to log message 2022-09-28 10:00:01 +02:00
boot.ipxe Exit ipxe script if enable_netboot_fallback failed 2022-08-01 17:26:49 -07:00
console_utils.py Relaxing console pid looking 2023-02-15 17:32:23 +00:00
deploy_utils.py CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
fake.py RedfishFirmware Interface 2023-09-20 13:09:38 -03:00
image_cache.py CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
image_utils.py Inject a randomized publisher id 2024-04-28 00:21:06 +00:00
initial_grub_cfg.template grub: directly load linked config file 2024-07-08 14:46:27 +00:00
inspect_utils.py Add node auto-discovery support for in-band inspection 2024-02-02 09:24:52 +01:00
ipmitool.py Flexible IPMI credential persistence method configuration 2024-06-21 18:11:54 +01:00
ipxe_config.template Merge "Finally remove support for netboot and the boot_option capability" 2022-08-05 16:47:32 +00:00
ipxe.py Add HTTP versions of network boot interfaces 2024-02-09 13:13:19 -08:00
ks.cfg.template CI: anaconda: permit tls certificate validation bypass 2022-08-17 12:59:32 -07:00
noop_mgmt.py Add "noop" management and use it in the "ipmi" hardware type 2018-08-07 13:25:50 +00:00
noop.py Firmware Interface 2023-07-11 07:39:15 -03:00
pxe_base.py Better handle missing inspection_network 2024-08-22 15:32:22 +02:00
pxe_config.template Finally remove support for netboot and the boot_option capability 2022-08-02 12:47:31 +02:00
pxe_grub_config.template GRUB conf template compatibility with arm server 2024-06-03 17:02:21 +01:00
pxe.py Add HTTP versions of network boot interfaces 2024-02-09 13:13:19 -08:00
ramdisk.py [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
snmp.py Fix auth_protocol and priv_protocol for SNMP v3 2023-03-01 16:44:40 -08:00