ironic/ironic
Julia Kreger c996aafa6d CVE-2024-44982: Harden all image handling and conversion code
It was recently learned by the OpenStack community that running qemu-img
on untrusted images without a format pre-specified can present a
security risk. Furthermore, some of these specific image formats have
inherently unsafe features. This is rooted in how qemu-img operates
where all image drivers are loaded and attempt to evaluate the input data.
This can result in several different vectors which this patch works to
close.

This change imports the qemu-img handling code from Ironic-Lib into
Ironic, and image format inspection code, which has been developed by
the wider community to validate general safety of images before converting
them for use in a deployment.

This patch contains functional changes related to the hardening of these
calls including how images are handled, and updates documentation to
provide context and guidance to operators.

Closes-Bug: 2071740
Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
2024-09-04 15:18:58 -07:00
..
api CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
cmd Fix conductor startup warning message 2024-08-15 11:11:29 +00:00
common CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
conductor add virtual media GET api 2024-08-08 13:33:14 +05:30
conf CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
db Self-Service via Runbooks 2024-08-02 05:44:29 +01:00
dhcp Improve logging in the dnsmasq DHCP provider 2023-11-28 16:45:25 +01:00
drivers CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
hacking Upgrade to latest hacking - v6 2023-04-21 12:15:07 -07:00
objects Self-Service via Runbooks 2024-08-02 05:44:29 +01:00
pxe_filter Add inspection PXE filter service 2024-02-28 18:13:56 +01:00
tests CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
__init__.py Move eventlet monkey patch code 2017-03-02 13:48:18 +02:00
version.py Correct version.py and update current version string 2014-03-21 13:50:05 -07:00