Bug 1227063 (CVE-2024-32498)

Created attachment 875704 [details]
Attached patches

Martin Kaesberger reported a vulnerability in QCOW2 image processing
for Cinder, Glance and Nova. By supplying a specially created QCOW2
image which references a specific data file path, an authenticated
user may convince systems to return a copy of that file's contents
from the server resulting in unauthorized access to potentially
sensitive data. All Cinder deployments are affected; only Glance
deployments with image conversion enabled are affected; all Nova
deployments are affected.

Affects:
  - Cinder <22.1.3, >=23.0.0 <23.1.1, ==24.0.0
  - Glance <26.0.1, ==27.0.0, >=28.0.0 <28.0.2
  - Nova <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3

Note:
The unmaintained/yoga and unmaintained/zed branches are not under
official maintenance and will receive no new point releases, but
some patches for them are provided as a courtesy where possible.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: CVE-2024-32498

Proposed public disclosure date/time: 2024-06-27, 1500UTC

Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report: https://launchpad.net/bugs/2059809

For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.