On Thu, Nov 10, 2011 at 01:48:53PM +0000, Mark McLoughlin wrote:
> Thanks for all that Rich. My takeaways are:
>
>   1) The current file injection and disk resizing code in OpenStack
>      doesn't provide sufficient protection against the possibility of
>      users exploiting vulnerabilities in the kernel or core OS userspace
>      utilities.
>
>      However, there's no known vulnerability here that needs an urgent
>      response (e.g. filing a CVE) - i.e. it's not like the issue with
>      using qemu's disk format auto-detection.
>
>   2) Restricting the set of guest filesystems we support would
>      eliminate one of the most likely sources of potential
>      vulnerabilities.
>
>   3) Using libguestfs (and later, using it over libvirt/svirt) would
>      provide much greater protection along with the potential to
>      support things like LVM inside guest images.

Agreed. I looked at their use of qemu / format detection, and it
appears safe:

I tried to upload an image with backing file = /etc/passwd. You can
upload such an image to glance. But when you try to attach it to a
guest, any use of backing files is rejected by a correct test in
nova/virt/images.py.

I also looked at whether they pass the correct format field through to
libvirt (and thus to qemu), and they do.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
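
Added example (not part of the original message, and not the code in nova/virt/images.py): a sketch of the kind of check described above, reading the qcow2 header directly, refusing any image that names a backing file, and always returning an explicit format to hand to the hypervisor. The function names, the UnsafeImage exception and the sample headers are assumptions constructed for illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# Start of a qcow2 header, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32).
HEADER = struct.Struct(">4sIQI")
HEADER_LEN = 72  # length of a version 2 header


class UnsafeImage(Exception):
    """Raised when an image must not be attached to a guest."""


def sample_header(backing=b""):
    """Constructed test input: a minimal qcow2 v2 header, optionally with a backing file."""
    offset = HEADER_LEN if backing else 0
    return HEADER.pack(QCOW_MAGIC, 2, offset, len(backing)).ljust(HEADER_LEN, b"\0") + backing


def backing_file(header):
    """Return the backing file name recorded in the first bytes of an image, or None."""
    if len(header) < HEADER.size:
        raise UnsafeImage("truncated header")
    magic, _version, offset, size = HEADER.unpack_from(header)
    if magic != QCOW_MAGIC or offset == 0:
        return None
    # The qcow2 format limits the name to 1023 bytes; fail closed on anything odd.
    if size == 0 or size > 1023 or offset + size > len(header):
        raise UnsafeImage("malformed backing file reference")
    return header[offset:offset + size].decode("utf-8", "replace")


def check_image(header, declared_format):
    """Return the format to pass explicitly to libvirt/qemu, or raise UnsafeImage."""
    if declared_format == "raw":
        # With an explicit raw format the content is never probed or interpreted.
        return "raw"
    if declared_format != "qcow2":
        raise UnsafeImage("unsupported format: %r" % declared_format)
    if header[:4] != QCOW_MAGIC:
        raise UnsafeImage("declared qcow2 but magic is missing")
    name = backing_file(header)
    if name is not None:
        raise UnsafeImage("backing file not allowed: %r" % name)
    return "qcow2"
```
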