openstack team mailing list archive
Message #15568
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
On 08/08/12 10:58, Eric Windisch wrote:
>>
>> This might be kind-of okay if it uses libguestfs, but I'd need to
>> look more closely at libguestfs before considering it safe. If it
>> is only updating vfat, another option is mtools which is entirely
>> userspace and can be run with some safety on the host.
>
> I just realized you said glance… I'm assuming these are probably
> ext2/3/4 or other Linux filesystems. Libguestfs might be the best
> option, besides simply not having that feature.

Yeah, my reading of the code is that any image format the compute node
knows how to mount could be used in glance, and will then be transcoded
to vfat or iso9660 before being handed to the guest.

Mikal