yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2006490] Fix included in openstack/glance zed-eom

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2006490@xxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Apr 2024 18:45:32 -0000
Reply-to: Bug 2006490 <2006490@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This issue was fixed in the openstack/glance zed-eom  release.

** Changed in: glance/zed
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/2006490

Title:
  Limit CaptureRegion sizes in format_inspector for VMDK and VHDX

Status in Glance:
  Fix Released
Status in Glance xena series:
  New
Status in Glance yoga series:
  In Progress
Status in Glance zed series:
  Fix Released

Bug description:
  VMDK:
  When parsing a VMDK file to calculate its size, the format_inspector
  determines the location of the Descriptor section by reading two
  uint64 from the headers of the file and uses them to create the
  descriptor CaptureRegion.

  It would be possible to craft a VMDK file that commands the
  format_inspector to create a very big CaptureRegion, thus exhausting
  resources on the glance-api process.

  VHDX:
  It is a bit more involved, but similar: when looking for the
  VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
  unbounded CaptureRegion.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/2006490/+subscriptions

References

[Bug 2006490] [NEW] Limit CaptureRegion sizes in format_inspector for VMDK and VHDX
From: Abhishek Kekane, 2023-02-07