Your message dated Tue, 23 Jul 2024 03:00:45 +0200
with message-id <abf2df82-0ca7-42b6-8b77-a5e43e3a3...@debian.org>
and subject line fixed
has caused the Debian Bug report #1074763,
regarding CVE-2024-32498: Arbitrary file access through custom QCOW2 external
data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1074763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074763
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cinder
Version: 2:21.1.0-3
Severity: grave
Tags: patch
Title: Arbitrary file access through custom QCOW2 external data
Reporter: Martin Kaesberger
Products: Cinder, Glance, Nova
Description:
Martin Kaesberger reported a vulnerability in QCOW2 image processing
for Cinder, Glance and Nova. By supplying a specially created QCOW2
image which references a specific data file path, an authenticated
user may convince systems to return a copy of that file's contents
from the server resulting in unauthorized access to potentially
sensitive data. All Cinder deployments are affected; only Glance
deployments with image conversion enabled are affected; all Nova
deployments are affected.
Original private report: https://launchpad.net/bugs/2059809
--- End Message ---
--- Begin Message ---
This has been fixed, at least in unstable. Let's allow the package to
migrate.
Thomas
--- End Message ---
