[Openstack] [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)

Michael Still michael.still at canonical.com
Wed Aug 8 01:11:52 UTC 2012


On 08/08/12 10:58, Eric Windisch wrote:
>> 
>> This might be kind-of okay if it uses libguestfs, but I'd need to
>> look more closely at libguestfs before considering it safe. If it
>> is only updating vfat, another option is mtools which is entirely
>> userspace and can be run with some safety on the host.
> 
> I just realized you said glance… I'm assuming these are probably
> ext2/3/4 or other Linux filesystems.  Libguestfs might be the best
> option, besides simply not having that feature.

Yeah, my reading of the code is that any image format the compute node
knows how to mount could be used in glance, and will then be transcoded
to vfat or iso9660 before being handed to the guest.

Mikal



