(This bug was found by Matthew Booth during routine code review)
We found a security issue which affects libguestfs programs in some circumstances. Since we don't pass the disk format through to qemu, a malicious guest backed by raw-format storage might craft a qcow2 header into its own disk. QEmu would interpret this, and qcow2 offers a wide range of features such as accessing arbitrary backing files from the host, allowing the guest to read a host file (under rather narrow conditions, see below).
All versions of virt-v2v are vulnerable. virt-inspector is vulnerable for versions <= 1.5.3. Other programs that use libguestfs may be vulnerable.
You should review the bug below carefully to find out if you could be affected, particularly the Description and Comment 1:
https://bugzilla.redhat.com/show_bug.cgi?id=643958
A CVE has been allocated to this bug:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2010-3851
No fix is available at present, but we are working on one. In the meantime, avoid using libguestfs / tools on:
- untrusted, malicious guests that use raw-format storage - where you are running commands from these guests (http://libguestfs.org/guestfs.3.html#running_commands)
Rich.