From 867d1dd8b6e4f5774257a98c7c33061fbbbde973 Mon Sep 17 00:00:00 2001 From: Pranali Deore Date: Thu, 4 Jul 2024 09:59:18 +0000 Subject: [PATCH] Add releasenote for CVE-2024-32498 fix Related-Bug: #2059809 Change-Id: I3259dd013ba5e3fefd0e172bf0e7cc502158c8db --- ...isallow-qcow2-datafile-5d5ff4dbd590c911.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml diff --git a/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml b/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml new file mode 100644 index 0000000000..719c9b48fe --- /dev/null +++ b/releasenotes/notes/bug-2059809-disallow-qcow2-datafile-5d5ff4dbd590c911.yaml @@ -0,0 +1,17 @@ +--- +security: + - | + Images in the qcow2 format with an external data file are now + rejected from glance because such images could be used in an + exploit to expose host information. See `Bug #2059809 + `_ for details. +fixes: + - | + `Bug #2059809 `_: + Fixed issue where a qcow2 format image with an external data file + could expose host information. Such an image format with an external + data file will be rejected from glance. To achieve the same, + format_inspector has been extended by adding safety checks for qcow2 + and vmdk files in glance. Unsafe qcow and vmdk files will be rejected + by pre-examining them with a format inspector to ensure safe + configurations prior to any qemu-img operations.
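Review bot: Both reST hyperlinks in this release note are missing their URL target as shown: `Bug #2059809 `_ appears twice with nothing between the bug title and the closing backtick, so the note will render as a broken link (or fail the reno/Sphinx build) unless the `<url>` part is present in the actual file; please confirm the Launchpad bug URL is included. Two smaller points in the `fixes` entry: the sentence "To achieve the same, format_inspector has been extended ..." reads awkwardly and could be "To implement this, format_inspector ..."; and the entry says unsafe vmdk files are also rejected by the new safety checks, while the `security` entry mentions only qcow2 images with an external data file. Since operators read the `security` section to learn what will now be refused, consider stating the vmdk rejection there as well so the two sections describe the same behaviour.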