)]}'
{
  "commit": "2e909d7ca95e6d395bd282a5bbf775c4b4eac10f",
  "tree": "713be62567608e16041db2d60ff3b4d4c6a2e39e",
  "parents": [
    "1bd7bfbc2ba3ed767eaff3bd73f598e877b30f28"
  ],
  "author": {
    "name": "Eric Blake",
    "email": "eblake@redhat.com",
    "time": "Mon Sep 15 16:37:27 2025 -0500"
  },
  "committer": {
    "name": "Kevin Wolf",
    "email": "kwolf@redhat.com",
    "time": "Tue Nov 11 22:06:09 2025 +0100"
  },
  "message": "qcow2, vmdk: Restrict creation with secondary file using protocol\n\nEver since CVE-2024-4467 (see commit 7ead9469 in qemu v9.1.0), we have\nintentionally treated the opening of secondary files whose name is\nspecified in the contents of the primary file, such as a qcow2\ndata_file, as something that must be a local file and not a protocol\nprefix (it is still possible to open a qcow2 file that wraps an NBD\ndata image by using QMP commands, but that is from the explicit action\nof the QMP overriding any string encoded in the qcow2 file).  At the\ntime, we did not prevent the use of protocol prefixes on the secondary\nimage while creating a qcow2 file, but it results in a qcow2 file that\nrecords an empty string for the data_file, rather than the protocol\npassed in during creation:\n\n$ qemu-img create -f raw datastore.raw 2G\n$ qemu-nbd -e 0 -t -f raw datastore.raw \u0026\n$ qemu-img create -f qcow2 -o data_file\u003dnbd://localhost:10809/ \\\n  datastore_nbd.qcow2 2G\nFormatting \u0027datastore_nbd.qcow2\u0027, fmt\u003dqcow2 cluster_size\u003d65536 extended_l2\u003doff compression_type\u003dzlib size\u003d2147483648 data_file\u003dnbd://localhost:10809/ lazy_refcounts\u003doff refcount_bits\u003d16\n$ qemu-img info datastore_nbd.qcow2 | grep data\n$ qemu-img info datastore_nbd.qcow2 | grep data\nimage: datastore_nbd.qcow2\n    data file:\n    data file raw: false\n    filename: datastore_nbd.qcow2\n\nAnd since an empty string was recorded in the file, attempting to open\nthe image without using QMP to supply the NBD data store fails, with a\nsomewhat confusing error message:\n\n$ qemu-io -f qcow2 datastore_nbd.qcow2\nqemu-io: can\u0027t open device datastore_nbd.qcow2: The \u0027file\u0027 block driver requires a file name\n\nAlthough the ability to create an image with a convenience reference\nto a protocol data file is not a security hole (unlike the case with\nopen, the image is not untrusted if we are the ones creating it), the\nabove demo shows that it is still inconsistent.  Thus, it makes more\nsense if we also insist that image creation rejects a protocol prefix\nwhen using the same syntax.  Now, the above attempt produces:\n\n$ qemu-img create -f qcow2 -o data_file\u003dnbd://localhost:10809/ \\\n  datastore_nbd.qcow2 2G\nFormatting \u0027datastore_nbd.qcow2\u0027, fmt\u003dqcow2 cluster_size\u003d65536 extended_l2\u003doff compression_type\u003dzlib size\u003d2147483648 data_file\u003dnbd://localhost:10809/ lazy_refcounts\u003doff refcount_bits\u003d16\nqemu-img: datastore_nbd.qcow2: Could not create \u0027nbd://localhost:10809/\u0027: No such file or directory\n\nwith datastore_nbd.qcow2 no longer created.\n\nSigned-off-by: Eric Blake \u003ceblake@redhat.com\u003e\nMessage-ID: \u003c20250915213919.3121401-6-eblake@redhat.com\u003e\nReviewed-by: Kevin Wolf \u003ckwolf@redhat.com\u003e\nSigned-off-by: Kevin Wolf \u003ckwolf@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ec72e2721439635bcd87227d9969e0b639492047",
      "old_mode": 33188,
      "old_path": "block/qcow2.c",
      "new_id": "cb0bdb32eca5d616580b96331b7287915415ca1e",
      "new_mode": 33188,
      "new_path": "block/qcow2.c"
    },
    {
      "type": "modify",
      "old_id": "eb3c174eca44a071d9eaab2cca6c6178f8a49eb0",
      "old_mode": 33188,
      "old_path": "block/vmdk.c",
      "new_id": "3b35b63cb5982364f40192eeb2c8585a0265ee40",
      "new_mode": 33188,
      "new_path": "block/vmdk.c"
    }
  ]
}
