On 3/9/20 10:31 AM, Kashyap Chamarthy wrote:
On Fri, Mar 06, 2020 at 04:51:21PM -0600, Eric Blake wrote:
> Creating an image that requires format probing of the backing image is
> inherently unsafe (we've had several CVEs over the years based on
>
> +qemu-img backing file without format (since 5.0.0)
>
+''''''''''''''''''''''''''''''''''''''''''''''''''
> +
> +The use of ``qemu-img create``, ``qemu-img rebase``, ``qemu-img
> +convert``, or ``qemu-img amend`` to create or modify an image that
> +depends on a backing file now recommends that an explicit backing
> +format be provided. This is for safety: if qemu probes a different
> +format than what you thought, the data presented to the guest will be
> +corrupt; similarly, presenting a raw image to a guest allows a
> +potential security exploit if a future probe sees a non-raw image
> +based on guest writes. To avoid the warning message, or even future
> +refusal to create an unsafe image, you must pass ``-o backing_fmt=``
> +(or the shorthand ``-F`` during create) to specify the intended
> +backing format. You may use ``qemu-img rebase -u`` to retroactively
> +add a backing format to an existing image. However, be aware that
> +there are already potential security risks to blindly using ``qemu-img
> +info`` to probe the format of an untrusted backing image, when
> +deciding what format to add into an existing image.
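Review bot: the paragraph runs rationale and remedy together; split it after "based on guest writes." so that the second paragraph opens with the actionable instruction ("To avoid the warning message, or even future refusal to create an unsafe image, you must pass ``-o backing_fmt=`` ..."), and readers skimming for what to change find it immediately. The closing caveat about ``qemu-img info`` names the risk but not the alternative; add a clause saying the backing format should be taken from the source that created the image rather than from a probe, so the warning does not just send users to another probe. Project spelling is "QEMU" in prose ("if QEMU probes a different format"), with lowercase "qemu-img" only for the command name.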
Nit: s/qemu/QEMU/g/
Ultra Nit: should this paragraph be broken down into two? Experience
tells me people usually feel deterred from reading "substantial paragraphs" :-)
Shoot, I missed incorporating this comment during my v4 posting. It's
now changed in my local tree, but I'll hold off on a v5 unless other
review warrants it.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org