Some GitHub security advisories have appeared today for LXD:
- GHSA-ppq7-4492-5552 Backup snapshot import bypasses project restrictions · Advisory · canonical/lxd
- GHSA-j93m-3j9p-m5m8 CreateCustomVolumeFromBackup nil-pointer dereference on volumes[0].snapshots[*].expires_at · Advisory · canonical/lxd
- GHSA-pjff-c2wc-f6jm Arbitrary file write on client due to trusted image hash · Advisory · canonical/lxd
- GHSA-fmc8-p6q7-75cc Argument injection in backup compression algorithm leading to AFW and ACE · Advisory · canonical/lxd
- GHSA-vghh-5rfx-xhq8 Arbitrary file read+write on host via rootfs/ symlink in malicious image · Advisory · canonical/lxd
- GHSA-jpf8-86f3-wp38 Arbitrary file read+write on host via templates/ symlink in malicious image · Advisory · canonical/lxd
- GHSA-9j25-mm2h-2f76 Arbitrary file write on host via exec-output/ symlink in crafted image · Advisory · canonical/lxd
- GHSA-47w9-6r3f-938g Restricted project bypass leading to arbitrary command execution · Advisory · canonical/lxd
- GHSA-hhf9-qw4v-72xp Cross-guest volume hijack via DevLXD device patch · Advisory · canonical/lxd
- GHSA-7mr3-28h5-m5vx Project restriction bypass for custom volume copy across projects · Advisory · canonical/lxd
- GHSA-qx75-2p3r-pwm5 Project restriction bypass in instance copy across projects · Advisory · canonical/lxd
Golang is not my area of expertise, but using GitHub Copilot on #7 (GHSA-9j25-mm2h-2f76) as a sample, the bot seems to think this one could be applicable to Incus: https://gist.github.com/evanjrowley/9abbb81ed89ae2af1f895a3f45d2e4b7