yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1534232] Re: Glance is still using outdated md5 for image signing

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Tristan Cacqueray <tdecacqu@xxxxxxxxxx>
Date: Mon, 18 Jan 2016 15:28:13 -0000
Reply-to: Bug 1534232 <1534232@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 1516031 ***
    https://bugs.launchpad.net/bugs/1516031

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** This bug has been marked a duplicate of bug 1516031
   Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1534232

Title:
  Glance is still using outdated md5 for image signing

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  --

  Glance is still using md5 for image signing. MD5 is outdated and
  should not be used for security reason. It makes it possible for
  malicious users to generate malicious image  with same hash values.

  https://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
  Glance already supports computing checksums of images when an image is uploaded, and this checksum is stored with the image. This same hash (which by default is MD5) will be used for the signature verification.

  In the code:
  https://github.com/openstack/glance/blob/2682dfe2000604bd1a77cfad5ad259f084a1359f/glance/image_cache/__init__.py

  line 242:
   def cache_tee_iter(self, image_id, image_iter, image_checksum):
          try:
              current_checksum = hashlib.md5()

              with self.driver.open_for_write(image_id) as cache_file:
                  for chunk in image_iter:
                      try:
                          cache_file.write(chunk)
                      finally:
                          current_checksum.update(chunk)
                          yield chunk
                  cache_file.flush()

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1534232/+subscriptions