yahoo-eng-team team mailing list archive
Message #87042
[Bug 1942270] [NEW] glance use insecure cryptographic algorithm: md5, to verify image integrity.
Public bug reported:
OpenStack components by default use md5 to checksum images. SHA256, SHA512, or other more secure algorithms should be used.
Pre-conditions: NA
Step-by-step reproduction steps: NA
Expected output: NA
Actual output: NA
Version: Train
Environment: NA
Perceived severity: NA
Tags (Affected component): NA
Attachments: glance uses MD5 as the checksum by default.
For example:
glance/image_cache/__init__.py
def cache_tee_iter(self, image_id, image_iter, image_checksum):
    try:
        current_checksum = hashlib.md5()
        with self.driver.open_for_write(image_id) as cache_file:
            for chunk in image_iter:
                try:
                    cache_file.write(chunk)
                finally:
                    current_checksum.update(chunk)
                    yield chunk
            cache_file.flush()
            if (image_checksum and
                    image_checksum != current_checksum.hexdigest()):
                msg = _("Checksum verification failed. Aborted "
                        "caching of image '%s'.") % image_id
                raise exception.GlanceException(msg)
** Affects: glance
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1942270
Title:
glance use insecure cryptographic algorithm: md5, to verify image
integrity.
Status in Glance:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1942270/+subscriptions
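
An added example, not Glance's code and not a patch from this bug report: the same tee-while-hashing pattern as `cache_tee_iter`, but with the digest algorithm taken from a SHA-2 allow-list and with verification refusing to run when no reference digest is supplied. The names `verified_tee_iter`, `cache_image`, `ALLOWED_ALGOS`, `ChecksumMismatch` and the sample chunks are assumptions constructed for illustration.

```python
import hashlib
import io

ALLOWED_ALGOS = {"sha256", "sha512"}  # assumption: allow-list for this example


class ChecksumMismatch(Exception):
    """Streamed data did not match the expected digest."""


def verified_tee_iter(image_iter, cache_file, expected_hex, algo="sha512"):
    """Yield each chunk while writing it to cache_file and hashing it;
    raise ChecksumMismatch after the last chunk if the digest differs."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError("unsupported hash algorithm: %s" % algo)
    if not expected_hex:
        # Fail closed: without a reference digest nothing can be verified.
        raise ValueError("an expected digest is required")
    hasher = hashlib.new(algo)
    for chunk in image_iter:
        cache_file.write(chunk)
        hasher.update(chunk)
        yield chunk
    cache_file.flush()
    if hasher.hexdigest() != expected_hex.lower():
        raise ChecksumMismatch("%s digest mismatch" % algo)


def cache_image(chunks, expected_hex, algo="sha512"):
    """Drive the iterator; return the cached bytes, or None on a mismatch."""
    cache_file = io.BytesIO()  # stands in for the cache driver's file object
    try:
        for _ in verified_tee_iter(chunks, cache_file, expected_hex, algo):
            pass
    except ChecksumMismatch:
        return None  # discard the cache entry instead of serving it later
    return cache_file.getvalue()


# Constructed sample data, not a real image.
SAMPLE_CHUNKS = [b"constructed-image-", b"chunk-two-", b"chunk-three"]
GOOD_SHA512 = hashlib.sha512(b"".join(SAMPLE_CHUNKS)).hexdigest()

if __name__ == "__main__":
    tampered = [b"tampered-"] + SAMPLE_CHUNKS[1:]
    print("intact image cached:", cache_image(SAMPLE_CHUNKS, GOOD_SHA512) is not None)
    print("tampered image cached:", cache_image(tampered, GOOD_SHA512) is not None)
```

As in the method quoted in the report, chunks reach the caller before the final digest check, so a mismatch only prevents the cached copy from being kept.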