yahoo-eng-team team mailing list archive

[Bug 1942270] [NEW] glance use insecure cryptographic algorithm: md5, to verify image integrity.

 

Public bug reported:

OpenStack components use md5 by default to checksum images. SHA256, SHA512, or other more secure algorithms should be used.
  Pre-conditions: NA
  Step-by-step reproduction steps: NA
  Expected output: NA
  Actual output: NA

Version: Train

Environment: NA

Perceived severity: NA

Tags (Affected component): NA

Attachments: glance uses MD5 as the checksum by default.
For example: 
glance/image_cache/__init__.py
  def cache_tee_iter(self, image_id, image_iter, image_checksum):
    try:
        # MD5 is the digest used to verify the cached copy.
        current_checksum = hashlib.md5()

        with self.driver.open_for_write(image_id) as cache_file:
            for chunk in image_iter:
                try:
                    cache_file.write(chunk)
                finally:
                    # Hash and pass the chunk on even if the cache write fails.
                    current_checksum.update(chunk)
                    yield chunk
            cache_file.flush()

            # Verification is skipped when no checksum is supplied.
            if (image_checksum and
                    image_checksum != current_checksum.hexdigest()):
                msg = _("Checksum verification failed. Aborted "
                        "caching of image '%s'.") % image_id
                raise exception.GlanceException(msg)
    # (excerpt ends here; the handlers for this try are not shown)

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1942270

Title:
  glance use insecure cryptographic algorithm: md5, to verify image
  integrity.

Status in Glance:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1942270/+subscriptions
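
The streaming check from the report, redone with SHA-512 as an added example (not Glance code and not part of the original report). The names verified_tee_iter, cache_image, ChecksumMismatch and ALLOWED_ALGOS are hypothetical, and the image bytes are constructed; unlike the quoted excerpt, it refuses to run without an expected digest and rejects MD5.

```python
import hashlib
import hmac
import io

# Hypothetical allow-list for this example; MD5 and SHA-1 are deliberately absent.
ALLOWED_ALGOS = ("sha256", "sha512")


class ChecksumMismatch(Exception):
    """The streamed bytes do not match the expected digest."""


def verified_tee_iter(image_iter, sink, expected_hex, algo="sha512"):
    """Yield chunks while writing them to sink; verify once the stream ends."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError("unsupported hash algorithm: %s" % algo)
    if not expected_hex:
        # Fail closed: a missing digest must not silently skip verification.
        raise ValueError("an expected digest is required")
    digest = hashlib.new(algo)
    for chunk in image_iter:
        sink.write(chunk)
        digest.update(chunk)
        yield chunk
    sink.flush()
    actual = digest.hexdigest().encode()
    # Constant-time comparison; hex case is normalised first.
    if not hmac.compare_digest(actual, expected_hex.lower().encode()):
        raise ChecksumMismatch("%s digest mismatch" % algo)


def cache_image(chunks, expected_hex, algo="sha512"):
    """Return the cached bytes, or None when the copy fails verification."""
    sink = io.BytesIO()
    try:
        for _ in verified_tee_iter(chunks, sink, expected_hex, algo):
            pass
    except ChecksumMismatch:
        # Chunks were already written before the check; discard the copy.
        return None
    return sink.getvalue()


if __name__ == "__main__":
    data = [b"constructed ", b"image ", b"bytes"]  # constructed sample input
    good = hashlib.sha512(b"".join(data)).hexdigest()
    print(cache_image(data, good) is not None)
    print(cache_image([b"tampered"], good))
```

Because verification can only happen after the last chunk, a caller that streams the chunks onward must treat them as untrusted until the iterator finishes without raising.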