yahoo-eng-team team mailing list archive
Message #90022
[Bug 1389772] Re: Glance image hash use MD5
Glance uses os_hash_algo and os_hash_value since Rocky (default
os_hash_algo is sha512). Legacy 'checksum' field is populated for
backward compatibility.
** Changed in: glance
Status: New => Fix Released
https://bugs.launchpad.net/bugs/1389772
Title:
Glance image hash use MD5
Status in Glance:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Apparently, Glance still uses MD5 to hash images. Considering the recently
disclosed attack[1] (that supposedly allows generating a chosen collision
in an effective amount of time), it's safe to assume MD5 is broken to
verify anything...
If someone is able to generate another image with the same hash, I
guess it will appear as another entry in "glance list", but then
besides the glance uuid, there is no other way to identify the
malicious one, right?
I guess it would be a nice security hardening change to, at least,
allow the configuration of hash algorithm.
[1]: http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.html
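As an added example (not part of the bug report and not Glance's own code): a client-side check that verifies downloaded image bytes against the os_hash_algo and os_hash_value fields mentioned above, and refuses to treat the legacy MD5 checksum alone as proof of integrity. The function names, the allow-list and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

# Assumption: the verifier only accepts these os_hash_algo values.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def verify_image(stream, image_meta, chunk_size=64 * 1024):
    """Return True if the stream's digest equals os_hash_value.

    image_meta is a dict carrying the image record fields named in the
    message above (os_hash_algo, os_hash_value, checksum). Raises ValueError
    when only the legacy MD5 checksum is available or the algorithm is not
    on the allow-list.
    """
    algo = image_meta.get("os_hash_algo")
    expected = image_meta.get("os_hash_value")
    if not algo or not expected:
        # Pre-Rocky style record: only 'checksum' (MD5) exists.
        raise ValueError("no os_hash_value; refusing MD5-only verification")
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"os_hash_algo {algo!r} is not on the allow-list")
    digest = hashlib.new(algo)
    # Hash in chunks so large images are never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected.lower())


def build_sample_meta(data):
    """Constructed sample record shaped like the fields discussed above."""
    return {
        "checksum": hashlib.md5(data).hexdigest(),  # legacy field, MD5
        "os_hash_algo": "sha512",
        "os_hash_value": hashlib.sha512(data).hexdigest(),
    }


if __name__ == "__main__":
    data = b"constructed sample image bytes"
    meta = build_sample_meta(data)
    print("intact image verifies:", verify_image(io.BytesIO(data), meta))
    print("tampered image verifies:", verify_image(io.BytesIO(data + b"x"), meta))
    try:
        verify_image(io.BytesIO(data), {"checksum": meta["checksum"]})
    except ValueError as exc:
        print("legacy-only record rejected:", exc)
```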