|
Message-ID: <564CE595.70209@redhat.com>
Date: Wed, 18 Nov 2015 20:54:45 +0000
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request for vulnerability in OpenStack
Glance
On 11/18/2015 02:11 PM, cve-assign@...re.org wrote:
>> Glance computes cryptographic signature using MD5 hash of the
>> image. By crafting a malicious image that produces a MD5 collision, a
>> Glance backend operator may subvert the signature verification process,
>> resulting in a corrupted image.
>
>> https://launchpad.net/bugs/1516031
>
> Use CVE-2015-8234.
>
Thank you.
> We're willing to let the OpenStack VMT have CVEs for mostly arbitrary
> types of issues that they want OpenStack customers to treat as
> vulnerabilities.
> http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
> possibly suggests that the behavior represents an intended
> intermediate step of feature development: "An alternative to using the
> existing MD5 hash algorithm is to create a separate configurable hash
> for use with verifying/creating the signature. However, creating a
> separate hash negatively affects the performance, without providing
> much benefit. Note that since there are preferable hash algorithms to
> MD5 that are more secure, a separate change is being proposed to allow
> for the configuring of this hash algorithm. This will not be included
> as a part of this change, in the interest of having a straightforward
> initial implementation." If so, then we think vendors typically
> wouldn't want CVEs in these types of situations, unless the
> intermediate step actually made something worse than before the
> feature development started.
>
This is indeed a corner case, though since glance 11.0.0 is shipping a
broken image verification procedure, it seemed appropriate to assign
this bug a CVE number.
Regards,
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.