Comment 2 for bug 1516031

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Use of MD5 in OpenStack Glance image signature

The flaw sounds legit; however, the attack surface is a bit shallow:
IIUC, the image signature verifies an image read from a malicious backend.
End users of Glance are not really affected, since they will request from the API either an image name or a UUID, which are not protected by signature mechanisms AFAIK.
Thus the attack scenario must involve a malicious Glance backend operator.

Though since this is a flawed security mechanism, it surely warrants a CVE, but not necessarily an OSSA. What do you think?