Glance is still using outdated md5 for image signing

Bug #1534232 reported by Michael Xin
Affects                      Status     Importance  Assigned to  Milestone
Glance                       New        Undecided   Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

Glance is still using md5 for image signing. MD5 is outdated and should not be used for security reasons. It makes it possible for malicious users to generate a malicious image with the same hash value.

https://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
Glance already supports computing checksums of images when an image is uploaded, and this checksum is stored with the image. This same hash (which by default is MD5) will be used for the signature verification.

In the code:
https://github.com/openstack/glance/blob/2682dfe2000604bd1a77cfad5ad259f084a1359f/glance/image_cache/__init__.py

line 242:
    def cache_tee_iter(self, image_id, image_iter, image_checksum):
        try:
            current_checksum = hashlib.md5()

            with self.driver.open_for_write(image_id) as cache_file:
                for chunk in image_iter:
                    try:
                        cache_file.write(chunk)
                    finally:
                        current_checksum.update(chunk)
                        yield chunk
                cache_file.flush()
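A hardened form of the tee pattern quoted above, added here as an example and not glance's own code: the hash algorithm is a parameter defaulting to SHA-256, md5 is refused outright, and the digest of the streamed chunks is compared to the expected checksum in constant time so a mismatching cache entry can be discarded. The function names and the constructed image payload are assumptions.

```python
import hashlib
import hmac
import io


def image_checksum(data, algorithm="sha256"):
    """Hex digest of a whole image; used to produce the expected value."""
    return hashlib.new(algorithm, data).hexdigest()


def cache_tee_iter(image_iter, cache_file, expected_checksum, algorithm="sha256"):
    """Yield chunks unchanged while writing them to cache_file and hashing them.

    The algorithm is chosen by the caller instead of being hard-coded, and md5
    is rejected. After the last chunk the streamed digest is checked against
    expected_checksum (hex); a mismatch raises ValueError so the caller can
    drop the cache entry.
    """
    if algorithm == "md5":
        raise ValueError("md5 is not acceptable for integrity verification")
    hasher = hashlib.new(algorithm)
    for chunk in image_iter:
        try:
            cache_file.write(chunk)
        finally:
            hasher.update(chunk)
            yield chunk
    cache_file.flush()
    actual = hasher.hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected_checksum.lower()):
        raise ValueError("checksum mismatch: expected %s, got %s"
                         % (expected_checksum, actual))


def verify_image(image_bytes, expected_checksum, algorithm="sha256", chunk_size=4):
    """Stream constructed image data through cache_tee_iter.

    Returns (ok, cached_bytes); ok is False on a digest mismatch or a
    refused algorithm.
    """
    chunks = (image_bytes[i:i + chunk_size]
              for i in range(0, len(image_bytes), chunk_size))
    cache = io.BytesIO()
    try:
        for _ in cache_tee_iter(chunks, cache, expected_checksum, algorithm):
            pass
    except ValueError:
        return False, cache.getvalue()
    return True, cache.getvalue()
```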

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Is this a duplicate of bug 1516031, and is this affecting stable/release?

Changed in ossa:
status: New → Incomplete
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

Regardless, the fact that Glance uses MD5 for image signatures in currently supported stable releases is already widely publicized in https://wiki.openstack.org/wiki/OSSN/OSSN-0061 so there's no need for this bug to be reported in private. I recommend switching it to public and either marking it as a duplicate if appropriate or security hardening opportunity otherwise.

information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
Jeremy Stanley (fungi)
description: updated