oss-sec mailing list archives
Re: Re: CVE request for vulnerability in OpenStack Glance
From: Tristan Cacqueray <tdecacqu () redhat com>
Date: Wed, 18 Nov 2015 20:54:45 +0000
On 11/18/2015 02:11 PM, cve-assign () mitre org wrote:
Glance computes cryptographic signature using MD5 hash of the image. By crafting a malicious image that produces a MD5 collision, a Glance backend operator may subvert the signature verification process, resulting in a corrupted image.https://launchpad.net/bugs/1516031Use CVE-2015-8234.
Thank you.
We're willing to let the OpenStack VMT have CVEs for mostly arbitrary types of issues that they want OpenStack customers to treat as vulnerabilities. http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html possibly suggests that the behavior represents an intended intermediate step of feature development: "An alternative to using the existing MD5 hash algorithm is to create a separate configurable hash for use with verifying/creating the signature. However, creating a separate hash negatively affects the performance, without providing much benefit. Note that since there are preferable hash algorithms to MD5 that are more secure, a separate change is being proposed to allow for the configuring of this hash algorithm. This will not be included as a part of this change, in the interest of having a straightforward initial implementation." If so, then we think vendors typically wouldn't want CVEs in these types of situations, unless the intermediate step actually made something worse than before the feature development started.
This is indeed a corner case, though since glance 11.0.0 is shipping a broken image verification procedure, it seemed appropriate to assign this bug a CVE number. Regards, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for vulnerability in OpenStack Glance Tristan Cacqueray (Nov 17)
- Re: CVE request for vulnerability in OpenStack Glance cve-assign (Nov 18)
- Re: Re: CVE request for vulnerability in OpenStack Glance Tristan Cacqueray (Nov 18)
- Re: CVE request for vulnerability in OpenStack Glance cve-assign (Nov 18)