Re: Re: CVE request for vulnerability in OpenStack Glance

[Tristan Cacqueray <tdecacqu () redhat com>]

On 11/18/2015 02:11 PM, cve-assign () mitre org wrote:
> > Glance computes cryptographic signature using MD5 hash of the
> > image. By crafting a malicious image that produces a MD5 collision, a
> > Glance backend operator may subvert the signature verification process,
> > resulting in a corrupted image.
>
> > https://launchpad.net/bugs/1516031
>
> Use CVE-2015-8234.
Thank you.

> We're willing to let the OpenStack VMT have CVEs for mostly arbitrary
> types of issues that they want OpenStack customers to treat as
> vulnerabilities.
> http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
> possibly suggests that the behavior represents an intended
> intermediate step of feature development: "An alternative to using the
> existing MD5 hash algorithm is to create a separate configurable hash
> for use with verifying/creating the signature. However, creating a
> separate hash negatively affects the performance, without providing
> much benefit. Note that since there are preferable hash algorithms to
> MD5 that are more secure, a separate change is being proposed to allow
> for the configuring of this hash algorithm. This will not be included
> as a part of this change, in the interest of having a straightforward
> initial implementation." If so, then we think vendors typically
> wouldn't want CVEs in these types of situations, unless the
> intermediate step actually made something worse than before the
> feature development started.
This is indeed a corner case, though since glance 11.0.0 is shipping a
broken image verification procedure, it seemed appropriate to assign
this bug a CVE number.

Regards,

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: OpenPGP digital signature