Date: Wed, 18 Nov 2015 09:11:20 -0500 (EST)
From: cve-assign@...re.org
To: tdecacqu@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Glance


> Glance computes the cryptographic signature using an MD5 hash of the
> image. By crafting a malicious image that produces an MD5 collision, a
> Glance backend operator may subvert the signature verification process,
> resulting in a corrupted image.
> 
> https://launchpad.net/bugs/1516031

Use CVE-2015-8234.

We're willing to let the OpenStack VMT have CVEs for mostly arbitrary
types of issues that they want OpenStack customers to treat as
vulnerabilities.
http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
possibly suggests that the behavior represents an intended
intermediate step of feature development: "An alternative to using the
existing MD5 hash algorithm is to create a separate configurable hash
for use with verifying/creating the signature. However, creating a
separate hash negatively affects the performance, without providing
much benefit. Note that since there are preferable hash algorithms to
MD5 that are more secure, a separate change is being proposed to allow
for the configuring of this hash algorithm. This will not be included
as a part of this change, in the interest of having a straightforward
initial implementation." If so, then we think vendors typically
wouldn't want CVEs in these types of situations, unless the
intermediate step actually made something worse than before the
feature development started.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
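The weakness discussed in this thread, as an added example that is not part of the thread and not Glance's own code: a signature computed over a hash digest of the image verifies for any other image with the same digest, so the strength of the signature is bounded by the collision resistance of that hash. To keep the example self-contained, an HMAC stands in for Glance's asymmetric signature, and a constructed 8-bit digest named `toy8` stands in for a collision-prone hash (no real MD5 collision pair is included). All function names, the key and the image bytes are hypothetical. The verifier follows the mitigation the spec excerpt points toward: the digest algorithm is configurable, and MD5 (or anything outside an allowlist) is refused at verification time.

```python
import hashlib
import hmac

# Constructed demo inputs (not real Glance data or keys).
SIGNING_KEY = b"demo-signing-key"
IMAGE = b"constructed qcow2 image contents"

# Digest functions the signature may be computed over. "toy8" is an
# 8-bit truncation used only to make collisions cheap to demonstrate.
DIGESTS = {
    "md5": lambda data: hashlib.md5(data).digest(),
    "sha256": lambda data: hashlib.sha256(data).digest(),
    "sha512": lambda data: hashlib.sha512(data).digest(),
    "toy8": lambda data: hashlib.md5(data).digest()[:1],
}

# Default allowlist for verification: collision-resistant hashes only.
STRONG_HASHES = frozenset({"sha256", "sha512"})


def image_digest(image: bytes, hash_alg: str) -> bytes:
    """Digest the signature is computed over (the weak link if hash_alg is weak)."""
    return DIGESTS[hash_alg](image)


def sign_digest(digest: bytes, key: bytes) -> bytes:
    """Stand-in for the asymmetric signature: HMAC-SHA256 over the digest."""
    return hmac.new(key, digest, "sha256").digest()


def make_signature(image: bytes, key: bytes, hash_alg: str) -> bytes:
    """Sign an image the way the thread describes: sign H(image), not image."""
    return sign_digest(image_digest(image, hash_alg), key)


def verify_signature(image: bytes, signature: bytes, key: bytes,
                     hash_alg: str, allowed=STRONG_HASHES) -> bool:
    """Verify, refusing any digest algorithm outside the allowlist."""
    if hash_alg not in allowed:
        raise ValueError(f"hash algorithm {hash_alg!r} not allowed for signature verification")
    expected = sign_digest(image_digest(image, hash_alg), key)
    return hmac.compare_digest(expected, signature)


def find_colliding_image(original: bytes, hash_alg: str, limit: int = 1 << 16) -> bytes:
    """Brute-force a different image with the same digest (feasible only for toy8)."""
    target = image_digest(original, hash_alg)
    for i in range(limit):
        candidate = b"constructed alternate image %d" % i
        if candidate != original and image_digest(candidate, hash_alg) == target:
            return candidate
    raise RuntimeError("no collision found within limit")


if __name__ == "__main__":
    # Weak digest: a second image with the same digest passes verification.
    weak_sig = make_signature(IMAGE, SIGNING_KEY, "toy8")
    other = find_colliding_image(IMAGE, "toy8")
    print("collision verifies:", verify_signature(other, weak_sig, SIGNING_KEY, "toy8", allowed={"toy8"}))
    # Hardened verifier: MD5 is refused outright, SHA-256 works as expected.
    strong_sig = make_signature(IMAGE, SIGNING_KEY, "sha256")
    print("sha256 verifies:", verify_signature(IMAGE, strong_sig, SIGNING_KEY, "sha256"))
```

The collision search succeeds only because `toy8` has 256 possible outputs; it illustrates why the digest algorithm under the signature must be collision resistant and why a verifier should reject MD5 rather than merely prefer something stronger.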
