Message-Id: <20151118141120.ABCDC6C09AF@smtpvmsrv1.mitre.org>
Date: Wed, 18 Nov 2015 09:11:20 -0500 (EST)
From: cve-assign@...re.org
To: tdecacqu@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Glance

> Glance computes a cryptographic signature using the MD5 hash of the
> image. By crafting a malicious image that produces an MD5 collision, a
> Glance backend operator may subvert the signature verification process,
> resulting in a corrupted image.
>
> https://launchpad.net/bugs/1516031

Use CVE-2015-8234.

We're willing to let the OpenStack VMT have CVEs for mostly arbitrary types of issues that they want OpenStack customers to treat as vulnerabilities.

http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html possibly suggests that the behavior represents an intended intermediate step of feature development:

  "An alternative to using the existing MD5 hash algorithm is to create a
  separate configurable hash for use with verifying/creating the signature.
  However, creating a separate hash negatively affects the performance,
  without providing much benefit. Note that since there are preferable hash
  algorithms to MD5 that are more secure, a separate change is being proposed
  to allow for the configuring of this hash algorithm. This will not be
  included as a part of this change, in the interest of having a
  straightforward initial implementation."

If so, then we think vendors typically wouldn't want CVEs in these types of situations, unless the intermediate step actually made something worse than before the feature development started.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
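The spec text quoted above proposes a separate, configurable hash for the signature instead of reusing the MD5 checksum. The following is an added illustration of that design, not Glance code: the signer and verifier only accept an allowlist of digest algorithms, and the algorithm name is bound into the signed data so a verifier cannot be steered back to MD5 by metadata alone. It uses an HMAC as a stand-in for the asymmetric signature Glance uses; the key, image bytes and algorithm list are constructed for the example.

```python
import hashlib
import hmac

# Digest algorithms the signature may be computed over. MD5 is deliberately
# absent: once two different images can share one checksum, a signature over
# that checksum no longer binds to a specific image (assumed allowlist).
ALLOWED_HASHES = ("sha256", "sha384", "sha512")


def _signed_message(image: bytes, hash_name: str) -> bytes:
    """Digest the image and prefix the digest with the algorithm name.

    Binding the name means a signature made over sha256 can never be
    verified as though it had been made over a weaker algorithm.
    """
    digest = hashlib.new(hash_name, image).hexdigest()
    return f"{hash_name}:{digest}".encode()


def sign_image(key: bytes, image: bytes, hash_name: str) -> dict:
    """Return signature metadata for an image, refusing weak digests."""
    if hash_name not in ALLOWED_HASHES:
        raise ValueError(f"hash algorithm not allowed: {hash_name}")
    message = _signed_message(image, hash_name)
    # HMAC-SHA256 stands in for the real asymmetric signature here.
    signature = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"hash_name": hash_name, "signature": signature}


def verify_image(key: bytes, image: bytes, meta: dict) -> bool:
    """Recompute the digest from the actual image bytes and check the signature.

    Verification fails closed if the metadata names an algorithm that is not
    on the allowlist, so a stored 'md5' claim is rejected before any hashing.
    """
    hash_name = meta.get("hash_name", "")
    if hash_name not in ALLOWED_HASHES:
        return False
    message = _signed_message(image, hash_name)
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, meta.get("signature", ""))


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    image = b"constructed image payload"   # constructed sample image bytes
    meta = sign_image(key, image, "sha256")
    print("valid image:", verify_image(key, image, meta))          # True
    print("tampered image:", verify_image(key, image + b"!", meta))  # False
```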