Skip to content

Insecure MD5 usage in Multiprocessing.connection #100755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bdrodes opened this issue Jan 4, 2023 · 2 comments
Closed

Insecure MD5 usage in Multiprocessing.connection #100755

bdrodes opened this issue Jan 4, 2023 · 2 comments
Labels
topic-multiprocessing type-feature A feature request or enhancement type-security A security issue

Comments

@bdrodes
Copy link

bdrodes commented Jan 4, 2023
edited by bedevere-bot
Loading

Feature or enhancement

Remove insecure use of md5 in Multiprocessing.connection

Pitch

We discovered uses off the md5 hash, which has been proven insecure for more than a decade, in the Multiprocessing.connection library in the methods deliver_challenge and answer_challenge. This usage was apparently added in 2013 since the default implicit hashing mode for hmac.new was deprecated at that time. hmac.new previously defaulted to MD5 if a hashing algorithm was not specified. The 2013 change brings to code back to consistency with its prior use, but that use is insecure. It should be trivial to change the two uses in this library to a SHA2/3 secure hashing function (e.g., SHA512).

Failure to update the hashing algorithm may require organizations to fully cease use of the Multiprocessing library or components of the library to meet industry security standards with respect to acceptable uses of hashing algorithms.

Linked PRs
@bdrodes bdrodes added the type-feature A feature request or enhancement label Jan 4, 2023
@sobolevn sobolevn added the type-security A security issue label Jan 5, 2023
@bedevere-bot bedevere-bot mentioned this issue Jan 5, 2023
Closed
@CAM-Gerlach
Copy link
Member

CAM-Gerlach commented Jan 5, 2023
edited
Loading

Thanks. To note, this is a duplicate of #61460 , and resolved will be resolved by either PR #20380 or #99425 .

Just to mention, #61460 (comment) notes that MD5 is being used as a HMAC here rather than for cryptographic signatures (the latter of which it is, of course, thoroughly broken), so while it should still be moved away from, it is not in practice an actual major security vulnerability at present.

@CAM-Gerlach CAM-Gerlach mentioned this issue Jan 5, 2023
Closed
@CAM-Gerlach
Copy link
Member

Closed as confirmed duplicate of #61460 . Feel free to comment further over there, thanks.

@CAM-Gerlach CAM-Gerlach closed this as not planned Won't fix, can't repro, duplicate, stale Jan 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic-multiprocessing type-feature A feature request or enhancement type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sobolevn @bdrodes @CAM-Gerlach @AlexWaygood