Project

General

Profile

Actions

Bug #18356

closed

Please replace use of unsafe MD5 with another digest algorithm

Added by pvalena (Pavel Valena) almost 3 years ago. Updated almost 3 years ago.

Status:
Third Party's Issue
Assignee:
-
Target version:
-
[ruby-core:106208]

Description

Similarly to https://bugs.ruby-lang.org/issues/18272

Context

When working on a new version of RHEL (with Ruby 3.0), the requirement is to have a better security (remove unsafe digests or limit the use for non-security purposes). This would be achieved with using OpenSSL 3.0 as well, which will have a raised security level by default, forbidding the use of unsafe digests.

Issue

MD5 does not conform to the security requirements, and its replacement would be preferred.
Currently, the following files indicate it's use:

rubygems/package.rb:    return super unless gem.start.include? 'MD5SUM ='
bundler/compact_index_client/cache.rb:          name += "-#{SharedHelpers.digest(:MD5).hexdigest(name).downcase}"
bundler/compact_index_client/updater.rb:          SharedHelpers.digest(:MD5).hexdigest(File.read(path))
bundler/source/rubygems/remote.rb:            uri_digest = SharedHelpers.digest(:MD5).hexdigest(uri_parts.compact.join("."))
bundler/vendor/thor/lib/thor/runner.rb:      :filename   => Digest::MD5.hexdigest(name + as),

Alternative solution

The use for non-security purposes might be indicated with setting an internal variable (when using OpenSSL implementation), which would allow the use of MD5 (although forbidden via OpenSSL setting). Do you think this would be possible?

Question

AFAICT in Ruby it is used for non-security purposes only. Could you confirm that?

Additional information

The tests failed on digests/md5 removal:
https://gist.github.com/pvalena/ce6af993c6fe7c825cc41be81e1944ad


Related issues 1 (0 open1 closed)

Related to Ruby master - Feature #18272: Please replace unsafe SHA1 with another digest algorithmThird Party's IssueActions
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0