[New-bugs-announce] [issue17258] multiprocessing.connection challenge implicitly uses MD5

Dave Malcolm report at bugs.python.org
Wed Feb 20 21:11:36 CET 2013

New submission from Dave Malcolm:

Within multiprocessing.connection, deliver_challenge() and
answer_challenge() use hmac for a challenge/response.

hmac implicitly defaults to using MD5.

MD5 should no longer be used for security purposes.  See e.g. 

This fails in a FIPS-compliant environment (e.g. with the patches I
apply to hashlib in issue 9216).

There's thus a possibility of an attacker defeating the multiprocessing

I'm attaching a patch which changes multiprocessing to use a clearly
identified algorithm (for the day when it needs changing again),
hardcoding it as "sha256"; presumably all processes within a
multiprocess program that share authkey can share the algorithm.

It's not clear to me whether hmac.py should also be changed (this would
seem to have tougher backwards-compat concerns).

[Note to self: I'm tracking this downstream for RHEL as
https://bugzilla.redhat.com/show_bug.cgi?id=879695 (this bug is
currently only visible to RH employees)]

components: Library (Lib)
files: avoid-implicit-usage-of-md5-in-multiprocessing.patch
keywords: patch
messages: 182547
nosy: dmalcolm, sbt
priority: normal
severity: normal
stage: patch review
status: open
title: multiprocessing.connection challenge implicitly uses MD5
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5
Added file: http://bugs.python.org/file29134/avoid-implicit-usage-of-md5-in-multiprocessing.patch

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list