Thursday's watershed attack on the widely used SHA1 hashing function has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted after someone uploaded two proof-of-concept PDF files that have identical message digests.
The bug resides in Apache SVN, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. Somehow, SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, proving that real-world collisions on SHA1 are now practical.
On Friday morning, the researchers updated their informational website to add the frequently asked question "Is SVN affected?" The answer:
"Yes - please exercise care, as SHA-1 colliding files are currently breaking SVN repositories. Subversion servers use SHA-1 for deduplication and repositories become corrupted when two colliding files are committed to the repository. This has been discovered in WebKit's Subversion repository and independently confirmed by us. Due to the corruption the Subversion server will not accept further commits."
Source: ArsTechnica
(Score: 2) by bradley13 on Monday February 27 2017, @09:52AM (1 child)
Ok, it's Linus saying not to worry. Still, I don't like his reasoning:
"I haven't seen the attack details, but I bet"
So he doesn't actually know how the attack works, beyond it being a hash-collision via PDFs.
"we have a separate size encoding makes it much
harder to do on git objects"
But he doesn't know how the attack works: if you can provoke a collision, there's actually no reason to suppose you can't provoke a collision while controlling document size. May take a bit longer, that's all.
"we can probably easily add some extra sanity checks..."
That really does not sound very reassuring at all. Sitting in a boat with a hole in the bottom: "we can probably easily stuff some old socks in the hole".
Everyone is somebody else's weirdo.
(Score: 2) by ticho on Monday February 27 2017, @12:20PM
Fair enough, but that was just the initial reaction. The linked thread then develops into an indepth discussion about how git is or can be affected by collisions, and how to improve the resilience. An interesting read, if you can spare the time (90+ messages, some of them quite meaty).