SoylentNews

Fnord666 [soylentnews.org] writes:

Thursday's watershed attack on the widely used SHA1 hashing function [arstechnica.com] has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted [webkit.org] after someone uploaded two proof-of-concept PDF files that have identical message digests.

The bug resides in Apache SVN, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. Somehow, SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, proving that real-world collisions on SHA1 are now practical.

On Friday morning, the researchers updated their informational website [shattered.io] to add the frequently asked question "Is SVN affected?" The answer:

"Yes - please exercise care, as SHA-1 colliding files are currently breaking SVN repositories. Subversion servers use SHA-1 for deduplication and repositories become corrupted when two colliding files are committed to the repository. This has been discovered in WebKit's Subversion repository and independently confirmed by us. Due to the corruption the Subversion server will not accept further commits."

Source: ArsTechnica [arstechnica.com]

Original Submission