[Cryptography] SHA-1 collision broke SVN
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Feb 25 20:31:33 EST 2017

Looks like the SHA-1 collision claimed its first casualty:

https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/

specifically:

https://bugs.webkit.org/show_bug.cgi?id=168774#c27

It seems that the git-svn mirror stopped updating at r212950, and the bots
all are red, the svn client prints an error that looks like:

0svn: E200014: Checksum mismatch for [...] shattered-2.pdf'

(the trail of fail continues after that point in the thread).

However, this is really just bad programming rather than a crypto attack, that
SVN can completely bork itself when it hits a non-unique ID. It looks like
SVN uses a NoSQL store called FSFS, rather than an SQL store for which the
first CREATE UNIQUE INDEX would have prevented the problem.

(Insert "MongoDB is Web Scale" link here, I guess FSFS is too).

Peter.
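
The argument above, as an added example (not part of the original post and not SVN's code): a store keyed only on a hash silently aliases two different blobs that share an ID, while a `CREATE UNIQUE INDEX` turns the duplicate ID into an error the writer has to handle. SHA-1 truncated to 8 bits stands in for a hash with known collisions; the class names and the blobs are constructed for illustration.

```python
import hashlib
import sqlite3

def weak_id(data):
    # Assumption: SHA-1 cut to 8 bits stands in for a hash with known collisions.
    return hashlib.sha1(data).hexdigest()[:2]

def find_collision():
    # Constructed inputs; the pigeonhole principle guarantees a hit within 257 tries.
    seen = {}
    for i in range(257):
        blob = b"constructed-blob-%d" % i
        other = seen.setdefault(weak_id(blob), blob)
        if other != blob:
            return other, blob

class NaiveStore:
    """Keyed on the ID alone: a colliding blob is silently aliased to the first."""
    def __init__(self):
        self.blobs = {}
    def put(self, data):
        key = weak_id(data)
        self.blobs.setdefault(key, data)  # "already stored", with no content check
        return key
    def get(self, key):
        return self.blobs[key]

class CollisionError(Exception):
    pass

class UniqueIndexStore:
    """The unique index turns a duplicate ID into an error the writer must handle."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE blobs (id TEXT NOT NULL, data BLOB NOT NULL)")
        self.db.execute("CREATE UNIQUE INDEX blobs_id ON blobs (id)")
    def get(self, key):
        return self.db.execute("SELECT data FROM blobs WHERE id = ?", (key,)).fetchone()[0]
    def put(self, data):
        key = weak_id(data)
        try:
            self.db.execute("INSERT INTO blobs (id, data) VALUES (?, ?)", (key, data))
        except sqlite3.IntegrityError:
            if self.get(key) != data:  # same ID, different bytes: refuse, do not alias
                raise CollisionError("ID %s already names different content" % key)
        return key
```
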