[Cryptography] SHA-1 collision broke SVN

John Ioannidis jayeye at gmail.com
Sun Feb 26 09:17:24 EST 2017


On Sat, Feb 25, 2017 at 8:31 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Looks like the SHA-1 collision claimed its first casualty:
>
>     https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/
>
> specifically:
>
>     https://bugs.webkit.org/show_bug.cgi?id=168774#c27
>
>     It seems that the git-svn mirror stopped updating at r212950, and the bots
>     all are red, the svn client prints an error that looks like:
>
>     0svn: E200014: Checksum mismatch for [...] shattered-2.pdf'
>
> (the trail of fail continues after that point in the thread).
>
> However, this is really just bad programming rather than a crypto attack, that
> SVN can completely bork itself when it hits a non-unique ID.  It looks like
> SVN uses a NoSQL store called FSFS, rather than an SQL store for which the
> first CREATE UNIQUE INDEX would have prevented the problem.
>

For additional hilarity, look at the mitigation: they just ban the
offending hash!

(OK, in all fairness, this *is* the fastest way to prevent some other clown
without adequate computational resources from messing up more svn repos.)