From: Aaron Schrab <aaron@schrab.com>
To: Jeff King <peff@peff.net>
Cc: Shawn Pearce <spearce@spearce.org>,
Michael Hirshleifer <111mth@caltech.edu>,
git <git@vger.kernel.org>
Subject: Re: Possible vulnerability to SHA-1 collisions
Date: Tue, 27 Nov 2012 18:30:17 -0500 [thread overview]
Message-ID: <20121127233016.GC3937@pug.qqx.org> (raw)
In-Reply-To: <20121127230753.GA22730@sigill.intra.peff.net>
At 18:07 -0500 27 Nov 2012, Jeff King <peff@peff.net> wrote:
>PS I also think the OP's "sockpuppet creates innocuous bugfix" above is
> easier said than done. We do not have SHA-1 collisions yet, but if
> the md5 attacks are any indication, the innocuous file will not be
> completely clean; it will need to have some embedded binary goo that
> is mutated randomly during the collision process (which is why the
> md5 attacks were demonstrated with postscript files which _rendered_
> to look good, but contained a chunk of random bytes in a spot ignored
> by the postscript interpreter).
I don't think that really saves us though. Many formats have parts of
the file which will be ignored, such as comments in source code. With
the suggested type of attack, there isn't a requirement about which
version of the file is modified. So the attacker should be able to
generate a version of a file with an innocuous change, get the SHA-1 for
that, then add garbage comments to their malicious version of the file
to try to get the same SHA-1.
next prev parent reply other threads:[~2012-11-27 23:30 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-24 11:12 Possible vulnerability to SHA-1 collisions Michael Hirshleifer
2012-11-24 18:09 ` Shawn Pearce
2012-11-27 23:07 ` Jeff King
2012-11-27 23:30 ` Aaron Schrab [this message]
2012-11-28 0:27 ` Jeff King
2012-11-28 9:35 ` Andreas Ericsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121127233016.GC3937@pug.qqx.org \
--to=aaron@schrab.com \
--cc=111mth@caltech.edu \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).