From: Nicolas Pitre <nico@cam.org>
To: "Shawn O. Pearce" <spearce@spearce.org>
Cc: git@vger.kernel.org
Subject: Re: New index-pack "keep" violates "never overwrite"
Date: Tue, 20 Mar 2007 15:07:22 -0400 (EDT)
Message-ID: <alpine.LFD.0.83.0703201454280.18328@xanadu.home>
In-Reply-To: <20070320053813.GC29288@spearce.org>

On Tue, 20 Mar 2007, Shawn O. Pearce wrote:
> This is something that has been bothering me for several weeks now.
>
> Waaaaaaay back Git was considered to be secure as it never overwrote
> an object it already had. This was ensured by always unpacking the
> packfile received over the network (both in fetch and receive-pack)
> and our already existing logic to not create a loose object for an
> object we already have.
>
> Lately however we keep "large-ish" packfiles on both fetch and push
> by running them through index-pack instead of unpack-objects. This
> would let an attacker perform a birthday attack.

This has been nagging me as well since I made the index-pack changes.
But I dismissed that possibility as pure paranoia.

[...]

> The fix does appear to be simple. Just don't write the existing
> object to the output packfile. But really that is a lot more like
> what unpack-objects does: buffer deltas we cannot resolve yet, and
> only write out what we cannot find through our ODB. The logic in
> index-pack ain't built for that...

Nah. You would have to fix every delta base offset up etc. and make
the whole thing into a complex mess.

Instead, we only have to check for the local presence of every object
in the pack, and when one packed object does exist locally and
doesn't match the pack content we simply need to bail out with great
distress. If we really get a SHA1 collision, evil or not, we simply
just cannot continue as if nothing happened.

Patch to follow...

Nicolas
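
The check proposed in this message, sketched as an added example (not code from this thread or from git): every incoming object that already exists locally must be byte-identical, otherwise the whole pack is refused. The names `object_id`, `check_pack`, `CollisionError` and `constructed_collision` are hypothetical, and the one-byte truncated id is an assumption made only so that a collision can be constructed for the demo.

```python
import hashlib

class CollisionError(Exception):
    """Same object id, different content: the pack must be rejected."""

def object_id(obj_type, data, id_bytes=20):
    # Git names an object by SHA-1 over "<type> <size>\0" + content.
    # id_bytes < 20 truncates the id. ASSUMPTION of this demo only, so a
    # collision can be constructed; real ids are the full 20 bytes.
    header = f"{obj_type} {len(data)}".encode() + b"\0"
    return hashlib.sha1(header + data).digest()[:id_bytes].hex()

def check_pack(odb, pack, id_bytes=20):
    """Return the ids in `pack` that are new to `odb`.

    odb maps id -> (type, data); pack is a list of (type, data).
    An object already present locally must be byte-identical, otherwise
    CollisionError is raised. odb is never modified.
    """
    new_ids = []
    for obj_type, data in pack:
        oid = object_id(obj_type, data, id_bytes)
        local = odb.get(oid)
        if local is None:
            new_ids.append(oid)
        elif local != (obj_type, data):
            raise CollisionError(f"id {oid} exists locally with other content")
    return new_ids

def constructed_collision(victim, id_bytes):
    # Constructed test input: search for a different blob whose TRUNCATED
    # id equals the victim's. Works only because the demo id is tiny.
    target = object_id("blob", victim, id_bytes)
    for i in range(1_000_000):
        data = b"substitute %d\n" % i
        if object_id("blob", data, id_bytes) == target:
            return data
    raise RuntimeError("no collision found in search range")

if __name__ == "__main__":
    local = b"int main(void) { return 0; }\n"   # constructed sample object
    odb = {object_id("blob", local, 1): ("blob", local)}
    print(check_pack(odb, [("blob", local)], 1))   # identical duplicate
    try:
        check_pack(odb, [("blob", constructed_collision(local, 1))], 1)
    except CollisionError as err:
        print("rejected:", err)
```

The comparison runs before anything from the pack is kept, so a mismatch aborts the transfer instead of leaving two different contents reachable under one id.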