From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 2268CC09 for ; Thu, 23 Feb 2017 21:28:10 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from outmail149055.authsmtp.co.uk (outmail149055.authsmtp.co.uk [62.13.149.55]) by smtp1.linuxfoundation.org (Postfix) with ESMTP id 3B08816F for ; Thu, 23 Feb 2017 21:28:06 +0000 (UTC) Received: from mail-c247.authsmtp.com (mail-c247.authsmtp.com [62.13.128.247]) by punt21.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1NLS5lE035668; Thu, 23 Feb 2017 21:28:05 GMT Received: from petertodd.org (ec2-52-5-185-120.compute-1.amazonaws.com [52.5.185.120]) (authenticated bits=0) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1NLS3Po008966 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Feb 2017 21:28:04 GMT Received: from [127.0.0.1] (localhost [127.0.0.1]) by petertodd.org (Postfix) with ESMTPSA id 5178E40932; Thu, 23 Feb 2017 21:28:03 +0000 (UTC) Received: by localhost (Postfix, from userid 1000) id A946C20245; Thu, 23 Feb 2017 16:28:02 -0500 (EST) Date: Thu, 23 Feb 2017 16:28:02 -0500 From: Peter Todd To: Bitcoin Protocol Discussion Message-ID: <20170223212802.GA7608@savin.petertodd.org> References: <20170223181409.GA6085@savin.petertodd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="OXfL5xGRrasGEqWY" Content-Disposition: inline In-Reply-To: <20170223181409.GA6085@savin.petertodd.org> User-Agent: Mutt/1.5.23 (2014-03-12) X-Server-Quench: f6394e06-fa0e-11e6-bcdf-0015176ca198 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aAdMdAEUHlAWAgsB AmEbWVVeUlV7WWc7 bghPaBtcak9QXgdq T0pMXVMcUgQWfX8C ZkEeUhF7cQMIfn51 Zwg0WHNSWBF6c1sr E04BCGwHMGF9OjNL Bl1YdwJRcQRMLU5E Y1gxNiYHcQ5VPz4z GA41ejw8IwAXEwR8 G0kGKlYWQF0KGTgn DxULHjhnMkwZDzsu KxorMFcWGEtZLkJ6 OEc9UFETKFcYG28W A0FMGiMcP1AbWysm FkcSW0kCWD9AWjsU GBAwJVdNCz1URiNZ AkZfUHkA X-Authentic-SMTP: 61633532353630.1038:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 52.5.185.120/25 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: cryptography@metzdowd.com Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 21:28:10 -0000 --OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 23, 2017 at 01:14:09PM -0500, Peter Todd via bitcoin-dev wrote: > Worth noting: the impact of the SHA1 collison attack on Git is *not* limi= ted > only to maintainers making maliciously colliding Git commits, but also > third-party's submitting pull-reqs containing commits, trees, and especia= lly > files for which collisions have been found. This is likely to be exploita= ble in > practice with binary files, as reviewers aren't going to necessarily noti= ce > garbage at the end of a file needed for the attack; if the attack can be > extended to constricted character sets like unicode or ASCII, we're in tr= ouble > in general. >=20 > Concretely, I could prepare a pair of files with the same SHA1 hash, taki= ng > into account the header that Git prepends when hashing files. I'd then su= bmit > that pull-req to a project with the "clean" version of that file. Once the > maintainer merges my pull-req, possibly PGP signing the git commit, I the= n take > that signature and distribute the same repo, but with the "clean" version > replaced by the malicious version of the file. Thinking about this a bit more, the most concerning avenue of attack is lik= ely to be tree objects, as I'll bet you you can construct tree objs with garbag= e at the end that many review tools don't pick up on. :( --=20 https://petertodd.org 'peter'[:-1]@petertodd.org --OXfL5xGRrasGEqWY Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJYr1PfAAoJECSBQD2l8JH7Ps4H/3b5d2Npej0JLtj4K9GGIDeq q1mvGH8ofijSnbVgSUeLiE7z4llKe47ITAAS7ZxfSgCkrIWI9tCLE4HQWmRQjXH2 fySPVvEy+GJkmwE5wJ1v2vPYnG++JyjeVeM/iaV1pUjNhFMS2vVDuUd9esqwgSwI XwBvn/4VRYxGUb8UQvgHuLb246/3q1ACgq2EO9hIIvMC9jRCCdTuf4xeiVegqEVM PpfXNw9cdx3PbYgObzan5aOA3Uw+pRywfyQAsKucl8PBEqnzuOI1bp2UwNfhiQZO EaoejM2oRhRe03CUeSx/ueYjnIcI2SKftxv3eyp2FaXOi6IsPLuLpLqpSadm+sA= =lv4H -----END PGP SIGNATURE----- --OXfL5xGRrasGEqWY--