Watershed SHA1 collision just broke the WebKit repository, others may follow

by
Dan Goodin
from Ars Technica - All content on (#2DVF3)
broken-monitor-800x534.jpg

Enlarge (credit: youngthousands)

Thursday's watershed attack on the widely used SHA1 hashing function has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted after someone uploaded two proof-of-concept PDF files that have identical message digests.

The bug resides in Apache SVN, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. Somehow, SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, proving that real-world collisions on SHA1 are now practical.

On Friday morning, the researchers updated their informational website to add the frequently asked question "Is SVN affected?" The answer:

Read 3 remaining paragraphs | Comments

index?i=rArHR0RsiZ8:12hz5sDQjrs:V_sGLiPB index?i=rArHR0RsiZ8:12hz5sDQjrs:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments