
Files with identical SHA1 breaks the repo

From: Øyvind A. Holm <sunny_at_sunbase.org>
Date: Thu, 23 Feb 2017 21:02:28 +0100

Earlier today, the first known SHA1 collision was presented:

  https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
  http://shattered.io/

It turns out that adding these two PDF files to a svn repository makes
it impossible to check out the repository properly if both files exist in
the repo. This script demonstrates what happens:

--- CUT
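#!/bin/sh
# Reproduce the checkout failure with the two SHAttered PDFs.

# Refuse to run if a previous run left anything behind.
if test -e repo -o -e wc1 -o -e wc2; then
  echo repo, wc1 or wc2 already exist >&2
  exit 1
fi
svnadmin create repo
svn co "file://$(pwd)/repo" wc1
cd wc1 || exit 1
# Two different PDFs with the same SHA-1 digest.
wget https://shattered.it/static/shattered-1.pdf
wget https://shattered.it/static/shattered-2.pdf
svn add *.pdf
svn ci -m "Add files with identical SHA1"
cd .. || exit 1
# A fresh checkout of the same repository fails on shattered-2.pdf.
svn co "file://$(pwd)/repo" wc2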
--- CUT

This happens:

  $ ./runme
  Checked out revision 0.
  --2017-02-23 20:41:05-- https://shattered.it/static/shattered-1.pdf
  Resolving shattered.it (shattered.it)... 216.239.38.21, 216.239.36.21, 216.239.32.21, ...
  Connecting to shattered.it (shattered.it)|216.239.38.21|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 422435 (413K) [application/pdf]
  Saving to: ‘shattered-1.pdf’

  shattered-1.pdf 100%[===============>] 412.53K --.-KB/s in 0.04s

  2017-02-23 20:41:05 (10.9 MB/s) - ‘shattered-1.pdf’ saved [422435/422435]

  --2017-02-23 20:41:05-- https://shattered.it/static/shattered-2.pdf
  Resolving shattered.it (shattered.it)... 216.239.38.21, 216.239.36.21, 216.239.32.21, ...
  Connecting to shattered.it (shattered.it)|216.239.38.21|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 422435 (413K) [application/pdf]
  Saving to: ‘shattered-2.pdf’

  shattered-2.pdf 100%[===============>] 412.53K --.-KB/s in 0.04s

  2017-02-23 20:41:06 (9.03 MB/s) - ‘shattered-2.pdf’ saved [422435/422435]

  A (bin) shattered-1.pdf
  A (bin) shattered-2.pdf
  Adding (bin) shattered-1.pdf
  Adding (bin) shattered-2.pdf
  Transmitting file data ..
  Committed revision 1.
  A wc2/shattered-1.pdf
  svn: E200014: Checksum mismatch for '/home/sunny/src/git/svn-sha1/wc2/shattered-2.pdf':
     expected: 5bd9d8cabc46041579a311230539b8d1
       actual: ee4aa52b139d925f8d8884402b0a750c

  $

Tested with svn-1.8.10, which is the default svn in Debian 8.7, newest
stable. shattered-1.pdf is checked out, but not shattered-2.pdf.

This is the only known SHA-1 collision at the moment, but Google will
release the collision code in 90 days, so we can expect this not to last
forever.

Regards,
Øyvind

+-| Øyvind A. Holm <sunny_at_sunbase.org> - N 60.37604° E 5.33339° |-+
| OpenPGP: 0xFB0CBEE894A506E5 - http://www.sunbase.org/pubkey.asc |
| Fingerprint: A006 05D6 E676 B319 55E2 E77E FB0C BEE8 94A5 06E5 |
+------------| cb5c25a6-fa01-11e6-8cd8-db5caa6d21d3 |-------------+

Received on 2017-02-23 21:02:33 CET

This is an archived mail posted to the Subversion Dev mailing list.
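
A working-copy check for the condition reported above, as an added example that is not part of the original mail or of Subversion: it lists files that share a SHA-1 digest but differ in SHA-256, so they can be caught before `svn ci`. The function names and the `weak` parameter (a hook for substituting another digest when testing) are assumptions of this example.

```python
import hashlib
import os
import sys
from collections import defaultdict


def file_digest(path, algo):
    """Hash a file in 64 KiB chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sha1_clashes(root, weak=lambda p: file_digest(p, "sha1")):
    """Return [(digest, [paths])] for files under root that share the weak
    digest (SHA-1 by default) but differ in SHA-256, i.e. differ in content."""
    by_weak = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip Subversion's own metadata directory.
        dirnames[:] = [d for d in dirnames if d != ".svn"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                by_weak[weak(path)].append(path)
    clashes = []
    for digest, paths in sorted(by_weak.items()):
        if len(paths) < 2:
            continue
        # Identical copies share both digests; only differing bytes count.
        strong = {file_digest(p, "sha256") for p in paths}
        if len(strong) > 1:
            clashes.append((digest, sorted(paths)))
    return clashes


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = find_sha1_clashes(root)
    for digest, paths in found:
        print(f"SHA-1 {digest} shared by differing files:")
        for p in paths:
            print(f"  {p}")
    # Non-zero exit lets a wrapper script refuse the commit.
    sys.exit(1 if found else 0)
```

Run against the `wc1` directory from the script above before committing; exit status 1 means at least one such group was found.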
