Earlier today, the first known SHA1 collision was presented:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
http://shattered.io/
It turns out that adding these two PDF files to a svn repository makes
it impossible to check out the repository properly if both files exist in
the repo. This script demonstrates what happens:
--- CUT
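#!/bin/sh
# Refuse to run if a previous run left its directories behind.
if test -e repo -o -e wc1 -o -e wc2; then
    echo repo, wc1 or wc2 already exist >&2
    exit 1
fi
# Create an empty repository and a first working copy.
svnadmin create repo
svn co "file://$(pwd)/repo" wc1
cd wc1
# Fetch the two colliding PDFs and commit both in one revision.
wget https://shattered.it/static/shattered-1.pdf
wget https://shattered.it/static/shattered-2.pdf
svn add *.pdf
svn ci -m "Add files with identical SHA1"
cd ..
# A fresh checkout of the same repository is where the error appears.
svn co "file://$(pwd)/repo" wc2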
--- CUT
This happens:
$ ./runme
Checked out revision 0.
--2017-02-23 20:41:05-- https://shattered.it/static/shattered-1.pdf
Resolving shattered.it (shattered.it)... 216.239.38.21, 216.239.36.21, 216.239.32.21, ...
Connecting to shattered.it (shattered.it)|216.239.38.21|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422435 (413K) [application/pdf]
Saving to: ‘shattered-1.pdf’
shattered-1.pdf 100%[===============>] 412.53K --.-KB/s in 0.04s
2017-02-23 20:41:05 (10.9 MB/s) - ‘shattered-1.pdf’ saved [422435/422435]
--2017-02-23 20:41:05-- https://shattered.it/static/shattered-2.pdf
Resolving shattered.it (shattered.it)... 216.239.38.21, 216.239.36.21, 216.239.32.21, ...
Connecting to shattered.it (shattered.it)|216.239.38.21|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422435 (413K) [application/pdf]
Saving to: ‘shattered-2.pdf’
shattered-2.pdf 100%[===============>] 412.53K --.-KB/s in 0.04s
2017-02-23 20:41:06 (9.03 MB/s) - ‘shattered-2.pdf’ saved [422435/422435]
A (bin) shattered-1.pdf
A (bin) shattered-2.pdf
Adding (bin) shattered-1.pdf
Adding (bin) shattered-2.pdf
Transmitting file data ..
Committed revision 1.
A wc2/shattered-1.pdf
svn: E200014: Checksum mismatch for '/home/sunny/src/git/svn-sha1/wc2/shattered-2.pdf':
expected: 5bd9d8cabc46041579a311230539b8d1
actual: ee4aa52b139d925f8d8884402b0a750c
$
Tested with svn-1.8.10, which is the default svn in Debian 8.7, newest
stable. shattered-1.pdf is checked out, but not shattered-2.pdf.
This is the only known SHA-1 collision at the moment, but Google will
release the collision code in 90 days, so we can expect this not to last
forever.
Regards,
Øyvind
+-| Øyvind A. Holm <sunny_at_sunbase.org> - N 60.37604° E 5.33339° |-+
| OpenPGP: 0xFB0CBEE894A506E5 - http://www.sunbase.org/pubkey.asc |
| Fingerprint: A006 05D6 E676 B319 55E2 E77E FB0C BEE8 94A5 06E5 |
+------------| cb5c25a6-fa01-11e6-8cd8-db5caa6d21d3 |-------------+
Received on 2017-02-23 21:02:33 CET
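
Added example, not part of the original message: a Python check that walks a directory tree (for instance a working copy before `svn add`) and reports files that share a SHA-1 digest but differ in SHA-256, which is the condition the two PDFs above create. The function names and the `weak` parameter, which exists only so the logic can be exercised without real colliding files, are assumptions of this example.

```python
"""Added example: flag files that share a SHA-1 digest but differ in content."""
import hashlib
import os
import sys
from collections import defaultdict

def file_digest(path, algo):
    """Hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def sha1_of(path):
    return file_digest(path, "sha1")

def find_collisions(root, weak=sha1_of):
    """Return {weak_digest: [[paths with content A], [paths with content B], ...]}
    for every weak digest shared by files whose SHA-256 digests differ.
    Byte-identical copies are not reported. `weak` is a parameter only so
    the grouping can be tested without real colliding files (assumption)."""
    by_weak = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".svn"]  # skip svn metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                by_weak[weak(path)].append(path)
    collisions = {}
    for digest, paths in by_weak.items():
        if len(paths) < 2:
            continue
        by_strong = defaultdict(list)
        for path in paths:
            by_strong[file_digest(path, "sha256")].append(path)
        if len(by_strong) > 1:  # same weak digest, different content
            collisions[digest] = sorted(sorted(g) for g in by_strong.values())
    return collisions

if __name__ == "__main__":
    found = find_collisions(sys.argv[1] if len(sys.argv) > 1 else ".")
    for digest, groups in found.items():
        print("SHA-1 %s is shared by different files:" % digest)
        for group in groups:
            print("   ", ", ".join(group))
    sys.exit(1 if found else 0)  # non-zero exit lets a wrapper script abort
```

Run as a script with the directory as its argument; it exits non-zero when a colliding pair is found.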