Author: Peter Todd 2017-02-23 18:14:09
Published on: 2017-02-23T18:14:09+00:00
The SHA1 collision attack on Git does not only affect maintainers making maliciously colliding Git commits, but also third-party submissions containing commits, trees, and files for which collisions have been found. The attack is likely to be exploitable in practice with binary files as reviewers may not notice garbage at the end of a file needed for the attack. If the attack can be extended to constrained character sets like Unicode or ASCII, it could become a problem. A pair of files with the same SHA1 hash can be prepared, taking into account the header that Git prepends when hashing files. Then, the pull request to a project with the "clean" version of the file should be submitted. Once the maintainer merges the pull request, possibly PGP signing the git commit, the signature can be taken and distributed with the same repo, but with the malicious version of the file replaced by the "clean" one. This raises security concerns.
Updated on: 2023-06-11T21:49:12.216069+00:00