Author: Peter Todd 2017-02-23 21:28:02
Published on: 2017-02-23T21:28:02+00:00
Peter Todd, a core Bitcoin developer, has warned that the recent SHA-1 collision attack on Git is not limited to maintainers making maliciously colliding Git commits but also third-party's submitting pull-reqs containing commits, trees and files for which collisions have been found. This could be exploitable in practice with binary files, as reviewers are unlikely to notice garbage at the end of a file needed for the attack. Todd explains that he could prepare a pair of files with the same SHA-1 hash, taking into account the header that Git prepends when hashing files, and submit it via a pull-req to a project with the "clean" version of that file. Once the maintainer merges the pull-req, possibly PGP signing the git commit, Todd could take that signature and distribute the same repo, but with the "clean" version replaced by the malicious version of the file. Todd notes that tree objects are likely to be the most concerning avenue of attack, as many review tools don't pick up on garbage data at the end of these objects.
Updated on: 2023-06-11T21:49:52.322817+00:00