•  
      request #10015 SHA-1 colliding files can break Subversion repository
    Infos
    #10015
    Thomas Gerbet (tgerbet)
    2017-04-11 12:26
    2017-02-24 23:23
    10304
    Details
    SHA-1 colliding files can break Subversion repository

    A Subversion repository can be broken by SHA-1 colliding files.

    Impact

    An attacker with commit rights to a repo can prevent access to legitimate users.
    CVSS3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    Exploitation

    The issue can be demonstrated this way:

    1. Create a new repository
    2. Checkout this repository
    3. Create a directory named d1 and add the two attached files of this request into this directory
    4. Add the directory d1 to the repo and commit (svn add d1 && svn commit)
    5. Try to checkout the repository

    References

    First publicly known issue due to this vulnerability (Webkit repo): https://bugs.webkit.org/show_bug.cgi?id=168774&comment=c27#c27
    How SHA-1 collisions can be generated: https://shattered.it/

    SCM/Subversion
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-04-11
    Attachments
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-02-24 23:50
    For the record, while being a security issue this request has been left publicly accessible before a fix is available since the vulnerability has been widely disclosed.

    From a technical point of view this is caused by a deduplication feature of SVN (rep sharing) to save disk space. They use a SHA-1 digest to differentiate unique files which cause the failure in case of a collision. More explanation on how it works can be found here: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_fs_fs/structure

    A fix is as today not available in Subversion, the vulnerability can be mitigated tough:
    * disabling the deduplication feature solve the issue on new repo at the cost of disk space (enable-rep-sharing = false in fsfs.conf, see https://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/fs_fs.c?revision=1784336&view=markup#l861)
    * a pre-commit hook has been proposed to protect against known SHA-1 collisions: https://svn.apache.org/viewvc/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh?view=markup&pathrev=1784336

    The pre-commit hook mitigation is easy enough to implement and to deploy in the Tuleap context to be considered.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes