[CentOS] Checksums for git repo content?

Warren Young warren at etr-usa.com
Fri Feb 24 00:31:21 UTC 2017


On Feb 23, 2017, at 12:55 PM, Lamar Owen <lowen at pari.edu> wrote:
> 
> On 02/09/2017 03:12 PM, Johnny Hughes wrote:
>> The patch files are in git as text files, right?  Why would you need
>> checksums of those? That is the purpose of git, right?
>> 
> Not to stir up a hornets' nest, but how does Google's announcement at https://shattered.it affect this now?

To replace pre-existing checkins in place, you have to execute what’s called a second-preimage attack, which is much, much harder than the collision attack presented by Google.

The collision attack gives you the freedom to change both files until they match, whereas fixing one of the artifacts ahead of time requires you to pull off a second-preimage attack.  Since the fear up-thread is about whether we can trust what’s already in the CentOS Git repos, only a second-preimage attack will do.

There is a way to use a collision attack against Git or similar systems:

    https://news.ycombinator.com/item?id=13715887

However, realize that in this context, it means you’d have to:

1. Get the Red Hat or CentOS folks to accept the good version of your patch.  (i.e. The benign version of the evil patch you want to get into RHEL and CentOS.)

2. Hope that the committer doesn’t modify your patch before committing it, thus breaking the match to the evil version you spent $100k and a month of time creating.

3. MITM the Git sync protocol between git.centos.org and the target site to inject your evil version into the sync stream.  Since git.centos.org redirects to HTTPS by default and issues HTTPS URLs for you to clone from, this means you also have to break TLS, since unbroken TLS prevents MITM attacks.  That, or someone has to *aim* while shooting themselves in the foot, going out of their way to remove the “s” from the URL.

4. Since git.centos.org is apparently not mirrored, you have to execute this attack between git.centos.org and all end users of their service that you wish to attack, rather than poison one or more of the mirrors by MITMing the mirror’s connection back to git.centos.org.

So yeah, it’s still Difficult.™

All of this is not to say that Git doesn’t have a problem.  They do.  It’s just that the problem in question doesn’t affect the integrity of git.centos.org, as far as I can see.
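
Added example, not part of the original message: Git names a file's content by the SHA-1 of a "blob <len>\0" header plus the bytes, so a committer's edit (step 2 above) changes the ID, while a colliding substitute would keep it. This sketch records a SHA-256 digest beside the blob ID at review time and compares both on receipt; the function names and the sample patch are constructed for illustration.

```python
import hashlib


def git_blob_id(data: bytes) -> str:
    """Object ID Git assigns to file content: SHA-1 over 'blob <len>\\0' + data."""
    header = b"blob %d\x00" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def record(data: bytes) -> dict:
    """Manifest entry taken when the patch is reviewed (hypothetical format)."""
    return {"blob": git_blob_id(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def check(entry: dict, received: bytes) -> str:
    """Compare content received later against the reviewed manifest entry."""
    same_blob = git_blob_id(received) == entry["blob"]
    same_256 = hashlib.sha256(received).hexdigest() == entry["sha256"]
    if same_blob and same_256:
        return "ok"
    if same_blob:
        # Git would treat this content as the reviewed object; only the
        # independent digest disagrees, which is what a SHA-1 collision
        # substituted in transit would look like.
        return "sha1-collision-suspect"
    # Any ordinary edit changes the blob ID, so Git itself notices it.
    return "changed"


# Constructed sample patch and a constructed committer modification of it.
REVIEWED = (b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n"
            b"-int x = 0;\n+int x = 1;\n")
COMMITTER_EDIT = REVIEWED.replace(b"x = 1", b"x = 2")


def demo():
    entry = record(REVIEWED)
    return check(entry, REVIEWED), check(entry, COMMITTER_EDIT)


if __name__ == "__main__":
    print(git_blob_id(REVIEWED), demo())
```

git_blob_id() returns the same value as `git hash-object` for the same bytes, so a manifest built this way can be checked against a real checkout.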

