Date: Mon, 4 Aug 2014 21:38:43 +0200 From: Tomas Hoger <thoger@...hat.com> To: Ben Reser <ben@...er.org> Cc: Marcus Meissner <meissner@...e.de>, OSS Security List <oss-security@...ts.openwall.com> Subject: Re: Re: Possible CVE request: subversion MD5 collision authentication leak On Fri, 01 Aug 2014 07:47:53 -0700 Ben Reser wrote: > On 8/1/14 3:12 AM, Marcus Meissner wrote: > > The subversion list has fixed a md5 collision attack possibility. > > > > http://mail-archives.apache.org/mod_mbox/subversion-dev/201407.mbox/%3C53DAB4A7.8030004%40reser.org%3E > > > > http://svn.apache.org/r1550691 > > http://svn.apache.org/r1550772 > > > > The referenced E-Mail speaks about CVE request, so not sure who > > will assign one. > > Already got one (the request was directed at security@...che.org who > hand them out to us): CVE-2014-3528. I believe the attack here is supposed to create a collision against MD5 sums used as names of files under ~/.subversion/auth/svn.simple/. However, as attacker does not control realm strings for any of the trusted repositories, that would require preimage attack. The lack of (publicly) known efficient preimage attacks against MD5 should imply such attack is still only theoretical. -- Tomas Hoger / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ