Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 04 Aug 2014 23:56:40 -0700
From: Ben Reser <>
To: OSS Security List <>
Subject: Re: Re: Possible CVE request: subversion MD5 collision
 authentication leak

On 8/4/14 6:38 PM, Michael Samuel wrote:
> Just to clarify - does the attacker have control of both $REALM parameters?

Only their own server.  If they had access to the server they were attacking
they would presumably have access to the repository directly and could do
anything they wanted already.

> A chosen prefix collision still requires the attacker provide both
> inputs (or at-least the suffix to both inputs).

I stand corrected.  Re-read the documentation at the link I shared earlier and
you're right you need to be able to modify the suffix on both sides of the

Which means that yes this is theoretical.

Thanks for setting me right.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.