Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 04 Aug 2014 23:56:40 -0700
From: Ben Reser <>
To: OSS Security List <>
Subject: Re: Re: Possible CVE request: subversion MD5 collision
 authentication leak

On 8/4/14 6:38 PM, Michael Samuel wrote:
> Just to clarify - does the attacker have control of both $REALM parameters?

Only their own server.  If they had access to the server they were attacking
they would presumably have access to the repository directly and could do
anything they wanted already.

> A chosen prefix collision still requires the attacker provide both
> inputs (or at-least the suffix to both inputs).

I stand corrected.  Re-read the documentation at the link I shared earlier and
you're right you need to be able to modify the suffix on both sides of the

Which means that yes this is theoretical.

Thanks for setting me right.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.