612222 – <dev-vcs/subversion-{1.8.18, 1.9.6}: SHA-1 collision causes repository breakage

Bug 612222 - <dev-vcs/subversion-{1.8.18, 1.9.6}: SHA-1 collision causes repository breakage

Summary: <dev-vcs/subversion-{1.8.18, 1.9.6}: SHA-1 collision causes repository breakage

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2017-03-10 16:31 UTC by Agostino Sarubbo
Modified:	2017-09-01 17:52 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-03-10 16:31:33 UTC

From ${URL} :

It was found that commiting a file with the same SHA-1 hash as a file already in the repository would break the repository.

Upstream bug:

https://issues.apache.org/jira/browse/SVN-4673

Upstream patches:

https://svn.apache.org/viewvc?view=revision&revision=1785053
https://svn.apache.org/viewvc?view=revision&revision=1785734
https://svn.apache.org/viewvc?view=revision&revision=1785737
https://svn.apache.org/viewvc?view=revision&revision=1785738
https://svn.apache.org/viewvc?view=revision&revision=1785754

References:

https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/
https://lists.webkit.org/pipermail/webkit-dev/2017-February/028795.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2017-09-01 17:52:58 UTC

GLSA Vote: No