On Wed, 30 Dec 2015 19:38:35 +0100
Björn Persson <Bjorn(a)xn--rombobjrn-67a.se> wrote:
Tim Lauridsen wrote:
> How do i handle a situation where someone, without my knowledge
> uploads new sources to one of my projects. It could be a security
> problem ?
While I trust that Francesco had only good intentions, the general
question remains: Is it possible to modify a package without commit
access by uploading a modified source tarball to the lookaside cache?
Not that I can see.
Without commit access to Git the attacker couldn't edit the
sources
file, so – assuming that everything that uses the lookaside cache
bothers to verify the checksum – the attacker would have to forge a
tarball that has the same MD5 hash as the original. That is an attack
on the second-preimage resistance of MD5.
I don't think even that would work, as you cannot upload new sources
with the same md5sum as an existing upload. It would just tell you
it's already uploaded.
Practical collision attacks on MD5 have existed for more than a
decade, but to the best of my knowledge no practical second-preimage
attack is known yet. Thus it's probably not practically possible to
do this at this time, except maybe to certain well-funded government
agencies around the world, who may have made further advances
attacking MD5 than the open cryptographic community has.
But still, why are we still using MD5?
It's being worked on, we just haven't gotten there yet...
See:
https://fedorahosted.org/rel-eng/ticket/5846
kevin