From: Petr Praus <petr@praus.net>
Date: Mon, 1 Apr 2013 13:28:28 -0500
Message-ID: <CACezXZ94oDX1O7y7cgh+HvDj4QiDWmy1NVQ4Ahq=gmzhgmUaHQ@mail.gmail.com>
In-Reply-To: <CAKaEYhK5ZzP8scbhyzkEU+WdWjwMBDzkgF+SrC-Mdjgo9G9RnA@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] bitcoin pull requests

An attacker would have to find a collision between two specific pieces of
code - his malicious code and a useful innocuous code that would be
accepted as a pull request. This is the second, much harder case in the
birthday problem. When people talk about SHA-1 being broken they actually
mean the first case in the birthday problem - find any two arbitrary values
that hash to the same value. So, no, I don't think it's a feasible attack
vector any time soon.

Besides, with that kind of hashing power, it might be more feasible to
cause problems in the chain by e.g. constantly splitting it.


On 1 April 2013 03:26, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> I was just looking at:
>
> https://bitcointalk.org/index.php?topic=4571.0
>
> I'm just curious if there is a possible attack vector here based on the
> fact that git uses the relatively weak SHA1
>
> Could a seemingly innocuous pull request generate another file with a
> backdoor/nonce combination that slips under the radar?
>
> Apologies if this has come up before ...

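As an added example (not part of the thread above and not code from the git project), the following Python script makes the distinction in the reply concrete. It hashes inputs the way git hashes a blob object ("blob <size>\0" followed by the content) and then runs both searches against a deliberately truncated hash so that they finish in seconds: a birthday search for any two inputs that collide (the "first case"), and a search for a second input matching one fixed target (the "second case"). The candidate inputs, the target file and the 16-bit truncation are constructed for the demonstration.

```python
import hashlib
import math


def git_blob_hash(content: bytes) -> bytes:
    """SHA-1 of a git blob object: the header 'blob <size>\\0' precedes the content."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).digest()


def truncated_hash(content: bytes, bits: int) -> int:
    """Leading `bits` bits of the blob hash; the truncation (an assumption of this
    demo) shrinks the search space so both attacks can be run in full."""
    digest = int.from_bytes(git_blob_hash(content), "big")
    return digest >> (160 - bits)


def candidate(i: int) -> bytes:
    # Constructed inputs: the same source file with a varying trailing comment.
    return b"int main(void) { return 0; }\n/* revision %d */\n" % i


def birthday_collision(bits: int):
    """First case of the birthday problem: any two distinct inputs whose
    truncated hashes agree. Returns (input_a, input_b, trials)."""
    seen = {}
    i = 0
    while True:
        i += 1
        c = candidate(i)
        h = truncated_hash(c, bits)
        if h in seen:
            return seen[h], c, i
        seen[h] = c


def second_preimage(target: bytes, bits: int, max_trials: int):
    """Second case: an input other than a fixed `target` with the same truncated
    hash. Returns (match_or_None, trials); None means the cap was exhausted."""
    goal = truncated_hash(target, bits)
    for i in range(1, max_trials + 1):
        c = candidate(i)
        if c != target and truncated_hash(c, bits) == goal:
            return c, i
    return None, max_trials


def expected_trials(bits: int):
    """Analytic expectations for a `bits`-bit hash: about sqrt(pi/2 * 2^bits)
    trials for a birthday collision, about 2^bits for a second preimage."""
    space = 2 ** bits
    return math.sqrt(math.pi / 2 * space), float(space)


if __name__ == "__main__":
    bits = 16
    a, b, n_birthday = birthday_collision(bits)
    # Constructed target: a file fixed by someone else, which the searcher may not alter.
    target = b"#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }\n"
    match, n_preimage = second_preimage(target, bits, max_trials=4 * 2 ** bits)
    exp_birthday, exp_preimage = expected_trials(bits)
    print(f"{bits}-bit truncation: collision after {n_birthday} trials "
          f"(expected ~{exp_birthday:.0f})")
    if match is None:
        print(f"no second preimage within {n_preimage} trials "
              f"(expected ~{exp_preimage:.0f})")
    else:
        print(f"second preimage after {n_preimage} trials "
              f"(expected ~{exp_preimage:.0f})")
```

The gap the reply relies on is the difference between the two expectations: roughly 2^(n/2) trials for a collision versus 2^n for a second preimage, so at 16 bits the birthday search typically ends after a few hundred candidates while the second-preimage search takes tens of thousands. Which case applies to a pull request depends on who fixes the first input: a target authored by someone else means a second-preimage search, whereas a searcher who writes both the benign and the altered file is solving the easier collision problem. On the defender's side, git has shipped the sha1collisiondetection ("sha1dc") implementation since version 2.13, which rejects objects built with the known SHA-1 collision construction, and a migration of the object format to SHA-256 is under way.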