[darcs-users] patch file naming

Zooko O'Whielacronx zooko at zooko.com
Fri Mar 19 17:15:31 UTC 2004


I'm trying to understand the potential problem.

Darcs decides whether a patch has already been applied by comparing the patch's
"name", which is a secure hash of some metadata.

Since the name is not (perhaps cannot be) securely bound to the actual
contents of the patch, an attacker could trick a darcs repository into thinking
that it had applied a patch, when instead it had applied a different patch of
the same name.

This could open up the way for a malicious person to insert code into my source
code which is different than the code I think he is inserting.  That is: he
could send me a darcs patch, I could examine it and conclude that it does
something safe and useful, and apply it to my repository, but because the
repository has been corrupted by an earlier application of a misnamed patch,
when I apply it the result is different than I expected.

That this could be a real problem is demonstrated by the recent unsuccessful
attempt to introduce a backdoor into the Linux kernel source:

http://lwn.net/Articles/57135/

Judging by that article, the only reason the backdoor was discovered was that
the attacker pushed it into CVS, and CVS is never used for incoming changes to
the Linux kernel -- it is only used as a read-only mirror of the BitKeeper
stuff.

Is this all correct so far?

Regards,

Zooko
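As an added illustration of the failure mode described above (this is not from Zooko's message or from darcs itself), the following Python model names patches two ways: from metadata alone, and with the patch body folded into the hash. The field names, the repository structure and the sample patch bodies are constructed assumptions, not the real darcs format.

```python
import hashlib

# Constructed, simplified model of patch naming; the real darcs name
# format is NOT reproduced here (assumption for illustration only).


def metadata_name(author: str, date: str, title: str, _body: str) -> str:
    """Name derived from metadata alone; the body is ignored entirely."""
    return hashlib.sha256(f"{author}\n{date}\n{title}".encode()).hexdigest()


def content_bound_name(author: str, date: str, title: str, body: str) -> str:
    """Name that also commits to the body, so two patches with identical
    metadata but different contents get different names."""
    h = hashlib.sha256()
    for field in (author, date, title, body):
        # Length-prefix each field so field boundaries cannot be shifted.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field.encode())
    return h.hexdigest()


class Repo:
    """A repository that decides 'already applied' by patch name only."""

    def __init__(self, namer):
        self.namer = namer      # function computing a patch's name
        self.applied = {}       # name -> body that was actually applied

    def apply(self, author: str, date: str, title: str, body: str) -> bool:
        """Return True if applied, False if the name was already present."""
        name = self.namer(author, date, title, body)
        if name in self.applied:
            return False        # treated as a duplicate, whatever the body
        self.applied[name] = body
        return True


def demo(namer):
    """Apply a misnamed patch first, then the honest patch carrying the
    same metadata. Returns (honest_patch_applied, bodies_in_repo)."""
    meta = ("alice@example.invalid", "20040319171531", "Fix typo in README")
    hostile = "typo fix plus an extra change"   # constructed body
    honest = "typo fix only"                    # constructed body
    repo = Repo(namer)
    repo.apply(*meta, hostile)
    honest_applied = repo.apply(*meta, honest)
    return honest_applied, sorted(repo.applied.values())
```

With metadata-only naming the honest patch is silently skipped and the repository keeps the other body; with the content-bound name the two are distinct and both are recorded.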