Package: tahoe-lafs
Version: 1.8.2-3
Severity: important
Tags: security

Upstream released a new minor version after the discovery of a vulnerability in the 1.8.2 and older versions.
Here's the announcement explaining the insights:

Dear Security Team,

The Tahoe-LAFS core team has discovered a bug in Tahoe-LAFS v1.8.2 and all earlier versions starting with Tahoe-LAFS v1.3.0 that could allow users to unauthorizedly delete immutable files in some cases.

In Tahoe-LAFS, each file is encoded into a redundant set of "shares" (like in RAID-5 or RAID-6), and each share is stored on a different server. There is a secret string called the "cancellation secret" which is stored on the server by being appended to the end of the share data. The bug is that the server allows a client to read past the end of the share data and thus learn the cancellation secret. A client which knows the cancellation secret can use it to cause that server to delete the shares it stores of that file.

We have prepared a set of patches (attached) which do three things:

1. Fix the bounds violation in reading of immutable files which allowed the clients to learn the cancellation secrets.

2. Remove the function which takes a cancellation secret and deletes shares. This function (named "remote_cancel_lease") was not actually used, as all users currently rely on a different mechanism for deleting unused data (a garbage collection mechanism in which unused shares get deleted by the server once no client has renewed its lease on them in more than a month).

3. Fix some similar bounds violations in mutable files that could potentially lead to a similar vulnerability. This vulnerability is probably not a concern in practice, because it doesn't arise unless the legitimate, authorized client deliberately writes a "hole" into the mutable file (by seeking past the end of the current data and not writing over all the bytes thus uncovered). No extant version of Tahoe-LAFS does this, so presumably no legitimate user would be exposed to that vulnerability.
We intend to release and announce Tahoe-LAFS v1.8.3, containing only these bugfixes compared to Tahoe-LAFS v1.8.2, and we'd like to synchronize with you as much as possible in order to minimize the window of time after this issue is publicly known and before Tahoe-LAFS users can easily upgrade to a fixed version.

The patches backport cleanly to Tahoe-LAFS v1.7.1 and to Tahoe-LAFS v1.6.1, which had exactly the same issues. We would actually encourage you to upgrade any older stable releases of Tahoe-LAFS to the latest v1.8.3, because our very strong policy of backward compatibility and quality control means that this is unlikely to impose any surprises on your users. Nonetheless, we recognize that you may prefer to backport the patches to older versions of Tahoe-LAFS that you maintain.

Please let us know how to facilitate your adoption of these security fixes. We intend to release these new versions of Tahoe-LAFS as soon as possible -- hopefully by the end of Tuesday, the 13th of September, 2011.

Regards,

Zooko Wilcox-O'Hearn
on behalf of the Tahoe-LAFS team
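
The bounds violation described in the announcement, as an added example that is not part of the original message or of Tahoe-LAFS's code: a simplified model in which a secret is appended directly after the share data, with an unchecked read beside a read clamped to the data length. The container layout, SECRET_LEN and all function names are assumptions made for illustration.

```python
import io
import os

SECRET_LEN = 32  # assumed secret size for this model, not taken from the page


def build_share(data: bytes, cancel_secret: bytes) -> io.BytesIO:
    """Model container: share data, then the secret appended after it."""
    return io.BytesIO(data + cancel_secret)


def read_unchecked(container, data_len, offset, length):
    """Behaviour the announcement describes: no upper bound on the read.

    data_len is accepted but ignored, which is the defect being modelled.
    """
    container.seek(offset)
    return container.read(length)


def read_bounded(container, data_len, offset, length):
    """Clamp every read to [0, data_len) so trailing bytes are unreachable."""
    if offset < 0 or length < 0:
        raise ValueError("offset and length must be non-negative")
    allowed = max(0, min(length, data_len - offset))
    if allowed == 0:
        return b""
    container.seek(offset)
    return container.read(allowed)


def demo():
    data = b"constructed share data block"   # constructed sample input
    secret = os.urandom(SECRET_LEN)          # constructed stand-in secret
    share = build_share(data, secret)
    n = len(data)
    leaked = read_unchecked(share, n, n, SECRET_LEN)  # reads past the data
    safe_tail = read_bounded(share, n, n, SECRET_LEN)  # starts at end: empty
    safe_span = read_bounded(share, n, n - 5, 100)     # truncated at data end
    return leaked == secret, safe_tail, safe_span


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug asks for a range that starts inside the data and extends past it, then checks that the returned length never exceeds the data length minus the offset.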