[tahoe-lafs-trac-stream] [tahoe-lafs] #1528: escalation of authority from knowing a storage index to being able to delete corresponding shares (was: placeholder ticket)

Tue Sep 13 11:48:36 PDT 2011

#1528: escalation of authority from knowing a storage index to being able to
delete corresponding shares
-------------------------+-------------------------------------------------
     Reporter:  zooko    |      Owner:  davidsarah
         Type:  defect   |     Status:  new
     Priority:           |  Milestone:  1.8.3
  critical               |    Version:  1.9.0a1
    Component:  code-    |   Keywords:  security preservation anti-
  storage                |  censorship storage leases
   Resolution:           |
Launchpad Bug:           |
-------------------------+-------------------------------------------------
Changes (by davidsarah):

 * owner:  nobody => davidsarah
 * status:  reopened => new

Old description:

> I want to know what ticket # I'm going to get when I open this ticket.

New description:

 The Tahoe-LAFS core team has discovered a bug in Tahoe-LAFS v1.8.2 and all
 earlier versions starting with Tahoe-LAFS v1.3.0 that could allow users to
 unauthorizedly delete immutable files in some cases.

 In Tahoe-LAFS, each file is encoded into a redundant set of "shares" (like
 in RAID-5 or RAID-6), and each share is stored on a different server.
 There is a secret string called the "cancellation secret" which is stored
 on the server by being appended to the end of the share data. The bug is
 that the server allows a client to read past the end of the share data and
 thus learn the cancellation secret. A client that knows the cancellation
 secret can use it to cause that server to delete the shares it stores of
 that file.

 We have prepared a set of patches that do three things:

 1. Fix the bounds violation in reading of immutable files that allowed the
 clients to learn the cancellation secrets.

 2. Remove the function that takes a cancellation secret and deletes
 shares. This function (named "remote_cancel_lease") was not actually used,
 as all users currently rely on a different mechanism for deleting unused
 data (a garbage collection mechanism in which unused shares get deleted by
 the server once no client has renewed its lease on them in more than a
 month).

 3. Fix some similar bounds violations in mutable files that could
 potentially lead to similar vulnerability. This vulnerability is probably
 not a concern in practice, because it doesn't arise unless the legitimate,
 authorized client deliberately writes a "hole" into the mutable file (by
 seeking past the end of the current data and not writing over all the
 bytes thus uncovered). No extant version of Tahoe-LAFS does this, so
 presumably no legitimate user would be exposed to that vulnerability.

--

Comment:

 Reassigning to me to apply the fix to trunk.

-- 
Ticket URL: <http://tahoe-lafs.org/trac/tahoe-lafs/ticket/1528#comment:5>
tahoe-lafs <http://tahoe-lafs.org>
secure decentralized storage