Opened at 2012-01-09T04:44:37Z
Last modified at 2012-01-19T05:56:19Z
#1654 closed defect
placeholder — at Version 1
Reported by: | warner | Owned by: | nobody |
---|---|---|---|
Priority: | supercritical | Milestone: | 1.9.1 |
Component: | code-mutable | Version: | 1.9.0 |
Keywords: | integrity mutable | Cc: | |
Launchpad Bug: |
Description (last modified by zooko)
This is the ticket where we will track the details of a failure of assurance of integrity. For now, here is the announcement:
Hash: SHA1
Dear Tahoe-LAFS Users:
Kevan Carstensen of the Tahoe-LAFS core team has discovered a security vulnerability in Tahoe-LAFS v1.9.0 which would allow a sufficiently clever attacker to corrupt the retrieval of mutable files or directories which are retrieved with v1.9.0 or, in some cases, to corrupt the stored copy of mutable files or directories which are updated with v1.9.0.
The recommended defensive action for all users is to downgrade to v1.8.3, or to refrain from using mutable files (either SDMF or MDMF) with 1.9.0.
A FAQ about downgrading from 1.9.0 to 1.8.3, which was written before we discovered this critical security vulnerability, is here:
https://tahoe-lafs.org/pipermail/tahoe-dev/2011-December/006905.html
The FAQ is no longer accurate about 1.9.0 being free of dangerous flaws, but it is still accurate about 1.8.3 being free of compatibility problems.
We'll be providing a patch soon. We are still writing tests for it and searching for other similar bugs and so on. Of course, as soon as we release the patch, this will inform any attackers of exactly what they could do to users of 1.9.0. Therefore, if there are any users who are especially security-sensitive, then they should downgrade to 1.8.3 before we release the patch, or else they should suspend their use of mutable files and directories until we released the patch and they've applied it.
Once we are ready to publish the details of the issue we will post them to this issue tracker ticket:
https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654
Please feel free to contact me with any questions or concerns, using GPG encryption. Please Cc: Brian Warner, David-Sarah Hopwood, and Kevan Carstensen on all such email.
Regards,
Zooko Wilcox-O'Hearn, on behalf of the Tahoe-LAFS core team
GPG fingerprints:
Brian Warner <warner-tahoe@…> 967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF David-Sarah Hopwood <david-sarah@…> 3D6A 08E9 1262 3E9A 00B2 1BDC 067F 4920 98CF 2762 Kevan Carstensen <kevan@…> 7E1E 99DB 97B1 DD5F 8154 5973 8E6B 2106 2425 D7AE Zooko Wilcox-O'Hearn <zooko@…> A60B 7EE1 7164 D0C5 F137 3868 5F22 F428 242B E85F
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
mQGiBEMB9ZARBACsDthnNvgj8ZnP33ViSgxg1ruCiuCGGStk06nLLFCiqgpym2sW 10DCajYcIbWw3LtPKetp14xj+p+4wvtej5+LP+gsQ5N+O9zLhaBAbc9aC7jn3xHE 2RsHPKbqvfCx/FNp3HvKRIhZdzRgKjFTRMp3O9DNcfD9/tgK8RPzVH75twCgzN3N 9oVoxGbfxAaToY1QAJeaDGED/3lw92sABU9SiFs8u3dJHsqEtWjVVAU1Ung2AeVp hF05OgRrPR3PpAaF2GsFOmf2dSiexk8uN+cleqX3sWgQ02hH+Ppv9hT1ycAOIMCE 31g6TTtLMpWTcAcyxecNBVU5XBYOfIsQzULS0v0WvUGAQfQ3GXxFwei3RMtUBLAR 7Xn+BACW66N9+u2V7N9wPCI2DjN7wZGQs2mH0Ngr/lDk1t4GHD6n6qRP1UczT5cf wLcn1T9DeBBCZ7G9qdkCl5/9zGEZ/oOs+qFxKQ/1r99HKDxl+v1Er88BSCaXJ0W8 iEu08agtTYVeSHa1yoRw/OYgeShyvAi6UiJNU80EtQOVxPR1WrQuWm9va28gTydX aGllbGFjcm9ueCAoSGFja2VyKSA8em9va29Aem9va28uY29tPohgBBMRAgAgAhsD Ah4BAheABQJJr8YEBgsJCAcDAgQVAggDBBYCAwEACgkQXyL0KCQr6F/ljACdH5YY Idzah/onhltusit9C3ZhCoAAnjtP2BCp45dKLgVtVNVYGDro0cx3tC9ab29rbyBX aWxjb3gtTydIZWFybiAoSGFja2VyKSA8em9va29Aem9va28uY29tPohgBBMRAgAg BQJJr8aZAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQXyL0KCQr6F/q/ACe IT1ra2rEo9DTvkyuyopMB+gmLGkAnRT5HlTzgWR5IWXebupMIM4+uBvQuQENBEMB 9ZEQBACEk0DKOZsds2a8+wgNzCnZwxJPtdJBXogwtTaB7XnvsqBrkTw12begWck/ 2k4PhNwHlrKszfz8tzhQGUuMiZqhrvDqhPozqIWWPSJtJgJSqS7OaFDJncNdFRDP 3aggkER9J2YjVB23Ig88zIFxvzh6b57MJZhnhJyqYE74DklZawADBQP/WyQTF1JT Iv4cbNDHNSihtp/Q+L0cNJvT23/4jAN/P1KCWui5M7QV4PBjjS6h/raXJ1gKh/G0 YXB8APbUvSNdVySVg3fBoNK/okcKspxUNTusK6it7gZ7PtMNvuOudiIbVrfjXQlQ s0gqDxht8aH0Br41+VsaTc8oaSLTUK7VdWqISQQYEQIACQUCQwH1kQIbDAAKCRBf IvQoJCvoX/rMAJ9QAMLP+zCP0Wmxw6MpQMjLqA4bRwCeO/TYWIA1onjBfV/qAYQ0 /U0x8sOZAaIESa2nNREEAKJ8GS7J2BpNkqVry+t0ZhB8+ziFyTflOID2kPFAej+4 ez/jMMzP4DU4zFmCFmwreZZMA+36WKLY4OsB77amm8PhY5D0DTEjYMFWJUi2j4Sn 7URPNT74wia0QamPRd80wnn2li+KNVImeGHkjzj9HXl1VaJO2vqoOyOEyAkvdscr AKCL/QCX7WPaHKar0VEabVISGMTt0QQAmLeZDCGaUhmAx2ymizhisqvO/v3wQCIw lLctxcQG/YE/c+NFrn29UNwpzpLbRH5KDDopNXfHfDs+haQXJ+AQ9iO5xyDfrumy cTpsN/K02kz2uiy9pfWQff7inUwhNGcigJEkW55+qbBmsmSf6cqDixIn9fuSQBQH PthDdiiNUz4D/iTvdwIiqYSF4bOBEcEtNEnMc0a+AnCi3pn3ZNu/vkKVXATXpHwE fIc4SwdTzkMERF5e6RF+PCtBS4BeSo5m9HgrG94RCu074EQG0YWlBowHfo76KwTD DYwMeKoIHArWkmz18CmDDnNXxGfDbCY4HVveCrTIEUl/+wUo2u94omNDtChCcmlh biBXYXJuZXIgKGVtYWlsKSA8d2FybmVyQGxvdGhhci5jb20+iGAEExECACAFAkmt pzUCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDUO0yccyJar1lvAKCGzZ4T VF7NbGc4wAmIKNuNjyn7zwCfYs6dcHujZY/C/846a87Ax7viCW25Ag0ESa2nNRAI AI9UFWTfqk/0ZgiBfkq/A8hsCl06oOhxjECLKt5dUmPzYio7YwL02xKfWH2geYx4 v2/QSHBOjF1UX91Deb4MReepD7uMcybVv0368vAIbj9Mvb1MNXKDKy39wm3aGbuJ WCLsEawOo/nDbrmGcIGAAgQenP08peGZzvCKkoSNxnxc4Z4KrygqgQBNKxNFM3ZR /zOU9w8F9qV76WwcSHYpX290Vq5oL2WBdRy7lkI586Lubv0TbiIFN9ebuTGwcuYl jT1QdJby8Ux8DdJOhb5TiliZ17R1C/M7290Gf7xZ4/CM01ty80oi25w8AoW0AjBL FuPu0twR4UfSy5EYFlg6g0sAAwYH/3m3BQHWMHcXqgLBh38V8cn4qSuNZEAkw4Mp HgDUJJJhWgV9HA4rU3TMBoR5IVcvSYn71tCJTgVzDq+Aid6PbOp5ovz9B8toKKmu 1vDzdd8NXSH0ymI1oPOL2GZ3Cge7WRkq7yGMfsoRGA87ObS/Siji6vwTSPx9rOc9 IhObIpNns9cdYqijXWtGDrmHw/VrNfd5hsgjg1ElWgnWoU4TEwNBxlp/XBLnUExf PmX2/up6/h3eAD7LfE47e2pmSfWeOSNfve42Fgevl7vf/7fHYaYP3hdnY8tO8Fvy 8XPwC1yuCQaOYRBTW9mXA98kttRPd4c+LUpIGILBxyDWUubXFiuISQQYEQIACQUC Sa2nNQIbDAAKCRDUO0yccyJar7oqAJ9PWosueCwCt8dXD2TO0h5hNXwY8gCfTlMw qfNtn6X8Gm0dRHQm2j1UhtCZAQ0ETX+nlwEIAL+XBjMjo1reeuHxUhFYNgBk1hlu Jl39Co1oPsFLLKM4zUR5/m6ooqcltsiBxE5waOlX+ha1evKxd7ykY6AM8QFcjq4l CGWbvSlO57493t5PlWBAyCBUc0WK15ZH6vcPPbvYPuW5tZDkiL3VrQcb9MsZ3CYE 0UWrFlpc22kYT+9QrgX1fGNtVgEp/ZTbWzfBoMAW7i6ZGstDB38zI7D+RMkenQDn Mjvt8+jj1XaDfw/7OTPnBmwCGw9sE3JgXbfLW1jUsURBbCYz1tNwVA/DOrMiVsdw 1eoezHlFdqmujAeAsm4PEQaoSDD30H4qah6TIPYEU6d1bWLFEGhczsHaLzMAEQEA AbQvRGF2aWQtU2FyYWggSG9wd29vZCA8ZGF2aWQtc2FyYWhAamFjYXJhbmRhLm9y Zz6JAT4EEwECACgFAk1/p5cCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4B AheAAAoJEAZ/SSCYzydiSwMH+wW4St0+QHHplPLk1arm0osCSxxFnXTTllu7bhuN M9GOjw+5d9Ns1NU2Za8G9oQ0p2Zk2htnS5f8vMk8p/UJDU84V0WntjSjcFToEW0r EtTxNfcNDdN0ZMUM9GOIrq7rkFVMtsgL+cKmB84kU6K5oxAHdoRsLg5IQgcAAfVZ /uZ+l6Huoxx7u/rDCG7CWlRqCXbfvCv9BREYHmDMC+MStwnklOT6xeRvPj34ryTO fhnMuSZAQlTtqXJku9ewrlJWdJCFu2+IhjXwQN1Abhbzprgp6A4Hzn5aot1njrjd /O2JKi/L8N2JSH/6xZzcbcDi2ub5au5T3/c0sso4+1+VXCe5AQ0ETX+nlwEIAKrt IH+d59ZShS1mtLim8dz+Mh/uM8aU2AmJSULht4IKpf1DfcnWp5Nz6V4slvqKpBr5 TvJbKhPmI62hhzudUwNvsNTsCESolcgEoSmNMzEjwb1IK1h+GKNa5KEF/pPxCfg1 yhA8ercRgaj8ss1Py0h/5/Y7sWCqEPHPujb0QGiNzSik1caSIXK2cieNqdLaz3+Q 6cPLzyOip5ZLxAoD7ae2fWUIUAEa7qCbAkh9GWw5Lv4RT8c+Gm5SINnpywHyoDNC e2cU4/3xWhPrGdgADMU8DWHFgN8FKOpWMrLqhVXbh45d8JvoGYyx1AfAVaFiQJsi e4z3waQlyf2tqmXPfH8AEQEAAYkBJQQYAQIADwUCTX+nlwIbDAUJCWYBgAAKCRAG f0kgmM8nYteMCACnD6PGPZnbspvQ2xAQAEK8b+Pq2jT6GQjrGoz8rthtcgj8PNCt +9gsah2vOV+HCzZ2vWfqZ7uegtfA/AoJQUnLY5cAxet/8fLmLRsJrBj3bDDQiGlL KL79JkcWyDZn6PZfrTdqg6rkjdLD4J56V50R5Yc7RWUnKcsdHldIEK2pB9lZjEQX cFVcN5q6ra0tE+Yj4xTqBQV049UHj/Qzci+FfyT+FIVbRvMA0cE159dvd3QpKADD WpONiXK3XNSmO6faiJ/dL2mLzJfg8CwmrosYowG4XzY3cAHNDWdc77WVpyAs2B5T YUmeq28HKjmhVVptvfN4Ik+VV2XPo6PW1XaTmQSuBE4Ds6ARDADcHG/8jznjC275 /cuDLUSKpcZqOMNf+A+ASw8LK895xoLJaySvYMbPzFpY+OO+VY8clw/c7NVnNUOs n2QprL02slTyN/+v1X9rnz0XsHI8G3dfZwTWYoxVdCosgEeaoinQLpn8OX2p+KVw J6llzYKBbDKnlcMFMarlzKFeHfT4z8Zg9XMtHXkjxCCQTfOwHgZWxmQSvQcmK5EN Dui7oRJQkPTdcTxMUe4gaCcuwQL7hHsaSfaDeX/mGoo7gNn9mPy/VrcHBNEZtWcQ C2KSVJpdyOAGZ4i6qzExWyWL72+/PO1dGttYh2+2hHDyXDMdaF0E01yOkQ8zX6GR zzLQIftnZvk7gj34ITouulTGwPGgF5X7JTpm+UVxPiZJdk4Q+XH3oUgzP8uiZbSY oVO+tgSForlmFAUYkB+N5M1wPxA3/6mVVomb64roK7QO+Wy7tkpZAdJsQU1h/cec sfu/y+UbIafJAUk6oBRdjxBRV3cKWvbG44ShUHo2jD8XSwNCdp8BAIAyGSN6qAW2 Ai9FSZ4CDhD6fhiuiubtn4wXbS3ZHtXtDACPel5qDFdh6UM1ayvIgrihIucAV3b7 2ruy+XR28Ep5KMIk/MTwynAkNZRXrH4C9HF2emYYOxBw1Q0XiR3qneI9/mV18P0x 7D/0NCeMzNPfavXFncEWVpVuUAsVp9aJU5FiCnMtozg/Xep3LD4hngSIg9P33q+I nVaPnBSUPtIBdIkcNq5n3R9TDTbr5XaZzd3A+VJcQios3S4yh4Hdzy4OR24L7BE5 GqfEF/irKqKd9jZAS2wQMY1dW/yGOPKSoaALSV4cIpyugBhtO2Ub4fWQ5jGAhSHz uj1M6IbsB/z/nMkM0uxqJH1EMbWWVJwaFcMbLhsvTnigwYwrHWzNVCpGRcedsBTz fZMIzUFEdZyde9LlbYEP3KEBVo+I+Sdv+aPvo336T8L4RO9Aqr0ONU3/PV8MnLVu fwbzwMFaQrLxQn7kBRsGLYWY3SDdugQ0P7HonMTFpASgnZtOUqvXavoJoyrgIKGD 1/8iRhBhmzNU4Hi28mKN5oDU4S7OfCW/OL8L/2P3uwmTpK9yKxAmgdQlm600wufO S8HbIOK+hNz88SCYBniHR7jbDegQx+XNZuSRQisjyCoO7scv5p51/O35qzs6aBSd gTIWH0AkUiDg3HJH1P1MXgYO38JikX+0zks3o50ESwF2U75FPw4Ys9kt0Xv9UuBN +lx3MyF3CX9ZoPtClP7PCtKl6pL7W0iMndSnGxMst8pgqvXwHMA4b9rC1rO+8ByG v5uYy65HIXIjHjf5RXFwXvdnz7Vt0iZqbMyyNGHkvQO/QMWRN7q+JTD9o+lxSkRT haKVqhimdggqtF2TSytwsXn/gax5hTqHvL4bpIjvP+m+ZTPzAm9eON+PmRZtkod2 xCHx3r7HU9CcVvZZ7HrMG1hEg2BPZgxpNqUoydzTIVVqZABgRyIZt0S7o8PDpxU8 7sN15GwVaWee7Yp05GifbYCMRw7s3bXKTT/U3iDvoXZNQ8NyVg4Yw46sFlcpIGoD VP76yeIWdcA2PhPLqfT8YgNhF2zH2UmpPD04dbQtS2V2YW4gQ2Fyc3RlbnNlbiA8 a2FjYXJzdGVuc2VuQGNzdXBvbW9uYS5lZHU+iIAEExEIACgFAk4Ds6ACGwMFCQHh M4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI5rIQYkJdeum7IA/j56gW+h zpqkKkzsZAnvJw0GX1R8KI3Ppai6Yn3sfUtoAP46mY+UxDf89AOhgOIe2ABJtJWb 385WIv4A/nTnnQT6QrkDDQROA7OgEAwAw/mLuVT7T+ooC2DLbPy9kQKHlyxQeJNR gBsVdh41QGOXOcsCUJ/6jtlpFJ+/PByTHLr6tL3z9cYyddp0mNpS3NV0+6eHpopV 1SAhHEBPlJuCtTFWj5BhXTqEHMkf12bGX8kBwJgpNcXJ4JOCItM8q7yVNUkr3988 xl2fUCVTT+vRw4N8KQUKy4rGpg3Vcp/QZwpNNrUyazo1VstcSfkIWImSVobeBuXT lCBozL0wZgB/WEH/9cXzLIJJbUBTxNaWXJmPXDR8CW/QUy/baQWUXui9OGyldqLL zJwWZp7Jw9i4XtgyXVMswNQJI9au+q9l8PCtZyZyM9CPznqBZ4Y371NMxle70e9q HjhfAqUdr5k7jDmSSKwLIyZGGK0VqLTetgLCUH2eld1PnrUastP3NHbxJuh8oa7C ZAt9y6HXi6hceUhV8/W1fPYxaE4Wj6E8Vlwzy7qqNzhygVZzE1B2A5uvNb+dVV+M x8s6b6EnkOPtRCUqB+SDDHfDQF3Y3AmPAAQNC/9PZ9SSb5YkH0DGrN4eSixn6J99 H2QsmO/e/dZEVyouRKmPehBcxyibqL0u9wzloJx0t5obFDgY7h02aAN3VUIEQL2V bf6Ol3n63TrKXX3INRfY9h2in42W1ba/p8BTj0vboZN+vRsadnODMiZZV1WF3uZw rXAHvjuGBbLEeZZB92DyVqCtmZN18AFlxxhfgZfoeyKXBtjImX64lfx2SE3YBfTu KyBgVJDhc8hljf5msnUEj3cQGu8f5K0e47Hwf5+IB6jhA0bzyPZVKQ63G05QWmnZ fs+XvNUykVcAAxOsXiTIRQvPQR/aLrQKtapNDEDtgT8FsANlEtHUjPi0JvE0gS/p +4+p3YOyK8VNgj7Yq2XI2BC7ZzHn2KACLkfhz7YbpnRDf6toCvaw14XVpBegY/l+ q4FHEW7rOjtwNSF8jj/qWoN01mfjHQtaOY33c1jeuMsrwq69aYAHsFszaGaappe+ q7A4NGrlmha7M7ssC5ArbpvTvJ6Djr3DuJ6DdgOIZwQYEQgADwUCTgOzoAIbDAUJ AeEzgAAKCRCOayEGJCXXriR4AP9YVdXBtZZHCjfuT+6CU09nvPvLeOf1vWa+t2Rr 767UpAD/Sukn7pceESBqLMLOPDfgEoYLJ7/ZjPJDEmYRDnXG5JE= =EbMb?
- -----END PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8KjpAACgkQXyL0KCQr6F/PUACfb9EZeqIyehgB7wSoZqHvRgJn vIIAoMwVD3cKaJfuwI6KEAURD0to+qAT =XB1s
Change History (2)
comment:1 Changed at 2012-01-09T06:54:32Z by zooko
- Description modified (diff)
- Keywords integrity added
- Milestone changed from undecided to 1.9.1
- Priority changed from major to supercritical