security flaw in Tahoe-LAFS could lead to unauthorized deletion of files

To apply this darcs patch bundle:

$ darcs get --lazy http://tahoe-lafs.org/source/tahoe-lafs/1.8.2
$ cd 1.8.2
$ darcs apply 1.8.3.dpatch

unified diff coming soon

This diff is against v1.8.2 of Tahoe-LAFS.

Thanks for reporting this bug and attaching a patch.

Since tahoe-lafs is in Universe in Ubuntu, it is community maintained, and not supported by the Ubuntu security team.

debdiffs that fix this issue for each Ubuntu release need to be attached to this bug, at which point the security team will publish the update.

See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

We're making a full new release -- Tahoe-LAFS v1.8.3 -- which will be the intended successor to Tahoe-LAFS v1.8.2 (currently in natty and oneiric). Would you consider upgrading Tahoe-LAFS in Lucid and Maverick to 1.8.3? I would recommend it -- there are no backward compatibility problems and no reason to think that the upgrade would introduce significant new bugs for Lucid or Maverick users.

If not, we need someone to volunteer to apply the patch to 1.6.1 and 1.7.1. The patches apply cleanly (excepting the parts of the patches that are changing the version number and the release notes which include the version number). This volunteer would also need to change the embedded version number, as well as the Ubuntu/Debian package version number.

Okay, we've built 1.8.3 package and posted it here: http://tahoe-lafs.org/source/tahoe-lafs/snapshots/allmydata-tahoe-1.8.3.zip

But we haven't linked it into the "releases" directory yet nor announced it to the public.

So it is now detectable by someone who is looking, but isn't widely known yet.

Here is the release announcement and instructions:

http://tahoe-lafs.org/trac/tahoe-lafs/browser/1.8.3/relnotes.txt

I reviewed these patches and they are correct.

Unfortunately some of the documentation patches from the Tahoe-LAFS v1.8.3 release have been omitted. I would be willing to do some work to add those back in so that people who get one of these versions get correct and up-to-date docs with it.

Here are the docs patches:

Changes to known_issues.rst:

http://tahoe-lafs.org/trac/tahoe-lafs/changeset/20110912223135-92b7f-b7ca2ee4e8e6e91f8d62efc3d210addc6b5f9d75/1.8.3#file1

This is important to me! I would like for users who look at a known_issues.rst file to find out about all of the issues that we knew of when we gave them that file. And it definitely won't cause any bug if we add a patch that updates that file.

NEWS:

http://tahoe-lafs.org/trac/tahoe-lafs/changeset/20110912223246-92b7f-e4296327422753a83229688fa56aadafb05839a4/1.8.3#file0

and

http://tahoe-lafs.org/trac/tahoe-lafs/changeset/20110912223329-92b7f-31ba97415740d2a3294e4d338b05c57f0e9e9fb1/1.8.3#file0

I would also prefer if this file were updated.

Those are the only two changes I would request.

I understand, from something that Julian Taylor said on IRC, that it could be kind of weird if the Ubuntu package of Tahoe-LAFS v1.6.1-0ubuntu3 came with a NEWS file describing changes that the NEWS file says are in "1.8.3" when in fact those changes are in 1.6.1-0ubuntu3. I know that's why there exists the changelog.Debian.gz. So, let's leave the NEWS file changes out but still add a patch to update the known_issues.rst file. Can we do that?

We're going to announce Tahoe-LAFS v1.8.3 to the world within a couple of hours so I'd like to move this ticket as far along as possible before then.

Thanks!

Okay, we're proceeding to announce Tahoe-LAFS v1.8.3.

Here is the announcement: http://tahoe-lafs.org/pipermail/tahoe-dev/2011-September/006675.html

The attachment "darcs patch bundle to be applied to the darcs version 1.8.2" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

@Julian: are you planning on updating your branches to add the known_issues.rst changes? If you do, I'll release these as security updates.

I'm subscribing ubuntu-security-sponsors so this bug gets tracked.

I don't really see the point in documenting a "known issue" which does not exist anymore, it will just confuse people in thinking the packaged version is vurnable as it will be <= 1.8.2
But feel free to add it when you are sponsoring.

as the upgrade was screwed up in debian I'll also prepare a branch for oneiric which can be synced when debian is fixed.

That's a good point, Julian. I think it is important to let people know that they *have* been vulnerable to something, in case they need to take the opportunity to double-check whether they *were* actually exploited, or in case it lets them know that they need to upgrade or take defensive action on other installations, or advise someone else to do so.

I guess a possible compromise would be to remove known_issues.rst from the distribution. I just checked and the only mentions of it in the other docs point to the current version of it on the web:

http://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/known_issues.rst

Here are all the hits for "grep -r known_issues ." in my 1.8.3 sandbox:

docs/how_to_make_a_tahoe-lafs_release.rst:[✓] 1 update doc files: `<../relnotes.txt>`_, `<../CREDITS>`_, `<known_issues.rst>`_, `<../NEWS>`_. Add release name and date to top-most item in NEWS.
docs/known_issues.rst:`<http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/known_issues.rst>`_.
docs/known_issues.rst:<historical/historical_known_issues.txt>`_.
docs/historical/historical_known_issues.txt:http://tahoe-lafs.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt
docs/historical/historical_known_issues.txt:http://tahoe-lafs.org/source/tahoe/trunk/docs/known_issues.rst
relnotes.txt:[2] and known_issues.rst [3] file for details.
relnotes.txt:please see the known_issues.rst file [3].)
relnotes.txt:[3] http://tahoe-lafs.org/trac/tahoe/browser/docs/known_issues.rst

So I guess you could remove docs/known_issues.rst and docs/how_to_make_a_tahoe-lafs_release.rst. The latter one is clearly not needed by users and which isn't mentioned by any other document in the source tree.

Updated package are currently building and will be released shortly. Thanks!

This bug was fixed in the package tahoe-lafs - 1.8.3-0ubuntu1

---------------
tahoe-lafs (1.8.3-0ubuntu1) oneiric; urgency=low

  * New upstream release.
    Fixes unauthorized deletion vulnerability (LP: #848476)
  * refresh patches
 -- Julian Taylor <email address hidden> Thu, 15 Sep 2011 19:24:02 +0200

This bug was fixed in the package tahoe-lafs - 1.8.2-0ubuntu1.1

---------------
tahoe-lafs (1.8.2-0ubuntu1.1) natty-security; urgency=high

  * SECURITY UPDATE: fix unauthorized deletion (LP: #848476)
    a person who knows the "storage index" that identifies an immutable
    file can cause the server to delete its shares of that file.
    - backported from upstream version 1.8.3
  * http://tahoe-lafs.org/source/tahoe-lafs/snapshots/allmydata-tahoe-1.8.3.zip
 -- Julian Taylor <email address hidden> Tue, 13 Sep 2011 22:37:02 +0200

This bug was fixed in the package tahoe-lafs - 1.7.1-0ubuntu1.1

---------------
tahoe-lafs (1.7.1-0ubuntu1.1) maverick-security; urgency=high

  * SECURITY UPDATE: fix unauthorized deletion (LP: #848476)
    a person who knows the "storage index" that identifies an immutable
    file can cause the server to delete its shares of that file.
    - backported from upstream version 1.8.3
  * http://tahoe-lafs.org/source/tahoe-lafs/snapshots/allmydata-tahoe-1.8.3.zip
 -- Julian Taylor <email address hidden> Tue, 13 Sep 2011 22:37:02 +0200

This bug was fixed in the package tahoe-lafs - 1.6.1-0ubuntu2.1

---------------
tahoe-lafs (1.6.1-0ubuntu2.1) lucid-security; urgency=high

  * SECURITY UPDATE: fix unauthorized deletion (LP: #848476)
    a person who knows the "storage index" that identifies an immutable
    file can cause the server to delete its shares of that file.
    - backported from upstream version 1.8.3
  * http://tahoe-lafs.org/source/tahoe-lafs/snapshots/allmydata-tahoe-1.8.3.zip
 -- Julian Taylor <email address hidden> Tue, 13 Sep 2011 22:37:02 +0200

Thank you very much for your work on this, Julian Taylor, Bert Agaz, Marc Deslauriers, and Micah Anderson!

If someone wants to update this wiki page to link to the current version of Tahoe-LAFS in Ubuntu, that would be good:

http://tahoe-lafs.org/trac/tahoe-lafs/wiki/OSPackages

Also to add or remove your name from that page as desired. People (including me) may use that page to find the name and email address of who to contact about future packaging issues. Thank you very much!