LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
The Tahoe secure filesystem
The Tahoe filesystem is designed as a secure, distributed filesystem that is available as free software. Tahoe is also designed for fault tolerance so that data remains available even in the presence of missing or malicious peers. In March, the project released a 1.0 version which makes this a good time to take a peek.
The basics of Tahoe are somewhat similar to GNUnet or Freenet in that the data is encrypted and spread around to multiple nodes in the network. Unlike those, though, Tahoe does not seek to provide anonymity. The nodes making up a Tahoe filesystem are called a "grid". Grids consist of some number of peers acting as storage server nodes along with an "introducer" that knows all of the other nodes and is the central point of contact for the grid.
Files are stored in Tahoe by first being encrypted on the local machine using AES. They are then broken into "shares", ten by default, that are distributed to different servers in the grid. Before that happens, though, the encrypted file is encoded in such a way that the whole file can be recovered even if only a subset of the shares can be retrieved.
This encoding, known as "erasure coding", is the key to the fault-tolerance of the Tahoe system. By default, Tahoe encodes the shares such that retrieving three of the ten is sufficient to recover the entire file. It also increases the size of the file by the expected 10/3 ratio.
The suggested use case for Tahoe is a "friendnet" where some group of friends share their storage with each other in a way that reduces or eliminates the need for backups. Tahoe also has ways to share data in either read-only or read-write (immutable or mutable in Tahoe-speak) modes. Tahoe is used as a commercial backup system by Allmydata, sponsor of the Tahoe project.
Tahoe is designed to be secure, which means that it protects the integrity and confidentiality of the data stored in it. SHA-256 is used extensively to ensure consistency of the plaintext, ciphertext, and shares. Files stored in the system are identified by long identifiers called capabilities, that look something like:
URI:CHK:yeyur23dw7cg3mxmsl2kiqvtt4:sdtrgczwtntzyfg2uapbfytxvyqsn45j4jpgrhcey7ebzpaoznya:3:10:107833344For mutable files, there are two versions of the capability, one that allows only reading, while the other allows writing as well. Anyone who does not have a capability string for a particular file cannot access it at all.
Multiple user interfaces are available for Tahoe, including a web interface, a command-line interface, a FUSE extension and a web API. Tahoe is written in Python, using some C extensions for efficiency. It uses the Twisted framework for event handling, pycryptopp (a Python interface to the Crypto++ library) for its encryption needs, and zfec for the erasure coding. All of the Tahoe code is available under the GPL.
Installing Tahoe was fairly straightforward—there were a few hiccups which have since been resolved—using the installation guide. Joining the test grid was as easy as putting an introducer identifier into a file and starting Tahoe from the command line. In some basic testing, it seems to work quite well, overall, though it did not seem to use available bandwidth as efficiently as it might.
This brief overview only scratches the surface of the information available about Tahoe; there is much more on the documentation page. For anyone interested in distributed, secure, and/or fault-tolerant filesystems, Tahoe is definitely worth a look.
New vulnerabilities
asterisk: denial of service
| Package(s): | asterisk | CVE #(s): | CVE-2008-1897 | |||||||||
| Created: | April 29, 2008 | Updated: | April 30, 2008 | |||||||||
| Description: | From the CVE entry: The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923. | |||||||||||
| Alerts: |
| |||||||||||
blender: buffer overflows, temp file issues
| Package(s): | blender | CVE #(s): | CVE-2008-1102 CVE-2008-1103 | |||||||||||||||
| Created: | April 25, 2008 | Updated: | May 15, 2008 | |||||||||||||||
| Description: | From the SUSE advisory: The rendering program Blender was affected by buffer overflows in the RGBE header file parsing (CVE-2008-1102) and some temporary file issues (CVE-2008-1103). | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
comix: denial of service
| Package(s): | comix | CVE #(s): | CVE-2008-1796 | |||
| Created: | April 28, 2008 | Updated: | April 30, 2008 | |||
| Description: | From the CVE entry: Comix 3.6.4 creates temporary directories with predictable names, which allows local users to cause an unspecified denial of service. | |||||
| Alerts: |
| |||||
IBM java: arbitrary file write
| Package(s): | IBMJava2,IBMJava5,java-1_4_2-ibm,java-1_5_0-ibm | CVE #(s): | CVE-2007-5236 | |||
| Created: | April 25, 2008 | Updated: | April 30, 2008 | |||
| Description: | From the SUSE advisory: An untrusted Java Web Start application may write arbitrary files with the privileges of the user running the application. | |||||
| Alerts: |
| |||||
jrockit: multiple vulnerabilities
| Package(s): | jrockit | CVE #(s): | ||||
| Created: | April 24, 2008 | Updated: | April 30, 2008 | |||
| Description: | From the Gentoo alert: A remote attacker could entice a user to run a specially crafted applet on a website or start an application in Java Web Start to execute arbitrary code outside of the Java sandbox and of the Java security restrictions with the privileges of the user running Java. The attacker could also obtain sensitive information, create, modify, rename and read local files, execute local applications, establish connections in the local network, bypass the same origin policy, and cause a Denial of Service via multiple vectors. | |||||
| Alerts: |
| |||||
kdelibs: arbitrary code execution
| Package(s): | kdelibs | CVE #(s): | CVE-2008-1671 | |||||||||||||||
| Created: | April 28, 2008 | Updated: | May 9, 2008 | |||||||||||||||
| Description: | From the KDE advisory: start_kdeinit is a wrapper to launch kdeinit with a lower OOM score on Linux. This helper is used to ensure that a single KDE application triggering the Linux kernel OOM killer does not kill the whole KDE session. By default, start_kdeinit is installed as setuid root. The start_kdeinit processing of user-influenceable input is faulty. If start_kdeinit is installed as setuid root, a local user might be able to send unix signals to other processes, cause a denial of service or even possibly execute arbitrary code. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdelibs4: buffer overflow in KHTML's image loader
| Package(s): | kdelibs4 | CVE #(s): | CVE-2008-1670 | |||||||||||||||||||||||||||||||||||||||
| Created: | April 29, 2008 | Updated: | May 9, 2008 | |||||||||||||||||||||||||||||||||||||||
| Description: | From Fedora bug 443766: The new progressive PNG Image loader in KHTML of KDE 4.0 and newer can be tricked into overrunning a heap allocated memory buffer by loading a specially encoded image. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
kronolith2: cross-site scripting
| Package(s): | kronolith2 | CVE #(s): | CVE-2008-1974 | |||||||||
| Created: | April 28, 2008 | Updated: | June 11, 2008 | |||||||||
| Description: | From the Debian advisory: "The-0utl4w" discovered that the Kronolith, calendar component for the Horde Framework, didn't properly sanitise URL input, leading to a cross-site scripting vulnerability in the add event screen. | |||||||||||
| Alerts: |
| |||||||||||
ldm: authentication bypass/information disclosure
| Package(s): | ldm | CVE #(s): | CVE-2008-1293 | ||||||
| Created: | April 28, 2008 | Updated: | May 7, 2008 | ||||||
| Description: | From the Debian advisory: Christian Herzog discovered that within the Linux Terminal Server Project, it was possible to connect to X on any LTSP client from any host on the network, making client windows and keystrokes visible to that host. | ||||||||
| Alerts: |
| ||||||||
perl: heap buffer overflow
| Package(s): | perl | CVE #(s): | CVE-2008-1927 | |||||||||||||||||||||||||||
| Created: | April 25, 2008 | Updated: | June 18, 2008 | |||||||||||||||||||||||||||
| Description: | From the Debian advisory: It has been discovered that the Perl interpreter may encounter a buffer overflow condition when compiling certain regular expressions containing Unicode characters. This also happens if the offending characters are contained in a variable reference protected by the \Q...\E quoting construct. When encountering this condition, the Perl interpreter typically crashes, but arbitrary code execution cannot be ruled out. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
perl-Imager: buffer overflow
| Package(s): | perl-Imager | CVE #(s): | CVE-2008-1928 | |||||||||
| Created: | April 29, 2008 | Updated: | May 19, 2008 | |||||||||
| Description: | From the CVE entry: Buffer overflow in Imager 0.42 through 0.63 allows attackers to cause a denial of service (crash) via an image based fill in which the number of input channels is different from the number of output channels. | |||||||||||
| Alerts: |
| |||||||||||
phpgedview: cross-site scripting
| Package(s): | phpgedview | CVE #(s): | CVE-2007-5051 | |||
| Created: | April 28, 2008 | Updated: | April 30, 2008 | |||
| Description: | From the Debian advisory: It was discovered that phpGedView, an application to provide online access to genealogical data, performed insufficient input sanitising on some parameters, making it vulnerable to cross site scripting. | |||||
| Alerts: |
| |||||
phpmyadmin: arbitrary file read
| Package(s): | phpmyadmin | CVE #(s): | CVE-2008-1924 | |||||||||
| Created: | April 25, 2008 | Updated: | July 7, 2008 | |||||||||
| Description: | From the Debian advisory: Attackers with CREATE table permissions were allowed to read arbitrary files readable by the webserver via a crafted HTTP POST request. | |||||||||||
| Alerts: |
| |||||||||||
python, idle: arbitrary code execution
| Package(s): | python, idle | CVE #(s): | CVE-2008-1679 | ||||||
| Created: | April 28, 2008 | Updated: | July 1, 2008 | ||||||
| Description: | From the CVE entry: Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965. | ||||||||
| Alerts: |
| ||||||||
util-linux-ng: argument injection vulnerability
| Package(s): | util-linux-ng | CVE #(s): | CVE-2008-1926 | ||||||
| Created: | April 29, 2008 | Updated: | June 16, 2008 | ||||||
| Description: | From the CVE entry: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." | ||||||||
| Alerts: |
| ||||||||
wordpress: privilege escalation
| Package(s): | wordpress | CVE #(s): | CVE-2008-1930 | ||||||
| Created: | April 29, 2008 | Updated: | April 30, 2008 | ||||||
| Description: | From the Red Hat bugzilla entry: An attacker, who is able to register a specially crafted username on a Wordpress 2.5 installation, is able to generate authentication cookies for other chosen accounts. This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection. If a Wordpress blog is configured to freely permit account creation, a remote attacker can gain Wordpress-administrator access and then elevate this to arbitrary code execution as the web server user. The vulnerability is fixed in Wordpress 2.5.1 | ||||||||
| Alerts: |
| ||||||||
xine-lib: buffer overflow
| Package(s): | xine-lib | CVE #(s): | CVE-2008-1878 | ||||||||||||
| Created: | April 29, 2008 | Updated: | June 6, 2008 | ||||||||||||
| Description: | From the CVE entry: Stack-based buffer overflow in the demux_nsf_send_chunk function in src/demuxers/demux_nsf.c in xine-lib 1.1.12 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long NSF title. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Page editor: Jake Edge
Next page: Kernel development>>