urbit-os-v2.16
This release will be pushed to the network as an over-the-air update
Base hash (check with +trouble):
0v1.1gbvo.e03d1.nk94q.lmsv5.lasnk.7s08i.jmgvq.7goos.3uqij.fienr
Release Notes:
This release fixes a security issue with the push/pull hook libraries
that could allow a malicious host to escalate privileges or write to
graphs that they do not have permissions for, due to a lack of validation.
Privilege escalation:
Suppose Alice hosts a graph inside Bob's private group. Alice is also a
member of Mallory's group. Mallory then modifies her group-push-hook
to emit a group-update adding her to Bob's group, but sends it along the
path for her own group. Alice's group-pull-hook then receives the
malicious group-update and processes it, forwarding it to group-store.
Then, Mallory can subscribe to Alice's graph, as Alice thinks Mallory is
a member of Bob's private group.
A similar setup applies for writing to graphs, except you send a malicious
graph-update instead.
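The missing validation, modelled in Python as an added example (this is not the Hoon code from the release): a pull-hook handler that forwards any fact it receives, beside one that drops facts naming a resource other than the one the subscription is for. The Resource and GroupUpdate types, the handler names and the ship names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:          # a group or graph: host ship plus name
    ship: str
    name: str

@dataclass(frozen=True)
class GroupUpdate:       # simplified update: add `member` to `resource`
    resource: Resource
    member: str

def pull_hook_unchecked(store, subscribed, update):
    """Behaviour the release notes describe: forward any fact to the store."""
    store.setdefault(update.resource, set()).add(update.member)
    return True

def pull_hook_checked(store, subscribed, update):
    """Forward a fact only if it names the resource this subscription tracks."""
    if update.resource != subscribed:
        return False     # fact arrived on another resource's path: drop it
    store.setdefault(update.resource, set()).add(update.member)
    return True

def run_scenario(handler):
    """Replay the Alice/Bob/Mallory case against Alice's local group store."""
    bobs = Resource("~bob", "private-group")        # constructed names
    mallorys = Resource("~mallory", "own-group")
    store = {bobs: {"~bob", "~alice"}, mallorys: {"~mallory", "~alice"}}
    # Fact received on the subscription for Mallory's group, naming Bob's group.
    forged = GroupUpdate(resource=bobs, member="~mallory")
    # Ordinary fact on the same subscription, naming Mallory's own group.
    honest = GroupUpdate(resource=mallorys, member="~carol")
    return {
        "forged_accepted": handler(store, mallorys, forged),
        "honest_accepted": handler(store, mallorys, honest),
        "mallory_in_bobs_group": "~mallory" in store[bobs],
        "carol_in_mallorys_group": "~carol" in store[mallorys],
    }

if __name__ == "__main__":
    for handler in (pull_hook_unchecked, pull_hook_checked):
        print(handler.__name__, run_scenario(handler))
```

With the checked handler, Mallory never appears in Alice's view of Bob's group, so a later membership check on Alice's graph subscription would refuse her.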
Breaking changes:
- The hook libraries have been changed to use mark conversions,
instead of the +resource-for-update arm
Contributions:
Liam Fitzgerald (3):
push-hook: use mark conversion to get resource
pull-hook: ensure facts are not malicious
push-hook: remove old resource-for-update
——
~hastuc-dibtux
https://urbit.org