[ANNOUNCE] urbit-os-v2.16
46 views
Skip to first unread message
Liam Fitzgerald
Jan 14, 2021, 7:54:24 PM1/14/21
to urbit-dev
urbit-os-v2.16
This release will be pushed to the network as an over-the-air update
Base hash (check with +trouble):
0v1.1gbvo.e03d1.nk94q.lmsv5.lasnk.7s08i.jmgvq.7goos.3uqij.fienr
Release Notes:
This release fixes a security issue with the push/pull hook libraries
that could allow a malicious host to escalate privileges or write to
graphs that they do not have permissions, due to lack of validation
Privilege escalation:
Suppose Alice hosts a graph inside Bob's private group. Alice is also a
member of Mallory's group. Mallory then modifies her group-push-hook
to emit a group-update adding her to Bob's group, but sends it along the
path for her own group. Alice's group-pull-hook then receives the
malicious group-update and processes it, forwarding it to group-store.
Then, Mallory can subscribe to Alice's graph, as Alice thinks Mallory is
a member of Bob's private group.
A similar setup applies for writing to graphs, except you send a malicious
graph-update instead.
Breaking changes:
- The hook libraries have been changed to use mark conversions,
instead of the +resource-for-update arm
Contributions:
Liam Fitzgerald (3):
push-hook: use mark conversion to get resource
pull-hook: ensure facts are not malicious
push-hook: remove old resource-for-update
——
~hastuc-dibtux
https://urbit.org
This release will be pushed to the network as an over-the-air update
Base hash (check with +trouble):
0v1.1gbvo.e03d1.nk94q.lmsv5.lasnk.7s08i.jmgvq.7goos.3uqij.fienr
Release Notes:
This release fixes a security issue with the push/pull hook libraries
that could allow a malicious host to escalate privileges or write to
graphs that they do not have permissions, due to lack of validation
Privilege escalation:
Suppose Alice hosts a graph inside Bob's private group. Alice is also a
member of Mallory's group. Mallory then modifies her group-push-hook
to emit a group-update adding her to Bob's group, but sends it along the
path for her own group. Alice's group-pull-hook then receives the
malicious group-update and processes it, forwarding it to group-store.
Then, Mallory can subscribe to Alice's graph, as Alice thinks Mallory is
a member of Bob's private group.
A similar setup applies for writing to graphs, except you send a malicious
graph-update instead.
Breaking changes:
- The hook libraries have been changed to use mark conversions,
instead of the +resource-for-update arm
Contributions:
Liam Fitzgerald (3):
push-hook: use mark conversion to get resource
pull-hook: ensure facts are not malicious
push-hook: remove old resource-for-update
——
~hastuc-dibtux
https://urbit.org
Liam Fitzgerald
Jan 14, 2021, 8:15:56 PM1/14/21
to urbit-dev
The boot pill has been updated for this release, it has a base hash of
0v1n.4ev0g.fisqn.30trr.tul81.2hm4v.n7gb9.r3d30.e17u6.oor2s.str1r
——
~hastuc-dibtux
https://urbit.org
0v1n.4ev0g.fisqn.30trr.tul81.2hm4v.n7gb9.r3d30.e17u6.oor2s.str1r
——
~hastuc-dibtux
https://urbit.org
Reply all
Reply to author
Forward
0 new messages