Bug 810928 (CVE-2012-3997, CVE-2012-3998)

Summary: CVE-2012-3997 CVE-2012-3998 Review Request: sticky-notes - Sticky notes is a free and open source paste-bin application
Product: Fedora
Reporter: David Riches <david.r>
Component: Package Review
Assignee: Kevin Fenzi <kevin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: athmanem, jlieskov, notting, package-review
Flags: kevin: fedora-review+, gwync: fedora-cvs+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-30 08:23:37 UTC

Attachments:
- Fix some stored XSS (Cross-site Scripting) in 'paste_user' and 'paste_lang' parameters.
- Patch that fixes some SQL Injections issues.
- Fix for some security issues (Cross-site scripting and SQL Injections)

Description David Riches 2012-04-09 16:37:14 UTC
Spec URL: http://www.dcr226.co.uk/sticky-notes.spec
SRPM URL: http://www.dcr226.co.uk/sticky-notes-20120407git-1.fc16.src.rpm
Description: Sticky notes is a free and open source paste-bin application.

Comment 1 David Riches 2012-04-09 16:53:19 UTC
rpmlint output:


[david@puppet rpmbuild]$ rpmlint SPECS/sticky-notes.spec
SPECS/sticky-notes.spec: W: invalid-url Source0: sticky-notes-20120407git.tar
0 packages and 1 specfiles checked; 0 errors, 1 warnings.

[david@puppet rpmbuild]$ rpmlint SRPMS/sticky-notes-20120407git-1.fc16.src.rpm 
sticky-notes.src: W: invalid-url Source0: sticky-notes-20120407git.tar
1 packages and 0 specfiles checked; 0 errors, 1 warnings.

[david@puppet rpmbuild]$ rpmlint RPMS/noarch/sticky-notes-20120407git-1.fc16.noarch.rpm 
1 packages and 0 specfiles checked; 0 errors, 0 warnings.


Koji:

F15: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974692
F16: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974676
F17: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974693
Rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974694

Thanks.

Comment 2 Kevin Fenzi 2012-04-10 18:28:37 UTC
I'll review this. Look for a full review in a bit.

Comment 3 Kevin Fenzi 2012-04-10 18:49:48 UTC
OK - Package meets naming and packaging guidelines
OK - Spec file matches base package name. 
OK - Spec has consistent macro usage. 
OK - Meets Packaging Guidelines. 
OK - License (BSD)
OK - License field in spec matches
OK - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:

OK - BuildRequires correct
OK - Package has %defattr and permissions on files are good. 
OK - Package has a correct %clean section. 
OK - Package has correct buildroot
OK - Package is code or permissible content. 
OK - Package's %doc files don't affect runtime. 
OK - Package has rm -rf RPM_BUILD_ROOT at top of %install

OK - Package compiles and builds on at least one arch. 
OK - Package has no duplicate files in %files. 
OK - Package doesn't own any directories other packages own. 
OK - Package owns all the directories it creates. 
OK - Package obeys FHS standard (except for 2 exceptions)
See below - No rpmlint output. 
See below - final provides and requires are sane.

SHOULD Items:

OK - Should build in mock. 
OK - Should build on all supported archs
OK - Should function as described. 
OK - Should have sane scriptlets. 
OK - Should have dist tag
OK - Should package latest version
OK - Should not use file requires outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin

Issues: 

1. There seem to be two bundled projects in addons: 

geshi - http://qbnz.com/highlighter/ (already packaged as php-geshi)
jquery - under review at https://bugzilla.redhat.com/show_bug.cgi?id=805587

Should require those and fix it to work with them. 

2. Probably shouldn't Requires mysql-server. It's very likely that someone could have 
their database on a remote machine and just install this on a frontend. 

3. rpmlint says: 

sticky-notes.src: W: invalid-url Source0: sticky-notes-20120407git.tar

Can be ignored. 

4. Non package blockers, but suggestions for upstream: 

- Add possibility to use captchas on configurable kinds of pastes. 
- Add possibility to blacklist some words in pastes to block spam (Viagra, etc)

Comment 4 David Riches 2012-04-11 16:58:53 UTC
Thanks for this!

I'm sorted for using php-geshi, but with regards to jquery...we (myself and the author) came up with another idea

basically, you can reference jquery $(latest) over the internet using:

<script type="text/javascript" src="http://code.jquery.com/jquery-latest.js"></script>

For me, this works quite nicely because it doesn't rely on another dependency (I'm also not sure how much work would go into adjusting sticky-notes to suit a packaged jquery, and how far this would deviate from the upstream).

Also, sticky-notes can survive nicely without jquery - so if the box is offline, there's no real consequence

So my proposal is:

1) strip addons/
2) use php-geshi
3) use code.jquery.com instead of a local bundle


What do you think?

Ta

Dave

Comment 5 Kevin Fenzi 2012-04-11 22:31:40 UTC
Well, the problem with using the remote latest jquery is that if somehow they were compromised, you could well be as well. 

After talking things over with others, we currently don't require unbundling javascript... so, let's just stick with the bundled copy (Of course need to make sure and update it in the event of bugs). 
Or I suppose you could just have an option to use the bundled copy or the copy from the net?

1 and 2 above seem great.

Comment 6 Othman Madjoudj 2012-04-11 22:49:19 UTC
A month ago I contacted the author about a vulnerability, still no response.

I've created a merge request in gitorious if you're interested in the patch.

Comment 7 David Riches 2012-04-12 09:05:49 UTC
Yeah, that would be great.

Comment 8 Othman Madjoudj 2012-04-12 16:31:55 UTC
Merge request: https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2

Patch: see attached file

This patch will fix some _stored_ XSS (Cross-site Scripting) in 'paste_user' and 'paste_lang' parameters.

Comment 9 Othman Madjoudj 2012-04-12 16:32:59 UTC
Created attachment 577135 [details]
Fix some stored XSS (Cross-site Scripting) in 'paste_user' and 'paste_lang' parameters.

Comment 10 Othman Madjoudj 2012-04-13 00:00:42 UTC
Created attachment 577191 [details]
Patch that fixes some SQL Injections issues.

Merge request updated to include this patch:

https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2

I'm still testing, I'll update the merge request and this bugreport when I find new issues.

Comment 11 Othman Madjoudj 2012-04-14 00:10:43 UTC
Created attachment 577433 [details]
Fix for some security issues (Cross-site scripting and SQL Injections)

Patch that fixes some SQL Injection issues in the admin interface; I merged all patches into this one.

Merge request updated to include new fixes:

https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2


Also, forcing 'HttpOnly' cookies does not seem to work, because of the following JS calls (jQuery Cookie plugin):

skins/$SKINNAME/js/main.js:    var author = $.cookie('stickynotes_author');
skins/$SKINNAME/js/main.js:    var language = $.cookie('stickynotes_language');
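One way to keep HttpOnly on those two cookies without breaking main.js, as an added example that is not part of the thread or of sticky-notes itself: read the cookies server-side and hand the values to the script through the page, so the JS no longer needs document.cookie. Cookie names come from the comment above; the helper names, the whitelist pattern and the PHP 7.3+ setcookie() options array are assumptions.

```php
<?php
// Added example, not sticky-notes code. $.cookie() reads document.cookie, which an
// HttpOnly cookie is deliberately hidden from, so main.js stops working the moment
// HttpOnly is forced. Instead, read the preferences server-side and embed them.

// Set both preference cookies HttpOnly (and Secure under TLS) so a script injected
// through an XSS bug cannot read them via document.cookie.
function set_pref_cookie(string $name, string $value): void {
    setcookie($name, $value, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Whitelist what is echoed back: only a short token (author name / language id).
// Pattern and length are assumptions, not the project's rules.
function clean_pref(string $value, int $maxlen): string {
    $value = trim($value);
    return preg_match('/^[A-Za-z0-9_.\-]{1,' . $maxlen . '}$/', $value) ? $value : '';
}

$author   = clean_pref($_COOKIE['stickynotes_author']   ?? '', 32);
$language = clean_pref($_COOKIE['stickynotes_language'] ?? '', 32);

// The HEX flags make json_encode() escape <, >, &, ' and " so the value can never
// close the <script> block or break out of a quoted context.
$prefs = json_encode(
    ['author' => $author, 'language' => $language],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
?>
<script type="text/javascript">
  // main.js would read window.stickynotesPrefs.author / .language
  // instead of calling $.cookie('stickynotes_author') etc.
  window.stickynotesPrefs = <?php echo $prefs; ?>;
</script>
```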

Comment 12 Othman Madjoudj 2012-05-26 22:46:04 UTC
The security fixes are now merged in the new release: 0.2.27052012.8 446

Comment 13 Othman Madjoudj 2012-06-07 21:08:24 UTC
I've fixed some packaging issues, I would like to co-maintain this package if David is OK.

Changes:

- Remove mysql-server dep
- Update to latest upstream version which includes security patch from #810928
- Unbundle php-geshi
- Add a config file to make sticky-notes installable
- Add php-mysql as requirement



SPEC: http://athmane.fedorapeople.org/pkgs/sticky-notes.spec
SRPM: http://athmane.fedorapeople.org/pkgs/sticky-notes-20120507git-2.fc17.src.rpm

Comment 14 David Riches 2012-06-13 17:43:44 UTC
Athmane, yeah that would be awesome...

Kevin, could you re-look at the above enclosed spec and src.rpm for the review?

I've never had someone sort out the packaging for me, so I hope that's acceptable ;-)

Comment 15 Othman Madjoudj 2012-06-13 22:26:31 UTC
One small issue, I moved 'install.php' to %config because sticky-notes is not installable without modifying it (imho we can't keep it in datadir).

SPEC: http://athmane.fedorapeople.org/pkgs/sticky-notes.spec
SRPM: http://athmane.fedorapeople.org/pkgs/sticky-notes-20120507git-3.fc17.src.rpm

Comment 16 Kevin Fenzi 2012-06-14 21:10:33 UTC
ok, the initial issues seem solved here, however, one thing I should have noted before: 

Does upstream ever plan to release an actual release? 
Or is it always going to be snapshots?

If there is a release sometime like '1.0' it's going to be rpm 'older' than the date version used right now. 

So, perhaps safer would be: 

Version: 0.0
Release: 0.1.20120507git

Or a quick communication with upstream that they will never do a tarball/actual release. 

Everything else looks good, so as soon as we sort this out we should be good to go.

Comment 17 Othman Madjoudj 2012-06-14 21:19:29 UTC
(In reply to comment #16)
> ok, the initial issues seem solved here, however, one thing I should have
> noted before: 
> 
> Does upstream ever plan to release an actual release? 
> Or is it always going to be snapshots?
> 


There's a version number in the git repo (file: VERSION), the current one is 0.3.09062012.4, I was going to use that but David already used git/date-based version.

Comment 19 Kevin Fenzi 2012-06-14 21:59:25 UTC
Looks good to me. You may have to fix the older changelog entries... rpm could get mad about them not being in the right order. 

Otherwise I see no blockers and this package is APPROVED.

Comment 20 Othman Madjoudj 2012-06-14 22:36:48 UTC
Thanks Kevin, 
I didn't find any issue with rpm or rpmlint about version change (I was updating and testing a sticky-notes installation every time I did some changes)

David, if you're going to add me as co-maintainer my FAS is: athmane

Comment 21 David Riches 2012-06-19 13:15:58 UTC
New Package SCM Request
=======================
Package Name: sticky-notes
Short Description: Sticky notes is a free and open source paste-bin application
Owners: dcr226, athmane
Branches: f15,f16,f17
InitialCC:

Comment 22 Gwyn Ciesla 2012-06-19 13:25:47 UTC
Git done (by process-git-requests).

Comment 23 Othman Madjoudj 2012-06-19 20:14:34 UTC
Package Change Request
======================
Package Name: sticky-notes
New Branches: el6
Owners: athmane, dcr226

Comment 24 Gwyn Ciesla 2012-06-19 20:18:24 UTC
Git done (by process-git-requests).

Comment 25 Fedora Update System 2012-06-19 20:53:18 UTC
sticky-notes-0.3.09062012.4-4.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-4.fc17

Comment 26 Fedora Update System 2012-06-19 21:24:40 UTC
sticky-notes-0.3.09062012.4-4.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-4.el6

Comment 27 Othman Madjoudj 2012-06-19 22:19:50 UTC
I've found and fixed an XSS issue, informed upstream through merge request:

https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2

In meantime patch is included in -5.

Comment 28 Fedora Update System 2012-06-19 22:58:44 UTC
sticky-notes-0.3.09062012.4-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.fc16

Comment 29 Fedora Update System 2012-06-19 22:59:19 UTC
sticky-notes-0.3.09062012.4-5.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.el6

Comment 30 Fedora Update System 2012-06-19 22:59:24 UTC
sticky-notes-0.3.09062012.4-5.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.el6

Comment 31 Fedora Update System 2012-06-19 23:01:09 UTC
sticky-notes-0.3.09062012.4-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.fc17

Comment 32 Fedora Update System 2012-06-19 23:01:16 UTC
sticky-notes-0.3.09062012.4-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.fc17

Comment 33 Fedora Update System 2012-06-20 19:24:40 UTC
Package sticky-notes-0.3.09062012.4-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sticky-notes-0.3.09062012.4-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9714/sticky-notes-0.3.09062012.4-5.fc16
then log in and leave karma (feedback).

Comment 34 Fedora Update System 2012-06-30 08:23:37 UTC
sticky-notes-0.3.09062012.4-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2012-06-30 08:34:14 UTC
sticky-notes-0.3.09062012.4-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2012-07-07 19:29:12 UTC
sticky-notes-0.3.09062012.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 37 Jan Lieskovsky 2012-07-13 11:05:55 UTC
--

1) The CVE identifier of CVE-2012-3997 has been assigned to the following issue:

Multiple cross-site scripting (XSS) vulnerabilities in Sticky Notes before 0.2.27052012.5 allow remote attackers to inject arbitrary web script or HTML via the (1) paste_user or (2) paste_lang parameter to (a) list.php or (b) show.php.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=810928 (this bug)
[2] http://gitorious.org/sticky-notes/sticky-notes/commit/d97475f07520d61af3d20fbaeb2e9a974c190308
[3] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083169.html
[4] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083120.html

--

2) The CVE identifier of CVE-2012-3998 has been assigned to the following issue:

Multiple SQL injection vulnerabilities in Sticky Notes before 0.2.27052012.5 allow remote attackers to execute arbitrary SQL commands via the (1) paste id in admin/modules/mod_pastes.php or (2) show.php, (3) user id to admin/modules/mod_users.php, (4) project to list.php, or (5) session id to show.php.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=810928 (this bug)
[2] http://gitorious.org/sticky-notes/sticky-notes/commit/d97475f07520d61af3d20fbaeb2e9a974c190308
[3] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083169.html
[4] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083120.html
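The two bug classes described in the CVE texts above, in miniature: a vulnerable pattern beside its hardened form. This is an added example, not code from sticky-notes or from the referenced commit; the table and column names, the $db PDO handle and the language whitelist are assumptions.

```php
<?php
// Added example, not the project's code. "Before" shows the shape of
// CVE-2012-3998 (paste id spliced into SQL) and CVE-2012-3997 (paste_user /
// paste_lang echoed unescaped); "after" validates input, uses a prepared
// statement and escapes output. Schema and $db are assumed.

// --- Before: untrusted id goes straight into SQL, stored fields are echoed raw ---
function show_paste_vulnerable(PDO $db, array $get): string {
    $id  = $get['id'];                                   // untrusted, never validated
    $row = $db->query("SELECT paste_user, paste_lang FROM pastes WHERE id = $id")->fetch();
    return "<b>{$row['paste_user']}</b> ({$row['paste_lang']})";   // stored XSS
}

// --- After ---
const ALLOWED_LANGS = ['php', 'python', 'c', 'text'];   // assumed highlighter id list

// Accept only a positive integer paste id; anything else is rejected before any SQL.
function paste_id(array $get): int {
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid paste id');
    }
    return $id;
}

// ENT_QUOTES so values are safe inside single- and double-quoted attributes too.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function show_paste_fixed(PDO $db, array $get): string {
    $stmt = $db->prepare('SELECT paste_user, paste_lang FROM pastes WHERE id = :id');
    $stmt->execute([':id' => paste_id($get)]);          // value bound, not interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such paste.</p>';
    }
    // paste_lang only selects a highlighter, so whitelist it rather than trust storage
    $lang = in_array($row['paste_lang'], ALLOWED_LANGS, true) ? $row['paste_lang'] : 'text';
    return '<b>' . h($row['paste_user']) . '</b> (' . h($lang) . ')';
}
```

Escaping happens at output time, so a paste_user value stored before the fix is still rendered safely by show_paste_fixed().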