Bug 810928 (CVE-2012-3997, CVE-2012-3998)
Summary: | CVE-2012-3997 CVE-2012-3998 Review Request: sticky-notes - Sticky notes is a free and open source paste-bin application | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Riches <david.r> |
Component: | Package Review | Assignee: | Kevin Fenzi <kevin> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | athmanem, jlieskov, notting, package-review |
Target Milestone: | --- | Flags: | kevin: fedora-review+, gwync: fedora-cvs+ |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-06-30 08:23:37 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Description
David Riches
2012-04-09 16:37:14 UTC
rpmlint output:

```
[david@puppet rpmbuild]$ rpmlint SPECS/sticky-notes.spec
SPECS/sticky-notes.spec: W: invalid-url Source0: sticky-notes-20120407git.tar
0 packages and 1 specfiles checked; 0 errors, 1 warnings.
[david@puppet rpmbuild]$ rpmlint SRPMS/sticky-notes-20120407git-1.fc16.src.rpm
sticky-notes.src: W: invalid-url Source0: sticky-notes-20120407git.tar
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
[david@puppet rpmbuild]$ rpmlint RPMS/noarch/sticky-notes-20120407git-1.fc16.noarch.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
```

Koji:
F15: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974692
F16: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974676
F17: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974693
Rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=3974694

Thanks.

I'll review this. Look for a full review in a bit.

OK - Package meets naming and packaging guidelines
OK - Spec file matches base package name.
OK - Spec has consistent macro usage.
OK - Meets Packaging Guidelines.
OK - License (BSD)
OK - License field in spec matches
OK - License file included in package
OK - Spec in American English
OK - Spec is legible.
OK - Sources match upstream md5sum:
OK - BuildRequires correct
OK - Package has %defattr and permissions on files is good.
OK - Package has a correct %clean section.
OK - Package has correct buildroot
OK - Package is code or permissible content.
OK - Packages %doc files don't affect runtime.
OK - Package has rm -rf RPM_BUILD_ROOT at top of %install
OK - Package compiles and builds on at least one arch.
OK - Package has no duplicate files in %files.
OK - Package doesn't own any directories other packages own.
OK - Package owns all the directories it creates.
OK - Package obeys FHS standard (except for 2 exceptions)
See below - No rpmlint output.
See below - final provides and requires are sane.

SHOULD Items:
OK - Should build in mock.
OK - Should build on all supported archs
OK - Should function as described.
OK - Should have sane scriptlets.
OK - Should have dist tag
OK - Should package latest version
OK - Should not use file requires outside of /etc, /bin, /sbin, /usr/bin, or /usr/sbin

Issues:
1. There seem to be two bundled projects in addons:
   geshi - http://qbnz.com/highlighter/ (already packaged as php-geshi)
   jquery - under review at https://bugzilla.redhat.com/show_bug.cgi?id=805587
   Should require those and fix it to work with them.
2. Probably shouldn't Requires mysql-server. It's very likely that someone could have their database on a remote machine and just install this on a frontend.
3. rpmlint says: sticky-notes.src: W: invalid-url Source0: sticky-notes-20120407git.tar
   Can be ignored.
4. Non package blockers, but suggestions for upstream:
   - Add possibility to use captchas on configurable kinds of pastes.
   - Add possibility to blacklist some words in pastes to block spam (Viagra, etc)

Thanks for this! I'm sorted for using php-geshi, but with regards to jquery... we (myself and the author) came up with another idea. Basically, you can reference jquery $(latest) over the internet using:

```html
<script type="text/javascript" src="http://code.jquery.com/jquery-latest.js"></script>
```

For me, this works quite nicely because it doesn't rely on another dependency (I'm also not sure how much work would go into adjusting sticky-notes to suit a packaged jquery, and how far this would deviate from the upstream). Also, sticky-notes can survive nicely without jquery, so if the box is offline, there's no real consequence.

So my proposal is:
1) strip addons/
2) use php-geshi
3) use code.jquery.com instead of a local bundle

What do you think?
Ta
Dave

Well, the problem with using the remote latest jquery is that if somehow they were compromised, you could well be as well. After talking things over with others, we currently don't require unbundling javascript... so, let's just stick with the bundled copy (of course need to make sure and update it in the event of bugs). Or I suppose you could just have an option to use the bundled copy or the copy from the net? 1 and 2 above seem great.

Month ago I contacted the author about a vulnerability, still no response. I've created a merge request in gitorious if you're interested in the patch.

Yeah, that would be great.

Merge request: https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2
Patch: see attached file.
This patch will fix some _stored_ XSS (Cross-site Scripting) in 'paste_user' and 'paste_lang' parameters.

Created attachment 577135
Fix some stored XSS (Cross-site Scripting) in 'paste_user' and 'paste_lang' parameters.

Created attachment 577191
Patch that fixes some SQL Injection issues.

Merge request updated to include this patch: https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2
I'm still testing, I'll update the merge request and this bug report when I find new issues.

Created attachment 577433
Fix for some security issues (Cross-site scripting and SQL Injections)

Patch that fixes some SQL Injection in admin interface, I merged all patches into this one. Merge request updated to include new fixes: https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2

Also, forcing 'HttpOnly' cookies does not seem to work, because of the following JS calls (jQuery Cookie plugin):

```
skins/$SKINNAME/js/main.js: var author = $.cookie('stickynotes_author');
skins/$SKINNAME/js/main.js: var language = $.cookie('stickynotes_language');
```

The security fixes are now merged in the new release: 0.2.27052012.8 446

I've fixed some packaging issues, I would like to co-maintain this package if David is OK. Changes:
- Remove mysql-server dep
- Update to latest upstream version which includes security patch from #810928
- Unbundle php-geshi
- Add a config file to make sticky-notes installable
- Add php-mysql as requirement

SPEC: http://athmane.fedorapeople.org/pkgs/sticky-notes.spec
SRPM: http://athmane.fedorapeople.org/pkgs/sticky-notes-20120507git-2.fc17.src.rpm

Athmane, yeah that would be awesome... Kevin, could you re-look at the above enclosed spec and src.rpm for the review? I've never had someone sort out the packaging for me, so I hope that's acceptable ;-)

One small issue, I moved 'install.php' to %config because sticky-notes is not installable without modifying it (imho we can't keep it in datadir).

SPEC: http://athmane.fedorapeople.org/pkgs/sticky-notes.spec
SRPM: http://athmane.fedorapeople.org/pkgs/sticky-notes-20120507git-3.fc17.src.rpm

ok, the initial issues seem solved here, however, one thing I should have noted before:

Does upstream ever plan to release an actual release? Or is it always going to be snapshots? If there is a release sometime like '1.0' it's going to be rpm 'older' than the date version used right now. So, perhaps safer would be:

```
Version: 0.0
Release: 0.1.20120507git
```

Or a quick communication with upstream that they will never do a tarball/actual release. Everything else looks good, so as soon as we sort this out we should be good to go.

(In reply to comment #16)
> ok, the initial issues seem solved here, however, one thing I should have
> noted before:
>
> Does upstream ever plan to release an actual release?
> Or is it always going to be snapshots?

There's a version number in the git repo (file: VERSION), the current one is 0.3.09062012.4, I was going to use that but David already used git/date-based version.

Fixed the version number.

SPEC: http://athmane.fedorapeople.org/pkgs/sticky-notes.spec
SRPM: http://athmane.fedorapeople.org/pkgs/sticky-notes-0.3.09062012.4-4.fc17.src.rpm

Looks good to me. You may have to fix the older changelog entries... rpm could get mad about them not being in the right order. Otherwise I see no blockers and this package is APPROVED.

Thanks Kevin, I didn't find any issue with rpm or rpmlint about version change (I was updating and testing a sticky-notes installation every time I did some changes).

David, if you're going to add me as co-maintainer my FAS is: athmane

New Package SCM Request
=======================
Package Name: sticky-notes
Short Description: Sticky notes is a free and open source paste-bin application
Owners: dcr226, athmane
Branches: f15,f16,f17
InitialCC:

Git done (by process-git-requests).

Package Change Request
======================
Package Name: sticky-notes
New Branches: el6
Owners: athmane, dcr226

Git done (by process-git-requests).

sticky-notes-0.3.09062012.4-4.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-4.fc17

sticky-notes-0.3.09062012.4-4.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-4.el6

I've found and fixed an XSS issue, informed upstream through merge request: https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2
In meantime patch is included in -5.

sticky-notes-0.3.09062012.4-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.fc16

sticky-notes-0.3.09062012.4-5.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.el6

sticky-notes-0.3.09062012.4-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sticky-notes-0.3.09062012.4-5.fc17

Package sticky-notes-0.3.09062012.4-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sticky-notes-0.3.09062012.4-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9714/sticky-notes-0.3.09062012.4-5.fc16
then log in and leave karma (feedback).

sticky-notes-0.3.09062012.4-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

sticky-notes-0.3.09062012.4-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

sticky-notes-0.3.09062012.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

--

1) The CVE identifier of CVE-2012-3997 has been assigned to the following issue:

Multiple cross-site scripting (XSS) vulnerabilities in Sticky Notes before 0.2.27052012.5 allow remote attackers to inject arbitrary web script or HTML via the (1) paste_user or (2) paste_lang parameter to (a) list.php or (b) show.php.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=810928 (this bug)
[2] http://gitorious.org/sticky-notes/sticky-notes/commit/d97475f07520d61af3d20fbaeb2e9a974c190308
[3] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083169.html
[4] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083120.html

--

2) The CVE identifier of CVE-2012-3998 has been assigned to the following issue:

Multiple SQL injection vulnerabilities in Sticky Notes before 0.2.27052012.5 allow remote attackers to execute arbitrary SQL commands via the (1) paste id in admin/modules/mod_pastes.php or (2) show.php, (3) user id to admin/modules/mod_users.php, (4) project to list.php, or (5) session id to show.php.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=810928 (this bug)
[2] http://gitorious.org/sticky-notes/sticky-notes/commit/d97475f07520d61af3d20fbaeb2e9a974c190308
[3] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083169.html
[4] http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083120.html
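The two defect classes described in the CVE text above (stored XSS through the paste_user and paste_lang parameters, and SQL injection through the paste id), together with the HttpOnly cookie point raised earlier in the thread, as an added PHP example. This is neither sticky-notes' own code nor the merge-request patch; it shows the vulnerable pattern beside the hardened one. It assumes an in-memory SQLite table named pastes standing in for the MySQL schema, column names that mirror the parameter names in the advisory, and the PDO SQLite driver.

```php
<?php
// Added example, not sticky-notes' own code. Demonstrates output escaping
// for the paste_user / paste_lang values and parameter binding for the
// paste id, next to the unsafe patterns the CVEs describe.
declare(strict_types=1);

// --- CVE-2012-3997 class: stored XSS via paste_user / paste_lang ----------

// Vulnerable pattern: user-supplied text is concatenated into the page, so a
// stored value containing markup is rendered as markup for every later viewer.
function render_meta_vulnerable(string $user, string $lang): string
{
    return "<span class=\"author\">$user</span> <span class=\"lang\">$lang</span>";
}

// Hardened pattern: escape at the output boundary for the HTML context.
// ENT_QUOTES also covers attribute values; ENT_SUBSTITUTE prevents invalid
// UTF-8 from silently producing an empty (unescaped-looking) string.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_meta_hardened(string $user, string $lang): string
{
    return '<span class="author">' . esc_html($user) . '</span> '
         . '<span class="lang">' . esc_html($lang) . '</span>';
}

// --- CVE-2012-3998 class: SQL injection via the paste id -------------------

// Constructed stand-in for the pastes table (assumption: column names).
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pastes (id INTEGER PRIMARY KEY, paste_user TEXT,'
            . ' paste_lang TEXT, body TEXT, is_private INTEGER)');
    $db->exec("INSERT INTO pastes VALUES (1, 'alice', 'php', 'echo 1;', 0)");
    $db->exec("INSERT INTO pastes VALUES (2, 'bob', 'text', 'not public', 1)");
    return $db;
}

// Vulnerable pattern: the id from the query string is interpolated into the
// statement, so the value can change the WHERE clause instead of being a number.
function fetch_paste_vulnerable(PDO $db, string $id): array
{
    $rows = $db->query("SELECT id, body FROM pastes WHERE is_private = 0 AND id = $id");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the shape first (a paste id is a positive
// integer), then bind it as a typed parameter so it is never parsed as SQL.
function fetch_paste_hardened(PDO $db, string $id): array
{
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        return [];   // anything that is not a positive integer id is rejected
    }
    $stmt = $db->prepare('SELECT id, body FROM pastes WHERE is_private = 0 AND id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- HttpOnly -------------------------------------------------------------
// The thread notes that the skin's main.js reads stickynotes_author and
// stickynotes_language through $.cookie(), so those two preference cookies
// cannot be HttpOnly. The session cookie has no JavaScript reader and can be,
// which is the one that matters for limiting what a script injection can read.
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');   // assumes the site is served over TLS
}

// Command-line demonstration.
if (PHP_SAPI === 'cli') {
    $db = open_demo_db();
    $payload = '<script>alert(1)</script>';          // constructed XSS probe
    echo render_meta_vulnerable($payload, 'php'), "\n";
    echo render_meta_hardened($payload, 'php'), "\n";
    $injected = '1 OR is_private = 1';               // constructed SQLi probe
    echo count(fetch_paste_vulnerable($db, $injected)), " row(s) with interpolation\n";
    echo count(fetch_paste_hardened($db, $injected)), " row(s) with a bound parameter\n";
    echo count(fetch_paste_hardened($db, '1')), " row(s) for a valid id\n";
}
```

Run with `php example.php`. With the interpolated query the constructed id string turns `is_private = 0 AND id = 1 OR is_private = 1` into a clause that also returns the private row; the hardened function rejects the same string before it reaches the database and still returns the single public paste for a well-formed id. The same two moves (escape at output, bind at the database) are what a review of the list.php, show.php and admin module paths named in the CVE text should look for.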