Bug 555655 - (sslstrip) Review Request: sslstrip - tool that provides a demonstration of HTTPS stripping attacks
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: manuel wolfshant
Blocks: FE-SECLAB
Reported: 2010-01-15 00:20 EST by Adam Miller
Modified: 2011-08-16 21:04 EDT (History)
Fixed In Version: sslstrip-0.9-2.fc14
Doc Type: Bug Fix
Last Closed: 2011-08-16 17:00:44 EDT
Flags: wolfy: fedora-review+
Flags: limburgher: fedora-cvs+
Description Adam Miller 2010-01-15 00:20:25 EST
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.7-1.fc12.src.rpm

Description:
Tool that provides a demonstration of HTTPS stripping attacks that were presented at Black Hat DC 2009 by Moxie Marlinspike. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
Comment 1 manuel wolfshant 2010-07-20 10:45:50 EDT
Package Review
==============

Key:
 - = N/A
 x = Check
 ! = Problem
 ? = Not evaluated

=== REQUIRED ITEMS ===
 [x] Package is named according to the Package Naming Guidelines.
 [x] Spec file name must match the base package %{name}, in the format %{name}.spec.
 [x] Package meets the Packaging Guidelines.
 [x] Package successfully compiles and builds into binary rpms on at least one supported architecture.
     Tested on: EL6/x86_64
 [x] Rpmlint output:
source RPM:
sslstrip.src: W: summary-not-capitalized C tool that provides a demonstration of HTTPS stripping attacks
=> cosmetic, please fix before importing the package in CVS

sslstrip.src: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.src: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
=> bogus

sslstrip.src: W: no-cleaning-of-buildroot %install
=> old rpmlint, new fedora rules

sslstrip.src:13: W: mixed-use-of-spaces-and-tabs (spaces: line 13, tab: line 2)
=> cosmetic, please fix before importing the package in CVS
1 packages and 0 specfiles checked; 0 errors, 5 warnings.

binary RPM:
sslstrip.noarch: W: summary-not-capitalized C tool that provides a demonstration of HTTPS stripping attacks
=> will get fixed once the first warning above is fixed
sslstrip.noarch: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.noarch: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
=> bogus

1 packages and 0 specfiles checked; 0 errors, 3 warnings.

 [x] Package is not relocatable.
 [x] Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
 [x] License field in the package spec file matches the actual license.
     License type: GPLv3+
 [x] If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %doc.
 [x] Spec file is legible and written in American English.
 [x] Sources used to build the package match the upstream source, as provided in the spec URL.
     SHA1SUM of source file: 7219328b4d43d96b7a0d629355fd818310d61c9b  sslstrip-0.7.tar.gz
 [x] Package is not known to require ExcludeArch
 [!] All build dependencies are listed in BuildRequires, except for any that are listed in the exceptions section of Packaging Guidelines.
=> python-devel is not needed. BR: python is enough
 [-] The spec file handles locales properly.
 [-] ldconfig called in %post and %postun if required.
 [x] Package must own all directories that it creates.
 [x] Package requires other packages for directories it uses.
 [x] Package does not contain duplicates in %files.
 [x] Permissions on files are set properly.
 [x] Package consistently uses macros.
 [x] Package contains code, or permissible content.
 [-] Large documentation files are in a -doc subpackage, if required.
 [x] Package uses nothing in %doc for runtime.
 [-] Header files in -devel subpackage, if present.
 [-] Static libraries in -devel subpackage, if present.
 [-] Package requires pkgconfig, if .pc files are present.
 [-] Development .so files in -devel subpackage, if present.
 [-] Fully versioned dependency in subpackages, if present.
 [x] Package does not contain any libtool archives (.la).
 [-] Package contains a properly installed %{name}.desktop file if it is a GUI application.
 [x] Package does not own files or directories owned by other packages.
 [x] Final provides and requires are sane.

=== SUGGESTED ITEMS ===
 [x] Latest version is packaged.
 [x] Package does not include license text files separate from upstream.
 [-] Description and summary sections in the package spec file contain translations for supported non-English languages, if available.
 [x] Reviewer should test that the package builds in mock.
     Tested on: EL6
 [x] Package should compile and build into binary rpms on all supported architectures.
     Tested on: EL6 (the package is noarch)
 [x] Package functions as described.
 [-] Scriptlets must be sane, if used.
 [-] The placement of pkgconfig(.pc) files is correct.
 [-] File based requires are sane.
 [x] %check is present and the test passes.

=== OPTIONAL ITEMS ===
 [x] Buildroot is correct (%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n))
 [x] Package has a %clean section, which contains rm -rf $RPM_BUILD_ROOT.

=== Issues ===
1. BR python-devel is not needed, just python is enough
2. a small need of cosmetics is needed in %Summary (s/tool/Tool) and the BuildArch line (you've used tabs everywhere but before "noarch")
3. python-twisted-web is a runtime require, not BR
4. Docs are included twice:
/usr/share/doc/sslstrip-0.7
/usr/share/doc/sslstrip-0.7/COPYING
/usr/share/doc/sslstrip-0.7/README
/usr/share/sslstrip/COPYING
/usr/share/sslstrip/README

=== Notes ===
1. if you take care of .egg-info, the package builds just fine in EPEL-5 (see http://koji.fedoraproject.org/koji/taskinfo?taskID=2330964).
2. please inform the upstream author that version 0.7 of sslstrip prints a wrong version at startup time:
   [root@wolfy ~]# sslstrip -l 1001
   /usr/lib64/python2.6/site-packages/twisted/internet/_sslverify.py:5:  DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import itertools, md5

   sslstrip 0.6 by Moxie Marlinspike running...
Comment 2 Adam Miller 2010-11-01 14:36:27 EDT
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.7-3.fc13.src.rpm

All notes have been fixed. Apologies for the delay.

-AdamM
Comment 3 emoziko 2011-05-21 16:11:18 EDT
Hello. When will this package be available in the Fedora repos?
Comment 4 manuel wolfshant 2011-05-31 19:19:59 EDT
(In reply to comment #2)
> Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
> SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.7-3.fc13.src.rpm
> 
> All notes have been fixed. Apologies for the delay.
> 
> -AdamM

Sorry for the huge delay, wrong mail config on my side made tons of messages pass by unseen.


Adam, since sslstrip-0.9 is available for 2 weeks and http://koji.fedoraproject.org/koji/taskinfo?taskID=3102819 shows that the package from comment#2 fails to build, if I promise to take care of the review [much] faster this time, can you please update the package to the current version and provide a new link here?
Comment 5 Adam Miller 2011-06-07 23:59:03 EDT
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.9-1.fc15.src.rpm

Fixed up and updated to latest upstream release.

No worries on the delay, life happens :)

-AdamM
Comment 6 manuel wolfshant 2011-06-08 06:57:22 EDT
The new package builds fine in EPEL6 (http://koji.fedoraproject.org/koji/taskinfo?taskID=3118749) and F15 (http://koji.fedoraproject.org/koji/taskinfo?taskID=3118747).
However:
- rpmlint complains again about the documentation COPYING and README having the exec bit set
- the package installs fine but...
[wolfy@wolfy ~]$ sslstrip 
Traceback (most recent call last):
  File "/usr/bin/sslstrip", line 27, in <module>
    from twisted.web import http
ImportError: No module named twisted.web

Apparently you need to add a hard require on python-twisted-web (which in turn will bring in python-twisted-core, which provides twisted.internet, which is also required by sslstrip).
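A spec fragment added here as an illustration, not Adam's actual sslstrip.spec (the thread only links to it), that applies the reviewer's points from comment 1 and comment 6: plain python instead of python-devel as the BuildRequires, python-twisted-web as a runtime Requires rather than a BuildRequires, the upstream copies of COPYING and README under /usr/share/sslstrip removed so the docs ship only once via %doc, and the doc files forced to 0644. The Source0 URL, the setup.py install invocation and the remaining contents of %{_datadir}/%{name} are assumptions.

```spec
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}

Name:           sslstrip
Version:        0.9
Release:        2%{?dist}
Summary:        Tool that provides a demonstration of HTTPS stripping attacks
License:        GPLv3+
# Placeholder: substitute the real upstream tarball URL
Source0:        http://UPSTREAM-URL-PLACEHOLDER/%{name}-%{version}.tar.gz
BuildArch:      noarch

# Building only runs setup.py, so the interpreter is enough; python-devel is not needed
BuildRequires:  python
# /usr/bin/sslstrip imports twisted.web at runtime (ImportError otherwise), so this is
# a Requires, not a BuildRequires; it pulls in python-twisted-core (twisted.internet) too
Requires:       python-twisted-web

%description
Tool that provides a demonstration of HTTPS stripping attacks that were
presented at Black Hat DC 2009 by Moxie Marlinspike.

%prep
%setup -q
# the tarball ships the docs with the exec bit set, which rpmlint flags
chmod 0644 COPYING README

%build
%{__python} setup.py build

%install
rm -rf $RPM_BUILD_ROOT
%{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
# upstream setup.py also installs COPYING and README into /usr/share/sslstrip;
# drop those copies so the docs are shipped only once, through %doc below
rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}/COPYING \
      $RPM_BUILD_ROOT%{_datadir}/%{name}/README

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%doc COPYING README
%{_bindir}/%{name}
# other data files upstream installs there (assumed, e.g. the lock favicon)
%{_datadir}/%{name}/
# glob covers both the module directory and the .egg-info, which is absent on EPEL-5
%{python_sitelib}/%{name}*
```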
Comment 7 Adam Miller 2011-06-10 19:25:08 EDT
Spec URL: http://maxamillion.fedorapeople.org/sslstrip.spec
SRPM URL: http://maxamillion.fedorapeople.org/sslstrip-0.9-2.fc15.src.rpm

Fixed up the permissions, that was a complete oversight on my part.

Sorry about the python-twisted-web dep miss, I just got lucky/unlucky and had that already installed on the machine I tested on. Also a major goof, fixed now.

Many thanks for the review!

-AdamM
Comment 8 manuel wolfshant 2011-06-10 20:08:07 EDT
Only remaining word from rpmlint is:

[wolfy@wolfy tmp]$ rpmlint sslstrip*rpm
sslstrip.noarch: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.noarch: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
sslstrip.src: W: spelling-error %description -l en_US Marlinspike -> Marlin spike, Marlin-spike, Marlinespike
sslstrip.src: W: spelling-error %description -l en_US favicon -> falcon, faction, favorite
2 packages and 0 specfiles checked; 0 errors, 4 warnings.

which is obviously a false alert. Everything seems fine now [*] so the package is APPROVED

[*]
- builds fine in koji
- works as expected
- no regressions compared to previous versions.

PS
1. you'll get bonus points for including this tool in EPEL :)
2. please inform the upstream author that the file DnsCache.py does not include the license info
Comment 9 Adam Miller 2011-06-14 10:24:37 EDT
I'm a big fan of EPEL, bonus points are on the roadmap :D
Comment 10 Adam Miller 2011-06-14 10:25:54 EDT
New Package SCM Request
=======================
Package Name: sslstrip
Short Description: tool that provides a demonstration of HTTPS stripping attacks
Owners: maxamillion
Branches: f14 f15 el6
Comment 11 Jon Ciesla 2011-06-14 10:41:47 EDT
Git done (by process-git-requests).
Comment 12 Fedora Update System 2011-06-15 23:56:12 EDT
sslstrip-0.9-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sslstrip-0.9-2.fc14
Comment 13 Fedora Update System 2011-06-15 23:56:24 EDT
sslstrip-0.9-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sslstrip-0.9-2.fc15
Comment 14 Fedora Update System 2011-06-15 23:56:31 EDT
sslstrip-0.9-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/sslstrip-0.9-2.el6
Comment 15 Fedora Update System 2011-06-21 13:09:55 EDT
sslstrip-0.9-2.el6 has been pushed to the Fedora EPEL 6 testing repository.
Comment 16 Fedora Update System 2011-08-16 17:00:35 EDT
sslstrip-0.9-2.el6 has been pushed to the Fedora EPEL 6 stable repository.
Comment 17 Fedora Update System 2011-08-16 20:57:43 EDT
sslstrip-0.9-2.fc15 has been pushed to the Fedora 15 stable repository.
Comment 18 Fedora Update System 2011-08-16 21:04:20 EDT
sslstrip-0.9-2.fc14 has been pushed to the Fedora 14 stable repository.
