fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125

Directions for fixing:

  * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
    vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
    tracker homes.
  * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
    tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
    directions available for fixing in prior versions.
  * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
    an issue can contain embedded JavaScript which is
    executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
    available for fixing in prior versions.

prior to 2.4.0 release this weekend that fixes the last two CVE's.

Author: rouilj

CHANGES.txt

@@ -16,6 +16,21 @@ python 3.6 or newer (3.4/3.5 might work, but they are not tested).
 
 Fixed:
 
+- CVE-2024-39124 - The classhelpers (_generic.help.html) are
+  vulnerable to an XSS attack. A specially crafted URL that used
+  that endpoint would result in running a script embedded in the
+  URL. (Found/reported by Alec Romano (4rdr), fix/tests John
+  Rouillard)
+- CVE-2024-39125 - If the Referer header is set to a script tag,
+  it will be executed when the error in the Referer header is
+  reported. (Found/reported by Alec Romano (4rdr), fix/tests John
+  Rouillard)
+- CVE-2024-39126 - PDF, XML and SVG files attached to an issue can contain
+  embedded JavaScript. This JavaScript was executed when the file was
+  accessed. PDF files are now downloaded and not displayed in the
+  browser. A content security policy is added for all download files
+  which prevents code execution in SVG files.  (Found/reported by Alec
+  Romano (4rdr), fix/tests John Rouillard)
 - issue2551282 - MySQL utf8mb4 issues and
   issue2551115 - Use utf8mb4 as a default for MySQL instead of utf8
   The default database type and collations have been set to:

doc/CVE.txt

@@ -0,0 +1,100 @@
+.. comments:
+   This file is a temporary way to post CVE notifications before
+   a release.
+
+   Document the CVE fix info in upgrading.txt. Publishing
+   upgrading.txt would push info on the next release not the current
+   release.
+
+   So we comment out a reference anchor in upgrading.txt and use that
+   comment to extract the section from upgrading.txt into CVE.txt.
+   The extracted section gets the same anchor that is in upgrading.txt,
+   but is is not commented out.
+
+   Then we add a summary to the list of CVE's in security.txt using a
+   :ref: to the anchor. If CVE.txt is part of the build and
+   upgrading.txt has a commented out anchor, security.txt entries link
+   to CVE.html in the generated documentation.
+
+   In upgrading.txt add a
+
+   .. comment: _CVE-2024-39124:
+
+   before the section for the CVE (use the real CVE number). At the
+   end of the CVE section add an end comment:
+
+   .. comment: end of CVE include marker
+
+   Update security.txt with a :ref: to the CVE section. E.G. a
+   security.txt references look like:
+
+     * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
+    vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
+    tracker homes.
+
+   where <CVE-2024-39124> is the reference. The same reference anchor
+   is present (commented out) in upgrading.txt. In CVE.txt you
+   replicate the existing anchor and include to extract the content
+   section from upgrading.txt. E.G.
+
+   .. _CVE-2024-39124:
+
+   .. include:: upgrading.txt
+      :start-after: .. comment: _CVE-2024-39124:
+      :end-before: .. comment: end of CVE
+
+   After building the docs, install docs/security.html and
+   docs/CVE.html on the web site. Use the security.html URL
+   on the web site to update the CVE report.
+
+   When the release is ready, replace 'comment: _CVE' with '_CVE' in
+   upgrading.txt. This makes the anchors in upgrading.txt live.
+
+    Then disable CVE.txt by removing CVE.txt from contents.txt in the
+   toctree hidden section. Also add CVE.txt to exclude_patterns in
+   conf.py.
+
+   No change needs to happen to security.txt as it's using a :ref: and
+   we just changed the location for the ref so sphinx will get the
+   links correct.
+
+   Now build the docs and publish to the web site.
+
+===========
+Roundup CVE
+===========
+
+This is a list of remediation for CVE's that are not fixed in the
+latest release. When the latest release fixes the CVE, see `the
+upgrading doc <upgrading.html>`_ for these details.
+
+.. contents::
+   :local:
+   :depth: 2
+
+.. _CVE-2024-39124:
+
+.. note::
+
+   Prior to the release of Roundup 2.4.0, you can access updated
+   tracker templates that address CVE-2024-39124 from
+   `CVE-2024-39124-templates.zip
+   <../CVE-2024-39124-templates.zip>`_. Download and extract the zip
+   file to generate a templates subdirectory containing the classic,
+   minimal and other tracker templates.
+
+.. include:: upgrading.txt
+   :start-after: .. comment: _CVE-2024-39124:
+   :end-before: .. comment:
+
+.. _CVE-2024-39125:
+
+.. include:: upgrading.txt
+   :start-after: .. comment: _CVE-2024-39125:
+   :end-before: .. comment:
+
+.. _CVE-2024-39126:
+
+.. include:: upgrading.txt
+   :start-after: .. comment: _CVE-2024-39126:
+   :end-before: .. comment: end of CVE include marker

doc/acknowledgements.txt

@@ -40,6 +40,8 @@ Norbert Schlemmer - docker support
 Bharath Kanama, Nikunj Thakkar, Patel Malav - classhelper web
 component development.
 
+Alec Romano (4rdr) - identified multiple security issues
+
 2.3
 ---
 

doc/announcement.txt

@@ -4,7 +4,7 @@ release, so make sure to read `docs/upgrading.txt
 <https://www.roundup-tracker.org/docs/upgrading.html>`_ to
 bring your tracker up to date.
 
-The 67 changes, as usual, include some new features and many
+The 79 changes, as usual, include some new features and many
 bug fixes.
 
 Note that you should run ``roundup-admin ... migrate`` to
@@ -22,12 +22,16 @@ You can install it with::
 
 then unpack and test/install from the tarball.
 
-Beta 2 includes a small change to the classic tracker's
-classhelper.js to fix a bug found after beta 1 was released.
-
 Among the notable improvements in 2.4.0 from the 2.3.0
 release are:
 
+* three CVE's have been fixed. One requires changes to your
+  tracker's home directory. The other two are fixed by
+  installing 2.4.0.  See
+  https://www.roundup-tracker.org/docs/security.html for
+  details and instructions on how to fix these in 2.4.0 and
+  earlier releases.
+
 * new classhelper component thanks to a team of students
   from CS682 at U-Mass Boston. This fixes many issues with
   the old classhelper. It is implemented as a web-component
@@ -87,7 +91,7 @@ release are:
 * sqlite version 1 and StructuredText support removed.
 
 The file CHANGES.txt has a detailed list of feature
-additions and bug fixes (67) for each release. The most
+additions and bug fixes for each release. The most
 recent changes from there are at the end of this
 announcement. Also see the information in doc/upgrading.txt.
 

doc/security.txt

@@ -1,20 +1,51 @@
 .. meta::
     :description:
         Documentation on how to report security issues with
-        Roundup. Also index to security related portions in other
-        Roundup documentation. How to verify distribution using gpg.
+        Roundup. Index to recent security related (CVE) descriptions
+        in other Roundup documentation. How to verify distribution
+        using gpg.
 
 .. index::
    single: Reporting Security Issues
+   single: CVE announcements
    single: Security Issues, Reporting
+   single: Security Issues, Remediation
+   single: Security Issues, CVE announcements
 
 
 =======================
 Roundup Security Issues
 =======================
 
-This page documents how to report security issues and verify the
-signatures for Roundup releases.
+This page documents CVE's fixed starting with version 2.4.0, how to
+report security issues, and verify the signatures for Roundup
+source release tarballs.
+
+.. contents::
+   :local:
+   :depth: 2
+
+CVE Announcements
+-----------------
+
+  * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
+    vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
+    tracker homes.
+  * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag,
+    it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
+    directions available for fixing in prior versions.
+  * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an
+    issue can contain embedded JavaScript which is
+    executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
+    available for fixing in prior versions.
+
+.. _CVE-2024-39124:
+        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124
+.. _CVE-2024-39125:
+        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39125
+.. _CVE-2024-39126:
+        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39126
+
 
 Reporting Security Issues
 -------------------------
@@ -88,8 +119,8 @@ Once you have loaded the public key, you need a detached signature for
 your release.
 
 
-Download and Verify with Detached Signature
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Download Detached Signature and Verify
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 This needs to be done once for each release you wish to verify.
 
@@ -137,5 +168,6 @@ If something is wrong you will see::
   gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
   gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"
 
-**do not use** the tarball if the signature is BAD. Email the
-roundup-devel mailing list if you have this happen to you.
+**do not use** the tarball if the signature is BAD. Email the mailing
+list: roundup-devel at lists.sourceforge.net if you have this happen
+to you.