nodau's People

Contributors

carnil, mromerdagan, ticklishhoneybee


nodau's Issues

nodau segfault when no match on search

Hi Lisa

I noticed that nodau segfaults if no note matches on search; here is how to reproduce it on my system:

~$ git clone https://github.com/darkrose/nodau.git
Cloning into 'nodau'...
remote: Counting objects: 149, done.
remote: Compressing objects: 100% (69/69), done.
remote: Total 149 (delta 89), reused 134 (delta 74)
Receiving objects: 100% (149/149), 43.87 KiB, done.
Resolving deltas: 100% (89/89), done.
~$ cd nodau/
~/nodau$ make
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc2\"  -o src/nodau.o -c src/nodau.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc2\"  -o src/db.o -c src/db.c
src/db.c: In function ‘db_encrypt’:
src/db.c:458:9: warning: variable ‘name’ set but not used [-Wunused-but-set-variable]
src/db.c:457:9: warning: variable ‘date’ set but not used [-Wunused-but-set-variable]
src/db.c: In function ‘db_decrypt’:
src/db.c:504:9: warning: variable ‘name’ set but not used [-Wunused-but-set-variable]
src/db.c:503:9: warning: variable ‘date’ set but not used [-Wunused-but-set-variable]
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc2\"  -o src/lib.o -c src/lib.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc2\"  -o src/edit.o -c src/edit.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc2\"  -o src/crypto.o -c src/crypto.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc2\"  -o src/config.o -c src/config.c
cc  -o nodau src/nodau.o src/db.o src/lib.o src/edit.o src/crypto.o src/config.o -lsqlite3 -lncurses -lcrypto 
~/nodau$ ./nodau --version
nodau 0.3rc2 - simple console notetaking program

USAGE: nodau <OPTION> [DATA]

OPTIONS:
 help            print this message
 list [search]   list notes, accepts optional search term
 new <name>      create new note, name must be unique
 encrypt <name>  encrypt a new or existing note
 decrypt <name>  decrypt an encrypted note
 edit <name>     open an existing note for editing
 show <name>     display an existing note
 del <search>    accepts name or search term

See the nodau man page for more details.

~/nodau$ ./nodau new foo
foo saved
~/nodau$ ./nodau list foo
match 1: foo
~/nodau$ ./nodau list bar
match 1: (null)
Segmentation fault
~/nodau$

I used the following versions:

libsqlite3-dev: 3.7.11-3
libssl-dev: 1.0.1c-1
cc (Debian 4.7.0-8) 4.7.0

Many thanks for your work!

Regards

[security] Unsafe handling of temporary files when using external editor

Hi

Looking at the code, it looks like when using an external editor nodau handles temporary files in an unsafe way, due to using /tmp/nodau.$time containing the unix time. This might lead to overwriting of files owned by a user or even disclosure of information (e.g. a user editing (encrypting) notes).

(Note: for easy reproduction you need to set fs.protected_symlinks=0 on recent Linux kernels[0].)

https://github.com/darkrose/nodau/blob/master/src/edit.c#L159

  1. Evil user creates a world-writable file in e.g. /tmp and then creates lots of symlinks /tmp/nodau.$timestamp (with timestamps in the future) to this file.
  2. Regular user now creates a new note with nodau encrypt testnote.
  3. Evil user now has access to the secret note in /tmp/worldwritable after the user has saved the file in the editor (nodau prompts that the file gets saved).

Another use case would be that if the evil user knows a filename writable by the user, he can make the user overwrite it with note content.

Furthermore, in the way it is implemented right now, depending on the umask of the user editing a note, every other user might read the temporary file while the user has the editor open.

nodau should not use /tmp in an unsafe way. Kurt Seifried from the Red Hat Security Response Team wrote a nice blog entry describing how to create files safely in various programming languages[1].

[0] https://lwn.net/Articles/503660/
[1] http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

Regards,
Salvatore
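A hardened way of creating the editor scratch file, as an added example that is not nodau's own code: the file gets an unguessable name and is opened with O_CREAT|O_EXCL through mkstemp(), and a second check verifies before use that the path still names the private file that was created. The directory argument and the nodau. prefix are assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<dir>/nodau.XXXXXX" and let mkstemp() pick the suffix and open the
 * file with O_CREAT|O_EXCL and mode 0600. Unlike a name derived from the
 * current unix time, the suffix cannot be guessed ahead of time, and O_EXCL
 * makes the open fail instead of following a symlink someone planted.
 * Returns the open descriptor (path is filled in) or -1. */
int open_note_tempfile(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/nodau.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;                     /* name would have been truncated */
    return mkstemp(path);
}

/* Check that the descriptor we hold really is a private regular file and
 * that `path` still names it (fstat on the fd vs lstat on the path), so a
 * swap between creation and use is caught. Returns 1 if safe, else 0. */
int tempfile_is_private(int fd, const char *path)
{
    struct stat fs, ls;

    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    if (!S_ISREG(fs.st_mode) || S_ISLNK(ls.st_mode))
        return 0;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino)
        return 0;                      /* path no longer refers to our file */
    if (fs.st_uid != getuid())
        return 0;
    if (fs.st_mode & (S_IRWXG | S_IRWXO))
        return 0;                      /* readable by other users */
    return 1;
}

/* Stand-alone demo: create, verify, then remove the scratch file. */
int main(void)
{
    char path[64];
    int fd = open_note_tempfile("/tmp", path, sizeof path);

    if (fd < 0) {
        perror("open_note_tempfile");
        return 1;
    }
    printf("%s private=%d\n", path, tempfile_is_private(fd, path));
    unlink(path);                      /* remove as soon as the editor is done */
    close(fd);
    return 0;
}
```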

Spelling error in error message

Hi

There is a small spelling error in the displayed error message at

https://github.com/darkrose/nodau/blob/master/src/nodau.c#L81

--- a/src/nodau.c
+++ b/src/nodau.c
@@ -78,7 +78,7 @@ static char* get_args(int argc, char** a
        args = malloc(l);
        /* if null throw an error */
        if (args == NULL) {
-               fprintf(stderr,"an error occured in argument compilation\n");
+               fprintf(stderr,"an error occurred in argument compilation\n");
                return NULL;
        }
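Review bot: the spelling fix is correct; while this line is being touched, the message could also say why `malloc(l)` failed, e.g. `fprintf(stderr,"an error occurred in argument compilation: %s\n", strerror(errno));` so an out-of-memory condition is distinguishable from an oversized length when it shows up in a bug report.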

nodau crashes

Hi!

Researchers from CyLab, Carnegie Mellon University, have reported several crashes in programs packaged in Debian. nodau is also crashing on some tests from them.

I can reproduce the crashes if I empty the environment (env -i /usr/bin/nodau), so there is a bug. I did some testing and noticed that nodau crashes if the user's username has no more than 3 characters.

See: http://bugs.debian.org/716624 for the original report.

Regards,
Salvatore

Document location of config file in manpage

Hi Lisa

Would it be possible to document the location of the config file in the manpage?

In README I read:

The nodau config file is located at $XDG_CONFIG_HOME/nodau/nodau.conf
which is typically ~/.config/nodau/nodau.conf

I think it would be good to have the location of the config file documented in the manpage.

Regards,
Salvatore

nodau 0.3rc4 segfaults on creating new database

Hi Lisa

If I create a new note with ~/.config/nodau and ~/.local/share/nodau removed, using version 0.3rc4:

carnil@sid:~/nodau-0.3rc4$ make
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc4\"  -o src/nodau.o -c src/nodau.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc4\"  -o src/db.o -c src/db.c
src/db.c: In function ‘db_decrypt’:
src/db.c:513:9: warning: variable ‘name’ set but not used [-Wunused-but-set-variable]
src/db.c:512:9: warning: variable ‘date’ set but not used [-Wunused-but-set-variable]
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc4\"  -o src/lib.o -c src/lib.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc4\"  -o src/edit.o -c src/edit.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc4\"  -o src/crypto.o -c src/crypto.c
cc -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3rc4\"  -o src/config.o -c src/config.c
cc  -o nodau src/nodau.o src/db.o src/lib.o src/edit.o src/crypto.o src/config.o -lsqlite3 -lncurses -lcrypto 
carnil@sid:~/nodau-0.3rc4$ ./nodau new test
no such column: name
Segmentation fault
carnil@sid:~/nodau-0.3rc4$

Regards,
Salvatore

Missing files in released tarballs

Hi Lisa

Within the released tarball of nodau 0.3.3, inc/ and config.h are missing, due to commit 43ded7e.

I don't know which approach you would like, thus I have not made a pull request, but something like

--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
 MANDIR ?= $(PREFIX)/share/man/man1

 SRCDIR=src
+INCDIR=inc

 TARGET=nodau
 VERSION=0.3.3
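Review bot: INCDIR=inc is introduced here but nothing in this hunk uses it yet; if CFLAGS carries the include path for inc/, it should be written as -I$(INCDIR) so the directory name lives in one place and a later rename cannot leave the tarball list and the compiler flags disagreeing.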
@@ -15,7 +16,7 @@ NODAU_CLIBS ?= -lsqlite3 -lncurses -lcrypto $(CLIBS)
 NODAU_LDFLAGS ?= $(LDFLAGS)

 OBJS=$(SRCDIR)/nodau.o $(SRCDIR)/db.o $(SRCDIR)/lib.o $(SRCDIR)/edit.o $(SRCDIR)/crypto.o $(SRCDIR)/config.o
-DISTFILES=man $(SRCDIR) Makefile* CHANGELOG LICENSE README
+DISTFILES=man $(SRCDIR) $(INCDIR) config.h Makefile* CHANGELOG LICENSE README

 all: default
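Review bot: adding $(INCDIR) and config.h to DISTFILES covers the two missing items; please confirm that config.h is a tracked source file and not something generated during the build, because a generated file packed into the tarball would ship a stale copy and could shadow the freshly generated one.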

should do.

Regards

Uses asprintf without checking return value

Hi Lisa

In Debian we are now building nodau with some hardening flags and during the build there is

src/db.c: In function 'db_connect':
src/db.c:153:11: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result]
src/db.c:155:11: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result]
src/db.c:160:10: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result]
src/db.c:183:11: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result]
[...]

See 1 and in 2 a sample build log. It is a good idea IMHO to always check the return value of asprintf. But I have not checked here whether it is actually exploitable in some way.

Regards,
Salvatore

nodau: ftbfs with GCC-10

We have the following bug reported to the Debian package of nodau,
c.f. https://bugs.debian.org/957612

It doesn't seem to be a bug in the packaging, so you may want to take
a look. Thanks!

------8<-----------8<-----------8<-----------8<-----------8<-----

Package: src:nodau
Version: 0.3.8-3
Severity: normal
Tags: sid bullseye
User: [email protected]
Usertags: ftbfs-gcc-10

Please keep this issue open in the bug tracker for the package it
was filed for.  If a fix in another package is required, please
file a bug for the other package (or clone), and add a block in this
package. Please keep the issue open until the package can be built in
a follow-up test rebuild.

The package fails to build in a test rebuild on at least amd64 with
gcc-10/g++-10, but succeeds to build with gcc-9/g++-9. The
severity of this report will be raised before the bullseye release,
so nothing has to be done for the buster release.

The full build log can be found at:
http://people.debian.org/~doko/logs/gcc10-20200225/nodau_0.3.8-3_unstable_gcc10.log
The last lines of the build log are at the end of this report.

To build with GCC 10, either set CC=gcc-10 CXX=g++-10 explicitly,
or install the gcc, g++, gfortran, ... packages from experimental.

  apt-get -t=experimental install g++ 

Common build failures are new warnings resulting in build failures with
-Werror turned on, or new/dropped symbols in Debian symbols files.
For other C/C++ related build failures see the porting guide at
http://gcc.gnu.org/gcc-10/porting_to.html

[...]

User Environment
----------------

APT_CONFIG=/var/lib/sbuild/apt.conf
HOME=/sbuild-nonexistent
LANG=C.UTF-8
LC_ALL=C.UTF-8
LOGNAME=user42
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
SCHROOT_ALIAS_NAME=unstable
SCHROOT_CHROOT_NAME=sid-amd64-sbuild
SCHROOT_COMMAND=env
SCHROOT_GID=1001
SCHROOT_GROUP=user42
SCHROOT_SESSION_ID=sid-amd64-sbuild-79730f82-fb48-425b-9357-2e15ff3077d5
SCHROOT_UID=1001
SCHROOT_USER=user42
SHELL=/bin/sh
USER=user42

dpkg-buildpackage
-----------------

Command: dpkg-buildpackage -us -uc -b -rfakeroot
dpkg-buildpackage: info: source package nodau
dpkg-buildpackage: info: source version 0.3.8-3
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by Salvatore Bonaccorso <[email protected]>
 dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
 debian/rules clean
dh clean
   dh_auto_clean
	make -j4 distclean
make[1]: Entering directory '/<<PKGBUILDDIR>>'
rm -f src/nodau.o src/db.o src/lib.o src/edit.o src/crypto.o src/config.o
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
   dh_clean
 debian/rules binary
dh binary
   dh_update_autotools_config
   dh_autoreconf
   dh_auto_configure
   dh_auto_build
	make -j4 "INSTALL=install --strip-program=true"
make[1]: Entering directory '/<<PKGBUILDDIR>>'
cc -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3.8\" -Iinc/ -I. -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -o src/nodau.o -c src/nodau.c
cc -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3.8\" -Iinc/ -I. -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -o src/db.o -c src/db.c
cc -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3.8\" -Iinc/ -I. -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -o src/lib.o -c src/lib.c
cc -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3.8\" -Iinc/ -I. -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -o src/edit.o -c src/edit.c
cc -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3.8\" -Iinc/ -I. -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -o src/crypto.o -c src/crypto.c
cc -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -g -pedantic -DTARGET=\"nodau\" -DVERSION=\"0.3.8\" -Iinc/ -I. -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -o src/config.o -c src/config.c
cc -Wl,-z,relro -Wl,-z,now -o nodau src/nodau.o src/db.o src/lib.o src/edit.o src/crypto.o src/config.o -lsqlite3 -lncurses -lcrypto 
/usr/bin/ld: src/db.o:./inc/nodau.h:48: multiple definition of `db'; src/nodau.o:./inc/nodau.h:48: first defined here
/usr/bin/ld: src/db.o:./inc/nodau.h:49: multiple definition of `error_msg'; src/nodau.o:./inc/nodau.h:49: first defined here
/usr/bin/ld: src/lib.o:./inc/nodau.h:49: multiple definition of `error_msg'; src/nodau.o:./inc/nodau.h:49: first defined here
/usr/bin/ld: src/lib.o:./inc/nodau.h:48: multiple definition of `db'; src/nodau.o:./inc/nodau.h:48: first defined here
/usr/bin/ld: src/edit.o:./inc/nodau.h:49: multiple definition of `error_msg'; src/nodau.o:./inc/nodau.h:49: first defined here
/usr/bin/ld: src/edit.o:./inc/nodau.h:48: multiple definition of `db'; src/nodau.o:./inc/nodau.h:48: first defined here
/usr/bin/ld: src/crypto.o:./inc/nodau.h:49: multiple definition of `error_msg'; src/nodau.o:./inc/nodau.h:49: first defined here
/usr/bin/ld: src/crypto.o:./inc/nodau.h:48: multiple definition of `db'; src/nodau.o:./inc/nodau.h:48: first defined here
/usr/bin/ld: src/config.o:./inc/nodau.h:49: multiple definition of `error_msg'; src/nodau.o:./inc/nodau.h:49: first defined here
/usr/bin/ld: src/config.o:./inc/nodau.h:48: multiple definition of `db'; src/nodau.o:./inc/nodau.h:48: first defined here
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:26: nodau] Error 1
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
dh_auto_build: error: make -j4 "INSTALL=install --strip-program=true" returned exit code 2
make: *** [debian/rules:6: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2


------8<-----------8<-----------8<-----------8<-----------8<-----

Thanks for considering,
Salvatore Bonaccorso,

nodau (0.3rc5) does not encrypt/decrypt entries?

Hi Lisa

I just played with the encrypt/decrypt functionality of nodau. With 0.3rc5 I cannot encrypt/decrypt messages (both new ones and already existing ones):

carnil@sid:~/nodau$ ./nodau show test
test (Thu Jun 14 06:46:02 2012):
test
carnil@sid:~/nodau$ ./nodau encrypt test
Passphrase: 
carnil@sid:~/nodau$ ./nodau show test
test (Thu Jun 14 06:46:02 2012):
test
carnil@sid:~/nodau$

Whereas a message encrypted with 0.3rc3 must first be decrypted correctly with the passphrase (this is with 0.3rc3):

carnil@sid:~/nodau$ ./nodau new test
test saved
carnil@sid:~/nodau$ ./nodau show test
test (Thu Jun 14 06:57:24 2012):
test
carnil@sid:~/nodau$ ./nodau encrypt test
Passphrase: 
carnil@sid:~/nodau$ ./nodau show test
Passphrase: 
test (Thu Jun 14 06:57:24 2012):
test
carnil@sid:~/nodau$

Regards,
Salvatore

Give hint on import_old_db

Hi Lisa

(Another wishlist)

It would be great to be more verbose on what import_old_db does, and to have it documented too in the manpage of nodau.

Regards,
Salvatore

GPL code linked with OpenSSL

Hi

I noticed that nodau would link against OpenSSL, but your code does not contain an 'OpenSSL' exception. Could you add such an exception for nodau?

See Question 28 in FAQ 1.

Something like what wget does:

In addition, as a special exception, the Free Software Foundation gives permission to link the code of its release of Wget with the OpenSSL project's "OpenSSL" library (or with modified versions of it that use the same license as the "OpenSSL" library), and distribute the linked executables. You must obey the GNU General Public License in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.

Clearly adapted for nodau and you.

If you need more information, please feel free to ask; I hope I can help then.

Many thanks and regards,
Salvatore

[wishlist] Makefile: Add CFLAGS and LDFLAGS passed by environment to proposed flags

Hi

This is more of a 'wishlist' bug report: in the Makefile for nodau there is:

CFLAGS ?= -Wall -g -pedantic -DTARGET="$(TARGET)" -DVERSION="$(VERSION)"
CLIBS ?= -lsqlite3 -lncurses -lcrypto

I would like to ask if it makes sense to change this to allow 'appending' some additional flags to the proposed ones, instead of completely overwriting them if CFLAGS and CLIBS are set. In Debian we are using dpkg-buildpackage to have some additional CFLAGS, CPPFLAGS, CXXFLAGS and LDFLAGS passed via the environment (hardening flags).

Projects using e.g. automake use CFLAGS_AM for this, AFAIK. Clearly, using automake and co here would be like using a sledgehammer to crack a nut.

What do you think? Would such a change be useful to others too?

Please feel free to close this if it does not make sense or you prefer to keep it this way.

Regards,
Salvatore

automatically setting import_old_db to false

The program automatically sets the value of import_old_db to false in the configuration file .config/nodau/nodau.conf.
Removing the import_old_db line doesn't work. Setting it to true doesn't work.
And therefore importing the old database doesn't work. The database is from March this year.

nodau -v
nodau 0.3.8 - simple console notetaking program
