Bug#1037082: unblock: kanboard/1.2.26+ds-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: kanboard@packages.debian.org, joe@nahmias.net
Control: affects -1 + src:kanboard
Please unblock package kanboard
[ Reason ]
Security-fix-only upload: backports the fix for CVE-2023-32685 from kanboard v1.2.29
https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock kanboard/1.2.26+ds-3
diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000 -0400
+++ kanboard-1.2.26+ds/debian/changelog 2023-05-28 21:42:46.000000000 -0400
@@ -1,3 +1,11 @@
+kanboard (1.2.26+ds-3) unstable; urgency=medium
+
+ * backport fix for CVE-2023-32685 from kanboard v1.2.29
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+ Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
+
+ -- Joseph Nahmias <jello@debian.org> Sun, 28 May 2023 21:42:46 -0400
+
kanboard (1.2.26+ds-2) unstable; urgency=medium
* properly test for lighty-enable-mod.
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-05-28 21:41:20.000000000 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot <fred@kanboard.net>
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
++++ b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+- var pasteCatcher = null;
+ var inputElement = null;
+
+ function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+ }
+
+ function onPaste(e) {
+- // Firefox doesn't have the property e.clipboardData.items (only Chrome)
+ if (e.clipboardData && e.clipboardData.items) {
+ var items = e.clipboardData.items;
+
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+ }
+ }
+ }
+- } else {
+-
+- // Handle Firefox
+- setTimeout(checkInput, 100);
+ }
+ }
+
+ function initialize() {
+- destroy();
+-
+- if (! window.Clipboard) {
+- // Insert the content editable at the top to avoid scrolling down in the board view
+- pasteCatcher = document.createElement('div');
+- pasteCatcher.id = 'screenshot-pastezone';
+- pasteCatcher.contentEditable = true;
+- pasteCatcher.style.opacity = 0;
+- pasteCatcher.style.position = 'fixed';
+- pasteCatcher.style.top = 0;
+- pasteCatcher.style.right = 0;
+- pasteCatcher.style.width = 0;
+- document.body.insertBefore(pasteCatcher, document.body.firstChild);
+-
+- pasteCatcher.focus();
+-
+- // Set the focus when clicked anywhere in the document
+- document.addEventListener('click', setFocus);
+-
+- // Set the focus when clicked in screenshot dropzone
+- document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+- }
+-
+ window.addEventListener('paste', onPaste, false);
+ }
+
+- function destroy() {
+- if (KB.exists('#screenshot-pastezone')) {
+- KB.find('#screenshot-pastezone').remove();
+- }
+-
+- document.removeEventListener('click', setFocus);
+- pasteCatcher = null;
+- }
+-
+- function setFocus() {
+- if (pasteCatcher !== null) {
+- pasteCatcher.focus();
+- }
+- }
+-
+- function checkInput() {
+- var child = pasteCatcher.childNodes[0];
+-
+- if (child) {
+- // If the user pastes an image, the src attribute
+- // will represent the image as a base64 encoded string.
+- if (child.tagName === 'IMG') {
+- createImage(child.src);
+- }
+- }
+-
+- pasteCatcher.innerHTML = '';
+- }
+-
+ function createImage(blob) {
+ var pastedImage = new Image();
+ pastedImage.src = blob;
+@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) {
+ zone.className = 'screenshot-pasted';
+ zone.appendChild(pastedImage);
+
+- destroy();
+ initialize();
+ }
+
+- KB.on('modal.close', function () {
+- destroy();
+- });
+-
+ this.render = function () {
+ inputElement = KB.dom('input')
+ .attr('type', 'hidden')
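Review bot: onPaste now does nothing at all when `e.clipboardData.items` is absent, and the reason the fallback was dropped lives only in the patch header, not next to the code; a one-line comment on the `if` would keep a future maintainer from reintroducing a contentEditable catcher, e.g. `// No fallback: the former contentEditable paste zone rendered pasted markup (CVE-2023-32685); only clipboardData.items is handled.` initialize() is still called from createImage, now without the preceding destroy(), so the window `paste` listener is re-registered on every pasted image; that is harmless only because registering the identical listener reference with the same capture flag is a no-op, which deserves a comment on the `addEventListener` line, e.g. `// Idempotent: re-adding the same onPaste reference is ignored by the DOM.` The DEP-3 header's `Origin: upstream` could also carry the two upstream commits the changelog cites (26b6eeb, c9c1872) so the backport is traceable from the patch alone. The component function and the `e.clipboardData.items` branch continue outside the hunk.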
diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series
--- kanboard-1.2.26+ds/debian/patches/series 2023-01-14 19:48:28.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/series 2023-05-28 21:41:20.000000000 -0400
@@ -5,3 +5,4 @@
loosen_php_module_version_requirements.patch
fix_version_testing.patch
fix_plugin_dir_test.patch
+CVE-2023-32685.patch