Bug#1037082: marked as done (unblock: kanboard/1.2.26+ds-3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 4 Jun 2023 21:46:56 +0200
with message-id <3333b6db-1b2b-305c-dd63-9664f0fa7e60@debian.org>
and subject line closing still open unblock requests
has caused the Debian Bug report #1037082,
regarding unblock: kanboard/1.2.26+ds-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037082
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: kanboard/1.2.26+ds-3
• From: Joseph Nahmias <joe@nahmias.net>
• Date: Sat, 03 Jun 2023 22:03:17 -0400
• Message-id: <[🔎] 168584419772.1762622.15784373085284885365.reportbug@pinky.nahmias.net>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: kanboard@packages.debian.org, joe@nahmias.net
Control: affects -1 + src:kanboard

Please unblock package kanboard

[ Reason ]

Security fix only for CVE-2023-32685 from kanboard v1.2.29
https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock kanboard/1.2.26+ds-3

diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog	2023-05-16 22:49:38.000000000 -0400
+++ kanboard-1.2.26+ds/debian/changelog	2023-05-28 21:42:46.000000000 -0400
@@ -1,3 +1,11 @@
+kanboard (1.2.26+ds-3) unstable; urgency=medium
+
+  * backport fix for CVE-2023-32685 from kanboard v1.2.29
+    https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+    Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
+
+ -- Joseph Nahmias <jello@debian.org>  Sun, 28 May 2023 21:42:46 -0400
+
 kanboard (1.2.26+ds-2) unstable; urgency=medium
 
   * properly test for lighty-enable-mod.
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch	2023-05-28 21:41:20.000000000 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot <fred@kanboard.net>
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
++++ b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+-    var pasteCatcher = null;
+     var inputElement = null;
+ 
+     function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+     }
+ 
+     function onPaste(e) {
+-        // Firefox doesn't have the property e.clipboardData.items (only Chrome)
+         if (e.clipboardData && e.clipboardData.items) {
+             var items = e.clipboardData.items;
+ 
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+                     }
+                 }
+             }
+-        } else {
+-
+-            // Handle Firefox
+-            setTimeout(checkInput, 100);
+         }
+     }
+ 
+     function initialize() {
+-        destroy();
+-
+-        if (! window.Clipboard) {
+-            // Insert the content editable at the top to avoid scrolling down in the board view
+-            pasteCatcher = document.createElement('div');
+-            pasteCatcher.id = 'screenshot-pastezone';
+-            pasteCatcher.contentEditable = true;
+-            pasteCatcher.style.opacity = 0;
+-            pasteCatcher.style.position = 'fixed';
+-            pasteCatcher.style.top = 0;
+-            pasteCatcher.style.right = 0;
+-            pasteCatcher.style.width = 0;
+-            document.body.insertBefore(pasteCatcher, document.body.firstChild);
+-
+-            pasteCatcher.focus();
+-
+-            // Set the focus when clicked anywhere in the document
+-            document.addEventListener('click', setFocus);
+-
+-            // Set the focus when clicked in screenshot dropzone
+-            document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+-        }
+-
+         window.addEventListener('paste', onPaste, false);
+     }
+ 
+-    function destroy() {
+-        if (KB.exists('#screenshot-pastezone')) {
+-            KB.find('#screenshot-pastezone').remove();
+-        }
+-
+-        document.removeEventListener('click', setFocus);
+-        pasteCatcher = null;
+-    }
+-    
+-    function setFocus() {
+-        if (pasteCatcher !== null) {
+-            pasteCatcher.focus();
+-        }
+-    }
+-    
+-    function checkInput() {
+-        var child = pasteCatcher.childNodes[0];
+-
+-        if (child) {
+-            // If the user pastes an image, the src attribute
+-            // will represent the image as a base64 encoded string.
+-            if (child.tagName === 'IMG') {
+-                createImage(child.src);
+-            }
+-        }
+-
+-        pasteCatcher.innerHTML = '';
+-    }
+-    
+     function createImage(blob) {
+         var pastedImage = new Image();
+         pastedImage.src = blob;
+@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) {
+         zone.className = 'screenshot-pasted';
+         zone.appendChild(pastedImage);
+ 
+-        destroy();
+         initialize();
+     }
+ 
+-    KB.on('modal.close', function () {
+-        destroy();
+-    });
+-
+     this.render = function () {
+         inputElement = KB.dom('input')
+             .attr('type', 'hidden')
diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series
--- kanboard-1.2.26+ds/debian/patches/series	2023-01-14 19:48:28.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/series	2023-05-28 21:41:20.000000000 -0400
@@ -5,3 +5,4 @@
 loosen_php_module_version_requirements.patch
 fix_version_testing.patch
 fix_plugin_dir_test.patch
+CVE-2023-32685.patch

--- End Message ---

--- Begin Message ---

• To: 1037072-done@bugs.debian.org, 1037076-done@bugs.debian.org, 1037078-done@bugs.debian.org, 1037079-done@bugs.debian.org, 1037082-done@bugs.debian.org
• Subject: closing still open unblock requests
• From: Paul Gevers <elbrus@debian.org>
• Date: Sun, 4 Jun 2023 21:46:56 +0200
• Message-id: <3333b6db-1b2b-305c-dd63-9664f0fa7e60@debian.org>

Hi,

The unblock requests that I'm closing in this message all came in after the deadline of 2023-05-28 12:00 UTC. We didn't have time to process them before the quiet period that started today.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

--- End Message ---