
Bug#1037444: marked as done (bookworm-pu: package kanboard/1.2.26+ds-4)



Your message dated Sat, 22 Jul 2023 13:19:40 +0000
with message-id <E1qNCWK-005rnY-RA@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1037444,
regarding bookworm-pu: package kanboard/1.2.26+ds-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037444: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037444
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: kanboard@packages.debian.org, joe@nahmias.net
Control: affects -1 + src:kanboard

[ Reason ]
Security updates for kanboard since v1.2.26.

[ Tests ]
Upstream's unit test suite is run at build time and via autopkgtest.
There are also some other (superficial) autopkgtests.

[ Risks ]
All listed CVEs have targeted fixes picked from upstream GitHub.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Other info ]

My first stable update, so please advise if I missed anything.
--Joe
diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog	2023-05-16 22:49:38.000000000 -0400
+++ kanboard-1.2.26+ds/debian/changelog	2023-06-07 20:45:40.000000000 -0400
@@ -1,3 +1,24 @@
+kanboard (1.2.26+ds-4) unstable; urgency=medium
+
+  * backport security fixes from kanboard v1.2.30
+     > CVE-2023-33956: Parameter based Indirect Object Referencing leading
+       to private file exposure
+     > CVE-2023-33968: Missing access control allows user to move and
+       duplicate tasks to any project in the software
+     > CVE-2023-33969: Stored XSS in the Task External Link Functionality
+     > CVE-2023-33970: Missing access control in internal task links feature
+    (Closes: #1037167)
+
+ -- Joseph Nahmias <jello@debian.org>  Wed, 07 Jun 2023 20:45:40 -0400
+
+kanboard (1.2.26+ds-3) unstable; urgency=medium
+
+  * backport fix for CVE-2023-32685 from kanboard v1.2.29
+    https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+    Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
+
+ -- Joseph Nahmias <jello@debian.org>  Sun, 28 May 2023 21:42:46 -0400
+
 kanboard (1.2.26+ds-2) unstable; urgency=medium
 
   * properly test for lighty-enable-mod.
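Review bot: both new changelog entries (1.2.26+ds-3 and 1.2.26+ds-4) name `unstable` as the distribution, but this bug is a bookworm-pu request; a stable update normally targets `bookworm` and uses a version that sorts below the one in unstable (a `+deb12u1`-style suffix on the stable version) so the two builds do not collide. As shown, the distribution field would route the upload to unstable rather than to the stable proposed-updates queue, so this is worth confirming with the release team before uploading. The CVE list itself is clear and each entry names the upstream release the fix was taken from, which is what a stable reviewer wants to see.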
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch	2023-05-28 21:41:20.000000000 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot <fred@kanboard.net>
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
++++ b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+-    var pasteCatcher = null;
+     var inputElement = null;
+ 
+     function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+     }
+ 
+     function onPaste(e) {
+-        // Firefox doesn't have the property e.clipboardData.items (only Chrome)
+         if (e.clipboardData && e.clipboardData.items) {
+             var items = e.clipboardData.items;
+ 
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+                     }
+                 }
+             }
+-        } else {
+-
+-            // Handle Firefox
+-            setTimeout(checkInput, 100);
+         }
+     }
+ 
+     function initialize() {
+-        destroy();
+-
+-        if (! window.Clipboard) {
+-            // Insert the content editable at the top to avoid scrolling down in the board view
+-            pasteCatcher = document.createElement('div');
+-            pasteCatcher.id = 'screenshot-pastezone';
+-            pasteCatcher.contentEditable = true;
+-            pasteCatcher.style.opacity = 0;
+-            pasteCatcher.style.position = 'fixed';
+-            pasteCatcher.style.top = 0;
+-            pasteCatcher.style.right = 0;
+-            pasteCatcher.style.width = 0;
+-            document.body.insertBefore(pasteCatcher, document.body.firstChild);
+-
+-            pasteCatcher.focus();
+-
+-            // Set the focus when clicked anywhere in the document
+-            document.addEventListener('click', setFocus);
+-
+-            // Set the focus when clicked in screenshot dropzone
+-            document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+-        }
+-
+         window.addEventListener('paste', onPaste, false);
+     }
+ 
+-    function destroy() {
+-        if (KB.exists('#screenshot-pastezone')) {
+-            KB.find('#screenshot-pastezone').remove();
+-        }
+-
+-        document.removeEventListener('click', setFocus);
+-        pasteCatcher = null;
+-    }
+-    
+-    function setFocus() {
+-        if (pasteCatcher !== null) {
+-            pasteCatcher.focus();
+-        }
+-    }
+-    
+-    function checkInput() {
+-        var child = pasteCatcher.childNodes[0];
+-
+-        if (child) {
+-            // If the user pastes an image, the src attribute
+-            // will represent the image as a base64 encoded string.
+-            if (child.tagName === 'IMG') {
+-                createImage(child.src);
+-            }
+-        }
+-
+-        pasteCatcher.innerHTML = '';
+-    }
+-    
+     function createImage(blob) {
+         var pastedImage = new Image();
+         pastedImage.src = blob;
+@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) {
+         zone.className = 'screenshot-pasted';
+         zone.appendChild(pastedImage);
+ 
+-        destroy();
+         initialize();
+     }
+ 
+-    KB.on('modal.close', function () {
+-        destroy();
+-    });
+-
+     this.render = function () {
+         inputElement = KB.dom('input')
+             .attr('type', 'hidden')
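Review bot: the DEP-3 header says `Origin: upstream` without a commit reference, while the changelog entry for -3 says the patch is based on upstream commits 26b6eeb & c9c1872; put those ids (or the full commit URLs) in the `Origin:` field and the GHSA advisory URL in a `Bug:` line so a reviewer can diff the backport against upstream without consulting the changelog. The other four patches are `git format-patch` output with their hashes intact, so this hand-written one is the odd one out.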
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch	2023-06-07 20:29:21.000000000 -0400
@@ -0,0 +1,39 @@
+From 437b141fa2267df36976814e704517f30d2424bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Wed, 24 May 2023 20:36:34 -0700
+Subject: [PATCH] Fix Parameter based Indirect Object Referencing leading to
+ private file exposure
+
+---
+ app/Controller/BaseController.php | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
+index ca4ca081a8..5aab7e4c1b 100644
+--- a/app/Controller/BaseController.php
++++ b/app/Controller/BaseController.php
+@@ -89,10 +89,10 @@ protected function getTask()
+      * @access protected
+      * @return array
+      * @throws PageNotFoundException
+-     * @throws AccessForbiddenException
+      */
+     protected function getFile()
+     {
++        $project_id = $this->request->getIntegerParam('project_id');
+         $task_id = $this->request->getIntegerParam('task_id');
+         $file_id = $this->request->getIntegerParam('file_id');
+         $model = 'projectFileModel';
+@@ -108,7 +108,11 @@ protected function getFile()
+         }
+ 
+         if (isset($file['task_id']) && $file['task_id'] != $task_id) {
+-            throw new AccessForbiddenException();
++            throw new PageNotFoundException();
++        }
++
++        if (isset($file['project_id']) && $file['project_id'] != $project_id) {
++            throw new PageNotFoundException();
+         }
+ 
+         $file['model'] = $model;
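Review bot: `getFile()` now binds the requested file to both `task_id` and a new `project_id` request parameter and answers a mismatch with `PageNotFoundException` (404) instead of `AccessForbiddenException` (403), which stops the response from confirming that a guessed file id exists; dropping the `@throws AccessForbiddenException` docblock line keeps the documentation consistent with that. Since `getIntegerParam('project_id')` presumably yields a default that matches no stored `project_id` when the parameter is absent, every route and template link that reaches `getFile()` must now carry `project_id`, otherwise legitimate project-file access starts failing with 404; that should be verified against the stable package's routes and templates, which this debdiff does not touch, and ideally exercised by one of the autopkgtests.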
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch	2023-06-07 20:29:21.000000000 -0400
@@ -0,0 +1,67 @@
+From c20be8f5fa26e54005a90c645e80b11481a65053 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Mon, 29 May 2023 18:12:24 -0700
+Subject: [PATCH] Add missing project permission check for Move/Duplicate task
+ to another project
+
+---
+ app/Controller/TaskDuplicationController.php | 26 ++++++++++++++++----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/app/Controller/TaskDuplicationController.php b/app/Controller/TaskDuplicationController.php
+index 6ebb6d592c..a700d00036 100644
+--- a/app/Controller/TaskDuplicationController.php
++++ b/app/Controller/TaskDuplicationController.php
+@@ -2,6 +2,8 @@
+ 
+ namespace Kanboard\Controller;
+ 
++use Kanboard\Core\Controller\AccessForbiddenException;
++
+ /**
+  * Task Duplication controller
+  *
+@@ -50,14 +52,20 @@ public function move()
+             $values = $this->request->getValues();
+             list($valid, ) = $this->taskValidator->validateProjectModification($values);
+ 
+-            if ($valid && $this->taskProjectMoveModel->moveToProject($task['id'],
++            if ($valid) {
++                if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
++                    throw new AccessForbiddenException();
++                }
++
++                if ($this->taskProjectMoveModel->moveToProject($task['id'],
+                                                                 $values['project_id'],
+                                                                 $values['swimlane_id'],
+                                                                 $values['column_id'],
+                                                                 $values['category_id'],
+                                                                 $values['owner_id'])) {
+-                $this->flash->success(t('Task updated successfully.'));
+-                return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])));
++                    $this->flash->success(t('Task updated successfully.'));
++                    return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])));
++                }
+             }
+ 
+             $this->flash->failure(t('Unable to update your task.'));
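Review bot: the permission check is placed correctly, after `validateProjectModification($values)` and before `moveToProject()` runs, and it uses the session user id rather than anything from the request; but it only confirms the user may access the destination `$values['project_id']`, and nothing in this hunk ties `swimlane_id`, `column_id` and `category_id` to that project. If the validator does not already enforce that, it is worth confirming before accepting the backport. Throwing `AccessForbiddenException` instead of falling through to the generic 'Unable to update your task.' flash is also the better choice, as denied attempts become visible as 403s in the web server log.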
+@@ -80,9 +88,17 @@ public function copy()
+             list($valid, ) = $this->taskValidator->validateProjectModification($values);
+ 
+             if ($valid) {
++                if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
++                    throw new AccessForbiddenException();
++                }
++
+                 $task_id = $this->taskProjectDuplicationModel->duplicateToProject(
+-                    $task['id'], $values['project_id'], $values['swimlane_id'],
+-                    $values['column_id'], $values['category_id'], $values['owner_id']
++                    $task['id'],
++                    $values['project_id'],
++                    $values['swimlane_id'],
++                    $values['column_id'],
++                    $values['category_id'],
++                    $values['owner_id']
+                 );
+ 
+                 if ($task_id > 0) {
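Review bot: the `isUserAllowed()` guard here is a verbatim copy of the one added in `move()` above; a small protected helper in the controller (hypothetically `checkDestinationProjectAccess($project_id)`) that throws `AccessForbiddenException` would keep the two in sync and make it harder to omit the check from a third code path later. The reflow of the `duplicateToProject()` argument list is cosmetic and could be left out of a minimal stable backport to keep the debdiff focused on the security change.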
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch	2023-06-07 20:29:21.000000000 -0400
@@ -0,0 +1,36 @@
+From 05f1d23d821152cd61536d3b09e522c0f7573e3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Sun, 28 May 2023 21:10:33 -0700
+Subject: [PATCH] Avoid stored XSS in task external link
+
+---
+ app/Template/board/tooltip_external_links.php | 2 +-
+ app/Template/task_external_link/table.php     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/app/Template/board/tooltip_external_links.php b/app/Template/board/tooltip_external_links.php
+index 2c287adf24..fd5237ae3f 100644
+--- a/app/Template/board/tooltip_external_links.php
++++ b/app/Template/board/tooltip_external_links.php
+@@ -11,7 +11,7 @@
+                     <?= $link['type'] ?>
+                 </td>
+                 <td>
+-                    <a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?></a>
++                    <a href="<?= $this->text->e($link['url']) ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?></a>
+                 </td>
+                 <td>
+                     <?= $this->text->e($link['dependency_label']) ?>
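Review bot: `href` was the only attribute on this `<a>` still emitted unescaped while `title` and the link text already went through `$this->text->e()`, so the one-line change closes the attribute-injection case. Note that HTML-escaping constrains the markup but not the URL scheme; if the external-link validator does not already restrict stored URLs to http/https, that input-side allowlist is the complementary control, because `$this->text->e()` alone does not turn an unexpected scheme into a safe link.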
+diff --git a/app/Template/task_external_link/table.php b/app/Template/task_external_link/table.php
+index 315fada6d9..816f5335ee 100644
+--- a/app/Template/task_external_link/table.php
++++ b/app/Template/task_external_link/table.php
+@@ -29,7 +29,7 @@
+                 <?= $this->text->e($link['type']) ?>
+             </td>
+             <td>
+-                <a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a>
++                <a href="<?= $this->text->e($link['url']) ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a>
+             </td>
+             <td>
+                 <?= $this->text->e($link['dependency_label']) ?>
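Review bot: same fix as in the board tooltip template above, and the hidden `<span>` that repeats the URL was already escaped; since the inconsistency existed in two templates, the backport review should include a grep of `app/Template` for other `href="<?= $...['url'] ?>"` patterns that bypass `$this->text->e()`, because the upstream commit only covers the two files it touched.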
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch	2023-06-07 20:29:21.000000000 -0400
@@ -0,0 +1,85 @@
+From b501ef44bc28ee9cf603a4fa446ee121d66f652f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Mon, 29 May 2023 19:39:28 -0700
+Subject: [PATCH] Add missing permission check when creating/updating internal
+ links
+
+---
+ app/Api/Procedure/TaskLinkProcedure.php       | 18 ++++++++++++++++++
+ app/Controller/TaskInternalLinkController.php | 13 +++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/app/Api/Procedure/TaskLinkProcedure.php b/app/Api/Procedure/TaskLinkProcedure.php
+index 375266fb3a..e794f2bbdd 100644
+--- a/app/Api/Procedure/TaskLinkProcedure.php
++++ b/app/Api/Procedure/TaskLinkProcedure.php
+@@ -51,6 +51,15 @@ public function getAllTaskLinks($task_id)
+     public function createTaskLink($task_id, $opposite_task_id, $link_id)
+     {
+         TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id);
++
++        if ($this->userSession->isLogged()) {
++            $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
++
++            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++                return false;
++            }
++        }
++
+         return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id);
+     }
+ 
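Review bot: the new check is wrapped in `if ($this->userSession->isLogged())`, so API calls made with the application-level token rather than a user session skip the opposite-task project check entirely; that may be intentional (the application token is an administrative credential) but it should be stated in the patch description. Also `$this->taskFinderModel->getById($opposite_task_id)` is indexed as `$opposite_task['project_id']` without confirming a task was found, so a non-existent `opposite_task_id` hands `null` to `isUserAllowed()`; returning `false` early when `empty($opposite_task)` would make the failure explicit instead of depending on how `isUserAllowed()` treats a null project id.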
+@@ -67,6 +76,15 @@ public function createTaskLink($task_id, $opposite_task_id, $link_id)
+     public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id)
+     {
+         TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id);
++
++        if ($this->userSession->isLogged()) {
++            $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
++
++            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++                return false;
++            }
++        }
++
+         return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id);
+     }
+ 
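Review bot: identical block to the one in `createTaskLink()` above, with the same two points (application-token calls bypass it, and the `getById()` result is not checked for emptiness); a private helper, hypothetically `isOppositeTaskAccessible($opposite_task_id)` returning bool, would remove the duplication and give one place to fix both.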
+diff --git a/app/Controller/TaskInternalLinkController.php b/app/Controller/TaskInternalLinkController.php
+index 7ab01374a6..5f80a28bd7 100644
+--- a/app/Controller/TaskInternalLinkController.php
++++ b/app/Controller/TaskInternalLinkController.php
+@@ -2,6 +2,7 @@
+ 
+ namespace Kanboard\Controller;
+ 
++use Kanboard\Core\Controller\AccessForbiddenException;
+ use Kanboard\Core\Controller\PageNotFoundException;
+ 
+ /**
+@@ -53,6 +54,12 @@ public function save()
+         list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);
+ 
+         if ($valid) {
++            $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
++
++            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++                throw new AccessForbiddenException();
++            }
++
+             if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) {
+                 $this->flash->success(t('Link added successfully.'));
+ 
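Review bot: as in the API procedure, `$opposite_task['project_id']` is read without confirming `getById()` returned a row; here `PageNotFoundException` is already imported (see the `use` hunk above), so throwing it when `$opposite_task` is empty would match how the rest of the controller treats missing records and avoid passing `null` to `isUserAllowed()`. The check itself sits correctly after `validateCreation()` and before `taskLinkModel->create()`, and the user id comes from the session rather than the request.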
+@@ -121,6 +128,12 @@ public function update()
+         list($valid, $errors) = $this->taskLinkValidator->validateModification($values);
+ 
+         if ($valid) {
++            $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
++
++            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++                throw new AccessForbiddenException();
++            }
++
+             if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) {
+                 $this->flash->success(t('Link updated successfully.'));
+                 return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links');
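Review bot: duplicate of the `save()` guard above; the same empty-result caveat applies, and the five lines could be shared via one helper in this controller. For the backport it is also worth grepping the stable source for any other caller of `taskLinkModel->create()` or `->update()` besides the two entry points this patch covers, since any such caller would still lack the opposite-project check.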
diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series
--- kanboard-1.2.26+ds/debian/patches/series	2023-01-14 19:48:28.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/series	2023-06-07 20:32:55.000000000 -0400
@@ -5,3 +5,8 @@
 loosen_php_module_version_requirements.patch
 fix_version_testing.patch
 fix_plugin_dir_test.patch
+CVE-2023-32685.patch
+CVE-2023-33969.patch
+CVE-2023-33956.patch
+CVE-2023-33970.patch
+CVE-2023-33968.patch
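Review bot: the five new patches are appended in an order (32685, 33969, 33956, 33970, 33968) that differs from the changelog listing; this is harmless because the patches touch disjoint files (screenshot.js, BaseController.php, TaskDuplicationController.php, the two link templates, and TaskLinkProcedure.php plus TaskInternalLinkController.php), so none depends on another applying first, but listing them in CVE order would make the series easier to audit against the changelog.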

--- End Message ---
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
