Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4
Attached is a revised debdiff between 1.2.26+ds-2 and 1.2.26+ds-2+deb12u1.
--Joe
diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000 -0400
+++ kanboard-1.2.26+ds/debian/changelog 2023-06-15 23:02:33.000000000 -0400
@@ -1,3 +1,24 @@
+kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high
+
+ * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm.
+ * backport fix for CVE-2023-32685 from kanboard v1.2.29
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+ Based on upstream commits 26b6eeb & c9c1872.
+ (cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28)
+ (Closes: #1036874)
+ * backport security fixes from kanboard v1.2.30.
+ > CVE-2023-33956: Parameter based Indirect Object Referencing leading
+ to private file exposure
+ > CVE-2023-33968: Missing access control allows user to move and
+ duplicate tasks to any project in the software
+ > CVE-2023-33969: Stored XSS in the Task External Link Functionality
+ > CVE-2023-33970: Missing access control in internal task links feature
+ (cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa)
+ (Closes: #1037167)
+ * point gbp & salsa at bookworm
+
+ -- Joseph Nahmias <jello@debian.org> Thu, 15 Jun 2023 23:02:33 -0400
+
kanboard (1.2.26+ds-2) unstable; urgency=medium
* properly test for lighty-enable-mod.
diff -Nru kanboard-1.2.26+ds/debian/gbp.conf kanboard-1.2.26+ds/debian/gbp.conf
--- kanboard-1.2.26+ds/debian/gbp.conf 2023-05-09 06:27:15.000000000 -0400
+++ kanboard-1.2.26+ds/debian/gbp.conf 2023-06-15 23:02:33.000000000 -0400
@@ -1,3 +1,3 @@
[DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
pristine-tar = True
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-06-15 23:00:52.000000000 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot <fred@kanboard.net>
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
++++ b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+- var pasteCatcher = null;
+ var inputElement = null;
+
+ function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+ }
+
+ function onPaste(e) {
+- // Firefox doesn't have the property e.clipboardData.items (only Chrome)
+ if (e.clipboardData && e.clipboardData.items) {
+ var items = e.clipboardData.items;
+
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+ }
+ }
+ }
+- } else {
+-
+- // Handle Firefox
+- setTimeout(checkInput, 100);
+ }
+ }
+
+ function initialize() {
+- destroy();
+-
+- if (! window.Clipboard) {
+- // Insert the content editable at the top to avoid scrolling down in the board view
+- pasteCatcher = document.createElement('div');
+- pasteCatcher.id = 'screenshot-pastezone';
+- pasteCatcher.contentEditable = true;
+- pasteCatcher.style.opacity = 0;
+- pasteCatcher.style.position = 'fixed';
+- pasteCatcher.style.top = 0;
+- pasteCatcher.style.right = 0;
+- pasteCatcher.style.width = 0;
+- document.body.insertBefore(pasteCatcher, document.body.firstChild);
+-
+- pasteCatcher.focus();
+-
+- // Set the focus when clicked anywhere in the document
+- document.addEventListener('click', setFocus);
+-
+- // Set the focus when clicked in screenshot dropzone
+- document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+- }
+-
+ window.addEventListener('paste', onPaste, false);
+ }
+
+- function destroy() {
+- if (KB.exists('#screenshot-pastezone')) {
+- KB.find('#screenshot-pastezone').remove();
+- }
+-
+- document.removeEventListener('click', setFocus);
+- pasteCatcher = null;
+- }
+-
+- function setFocus() {
+- if (pasteCatcher !== null) {
+- pasteCatcher.focus();
+- }
+- }
+-
+- function checkInput() {
+- var child = pasteCatcher.childNodes[0];
+-
+- if (child) {
+- // If the user pastes an image, the src attribute
+- // will represent the image as a base64 encoded string.
+- if (child.tagName === 'IMG') {
+- createImage(child.src);
+- }
+- }
+-
+- pasteCatcher.innerHTML = '';
+- }
+-
+ function createImage(blob) {
+ var pastedImage = new Image();
+ pastedImage.src = blob;
+@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) {
+ zone.className = 'screenshot-pasted';
+ zone.appendChild(pastedImage);
+
+- destroy();
+ initialize();
+ }
+
+- KB.on('modal.close', function () {
+- destroy();
+- });
+-
+ this.render = function () {
+ inputElement = KB.dom('input')
+ .attr('type', 'hidden')
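Review bot: `createImage` still calls `initialize()` after appending the pasted image (the `initialize();` kept right below the removed `destroy();`), and `initialize()` unconditionally runs `window.addEventListener('paste', onPaste, false)`; now that all teardown is gone, every pasted image registers one more `paste` listener unless it is removed somewhere outside this hunk. This predates the patch (the old `destroy()` never removed that listener either), but since the patch already reshapes this component it would be cleaner to drop the `initialize();` call from `createImage` or guard the registration with a flag. Separately, the DEP-3 header says only `Origin: upstream`; the changelog names upstream commits 26b6eeb and c9c1872, so `Origin: upstream, https://github.com/kanboard/kanboard/commit/26b6eeb` (plus the second commit) would let reviewers locate the source directly. `createImage` begins before the last nested hunk and the component's `render` continues past the end of the file section.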
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch 2023-06-15 23:01:14.000000000 -0400
@@ -0,0 +1,39 @@
+From 437b141fa2267df36976814e704517f30d2424bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Wed, 24 May 2023 20:36:34 -0700
+Subject: [PATCH] Fix Parameter based Indirect Object Referencing leading to
+ private file exposure
+
+---
+ app/Controller/BaseController.php | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
+index ca4ca081a8..5aab7e4c1b 100644
+--- a/app/Controller/BaseController.php
++++ b/app/Controller/BaseController.php
+@@ -89,10 +89,10 @@ protected function getTask()
+ * @access protected
+ * @return array
+ * @throws PageNotFoundException
+- * @throws AccessForbiddenException
+ */
+ protected function getFile()
+ {
++ $project_id = $this->request->getIntegerParam('project_id');
+ $task_id = $this->request->getIntegerParam('task_id');
+ $file_id = $this->request->getIntegerParam('file_id');
+ $model = 'projectFileModel';
+@@ -108,7 +108,11 @@ protected function getFile()
+ }
+
+ if (isset($file['task_id']) && $file['task_id'] != $task_id) {
+- throw new AccessForbiddenException();
++ throw new PageNotFoundException();
++ }
++
++ if (isset($file['project_id']) && $file['project_id'] != $project_id) {
++ throw new PageNotFoundException();
+ }
+
+ $file['model'] = $model;
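Review bot: Both mismatch branches in `getFile` now throw `PageNotFoundException`, where the task branch previously threw `AccessForbiddenException`, and nothing in the hunk records why; a comment above the first check such as `// task_id/project_id from the request must match the stored file row; a mismatch is reported as not-found (presumably so the response does not distinguish "exists but wrong parameters" from "does not exist")` would preserve the intent for the next backport. The new `project_id` comparison only takes effect when the file row carries a `project_id` key, so whether task-file rows are also bound to a project cannot be verified from this hunk — worth confirming against the `$model` selection that follows `$model = 'projectFileModel';` outside the visible lines. `getFile` begins before the first nested hunk and its body continues past the second.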
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch 2023-06-15 23:01:14.000000000 -0400
@@ -0,0 +1,67 @@
+From c20be8f5fa26e54005a90c645e80b11481a65053 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Mon, 29 May 2023 18:12:24 -0700
+Subject: [PATCH] Add missing project permission check for Move/Duplicate task
+ to another project
+
+---
+ app/Controller/TaskDuplicationController.php | 26 ++++++++++++++++----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/app/Controller/TaskDuplicationController.php b/app/Controller/TaskDuplicationController.php
+index 6ebb6d592c..a700d00036 100644
+--- a/app/Controller/TaskDuplicationController.php
++++ b/app/Controller/TaskDuplicationController.php
+@@ -2,6 +2,8 @@
+
+ namespace Kanboard\Controller;
+
++use Kanboard\Core\Controller\AccessForbiddenException;
++
+ /**
+ * Task Duplication controller
+ *
+@@ -50,14 +52,20 @@ public function move()
+ $values = $this->request->getValues();
+ list($valid, ) = $this->taskValidator->validateProjectModification($values);
+
+- if ($valid && $this->taskProjectMoveModel->moveToProject($task['id'],
++ if ($valid) {
++ if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
++ throw new AccessForbiddenException();
++ }
++
++ if ($this->taskProjectMoveModel->moveToProject($task['id'],
+ $values['project_id'],
+ $values['swimlane_id'],
+ $values['column_id'],
+ $values['category_id'],
+ $values['owner_id'])) {
+- $this->flash->success(t('Task updated successfully.'));
+- return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])));
++ $this->flash->success(t('Task updated successfully.'));
++ return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])));
++ }
+ }
+
+ $this->flash->failure(t('Unable to update your task.'));
+@@ -80,9 +88,17 @@ public function copy()
+ list($valid, ) = $this->taskValidator->validateProjectModification($values);
+
+ if ($valid) {
++ if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
++ throw new AccessForbiddenException();
++ }
++
+ $task_id = $this->taskProjectDuplicationModel->duplicateToProject(
+- $task['id'], $values['project_id'], $values['swimlane_id'],
+- $values['column_id'], $values['category_id'], $values['owner_id']
++ $task['id'],
++ $values['project_id'],
++ $values['swimlane_id'],
++ $values['column_id'],
++ $values['category_id'],
++ $values['owner_id']
+ );
+
+ if ($task_id > 0) {
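Review bot: The destination-project check added to `move()` and `copy()` is the same three lines duplicated verbatim (`if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) { throw new AccessForbiddenException(); }`); a small private helper in this controller, e.g. `private function checkDestinationProjectAccess($project_id)`, would keep the two paths from drifting on a later backport. Both checks run only after `validateProjectModification` has accepted `$values`, so `$values['project_id']` is presumably guaranteed present there; if the validator does not require it, `isUserAllowed` would be called with a null project id and should be confirmed to deny in that case. `move()` and `copy()` both begin before their hunks and continue past them.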
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch 2023-06-15 23:01:14.000000000 -0400
@@ -0,0 +1,36 @@
+From 05f1d23d821152cd61536d3b09e522c0f7573e3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Sun, 28 May 2023 21:10:33 -0700
+Subject: [PATCH] Avoid stored XSS in task external link
+
+---
+ app/Template/board/tooltip_external_links.php | 2 +-
+ app/Template/task_external_link/table.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/app/Template/board/tooltip_external_links.php b/app/Template/board/tooltip_external_links.php
+index 2c287adf24..fd5237ae3f 100644
+--- a/app/Template/board/tooltip_external_links.php
++++ b/app/Template/board/tooltip_external_links.php
+@@ -11,7 +11,7 @@
+ <?= $link['type'] ?>
+ </td>
+ <td>
+- <a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?></a>
++ <a href="<?= $this->text->e($link['url']) ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?></a>
+ </td>
+ <td>
+ <?= $this->text->e($link['dependency_label']) ?>
+diff --git a/app/Template/task_external_link/table.php b/app/Template/task_external_link/table.php
+index 315fada6d9..816f5335ee 100644
+--- a/app/Template/task_external_link/table.php
++++ b/app/Template/task_external_link/table.php
+@@ -29,7 +29,7 @@
+ <?= $this->text->e($link['type']) ?>
+ </td>
+ <td>
+- <a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a>
++ <a href="<?= $this->text->e($link['url']) ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a>
+ </td>
+ <td>
+ <?= $this->text->e($link['dependency_label']) ?>
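Review bot: Escaping `$link['url']` with `$this->text->e()` inside `href` stops the value from breaking out of the attribute, but HTML escaping says nothing about the URL scheme; whether the external-link validator restricts stored URLs to http/https is not visible in this patch and is worth confirming, since that is the remaining control for a value rendered straight into `href`. In `tooltip_external_links.php` the context line `<?= $link['type'] ?>` is still unescaped while the sibling `table.php` uses `<?= $this->text->e($link['type']) ?>`; `type` is presumably a provider identifier rather than free text, but escaping it would make the two templates consistent. Both hunks sit inside a larger template block that begins and ends outside them.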
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch 2023-06-15 23:01:14.000000000 -0400
@@ -0,0 +1,85 @@
+From b501ef44bc28ee9cf603a4fa446ee121d66f652f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
+Date: Mon, 29 May 2023 19:39:28 -0700
+Subject: [PATCH] Add missing permission check when creating/updating internal
+ links
+
+---
+ app/Api/Procedure/TaskLinkProcedure.php | 18 ++++++++++++++++++
+ app/Controller/TaskInternalLinkController.php | 13 +++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/app/Api/Procedure/TaskLinkProcedure.php b/app/Api/Procedure/TaskLinkProcedure.php
+index 375266fb3a..e794f2bbdd 100644
+--- a/app/Api/Procedure/TaskLinkProcedure.php
++++ b/app/Api/Procedure/TaskLinkProcedure.php
+@@ -51,6 +51,15 @@ public function getAllTaskLinks($task_id)
+ public function createTaskLink($task_id, $opposite_task_id, $link_id)
+ {
+ TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id);
++
++ if ($this->userSession->isLogged()) {
++ $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
++
++ if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++ return false;
++ }
++ }
++
+ return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id);
+ }
+
+@@ -67,6 +76,15 @@ public function createTaskLink($task_id, $opposite_task_id, $link_id)
+ public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id)
+ {
+ TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id);
++
++ if ($this->userSession->isLogged()) {
++ $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
++
++ if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++ return false;
++ }
++ }
++
+ return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id);
+ }
+
+diff --git a/app/Controller/TaskInternalLinkController.php b/app/Controller/TaskInternalLinkController.php
+index 7ab01374a6..5f80a28bd7 100644
+--- a/app/Controller/TaskInternalLinkController.php
++++ b/app/Controller/TaskInternalLinkController.php
+@@ -2,6 +2,7 @@
+
+ namespace Kanboard\Controller;
+
++use Kanboard\Core\Controller\AccessForbiddenException;
+ use Kanboard\Core\Controller\PageNotFoundException;
+
+ /**
+@@ -53,6 +54,12 @@ public function save()
+ list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);
+
+ if ($valid) {
++ $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
++
++ if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++ throw new AccessForbiddenException();
++ }
++
+ if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) {
+ $this->flash->success(t('Link added successfully.'));
+
+@@ -121,6 +128,12 @@ public function update()
+ list($valid, $errors) = $this->taskLinkValidator->validateModification($values);
+
+ if ($valid) {
++ $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
++
++ if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
++ throw new AccessForbiddenException();
++ }
++
+ if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) {
+ $this->flash->success(t('Link updated successfully.'));
+ return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links');
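Review bot: Each new check dereferences `$opposite_task['project_id']` without confirming that `getById()` found a row — in `createTaskLink`, `updateTaskLink`, `save()` and `update()` alike; if the opposite task id does not exist, `getById` presumably returns false or an empty array, the offset read yields `null` (with a warning on PHP 8), and the outcome then depends on how `isUserAllowed(null, …)` behaves. Safer to fail closed explicitly: `if (empty($opposite_task) || ! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {`, unless `validateCreation`/`validateModification` already verify that the opposite task exists. In the two API procedures the check is skipped entirely when no user session is logged (application-token calls), which matches the existing `TaskAuthorization` pattern but deserves a one-line comment stating that this is intentional. All four enclosing methods continue past their hunks.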
diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series
--- kanboard-1.2.26+ds/debian/patches/series 2023-01-14 19:48:28.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/series 2023-06-15 23:01:14.000000000 -0400
@@ -5,3 +5,8 @@
loosen_php_module_version_requirements.patch
fix_version_testing.patch
fix_plugin_dir_test.patch
+CVE-2023-32685.patch
+CVE-2023-33969.patch
+CVE-2023-33956.patch
+CVE-2023-33970.patch
+CVE-2023-33968.patch
diff -Nru kanboard-1.2.26+ds/debian/salsa-ci.yml kanboard-1.2.26+ds/debian/salsa-ci.yml
--- kanboard-1.2.26+ds/debian/salsa-ci.yml 2023-05-09 06:27:15.000000000 -0400
+++ kanboard-1.2.26+ds/debian/salsa-ci.yml 2023-06-15 23:02:33.000000000 -0400
@@ -3,7 +3,7 @@
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
variables:
- RELEASE: 'unstable'
+ RELEASE: 'bookworm'
SALSA_CI_ENABLE_PIPELINE_ON_TAGS: 1
SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1
SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1