Please see attached proposed debdiff for fixing CVE-2023-36813 in bookworm.

--Joe
diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog	2023-06-15 23:02:33.000000000 -0400
+++ kanboard-1.2.26+ds/debian/changelog	2023-07-12 20:13:20.000000000 -0400
@@ -1,3 +1,13 @@
+kanboard (1.2.26+ds-2+deb12u2) bookworm; urgency=high
+
+  * backport fix for CVE-2023-36813: Multiple Authenticated SQL Injections
+    https://github.com/kanboard/kanboard/security/advisories/GHSA-9gvq-78jp-jxcx
+    Fix picked from kanboard v1.2.31
+    https://github.com/kanboard/kanboard/commit/25b93343baeaf8ad
+    (Closes: #1040265)
+
+ -- Joseph Nahmias <je...@debian.org>  Wed, 12 Jul 2023 20:13:20 -0400
+
 kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high
 
   * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm.
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-36813.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-36813.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-36813.patch	1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-36813.patch	2023-07-12 19:58:45.000000000 -0400
@@ -0,0 +1,34 @@
+From 25b93343baeaf8ad018dcd87b094e47a5c6a3e0a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f...@kanboard.net>
+Date: Fri, 30 Jun 2023 21:08:11 -0700
+Subject: [PATCH] Avoid potential SQL injections without breaking compatibility
+ with plugins
+
+---
+ libs/picodb/lib/PicoDb/Database.php | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libs/picodb/lib/PicoDb/Database.php b/libs/picodb/lib/PicoDb/Database.php
+index 22c9d2fb61..df017ed82b 100644
+--- a/libs/picodb/lib/PicoDb/Database.php
++++ b/libs/picodb/lib/PicoDb/Database.php
+@@ -5,6 +5,7 @@
+ use Closure;
+ use PDOException;
+ use LogicException;
++use PicoDb\SQLException;
+ use PicoDb\Driver\Mssql;
+ use PicoDb\Driver\Sqlite;
+ use PicoDb\Driver\Mysql;
+@@ -215,6 +216,11 @@ public function escapeIdentifier($value, $table = '')
+             return $value;
+         }
+ 
++        // Avoid potential SQL injection
++        if (preg_match('/^[a-z0-9_]+$/', $value) === 0) {
++            throw new SQLException('Invalid identifier: '.$value);
++        }
++
+         if (! empty($table)) {
+             return $this->driver->escape($table).'.'.$this->driver->escape($value);
+         }
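Review bot: The guard added inside escapeIdentifier() tests `preg_match(...) === 0`, so a `false` return (a PCRE error rather than a non-match) would fall through to the escape call; the stricter form is `if (preg_match('/^[a-z0-9_]+$/D', $value) !== 1) {`, where `D` also stops `$` from accepting a trailing newline that the pattern otherwise lets through. With this simple pattern and no `u` modifier a PCRE error is unlikely, so this is hardening rather than a bypass, and as a backport it may be preferable to keep the upstream text verbatim. The pattern is also case-sensitive, so any bookworm plugin passing upper-case identifiers will now receive an SQLException where it previously worked; worth a check against the packaged plugins before upload. The inner hunk's escapeIdentifier() starts and ends outside the hunk, so the condition behind the `return $value;` on the early-return path is not visible here.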
diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series
--- kanboard-1.2.26+ds/debian/patches/series	2023-06-15 23:01:14.000000000 -0400
+++ kanboard-1.2.26+ds/debian/patches/series	2023-07-12 19:59:09.000000000 -0400
@@ -10,3 +10,4 @@
 CVE-2023-33956.patch
 CVE-2023-33970.patch
 CVE-2023-33968.patch
+CVE-2023-36813.patch
