Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: kanbo...@packages.debian.org, j...@nahmias.net Control: affects -1 + src:kanboard
Please unblock package kanboard

[ Reason ]
Security fix only for CVE-2023-32685 from kanboard v1.2.29
https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock kanboard/1.2.26+ds-3
diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000 -0400
+++ kanboard-1.2.26+ds/debian/changelog 2023-05-28 21:42:46.000000000 -0400
@@ -1,3 +1,11 @@
+kanboard (1.2.26+ds-3) unstable; urgency=medium
+
+ * backport fix for CVE-2023-32685 from kanboard v1.2.29
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+ Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
+
+ -- Joseph Nahmias <je...@debian.org> Sun, 28 May 2023 21:42:46 -0400
+
 kanboard (1.2.26+ds-2) unstable; urgency=medium
 
 * properly test for lighty-enable-mod.
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-05-28 21:41:20.000000000 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot <f...@kanboard.net>
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
++++ b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+- var pasteCatcher = null;
+ var inputElement = null;
+ 
+ function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+ }
+ 
+ function onPaste(e) {
+- // Firefox doesn't have the property e.clipboardData.items (only Chrome)
+ if (e.clipboardData && e.clipboardData.items) {
+ var items = e.clipboardData.items;
+ 
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+ }
+ }
+ }
+- } else {
+-
+- // Handle Firefox
+- setTimeout(checkInput, 100);
+ }
+ }
+ 
+ function initialize() {
+- destroy();
+-
+- if (! window.Clipboard) {
+- // Insert the content editable at the top to avoid scrolling down in the board view
+- pasteCatcher = document.createElement('div');
+- pasteCatcher.id = 'screenshot-pastezone';
+- pasteCatcher.contentEditable = true;
+- pasteCatcher.style.opacity = 0;
+- pasteCatcher.style.position = 'fixed';
+- pasteCatcher.style.top = 0;
+- pasteCatcher.style.right = 0;
+- pasteCatcher.style.width = 0;
+- document.body.insertBefore(pasteCatcher, document.body.firstChild);
+-
+- pasteCatcher.focus();
+-
+- // Set the focus when clicked anywhere in the document
+- document.addEventListener('click', setFocus);
+-
+- // Set the focus when clicked in screenshot dropzone
+- document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+- }
+-
+ window.addEventListener('paste', onPaste, false);
+ }
+ 
+- function destroy() {
+- if (KB.exists('#screenshot-pastezone')) {
+- KB.find('#screenshot-pastezone').remove();
+- }
+-
+- document.removeEventListener('click', setFocus);
+- pasteCatcher = null;
+- }
+-
+- function setFocus() {
+- if (pasteCatcher !== null) {
+- pasteCatcher.focus();
+- }
+- }
+-
+- function checkInput() {
+- var child = pasteCatcher.childNodes[0];
+-
+- if (child) {
+- // If the user pastes an image, the src attribute
+- // will represent the image as a base64 encoded string.
+- if (child.tagName === 'IMG') {
+- createImage(child.src);
+- }
+- }
+-
+- pasteCatcher.innerHTML = '';
+- }
+-
+ function createImage(blob) {
+ var pastedImage = new Image();
+ pastedImage.src = blob;
+@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) {
+ zone.className = 'screenshot-pasted';
+ zone.appendChild(pastedImage);
+ 
+- destroy();
+ initialize();
+ }
+ 
+- KB.on('modal.close', function () {
+- destroy();
+- });
+-
+ this.render = function () {
+ inputElement = KB.dom('input')
+ .attr('type', 'hidden')
diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series
--- kanboard-1.2.26+ds/debian/patches/series 2023-01-14 19:48:28.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/series 2023-05-28 21:41:20.000000000 -0400
@@ -5,3 +5,4 @@
 loosen_php_module_version_requirements.patch
 fix_version_testing.patch
 fix_plugin_dir_test.patch
+CVE-2023-32685.patch
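Review bot: Once `destroy()` and the `modal.close` handler are dropped (inner hunks `@@ -24,69 +22,13 @@` and `@@ -102,14 +44,9 @@`), nothing in the patched screenshot.js ever removes the `paste` listener that `initialize()` registers on `window`, so `onPaste` keeps running after the screenshot modal has been closed. The pre-patch code did not remove that listener either, so this is inherited rather than introduced, but the patch deletes the only teardown hook that could have done it; keeping `KB.on('modal.close', function () { window.removeEventListener('paste', onPaste, false); });` would close that gap. Repeated `initialize()` calls from `createImage` are harmless in themselves, since `addEventListener` ignores a duplicate registration of the same function with the same capture flag. The DEP-3 header would also be easier to audit with `Bug-Debian: https://bugs.debian.org/1036874` and the upstream commits 26b6eeb and c9c1872 cited in d/changelog named in `Origin:`, so the backport can be diffed against upstream. The enclosing `KB.component('screenshot', ...)` closure, including `onFileLoaded` and whatever type check the `items` loop applies before calling `createImage`, continues outside these hunks and cannot be confirmed here.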