Attached is a revised debdiff between -2 and -2+deb12u1. --Joe
diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000 -0400 +++ kanboard-1.2.26+ds/debian/changelog 2023-06-15 23:02:33.000000000 -0400 @@ -1,3 +1,24 @@ +kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high + + * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm. + * backport fix for CVE-2023-32685 from kanboard v1.2.29 + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv + Based on upstream commits 26b6eeb & c9c1872. + (cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28) + (Closes: #1036874) + * backport security fixes from kanboard v1.2.30. + > CVE-2023-33956: Parameter based Indirect Object Referencing leading + to private file exposure + > CVE-2023-33968: Missing access control allows user to move and + duplicate tasks to any project in the software + > CVE-2023-33969: Stored XSS in the Task External Link Functionality + > CVE-2023-33970: Missing access control in internal task links feature + (cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa) + (Closes: #1037167) + * point gbp & salsa at bookworm + + -- Joseph Nahmias <je...@debian.org> Thu, 15 Jun 2023 23:02:33 -0400 + kanboard (1.2.26+ds-2) unstable; urgency=medium * properly test for lighty-enable-mod. diff -Nru kanboard-1.2.26+ds/debian/gbp.conf kanboard-1.2.26+ds/debian/gbp.conf --- kanboard-1.2.26+ds/debian/gbp.conf 2023-05-09 06:27:15.000000000 -0400 +++ kanboard-1.2.26+ds/debian/gbp.conf 2023-06-15 23:02:33.000000000 -0400 
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-06-15 23:00:52.000000000 -0400
@@ -0,0 +1,111 @@ +Description: fix for CVE-2023-32685 + Clipboard based cross-site scripting (blocked with default CSP) + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv +Author: Frédéric Guillot <f...@kanboard.net> +Origin: upstream +Last-Update: 2023-05-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js +index a8acd64..1130bd2 100644 +--- a/assets/js/components/screenshot.js ++++ b/assets/js/components/screenshot.js +@@ -1,5 +1,4 @@ + KB.component('screenshot', function (containerElement) { +- var pasteCatcher = null; + var inputElement = null; + + function onFileLoaded(e) { +@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) { + } + + function onPaste(e) { +- // Firefox doesn't have the property e.clipboardData.items (only Chrome) + if (e.clipboardData && e.clipboardData.items) { + var items = e.clipboardData.items; + +@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) { + } + } + } +- } else { +- +- // Handle Firefox +- setTimeout(checkInput, 100); + } + } + + function initialize() { +- destroy(); +- +- if (! 
window.Clipboard) { +- // Insert the content editable at the top to avoid scrolling down in the board view +- pasteCatcher = document.createElement('div'); +- pasteCatcher.id = 'screenshot-pastezone'; +- pasteCatcher.contentEditable = true; +- pasteCatcher.style.opacity = 0; +- pasteCatcher.style.position = 'fixed'; +- pasteCatcher.style.top = 0; +- pasteCatcher.style.right = 0; +- pasteCatcher.style.width = 0; +- document.body.insertBefore(pasteCatcher, document.body.firstChild); +- +- pasteCatcher.focus(); +- +- // Set the focus when clicked anywhere in the document +- document.addEventListener('click', setFocus); +- +- // Set the focus when clicked in screenshot dropzone +- document.getElementById('screenshot-zone').addEventListener('click', setFocus); +- } +- + window.addEventListener('paste', onPaste, false); + } + +- function destroy() { +- if (KB.exists('#screenshot-pastezone')) { +- KB.find('#screenshot-pastezone').remove(); +- } +- +- document.removeEventListener('click', setFocus); +- pasteCatcher = null; +- } +- +- function setFocus() { +- if (pasteCatcher !== null) { +- pasteCatcher.focus(); +- } +- } +- +- function checkInput() { +- var child = pasteCatcher.childNodes[0]; +- +- if (child) { +- // If the user pastes an image, the src attribute +- // will represent the image as a base64 encoded string. 
+- if (child.tagName === 'IMG') { +- createImage(child.src); +- } +- } +- +- pasteCatcher.innerHTML = ''; +- } +- + function createImage(blob) { + var pastedImage = new Image(); + pastedImage.src = blob; +@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) { + zone.className = 'screenshot-pasted'; + zone.appendChild(pastedImage); + +- destroy(); + initialize(); + } + +- KB.on('modal.close', function () { +- destroy(); +- }); +- + this.render = function () { + inputElement = KB.dom('input') + .attr('type', 'hidden') diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch --- kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch 1969-12-31 19:00:00.000000000 -0500 +++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33956.patch 2023-06-15 23:01:14.000000000 -0400 
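Review bot: The DEP-3 header of CVE-2023-32685.patch gives `Origin: upstream` with no reference, although the changelog names the upstream commits (26b6eeb & c9c1872) it was built from; DEP-3 expects the commit URL or id there, e.g. `Origin: upstream, https://github.com/kanboard/kanboard/commit/26b6eeb` plus `Applied-Upstream: 1.2.29`, so the backport stays traceable. In the remaining JavaScript, `createImage` still calls `initialize()` after the `destroy()` call was dropped, which only re-registers the `paste` listener that the first initialization (presumably from `render`) already attached; the DOM ignores a second identical registration, so it is harmless but misleading, and a comment such as `// no-op: the paste listener is already attached` or removing the call would make that clear. With the contentEditable paste catcher gone, browsers lacking `clipboardData.items` now silently do nothing on paste, which deserves a one-line comment in `onPaste` so the next maintainer does not reintroduce the contentEditable fallback that the advisory was about. The rest of `onPaste` and of the component lies outside the hunks.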
@@ -0,0 +1,39 @@ +From 437b141fa2267df36976814e704517f30d2424bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f...@kanboard.net> +Date: Wed, 24 May 2023 20:36:34 -0700 +Subject: [PATCH] Fix Parameter based Indirect Object Referencing leading to + private file exposure + +--- + app/Controller/BaseController.php | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php +index ca4ca081a8..5aab7e4c1b 100644 +--- a/app/Controller/BaseController.php ++++ b/app/Controller/BaseController.php +@@ -89,10 +89,10 @@ protected function getTask() + * @access protected + * @return array + * @throws PageNotFoundException +- * @throws AccessForbiddenException + */ + protected function getFile() + { ++ $project_id = $this->request->getIntegerParam('project_id'); + $task_id = $this->request->getIntegerParam('task_id'); + $file_id = $this->request->getIntegerParam('file_id'); + $model = 'projectFileModel'; +@@ -108,7 +108,11 @@ protected function getFile() + } + + if (isset($file['task_id']) && $file['task_id'] != $task_id) { +- throw new AccessForbiddenException(); ++ throw new PageNotFoundException(); ++ } ++ ++ if (isset($file['project_id']) && $file['project_id'] != $project_id) { ++ throw new PageNotFoundException(); + } + + $file['model'] = $model; diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch --- kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch 1969-12-31 19:00:00.000000000 -0500 +++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33968.patch 2023-06-15 23:01:14.000000000 -0400 
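Review bot: The new check binds a file to the request's `project_id` only when the row carries that column (`isset($file['project_id'])`); the mirrored `isset($file['task_id'])` guard suggests the two file models expose different columns, so for rows without `project_id` the binding still rests on `task_id` alone and on whatever authorization the calling controller performed outside this hunk, which is worth confirming for each 1.2.26 route that reaches `getFile()`. Because the value comes from `getIntegerParam('project_id')`, a route that reaches `getFile()` without that parameter will presumably get a default that never matches and 404 on every project file, so the backport should be checked against the 1.2.26 callers rather than the 1.2.30 route set. The `!=` comparison relies on loose int/string equality with the DB value; `(int) $file['project_id'] !== $project_id` makes the intent explicit. A comment above the two checks would record why both exist, e.g. `// A valid file_id must also match the task/project named in the URL; otherwise it is treated as not found.` `getFile()` ends outside the hunk.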
@@ -0,0 +1,67 @@ +From c20be8f5fa26e54005a90c645e80b11481a65053 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f...@kanboard.net> +Date: Mon, 29 May 2023 18:12:24 -0700 +Subject: [PATCH] Add missing project permission check for Move/Duplicate task + to another project + +--- + app/Controller/TaskDuplicationController.php | 26 ++++++++++++++++---- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/app/Controller/TaskDuplicationController.php b/app/Controller/TaskDuplicationController.php +index 6ebb6d592c..a700d00036 100644 +--- a/app/Controller/TaskDuplicationController.php ++++ b/app/Controller/TaskDuplicationController.php +@@ -2,6 +2,8 @@ + + namespace Kanboard\Controller; + ++use Kanboard\Core\Controller\AccessForbiddenException; ++ + /** + * Task Duplication controller + * +@@ -50,14 +52,20 @@ public function move() + $values = $this->request->getValues(); + list($valid, ) = $this->taskValidator->validateProjectModification($values); + +- if ($valid && $this->taskProjectMoveModel->moveToProject($task['id'], ++ if ($valid) { ++ if (! 
$this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) { ++ throw new AccessForbiddenException(); ++ } ++ ++ if ($this->taskProjectMoveModel->moveToProject($task['id'], + $values['project_id'], + $values['swimlane_id'], + $values['column_id'], + $values['category_id'], + $values['owner_id'])) { +- $this->flash->success(t('Task updated successfully.')); +- return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id']))); ++ $this->flash->success(t('Task updated successfully.')); ++ return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id']))); ++ } + } + + $this->flash->failure(t('Unable to update your task.')); +@@ -80,9 +88,17 @@ public function copy() + list($valid, ) = $this->taskValidator->validateProjectModification($values); + + if ($valid) { ++ if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) { ++ throw new AccessForbiddenException(); ++ } ++ + $task_id = $this->taskProjectDuplicationModel->duplicateToProject( +- $task['id'], $values['project_id'], $values['swimlane_id'], +- $values['column_id'], $values['category_id'], $values['owner_id'] ++ $task['id'], ++ $values['project_id'], ++ $values['swimlane_id'], ++ $values['column_id'], ++ $values['category_id'], ++ $values['owner_id'] + ); + + if ($task_id > 0) { diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch --- kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch 1969-12-31 19:00:00.000000000 -0500 +++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33969.patch 2023-06-15 23:01:14.000000000 -0400 
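Review bot: The same membership check is now pasted into both `move()` and `copy()` (the second hunk); extracting it into one private helper keeps the two paths from drifting and gives the decision a name. `isUserAllowed()` appears to test only whether the user belongs to the destination project; whether it also excludes read-only roles is not visible here and should be confirmed, since moving or duplicating a task into a project is a write on that project. The start of `copy()` and the end of `move()` lie outside the hunks.
```php
    /**
     * Ensure the current user may write into the destination project.
     *
     * @param  array $values  Validated form values, must contain project_id
     * @throws AccessForbiddenException
     */
    private function checkDestinationProject(array $values)
    {
        if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
            throw new AccessForbiddenException();
        }
    }
    // … unchanged: move() and copy() call $this->checkDestinationProject($values) inside their if ($valid) branch …
```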
@@ -0,0 +1,36 @@ +From 05f1d23d821152cd61536d3b09e522c0f7573e3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f...@kanboard.net> +Date: Sun, 28 May 2023 21:10:33 -0700 +Subject: [PATCH] Avoid stored XSS in task external link + +--- + app/Template/board/tooltip_external_links.php | 2 +- + app/Template/task_external_link/table.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/app/Template/board/tooltip_external_links.php b/app/Template/board/tooltip_external_links.php +index 2c287adf24..fd5237ae3f 100644 +--- a/app/Template/board/tooltip_external_links.php ++++ b/app/Template/board/tooltip_external_links.php +@@ -11,7 +11,7 @@ + <?= $link['type'] ?> + </td> + <td> +- <a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?></a> ++ <a href="<?= $this->text->e($link['url']) ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?></a> + </td> + <td> + <?= $this->text->e($link['dependency_label']) ?> +diff --git a/app/Template/task_external_link/table.php b/app/Template/task_external_link/table.php +index 315fada6d9..816f5335ee 100644 +--- a/app/Template/task_external_link/table.php ++++ b/app/Template/task_external_link/table.php +@@ -29,7 +29,7 @@ + <?= $this->text->e($link['type']) ?> + </td> + <td> +- <a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a> ++ <a href="<?= $this->text->e($link['url']) ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a> + </td> + <td> + <?= $this->text->e($link['dependency_label']) ?> diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch 
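Review bot: Escaping `href` with `$this->text->e()` (which appears to be plain HTML escaping) stops the attribute break-out, but an HTML-escaped `javascript:` URL is still a live link, so the fix only holds if the external-link validator, outside this patch, restricts the scheme; a comment on the `href` recording that assumption, or an explicit scheme allowlist in the validator, would make the boundary visible. In the same hunk of tooltip_external_links.php the context line `<?= $link['type'] ?>` is still printed raw while table.php escapes it as `<?= $this->text->e($link['type']) ?>`; `type` is presumably an internal provider id, but the two templates should agree. Both anchors open with `target="_blank"` and no `rel`; adding `rel="noopener noreferrer"` keeps the linked page from reaching `window.opener`.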
kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch 1969-12-31 19:00:00.000000000 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-33970.patch 2023-06-15 23:01:14.000000000 -0400
@@ -0,0 +1,85 @@ +From b501ef44bc28ee9cf603a4fa446ee121d66f652f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f...@kanboard.net> +Date: Mon, 29 May 2023 19:39:28 -0700 +Subject: [PATCH] Add missing permission check when creating/updating internal + links + +--- + app/Api/Procedure/TaskLinkProcedure.php | 18 ++++++++++++++++++ + app/Controller/TaskInternalLinkController.php | 13 +++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/app/Api/Procedure/TaskLinkProcedure.php b/app/Api/Procedure/TaskLinkProcedure.php +index 375266fb3a..e794f2bbdd 100644 +--- a/app/Api/Procedure/TaskLinkProcedure.php ++++ b/app/Api/Procedure/TaskLinkProcedure.php +@@ -51,6 +51,15 @@ public function getAllTaskLinks($task_id) + public function createTaskLink($task_id, $opposite_task_id, $link_id) + { + TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id); ++ ++ if ($this->userSession->isLogged()) { ++ $opposite_task = $this->taskFinderModel->getById($opposite_task_id); ++ ++ if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) { ++ return false; ++ } ++ } ++ + return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id); + } + +@@ -67,6 +76,15 @@ public function createTaskLink($task_id, $opposite_task_id, $link_id) + public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id) + { + TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id); ++ ++ if ($this->userSession->isLogged()) { ++ $opposite_task = $this->taskFinderModel->getById($opposite_task_id); ++ ++ if (! 
$this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) { ++ return false; ++ } ++ } ++ + return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id); + } + +diff --git a/app/Controller/TaskInternalLinkController.php b/app/Controller/TaskInternalLinkController.php +index 7ab01374a6..5f80a28bd7 100644 +--- a/app/Controller/TaskInternalLinkController.php ++++ b/app/Controller/TaskInternalLinkController.php +@@ -2,6 +2,7 @@ + + namespace Kanboard\Controller; + ++use Kanboard\Core\Controller\AccessForbiddenException; + use Kanboard\Core\Controller\PageNotFoundException; + + /** +@@ -53,6 +54,12 @@ public function save() + list($valid, $errors) = $this->taskLinkValidator->validateCreation($values); + + if ($valid) { ++ $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']); ++ ++ if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) { ++ throw new AccessForbiddenException(); ++ } ++ + if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) { + $this->flash->success(t('Link added successfully.')); + +@@ -121,6 +128,12 @@ public function update() + list($valid, $errors) = $this->taskLinkValidator->validateModification($values); + + if ($valid) { ++ $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']); ++ ++ if (! 
$this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) { ++ throw new AccessForbiddenException(); ++ } ++ + if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) { + $this->flash->success(t('Link updated successfully.')); + return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links'); diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series --- kanboard-1.2.26+ds/debian/patches/series 2023-01-14 19:48:28.000000000 -0500 +++ kanboard-1.2.26+ds/debian/patches/series 2023-06-15 23:01:14.000000000 -0400 @@ -5,3 +5,8 @@ loosen_php_module_version_requirements.patch fix_version_testing.patch fix_plugin_dir_test.patch +CVE-2023-32685.patch +CVE-2023-33969.patch +CVE-2023-33956.patch +CVE-2023-33970.patch +CVE-2023-33968.patch diff -Nru kanboard-1.2.26+ds/debian/salsa-ci.yml kanboard-1.2.26+ds/debian/salsa-ci.yml --- kanboard-1.2.26+ds/debian/salsa-ci.yml 2023-05-09 06:27:15.000000000 -0400 +++ kanboard-1.2.26+ds/debian/salsa-ci.yml 2023-06-15 23:02:33.000000000 -0400 @@ -3,7 +3,7 @@ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml variables: - RELEASE: 'unstable' + RELEASE: 'bookworm' SALSA_CI_ENABLE_PIPELINE_ON_TAGS: 1 SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1 SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1
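Review bot: `$opposite_task = $this->taskFinderModel->getById(...)` is dereferenced as `$opposite_task['project_id']` without checking that the lookup succeeded, in all four added blocks (both API procedures and both controller actions); if the id does not resolve, `isUserAllowed()` receives a null project id and the outcome depends on how that method treats it rather than on an explicit decision. Guarding it fails closed: `if (empty($opposite_task) || ! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {`. In the API procedures the failed check returns `false` while the `TaskAuthorization` check on the preceding line throws, so a client cannot tell a permission denial from a model failure, and the `isLogged()` guard means the check is skipped for non-user (application token) API calls, which is presumably intended and worth a comment such as `// Application tokens are not bound to a user; only user sessions are checked against the opposite project.` The same guard is repeated four times, so a shared private method or a helper on the permission model would keep it in one place. `save()`, `update()` and both procedures start outside the hunks.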