Your message dated Sun, 01 Jun 2025 14:03:39 +0000
with message-id <e1uljhn-0029en...@respighi.debian.org>
and subject line unblock twitter-bootstrap3
has caused the Debian Bug report #1107087,
regarding unblock: twitter-bootstrap3/3.4.1+dfsg-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1107087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107087
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: twitter-bootstr...@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package twitter-bootstrap3
[ Reason ]
CVE-2025-1647
[ Impact ]
CVE-2025-1647 XSS injection
[ Tests ]
Manual using PoC + yadd review
[ Risks ]
Low, changes are minimal
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
Lack of upstream support (EOL)
unblock twitter-bootstrap3/3.4.1+dfsg-6
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-06-01 15:39:35.000000000 +0200
@@ -1,3 +1,26 @@
+twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium
+
+ * Team upload
+ * Do not refresh patches compared to 3.4.1+dfsg-4 in order
+ to ease unblock to trixie.
+
+ -- Bastien Roucariès <ro...@debian.org> Sun, 01 Jun 2025 15:39:35 +0200
+
+twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium
+
+ * Team upload
+ * Fix CVE-2025-1647 (Closes: #1105899)
+ Improper Neutralization of Input During Web Page
+ Generation (XSS or 'Cross-site Scripting') vulnerability
+ in Bootstrap allows Cross-Site Scripting (XSS)
+ DOM-based cross-site scripting (XSS) via DOM clobbering
+ occurs when an attacker manipulates the Document Object Model
+ (DOM) to overwrite or "clobber" an existing DOM object,
+ leading to the execution of malicious scripts, particularly
+ document.implementation variable.
+
+ -- Bastien Roucariès <ro...@debian.org> Fri, 30 May 2025 18:17:56 +0200
+
twitter-bootstrap3 (3.4.1+dfsg-4) unstable; urgency=medium
* Team upload
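Review bot: the 3.4.1+dfsg-5 entry does not record the behaviour change the patch introduces: on browsers with no DOMParser and no genuine document.implementation.createHTMLDocument, sanitizeHtml now throws Error('Could not sanitize CVE-2025-1647') where the old code returned the input unsanitized. Add a line such as " Note: sanitizeHtml now fails closed (throws) instead of returning unsanitized HTML on legacy browsers" so users reading the changelog know that tooltips/popovers with HTML content can error on old IE. Also the description runs two sentences together ("...in Bootstrap allows Cross-Site Scripting (XSS) DOM-based cross-site scripting (XSS) via DOM clobbering occurs when..."); a full stop after the first "(XSS)" and rewording "particularly document.implementation variable" to "in particular the document.implementation object" would read better.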
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 2025-06-01 12:26:39.000000000 +0200
@@ -0,0 +1,73 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Fri, 30 May 2025 18:13:34 +0200
+Subject: CVE-2025-1647
+
+Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability
+in Bootstrap allows Cross-Site Scripting (XSS)
+
+DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker
+manipulates the Document Object Model (DOM) to overwrite
+or "clobber" an existing DOM object, leading to the execution
+of malicious scripts.
+
+document.implementation should be tested against well known type
+
+Use DOMParser if possible (supported since 2015) in order to create a DoS in case
+of document.implementation overriden.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647
+bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647
+---
+ js/tooltip.js | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
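Review bot: the sentence "Use DOMParser if possible (supported since 2015) in order to create a DoS in case of document.implementation overriden" is misleading: what the code does is fail closed (throw instead of returning unsanitized HTML) when document.implementation has been clobbered, which is not a denial of service; suggest "fall back to throwing (fail closed) if document.implementation has been overridden", and fix the typo "overriden". "document.implementation should be tested against well known type" would be clearer as "document.implementation should be checked to be a real DOMImplementation", which is what the instanceof test below does. Since the code still special-cases IE 8 and below, "supported since 2015" should say which browser versions it refers to or cite a source, and the "bug:" line would be more useful as the DEP-3 "Bug:" field with a "Forwarded: not-needed" line given the EOL upstream noted in the unblock request.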
+diff --git a/js/tooltip.js b/js/tooltip.js
+index c8c1c8c..a5b923c 100644
+--- a/js/tooltip.js
++++ b/js/tooltip.js
+@@ -99,6 +99,7 @@
+ }
+
+ function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
++ let doc = null
+ if (unsafeHtml.length === 0) {
+ return unsafeHtml
+ }
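Review bot: "let doc = null" introduces ES2015 syntax into a file that otherwise uses "var" (see "var whitelistKeys" and "var elements" further down in this patch); on an engine that does not know "let" the whole of tooltip.js fails to parse, which is a harder failure than the one the patch guards against, and the project's lint settings may reject it as well. Use "var doc = null" here, "var body" instead of "const body" in the next hunk, and drop the trailing semicolons on the new lines to match the file's style.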
+@@ -107,16 +108,21 @@
+ return sanitizeFn(unsafeHtml)
+ }
+
+- // IE 8 and below don't support createHTMLDocument
+- if (!document.implementation || !document.implementation.createHTMLDocument) {
+- return unsafeHtml
++ try {
++ doc = new DOMParser().parseFromString(unsafeHtml, 'text/html');
++ } catch (_) {}
++ if (!doc || !doc.documentElement) {
++ // IE 8 and below don't support createHTMLDocument
++ if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) {
++ throw new Error('Could not sanitize CVE-2025-1647');
++ }
++ doc = document.implementation.createHTMLDocument('sanitization')
++ doc.body.innerHTML = unsafeHtml
+ }
+-
+- var createdDocument = document.implementation.createHTMLDocument('sanitization')
+- createdDocument.body.innerHTML = unsafeHtml
++ const body = doc.body || doc.documentElement;
+
+ var whitelistKeys = $.map(whiteList, function (el, i) { return i })
+- var elements = $(createdDocument.body).find('*')
++ var elements = $(body).find('*')
+
+ for (var i = 0, len = elements.length; i < len; i++) {
+ var el = elements[i]
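Review bot: two points on the new control flow. First, the behaviour change: where the old code returned unsafeHtml unsanitized when createHTMLDocument was missing, the new code throws Error('Could not sanitize CVE-2025-1647'); failing closed is the right choice for a sanitizer, but unless the callers (not shown here) catch it, the exception surfaces to whoever sets tooltip or popover content, so it should be documented in the changelog. Second, the DOMParser path parses unsafeHtml as a whole document rather than as body content, so the HTML parser places some leading elements (for example "<title>", "<meta>", "<style>") into "<head>", and "body.innerHTML" silently drops them, whereas the old "createdDocument.body.innerHTML = unsafeHtml" path kept them inside body. That is safe, since content is dropped rather than leaked, but it differs from upstream behaviour and deserves a comment. Minor: "doc.body" is always present for a 'text/html' parse and for a createHTMLDocument() document alike, so "doc.body || doc.documentElement" could be reduced to "doc.body", or the fallback explained in a comment.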
+@@ -138,7 +144,7 @@
+ }
+ }
+
+- return createdDocument.body.innerHTML
++ return body.innerHTML
+ }
+
+ // TOOLTIP PUBLIC CLASS DEFINITION
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-06-01 12:26:39.000000000 +0200
@@ -1,3 +1,4 @@
2001_privacy.patch
0002-CVE-2024-6484.patch
0003-CVE-2024-6485.patch
+CVE-2025-1647.patch
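Review bot: the new patch is named CVE-2025-1647.patch while the existing CVE patches use a numbered prefix (0002-CVE-2024-6484.patch, 0003-CVE-2024-6485.patch); naming it 0004-CVE-2025-1647.patch keeps the series convention and makes the apply order obvious at a glance.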
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---