Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: twitter-bootstr...@packages.debian.org
Control: affects -1 + src:twitter-bootstrap4
User: release.debian....@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-6531

[ Impact ]
CVE-2024-6531 is not closed

[ Tests ]
No, but I tested the PoC

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE-2024-6531

[ Other info ]
May need a rebuild of the webpacked/bundled package

diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/changelog twitter-bootstrap4-4.6.1+dfsg1/debian/changelog
--- twitter-bootstrap4-4.6.1+dfsg1/debian/changelog	2022-11-25 06:37:10.000000000 +0100
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/changelog	2025-04-13 13:42:02.000000000 +0200
@@ -1,3 +1,21 @@
+twitter-bootstrap4 (4.6.1+dfsg1-4+deb12u1) bookworm; urgency=high
+
+  * Team upload
+  * Fix CVE-2024-6531 (XSS vulnerability):
+    An anchor element (<a>), when used for carousel navigation
+    with a data-slide attribute, can contain an href attribute
+    value that is not subject to proper content sanitization.
+    Improper extraction of the intended target carousel’s
+    #id from the href attribute can lead to use cases where
+    the click event’s preventDefault()
+    is not applied and the href is evaluated and executed.
+    As a result, restrictions are not applied to the data
+    that is evaluated, which can lead to potential
+    XSS vulnerabilities.
+    (Closes: #1084059)
+
+ -- Bastien Roucariès <ro...@debian.org>  Sun, 13 Apr 2025 13:42:02 +0200
+
 twitter-bootstrap4 (4.6.1+dfsg1-4) unstable; urgency=medium
 
   * Team upload
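Review bot: the changelog entry restates the CVE description but never says what the change actually does; add a short line such as `    The data-api click handler now returns false when the href selector or its target carousel is invalid, so the browser does not follow the href.` so a reader of d/changelog can tell the fix apart from the vulnerability text. It also omits the point raised under [ Other info ] that packages shipping a webpacked/bundled copy of the carousel JS may need a rebuild; recording that here is useful for the security tracker and for reverse-dependency maintainers.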
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch
--- twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch	2025-04-13 13:42:02.000000000 +0200
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Sun, 13 Apr 2025 12:33:22 +0200
+Subject: CVE-2024-6531
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+An anchor element (<a>), when used for carousel navigation with a data-slide attribute,
+can contain an href attribute value that is not subject to proper content sanitization.
+Improper extraction of the intended target carousel’s #id from the href attribute
+can lead to use cases where the click event’s preventDefault()
+is not applied and the href is evaluated and executed.
+As a result, restrictions are not applied to the data that is evaluated, which
+can lead to potential XSS vulnerabilities.
+
+return false in case of error that will avoid the XSS attack, and avoid further
+treatment by the handler.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-6531
+---
+ js/src/carousel.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/carousel.js b/js/src/carousel.js
+index 18732d0..9447da6 100644
+--- a/js/src/carousel.js
++++ b/js/src/carousel.js
+@@ -543,13 +543,13 @@ class Carousel {
+     const selector = Util.getSelectorFromElement(this)
+ 
+     if (!selector) {
+-      return
++      return false
+     }
+ 
+     const target = $(selector)[0]
+ 
+     if (!target || !$(target).hasClass(CLASS_NAME_CAROUSEL)) {
+-      return
++      return false
+     }
+ 
+     const config = {
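Review bot: the two `return` to `return false` changes at `if (!selector)` and `if (!target || !$(target).hasClass(CLASS_NAME_CAROUSEL))` only stop the navigation if this method is registered as a jQuery event handler, because it is jQuery that maps a `false` return value to `event.preventDefault()` plus `event.stopPropagation()`; the hunk context (`class Carousel {`, `Util.getSelectorFromElement(this)`) does not show the `$(document).on(...)` registration, so the upload should confirm that the method is still bound to the data-api click event and that the built `dist/` files shipped by the binary package are regenerated from `js/src/carousel.js` rather than left at the pre-patch build. Note that `return false` also stops propagation, which a plain `event.preventDefault()` would not, so ancestor click handlers no longer see these clicks; that behaviour change deserves a sentence in the patch description. As a style point, the DEP-3 block carries no `Origin:` or `Forwarded:` field saying whether this is the upstream fix or a Debian-specific one, and `bug-debian-security:` is not a standard DEP-3 field; `Bug-Debian:` plus a `Forwarded:` line would make the provenance clear.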
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series
--- twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series	2021-07-30 06:53:16.000000000 +0200
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series	2025-04-13 13:42:02.000000000 +0200
@@ -1,2 +1,3 @@
 do-not-update-copyright-year.diff
 dont-check-for-caniuse-lite-update.patch
+0003-CVE-2024-6531.patch
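Review bot: style point only: the new entry `0003-CVE-2024-6531.patch` uses a numbered prefix while the two existing entries in `series` are unnumbered; quilt accepts either, but one consistent scheme (numbering the older patches or naming this one `CVE-2024-6531.patch` in the existing style) keeps the series readable as further security patches land on the bookworm branch.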
