Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: twitter-bootstr...@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian....@packages.debian.org
Usertags: pu


[ Reason ]
XSS security problems

[ Impact ]
Vulnerability to XSS attack

[ Tests ]
No but tested manually using POC.

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE-2024-6485/CVE-2024-6484

[ Other info ]
May need a rebuild of statically linked (webpacked/rollup...) packages.
But this first needs to get into bookworm.
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2022-12-18 00:30:51.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2025-04-10 23:47:00.000000000 +0200
@@ -1,3 +1,28 @@
+twitter-bootstrap3 (3.4.1+dfsg-3+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix CVE-2024-6485:
+    A security vulnerability has been discovered in bootstrap
+    that could enable Cross-Site Scripting (XSS) attacks.
+    The vulnerability is associated with the data-loading-text
+    attribute within the button plugin.
+    This vulnerability can be exploited by injecting malicious
+    JavaScript code into the attribute, which would then be
+    executed when the button's loading state is triggered.
+    (Closes: #1084060)
+  * Fix CVE-2024-6484:
+    A vulnerability has been identified in Bootstrap that
+    exposes users to Cross-Site Scripting (XSS) attacks.
+    The issue is present in the carousel component, where the
+    data-slide and data-slide-to attributes can be exploited
+    through the href attribute of an <a> tag due to inadequate
+    sanitization. This vulnerability could potentially enable
+    attackers to execute arbitrary JavaScript within
+    the victim's browser.
+    (Closes: #1084060)
+
+ -- Bastien Roucariès <ro...@debian.org>  Thu, 10 Apr 2025 23:47:00 +0200
+
 twitter-bootstrap3 (3.4.1+dfsg-3) unstable; urgency=medium
 
   [ Yadd ]
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch	2025-04-10 23:47:00.000000000 +0200
@@ -0,0 +1,27 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Thu, 10 Apr 2025 23:36:04 +0200
+Subject: CVE-2024-6484
+
+Fix this vulnerability by checking before calling if the target is a carousel
+and disabling further event calling if not
+
+origin: backport, https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
+---
+ js/carousel.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/js/carousel.js b/js/carousel.js
+index a5fcac3..058d3d3 100644
+--- a/js/carousel.js
++++ b/js/carousel.js
+@@ -217,7 +217,7 @@
+     var target  = $this.attr('data-target') || href
+     var $target = $(document).find(target)
+ 
+-    if (!$target.hasClass('carousel')) return
++    if (!$target.hasClass('carousel')) return false;
+ 
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
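Review bot: The new `return false;` on the carousel guard carries a trailing semicolon while every surrounding line in this hunk (`var target …`, `var $target …`, `var options …`) follows the file's semicolon-free style; for consistency write `if (!$target.hasClass('carousel')) return false`. The reason for `false` rather than a bare `return` is not stated in the code: in a jQuery-bound handler, returning false also triggers preventDefault() and stopPropagation(), which is what stops the `href` from being followed when the target is not a carousel, so a one-line comment above it, `// return false: jQuery then calls preventDefault(), so the href is never followed for non-carousel targets (CVE-2024-6484)`, would preserve that intent for the next backporter. The enclosing click handler begins and ends outside this hunk, so whether it is bound through jQuery's event API (which is what gives `return false` that effect) cannot be confirmed from here.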
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch	2025-04-10 23:47:00.000000000 +0200
@@ -0,0 +1,42 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Thu, 10 Apr 2025 23:41:07 +0200
+Subject: CVE-2024-6485
+
+Sanitize data[state] avoiding thus XSS
+
+origin: backport, https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
+---
+ js/button.js | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/js/button.js b/js/button.js
+index ff4af20..6569240 100644
+--- a/js/button.js
++++ b/js/button.js
+@@ -25,6 +25,15 @@
+     loadingText: 'loading...'
+   }
+ 
++  Button.prototype.sanitize = function (unsafeText) {
++    return unsafeText
++      .replace(/&/g, '&amp;')
++      .replace(/</g, '&lt;')
++      .replace(/>/g, '&gt;')
++      .replace(/"/g, '&quot;')
++      .replace(/'/g, '&#039;');
++  }
++
+   Button.prototype.setState = function (state) {
+     var d    = 'disabled'
+     var $el  = this.$element
+@@ -37,7 +46,7 @@
+ 
+     // push to event loop to allow forms to submit
+     setTimeout($.proxy(function () {
+-      $el[val](data[state] == null ? this.options[state] : data[state])
++      $el[val](data[state] == null ? this.options[state] : this.sanitize(data[state]))
+ 
+       if (state == 'loadingText') {
+         this.isLoading = true
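Review bot: `this.sanitize(data[state])` is applied whichever setter `$el[val]` resolves to, and if `val` is `'val'` for input elements (the line choosing it is outside the hunk, so this is inferred from the name) the entity-escaped text is stored verbatim in the value, so a `data-loading-text` containing `&`, `<` or quotes would display as `&amp;`, `&lt;`, `&quot;`; `.val()` does not parse HTML, so escaping is only needed on the `.html()` path: `$el[val](data[state] == null ? this.options[state] : (val == 'html' ? this.sanitize(data[state]) : data[state]))`. `sanitize` also assumes a string: jQuery's `.data()` converts numeric-looking attribute values to numbers, so a `data-loading-text="42"` would make `.replace` throw a TypeError where the old code set the value, and coercing first, `return String(unsafeText)`, keeps that case working. The asymmetry that `this.options[state]` (the JavaScript-supplied option) is not escaped while the data-attribute value is looks deliberate, since the former comes from page code rather than markup, but deserves a comment on the `sanitize` definition stating that it escapes markup-supplied text only. The `setState` body continues past the end of this hunk.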
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2022-12-18 00:30:51.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2025-04-10 23:47:00.000000000 +0200
@@ -1 +1,3 @@
 2001_privacy.patch
+0002-CVE-2024-6484.patch
+0003-CVE-2024-6485.patch
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml
--- twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml	2022-12-18 00:30:51.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml	2025-04-10 23:47:00.000000000 +0200
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'
