Package: release.debian.org Severity: normal X-Debbugs-Cc: twitter-bootstr...@packages.debian.org Control: affects -1 + src:twitter-bootstrap3 User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package twitter-bootstrap3 [ Reason ] CVE-2025-1647 [ Impact ] CVE-2025-1647 XSS injection [ Tests ] Manual using PoC + yadd review [ Risks ] Low change are minimal [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] Lack of upstream support (EOL) unblock twitter-bootstrap3/3.4.1+dfsg-6
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog --- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200 +++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-06-01 15:39:35.000000000 +0200 @@ -1,3 +1,26 @@ +twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium + + * Team upload + * Do not refresh patches compared to 3.4.1+dfsg-4 in order + to ease unblock to trixie. + + -- Bastien Roucariès <ro...@debian.org> Sun, 01 Jun 2025 15:39:35 +0200 + +twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium + + * Team upload + * Fix CVE-2025-1647 (Closes: #1105899) + Improper Neutralization of Input During Web Page + Generation (XSS or 'Cross-site Scripting') vulnerability + in Bootstrap allows Cross-Site Scripting (XSS) + DOM-based cross-site scripting (XSS) via DOM clobbering + occurs when an attacker manipulates the Document Object Model + (DOM) to overwrite or "clobber" an existing DOM object, + leading to the execution of malicious scripts, particularly + document.implementation variable. + + -- Bastien Roucariès <ro...@debian.org> Fri, 30 May 2025 18:17:56 +0200 + twitter-bootstrap3 (3.4.1+dfsg-4) unstable; urgency=medium * Team upload diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch --- twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 1970-01-01 01:00:00.000000000 +0100 +++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 2025-06-01 12:26:39.000000000 +0200 @@ -0,0 +1,73 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org> +Date: Fri, 30 May 2025 18:13:34 +0200 +Subject: CVE-2025-1647 + +Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability +in Bootstrap allows Cross-Site Scripting (XSS) + +DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker +manipulates the Document Object Model (DOM) to overwrite +or "clobber" an existing DOM object, leading to the execution +of malicious scripts. + +document.implementation should be tested against well known type + +Use DOMParser if possible (supported since 2015) in order to create a DoS in case +of document.implementation overriden. + +bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647 +bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647 +--- + js/tooltip.js | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/js/tooltip.js b/js/tooltip.js +index c8c1c8c..a5b923c 100644 +--- a/js/tooltip.js ++++ b/js/tooltip.js +@@ -99,6 +99,7 @@ + } + + function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) { ++ let doc = null + if (unsafeHtml.length === 0) { + return unsafeHtml + } +@@ -107,16 +108,21 @@ + return sanitizeFn(unsafeHtml) + } + +- // IE 8 and below don't support createHTMLDocument +- if (!document.implementation || !document.implementation.createHTMLDocument) { +- return unsafeHtml ++ try { ++ doc = new DOMParser().parseFromString(unsafeHtml, 'text/html'); ++ } catch (_) {} ++ if (!doc || !doc.documentElement) { ++ // IE 8 and below don't support createHTMLDocument ++ if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) { ++ throw new Error('Could not sanitize CVE-2025-1647'); ++ } ++ doc = document.implementation.createHTMLDocument('sanitization') ++ doc.body.innerHTML = unsafeHtml + } +- +- var createdDocument = document.implementation.createHTMLDocument('sanitization') +- createdDocument.body.innerHTML = unsafeHtml ++ const body = doc.body || doc.documentElement; + + var whitelistKeys = $.map(whiteList, function (el, i) { return i }) +- var elements = $(createdDocument.body).find('*') ++ var elements = $(body).find('*') + + for (var i = 0, len = elements.length; i < len; i++) { + var el = elements[i] +@@ -138,7 +144,7 @@ + } + } + +- return createdDocument.body.innerHTML ++ return body.innerHTML + } + + // TOOLTIP PUBLIC CLASS DEFINITION diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series --- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-04-10 23:47:00.000000000 +0200 +++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-06-01 12:26:39.000000000 +0200 @@ -1,3 +1,4 @@ 2001_privacy.patch 0002-CVE-2024-6484.patch 0003-CVE-2024-6485.patch +CVE-2025-1647.patch
signature.asc
Description: This is a digitally signed message part.
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
