Package: release.debian.org
Severity: normal
X-Debbugs-Cc: twitter-bootstr...@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package twitter-bootstrap3

[ Reason ]
CVE-2025-1647


[ Impact ]
CVE-2025-1647 XSS injection


[ Tests ]
Manual using PoC + yadd review

[ Risks ]
Low, the changes are minimal

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Lack of upstream support (EOL)

unblock twitter-bootstrap3/3.4.1+dfsg-6
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2025-06-01 15:39:35.000000000 +0200
@@ -1,3 +1,26 @@
+twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium
+
+  * Team upload
+  * Do not refresh patches compared to 3.4.1+dfsg-4 in order
+    to ease unblock to trixie.
+
+ -- Bastien Roucariès <ro...@debian.org>  Sun, 01 Jun 2025 15:39:35 +0200
+
+twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium
+
+  * Team upload
+  * Fix CVE-2025-1647 (Closes: #1105899)
+    Improper Neutralization of Input During Web Page
+    Generation (XSS or 'Cross-site Scripting') vulnerability
+    in Bootstrap allows Cross-Site Scripting (XSS)
+    DOM-based cross-site scripting (XSS) via DOM clobbering
+    occurs when an attacker manipulates the Document Object Model
+    (DOM) to overwrite or "clobber" an existing DOM object,
+    leading to the execution of malicious scripts, particularly
+    document.implementation variable.
+
+ -- Bastien Roucariès <ro...@debian.org>  Fri, 30 May 2025 18:17:56 +0200
+
 twitter-bootstrap3 (3.4.1+dfsg-4) unstable; urgency=medium
 
   * Team upload
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch	2025-06-01 12:26:39.000000000 +0200
@@ -0,0 +1,73 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Fri, 30 May 2025 18:13:34 +0200
+Subject: CVE-2025-1647
+
+Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability
+in Bootstrap allows Cross-Site Scripting (XSS)
+
+DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker
+manipulates the Document Object Model (DOM) to overwrite
+or "clobber" an existing DOM object, leading to the execution
+of malicious scripts.
+
+document.implementation should be tested against well known type
+
+Use DOMParser if possible (supported since 2015) in order to create a DoS in case
+of document.implementation overriden.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647
+bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647
+---
+ js/tooltip.js | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/js/tooltip.js b/js/tooltip.js
+index c8c1c8c..a5b923c 100644
+--- a/js/tooltip.js
++++ b/js/tooltip.js
+@@ -99,6 +99,7 @@
+   }
+ 
+   function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
++    let doc = null
+     if (unsafeHtml.length === 0) {
+       return unsafeHtml
+     }
+@@ -107,16 +108,21 @@
+       return sanitizeFn(unsafeHtml)
+     }
+ 
+-    // IE 8 and below don't support createHTMLDocument
+-    if (!document.implementation || !document.implementation.createHTMLDocument) {
+-      return unsafeHtml
++    try {
++        doc = new DOMParser().parseFromString(unsafeHtml, 'text/html');
++    } catch (_) {}
++    if (!doc || !doc.documentElement) {
++      // IE 8 and below don't support createHTMLDocument
++      if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) {
++        throw new Error('Could not sanitize CVE-2025-1647');
++      }
++      doc = document.implementation.createHTMLDocument('sanitization')
++      doc.body.innerHTML = unsafeHtml
+     }
+-
+-    var createdDocument = document.implementation.createHTMLDocument('sanitization')
+-    createdDocument.body.innerHTML = unsafeHtml
++    const body = doc.body || doc.documentElement;
+ 
+     var whitelistKeys = $.map(whiteList, function (el, i) { return i })
+-    var elements = $(createdDocument.body).find('*')
++    var elements = $(body).find('*')
+ 
+     for (var i = 0, len = elements.length; i < len; i++) {
+       var el = elements[i]
+@@ -138,7 +144,7 @@
+       }
+     }
+ 
+-    return createdDocument.body.innerHTML
++    return body.innerHTML
+   }
+ 
+   // TOOLTIP PUBLIC CLASS DEFINITION
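Review bot: The fallback guard added in the second inner hunk evaluates `document.implementation instanceof DOMImplementation` without first checking that the `DOMImplementation` global exists, so on any engine where `DOMParser` has already failed and that constructor is not defined the expression throws a ReferenceError instead of the intended `Error('Could not sanitize CVE-2025-1647')`. Prefixing the `instanceof` test keeps the fail-closed behaviour explicit on every path: `if (!document.implementation || typeof DOMImplementation === 'undefined' || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) {`. The empty `catch (_) {}` around the DOMParser call would also be easier to audit with a one-line comment such as `// DOMParser missing, clobbered or throwing: fall back to createHTMLDocument`. As a point of style, the new lines use `let`, `const`, trailing semicolons and 8-space indentation in a file that is otherwise ES5 `var` without semicolons; matching the file's conventions would make the patch easier to carry forward. Only fragments of sanitizeHtml are visible across the three inner hunks, so the rest of its body is outside this view.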
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2025-06-01 12:26:39.000000000 +0200
@@ -1,3 +1,4 @@
 2001_privacy.patch
 0002-CVE-2024-6484.patch
 0003-CVE-2024-6485.patch
+CVE-2025-1647.patch
