twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042
If I got this right, we cannot use $(xyz) unless the value of xyz is
trusted. Otherwise executing $(xyz) can result in the execution of code
if xyz is something like "<img src=1 onerror=alert(123) />". This
happens immediately, and even if you don't use the return value.
I believe this fixes CVE-2018-14040 in Jessie:
--- twitter-bootstrap-2.0.2+dfsg.orig/js/bootstrap-collapse.js
+++ twitter-bootstrap-2.0.2+dfsg/js/bootstrap-collapse.js
@@ -26,7 +26,7 @@
this.options = $.extend({}, $.fn.collapse.defaults, options)
if (this.options["parent"]) {
- this.$parent = $(this.options["parent"])
+ this.$parent = $(document.querySelector(this.options["parent"]))
}
this.options.toggle && this.toggle()
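Review bot: the replacement `$(document.querySelector(this.options["parent"]))` changes two behaviours besides closing the HTML-parsing hole. `document.querySelector` returns only the first matching element, whereas `$(this.options["parent"])` wrapped every match, and it throws a `SyntaxError` on a string that is not a valid CSS selector, where jQuery would have returned an empty set (or, for the malicious case, created nodes). The `$(document).find(this.options["parent"])` form mentioned in the mail keeps the multi-match semantics and the no-throw behaviour while still never treating the string as HTML, so it is the safer drop-in; if `querySelector` is kept, the call should be guarded with a `try`/`catch` or the value restricted to a `#id` before use.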
I think an alternative option here would be to replace $(xyz) with
$(document).find(xyz) - as used in the upstream patch for
CVE-2018-14042.
CVE-2018-14041 / CVE-2018-14042 both refer to code that I cannot find in
Jessie, hence I do not think they apply.
Looking at the code I do see a number of other references to $(xyz)
where xyz is potentially untrusted, so simply applying the above patch
may not be sufficient to fix the problem, e.g. in
js/bootstrap-scrollspy.js I see:
var href = $(this).attr('href')
return /^#\w/.test(href) && $(href).length ? href : null
While this one might be obvious, there are many others that are not so
clear. So I am not sure if I should fix only the instances fixed by
these CVEs or search for everything I can find.
Sidenote: Curiously I cannot connect to
https://security-tracker.debian.org/ today from this machine on this
network... Connections always time out. Probably something weird with my
network, however other webpages appear to be fine. If I ssh into my home
computer and use w3m it works fine.
--
Brian May <bam@debian.org>
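The following is an added example, not code from the mail above or from Bootstrap or jQuery. It models the behaviour the mail describes: jQuery 1.x (the generation bundled with Bootstrap 2.0.x) decides with a single "quick expression" whether the string passed to $(...) is HTML to be parsed and inserted (which runs any event handlers in it) or an #id / CSS selector to be looked up. The regex used here is that quick expression reproduced from memory and is an assumption, not text from the page. Alongside it, the scrollspy check `/^#\w/` quoted in the mail is lifted into a predicate, and a stricter bare-#id allowlist that a defender could apply to any selector read from markup is shown for comparison.

```javascript
// Added example (not from the email, Bootstrap or jQuery). Pure functions,
// no DOM needed, so it runs under node.

// ASSUMPTION: the quick expression jQuery 1.x uses to classify the argument
// of $(str). A match in group 1 means "this is HTML, parse it"; a match in
// group 2 means "this is an #id"; no match means "hand it to the CSS selector
// engine", which only looks elements up and never creates nodes.
const JQUERY_1X_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// How jQuery 1.x would treat the string given to $(...).
function classifyJqueryArg(str) {
  const m = JQUERY_1X_QUICK_EXPR.exec(str);
  if (m && m[1]) return "html";   // parsed and inserted: onerror/onload handlers fire
  if (m && m[2]) return "id";     // document.getElementById lookup
  return "selector";              // CSS selector lookup, no node creation
}

// The check bootstrap-scrollspy.js applies to href values, as quoted in the
// mail: the string must start with "#" followed by a word character.
function isSafeFragmentSelector(href) {
  return typeof href === "string" && /^#\w/.test(href);
}

// A stricter allowlist for selectors that come from data-* attributes or href:
// exactly one "#id" token and nothing else. Returns the selector or null.
const STRICT_ID = /^#[\w-]+$/;
function safeSelector(str) {
  return typeof str === "string" && STRICT_ID.test(str) ? str : null;
}

// Constructed sample inputs: two legitimate targets, the payload from the
// mail, the same payload with leading text, a prefix-only abuse of the
// scrollspy check, and an ordinary CSS selector.
const SAMPLES = [
  "#accordion",
  "#nav-main",
  "<img src=1 onerror=alert(123) />",
  "junk <img src=1 onerror=alert(123) />",
  "#foo <img src=1 onerror=alert(123) />",
  "div.panel",
];

// One row per sample: how jQuery 1.x would classify it, whether the scrollspy
// prefix check accepts it, and what the strict allowlist returns.
function report() {
  return SAMPLES.map((s) => ({
    input: s,
    jquery1x: classifyJqueryArg(s),
    scrollspyCheck: isSafeFragmentSelector(s),
    strict: safeSelector(s),
  }));
}

console.table(report());
```

The table shows why the mail's two observations fit together: any string in which a `<...>` tag appears before the first `#` is classified as HTML and parsed on the spot, so `$(xyz)` with untrusted `xyz` is dangerous regardless of whether the result is used; the scrollspy prefix check keeps such strings out of that branch, but it still lets through `#foo <img ...>`-style values that only the strict allowlist rejects. Either `$(document).find(xyz)` or a bare-#id allowlist closes the HTML branch for every call site, which is the "search for everything" option the mail weighs.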