[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

If I got this right, we cannot use $(xyz) unless the value of xyz is
trusted. Otherwise executing $(xyz) can result in the execution of code
if xyz is something like "<img src=1 onerror=alert(123) />". This
happens immediately, and even if you don't use the return value.

I believe this fixes CVE-2018-14040 in Jessie:

--- twitter-bootstrap-2.0.2+dfsg.orig/js/bootstrap-collapse.js
+++ twitter-bootstrap-2.0.2+dfsg/js/bootstrap-collapse.js
@@ -26,7 +26,7 @@
     this.options = $.extend({}, $.fn.collapse.defaults, options)
     if (this.options["parent"]) {
-      this.$parent = $(this.options["parent"])
+      this.$parent = $(document.querySelector(this.options["parent"]))
     this.options.toggle && this.toggle()

I think an alternative option here would be to replace $(xyz) with
$(document).find(xyz) - as used in the upstream patch for

CVE-2018-14041 / CVE-2018-14042 both refer to code that I cannot find in
Jessie, hence I do not think they apply.

Looking at the code I do see a number of other references to $(xyz)
where xyz is potentially untrusted, so simply applying the above patch
may not be sufficient to fixing the problem. e.g. in
js/bootstrap-scrollspy.js I see:

            var href = $(this).attr('href')                                      
            return /^#\w/.test(href) && $(href).length ? href : null             

While this one might be obvious, there any many others that are not so
clear. So I am not sure if I should fix only the instances fixed by
these CVEs or search for everything I can find.

Sidenote: Curiously I cannot connect to
https://security-tracker.debian.org/ today from this machine on this
network... Connections always time out. Probably something weird with my
network, however other webpages appear to be fine. If I ssh into my home
computer and use w3m it works fine.
Brian May <bam@debian.org>

Reply to: