
Bug#918763: stretch-pu: package twitter-bootstrap3/3.3.7+dfsg-2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello, twitter-bootstrap3 has some CVEs to fix (issues marked as
no-dsa). This patch imports the related fixes from twitter-bootstrap 3.4.

Cheers,
Xavier

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/changelog twitter-bootstrap3-3.3.7+dfsg/debian/changelog
--- twitter-bootstrap3-3.3.7+dfsg/debian/changelog	2016-10-24 14:45:58.000000000 +0200
+++ twitter-bootstrap3-3.3.7+dfsg/debian/changelog	2019-01-06 23:34:50.000000000 +0100
@@ -1,3 +1,11 @@
+twitter-bootstrap3 (3.3.7+dfsg-2+deb9u1) stretch; urgency=high
+
+  * Team upload.
+  * Fix multiples XSS vulnerabilities (Closes: #907414)
+  * Update debian/copyright
+
+ -- Xavier Guimard <yadd@debian.org>  Sun, 06 Jan 2019 23:34:50 +0100
+
 twitter-bootstrap3 (3.3.7+dfsg-2) unstable; urgency=medium
 
   * Team upload
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/copyright twitter-bootstrap3-3.3.7+dfsg/debian/copyright
--- twitter-bootstrap3-3.3.7+dfsg/debian/copyright	2016-10-24 14:45:58.000000000 +0200
+++ twitter-bootstrap3-3.3.7+dfsg/debian/copyright	2019-01-06 23:34:36.000000000 +0100
@@ -9,7 +9,7 @@
                 js/tests/vendor/jquery.min.js
 
 Files: *
-Copyright: 2011-2015, Twitter, Inc.
+Copyright: 2011-2018, Twitter, Inc.
            2014, jQuery Foundation and other contributors
            2014, "Cowboy" Ben Alman, contributors
            HTML5 Boilerplate
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch
--- twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch	2019-01-06 23:34:15.000000000 +0100
@@ -0,0 +1,305 @@
+Description: Fix multies vulnerabilities
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92
+Bug: https://github.com/twbs/bootstrap/pull/26630
+Bug-Debian: https://bugs.debian.org/907414
+Forwarded: not-needed
+Last-Update: 2019-01-06
+
+--- a/dist/js/bootstrap.js
++++ b/dist/js/bootstrap.js
+@@ -1,6 +1,6 @@
+ /*!
+  * Bootstrap v3.3.7 (http://getbootstrap.com)
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under the MIT license
+  */
+ 
+@@ -109,7 +109,8 @@
+       selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+     }
+ 
+-    var $parent = $(selector === '#' ? [] : selector)
++    selector    = selector === '#' ? [] : selector
++    var $parent = $(document).find(selector)
+ 
+     if (e) e.preventDefault()
+ 
+@@ -443,7 +444,9 @@
+     var slidEvent = $.Event('slid.bs.carousel', { relatedTarget: relatedTarget, direction: direction }) // yes, "slid"
+     if ($.support.transition && this.$element.hasClass('slide')) {
+       $next.addClass(type)
+-      $next[0].offsetWidth // force reflow
++      if (typeof $next === 'object' && $next.length) {
++        $next[0].offsetWidth // force reflow
++      }
+       $active.addClass(direction)
+       $next.addClass(direction)
+       $active
+@@ -505,10 +508,17 @@
+   // =================
+ 
+   var clickHandler = function (e) {
+-    var href
+     var $this   = $(this)
+-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
++    var href    = $this.attr('href')
++    if (href) {
++      href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
++    }
++
++    var target  = $this.attr('data-target') || href
++    var $target = $(document).find(target)
++
+     if (!$target.hasClass('carousel')) return
++
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
+     if (slideIndex) options.interval = false
+@@ -674,7 +684,7 @@
+   }
+ 
+   Collapse.prototype.getParent = function () {
+-    return $(this.options.parent)
++    return $(document).find(this.options.parent)
+       .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]')
+       .each($.proxy(function (i, element) {
+         var $element = $(element)
+@@ -697,7 +707,7 @@
+     var target = $trigger.attr('data-target')
+       || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+ 
+-    return $(target)
++    return $(document).find(target)
+   }
+ 
+ 
+@@ -779,7 +789,7 @@
+       selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+     }
+ 
+-    var $parent = selector && $(selector)
++    var $parent = selector && $(document).find(selector)
+ 
+     return $parent && $parent.length ? $parent : $this.parent()
+   }
+@@ -1307,7 +1317,7 @@
+     this.type      = type
+     this.$element  = $(element)
+     this.options   = this.getOptions(options)
+-    this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
++    this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
+     this.inState   = { click: false, hover: false, focus: false }
+ 
+     if (this.$element[0] instanceof document.constructor && !this.options.selector) {
+@@ -1460,7 +1470,7 @@
+         .addClass(placement)
+         .data('bs.' + this.type, this)
+ 
+-      this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element)
++      this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element)
+       this.$element.trigger('inserted.bs.' + this.type)
+ 
+       var pos          = this.getPosition()
+@@ -2107,7 +2117,7 @@
+ 
+     if (showEvent.isDefaultPrevented() || hideEvent.isDefaultPrevented()) return
+ 
+-    var $target = $(selector)
++    var $target = $(document).find(selector)
+ 
+     this.activate($this.closest('li'), $ul)
+     this.activate($target, $target.parent(), function () {
+--- a/js/affix.js
++++ b/js/affix.js
+@@ -2,7 +2,7 @@
+  * Bootstrap: affix.js v3.3.7
+  * http://getbootstrap.com/javascript/#affix
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -16,7 +16,9 @@
+   var Affix = function (element, options) {
+     this.options = $.extend({}, Affix.DEFAULTS, options)
+ 
+-    this.$target = $(this.options.target)
++    var target = this.options.target === Affix.DEFAULTS.target ? $(this.options.target) : $(document).find(this.options.target)
++
++    this.$target = target
+       .on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this))
+       .on('click.bs.affix.data-api',  $.proxy(this.checkPositionWithEventLoop, this))
+ 
+--- a/js/alert.js
++++ b/js/alert.js
+@@ -2,7 +2,7 @@
+  * Bootstrap: alert.js v3.3.7
+  * http://getbootstrap.com/javascript/#alerts
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -31,7 +31,8 @@
+       selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+     }
+ 
+-    var $parent = $(selector === '#' ? [] : selector)
++    selector    = selector === '#' ? [] : selector
++    var $parent = $(document).find(selector)
+ 
+     if (e) e.preventDefault()
+ 
+--- a/js/carousel.js
++++ b/js/carousel.js
+@@ -2,7 +2,7 @@
+  * Bootstrap: carousel.js v3.3.7
+  * http://getbootstrap.com/javascript/#carousel
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -144,7 +144,9 @@
+     var slidEvent = $.Event('slid.bs.carousel', { relatedTarget: relatedTarget, direction: direction }) // yes, "slid"
+     if ($.support.transition && this.$element.hasClass('slide')) {
+       $next.addClass(type)
+-      $next[0].offsetWidth // force reflow
++      if (typeof $next === 'object' && $next.length) {
++        $next[0].offsetWidth // force reflow
++      }
+       $active.addClass(direction)
+       $next.addClass(direction)
+       $active
+@@ -206,10 +208,17 @@
+   // =================
+ 
+   var clickHandler = function (e) {
+-    var href
+     var $this   = $(this)
+-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
++    var href    = $this.attr('href')
++    if (href) {
++      href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
++    }
++
++    var target  = $this.attr('data-target') || href
++    var $target = $(document).find(target)
++
+     if (!$target.hasClass('carousel')) return
++
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
+     if (slideIndex) options.interval = false
+--- a/js/collapse.js
++++ b/js/collapse.js
+@@ -2,7 +2,7 @@
+  * Bootstrap: collapse.js v3.3.7
+  * http://getbootstrap.com/javascript/#collapse
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -137,7 +137,7 @@
+   }
+ 
+   Collapse.prototype.getParent = function () {
+-    return $(this.options.parent)
++    return $(document).find(this.options.parent)
+       .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]')
+       .each($.proxy(function (i, element) {
+         var $element = $(element)
+@@ -160,7 +160,7 @@
+     var target = $trigger.attr('data-target')
+       || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+ 
+-    return $(target)
++    return $(document).find(target)
+   }
+ 
+ 
+--- a/js/dropdown.js
++++ b/js/dropdown.js
+@@ -2,7 +2,7 @@
+  * Bootstrap: dropdown.js v3.3.7
+  * http://getbootstrap.com/javascript/#dropdowns
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -19,7 +19,7 @@
+     $(element).on('click.bs.dropdown', this.toggle)
+   }
+ 
+-  Dropdown.VERSION = '3.3.7'
++  Dropdown.VERSION = '3.4.0'
+ 
+   function getParent($this) {
+     var selector = $this.attr('data-target')
+@@ -29,7 +29,7 @@
+       selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+     }
+ 
+-    var $parent = selector && $(selector)
++    var $parent = selector && $(document).find(selector)
+ 
+     return $parent && $parent.length ? $parent : $this.parent()
+   }
+--- a/js/tab.js
++++ b/js/tab.js
+@@ -2,7 +2,7 @@
+  * Bootstrap: tab.js v3.3.7
+  * http://getbootstrap.com/javascript/#tabs
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -48,7 +48,7 @@
+ 
+     if (showEvent.isDefaultPrevented() || hideEvent.isDefaultPrevented()) return
+ 
+-    var $target = $(selector)
++    var $target = $(document).find(selector)
+ 
+     this.activate($this.closest('li'), $ul)
+     this.activate($target, $target.parent(), function () {
+--- a/js/tooltip.js
++++ b/js/tooltip.js
+@@ -3,7 +3,7 @@
+  * http://getbootstrap.com/javascript/#tooltip
+  * Inspired by the original jQuery.tipsy by Jason Frame
+  * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+  * ======================================================================== */
+ 
+@@ -51,7 +51,7 @@
+     this.type      = type
+     this.$element  = $(element)
+     this.options   = this.getOptions(options)
+-    this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
++    this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
+     this.inState   = { click: false, hover: false, focus: false }
+ 
+     if (this.$element[0] instanceof document.constructor && !this.options.selector) {
+@@ -204,7 +204,7 @@
+         .addClass(placement)
+         .data('bs.' + this.type, this)
+ 
+-      this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element)
++      this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element)
+       this.$element.trigger('inserted.bs.' + this.type)
+ 
+       var pos          = this.getPosition()
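Review bot: The added patch rewrites `dist/js/bootstrap.js` and the `js/*.js` sources but no section touches `dist/js/bootstrap.min.js`; if the stretch package installs that pre-built minified file rather than regenerating it from `js/` during the build, the shipped minified copy keeps the unpatched `$(selector)` calls, so this is worth confirming against debian/rules before upload. In the `js/dropdown.js` section the line `Dropdown.VERSION = '3.4.0'` bumps one component's version while its file header and every other component stay at v3.3.7 and the dist copy is not bumped, so the two copies would report different versions; dropping that one-line change keeps the stable update minimal. The DEP-3 header names the upstream PR and Debian bug but not the CVE identifiers the cover mail says this closes (and its `Description:` reads `multies`); a line such as `Description: Fix XSS via data-target/href selectors (CVE-<id>, ...)` makes the security-tracker match straightforward. `Collapse.prototype.getParent` still string-interpolates `this.options.parent` into the attribute selector; that is no longer an HTML-injection path after the `$(document).find` change, but a value containing a quote will throw a jQuery selector syntax error rather than being ignored, which matches upstream and is worth a comment rather than a change.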
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/patches/series twitter-bootstrap3-3.3.7+dfsg/debian/patches/series
--- twitter-bootstrap3-3.3.7+dfsg/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.3.7+dfsg/debian/patches/series	2019-01-06 23:30:34.000000000 +0100
@@ -0,0 +1 @@
+fix-xss-vulnerabilities.patch
