
Bug#1102974: marked as done (bookworm-pu: package twitter-bootstrap4/4.6.1+dfsg1-4+deb12u1)



Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KJx-Sx@coccia.debian.org>
and subject line Close 1102974
has caused the Debian Bug report #1102974,
regarding bookworm-pu: package twitter-bootstrap4/4.6.1+dfsg1-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1102974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102974
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: twitter-bootstrap4@packages.debian.org
Control: affects -1 + src:twitter-bootstrap4
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-6531

[ Impact ]
CVE-2024-6531 is not closed

[ Tests ]
No, but I tested the PoC.

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE-2024-6531

[ Other info ]
May need a rebuild of webpacked/bundled packages.
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/changelog twitter-bootstrap4-4.6.1+dfsg1/debian/changelog
--- twitter-bootstrap4-4.6.1+dfsg1/debian/changelog	2022-11-25 06:37:10.000000000 +0100
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/changelog	2025-04-13 13:42:02.000000000 +0200
@@ -1,3 +1,21 @@
+twitter-bootstrap4 (4.6.1+dfsg1-4+deb12u1) bookworm; urgency=high
+
+  * Team upload
+  * Fix CVE-2024-6531 (XSS vulnerability):
+    An anchor element (<a>), when used for carousel navigation
+    with a data-slide attribute, can contain an href attribute
+    value that is not subject to proper content sanitization.
+    Improper extraction of the intended target carousel’s
+    #id from the href attribute can lead to use cases where
+    the click event’s preventDefault()
+    is not applied and the href is evaluated and executed.
+    As a result, restrictions are not applied to the data
+    that is evaluated, which can lead to potential
+    XSS vulnerabilities.
+    (Closes: #1084059)
+
+ -- Bastien Roucariès <rouca@debian.org>  Sun, 13 Apr 2025 13:42:02 +0200
+
 twitter-bootstrap4 (4.6.1+dfsg1-4) unstable; urgency=medium
 
   * Team upload
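Review bot: the changelog entry for 4.6.1+dfsg1-4+deb12u1 describes the vulnerability but not what the change actually does; since stable users read d/changelog to judge behavioural impact, add one line stating it, e.g. "carousel data-API click handler now returns false (jQuery: preventDefault + stopPropagation) when the href/data-target does not resolve to a .carousel element", so the fact that clicks on such anchors no longer follow the link is documented alongside the CVE text.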
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch
--- twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/patches/0003-CVE-2024-6531.patch	2025-04-13 13:42:02.000000000 +0200
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sun, 13 Apr 2025 12:33:22 +0200
+Subject: CVE-2024-6531
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+An anchor element (<a>), when used for carousel navigation with a data-slide attribute,
+can contain an href attribute value that is not subject to proper content sanitization.
+Improper extraction of the intended target carousel’s #id from the href attribute
+can lead to use cases where the click event’s preventDefault()
+is not applied and the href is evaluated and executed.
+As a result, restrictions are not applied to the data that is evaluated, which
+can lead to potential XSS vulnerabilities.
+
+return false in case of error that will avoid the XSS attack, and avoid further
+treatment by the handler.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-6531
+---
+ js/src/carousel.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/carousel.js b/js/src/carousel.js
+index 18732d0..9447da6 100644
+--- a/js/src/carousel.js
++++ b/js/src/carousel.js
+@@ -543,13 +543,13 @@ class Carousel {
+     const selector = Util.getSelectorFromElement(this)
+ 
+     if (!selector) {
+-      return
++      return false
+     }
+ 
+     const target = $(selector)[0]
+ 
+     if (!target || !$(target).hasClass(CLASS_NAME_CAROUSEL)) {
+-      return
++      return false
+     }
+ 
+     const config = {
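Review bot: the two `return false` lines only block the href from being followed because the enclosing function is invoked as a jQuery event handler, where a `false` return value is shorthand for `event.preventDefault()` plus `event.stopPropagation()`; the hunk context (`class Carousel {`, `const selector = Util.getSelectorFromElement(this)`) shows neither the function name nor how it is registered, so the patch header should state this so a reviewer can confirm the mechanism without the rest of carousel.js. The header should also mention the side effect the old bare `return` did not have: `stopPropagation()` now also suppresses any other delegated click handlers on ancestors of an anchor whose selector or target fails the checks. Finally, the DEP-3 block has `bug:`/`bug-debian:`/`bug-debian-security:` but no `Origin:` or `Forwarded:` field, so it is unclear whether this matches the upstream (HeroDevs) fix or is a Debian-specific change; add `Forwarded:` (or `Origin:` with the upstream commit) accordingly.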
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series
--- twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series	2021-07-30 06:53:16.000000000 +0200
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series	2025-04-13 13:42:02.000000000 +0200
@@ -1,2 +1,3 @@
 do-not-update-copyright-year.diff
 dont-check-for-caniuse-lite-update.patch
+0003-CVE-2024-6531.patch

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
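The mechanism described in the patch header above, as an added example that is not part of this bug report, of Bootstrap, or of the Debian package: a dependency-free model of Bootstrap 4's carousel data-API click handler together with jQuery's dispatch rule that a handler returning `false` is treated as `event.preventDefault()` plus `event.stopPropagation()`. The toy element/event/document objects, the element ids `demo` and `notes`, the simplified `getSelectorFromElement` (the real `Util.getSelectorFromElement` passes the string to `document.querySelector` in a try/catch and returns null when it throws) and the `javascript:` payload are all constructed for the example. It runs the same three anchors through the original handler (bare `return`) and the patched one (`return false`) and reports whether the browser would still follow the href.

```javascript
// Added example (not Bootstrap's or Debian's code): why the early bare `return`
// lets a crafted href run and why the patch's `return false` blocks it.

const CLASS_NAME_CAROUSEL = 'carousel';

// Toy DOM element: attribute map plus class list (constructed for the example).
function element(attrs, classes = []) {
  return { attrs, classes, slid: null };
}

// Toy event exposing the two methods the handler and jQuery care about.
function makeEvent() {
  return {
    defaultPrevented: false,
    propagationStopped: false,
    preventDefault() { this.defaultPrevented = true; },
    stopPropagation() { this.propagationStopped = true; },
  };
}

// Simplified stand-in for Util.getSelectorFromElement: data-target first, then href.
// The real helper returns null when document.querySelector(selector) throws, which
// it does for a "javascript:" URL; here only a plain "#id" fragment is accepted.
function getSelectorFromElement(el) {
  let selector = el.attrs['data-target'];
  if (!selector || selector === '#') {
    const href = el.attrs.href || '';
    selector = href && href !== '#' ? href.trim() : '';
  }
  return /^#[A-Za-z][\w-]*$/.test(selector) ? selector : null;
}

// The handler under discussion; `fixed` selects the patched early-return value.
function makeDataApiClickHandler(doc, fixed) {
  const bail = fixed ? false : undefined; // patched: `return false`; original: `return`
  return function (event) {
    const selector = getSelectorFromElement(this);
    if (!selector) {
      return bail;
    }
    const target = doc[selector.slice(1)];
    if (!target || !target.classes.includes(CLASS_NAME_CAROUSEL)) {
      return bail;
    }
    // Happy path, unchanged by the patch: the real handler builds its config,
    // calls event.preventDefault() and slides the carousel.
    event.preventDefault();
    target.slid = this.attrs['data-slide'];
  };
}

// jQuery's rule for handler return values: `false` means preventDefault + stopPropagation.
function jqueryDispatch(handler, el, event) {
  if (handler.call(el, event) === false) {
    event.preventDefault();
    event.stopPropagation();
  }
  return event;
}

// Click the anchor and report what the browser would do next.
function clickAnchor(anchor, doc, fixed) {
  const event = jqueryDispatch(makeDataApiClickHandler(doc, fixed), anchor, makeEvent());
  const href = anchor.attrs.href || '';
  const navigates = !event.defaultPrevented;
  return {
    navigates,
    // A followed "javascript:" href is evaluated in the page's origin: that is the XSS.
    scriptRuns: navigates && /^\s*javascript:/i.test(href),
    propagationStopped: event.propagationStopped,
  };
}

// Constructed page: one real carousel and one plain container.
function sampleDocument() {
  return {
    demo: element({ id: 'demo' }, ['carousel', 'slide']),
    notes: element({ id: 'notes' }, ['container']),
  };
}

// Three anchors, all carrying data-slide so the data-API selector matches them.
const benignAnchor = element({ 'data-slide': 'next', href: '#demo' });
const wrongTarget = element({ 'data-slide': 'next', href: '#notes' });
// Constructed attacker-controlled markup; the payload only marks where script would run.
const hostileAnchor = element({ 'data-slide': 'next', href: 'javascript:alert(document.domain)' });

function runScenarios() {
  const results = {};
  for (const [name, a] of Object.entries({ benignAnchor, wrongTarget, hostileAnchor })) {
    results[name] = {
      original: clickAnchor(a, sampleDocument(), false),
      patched: clickAnchor(a, sampleDocument(), true),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenarios(), null, 2));
}
```

For the benign anchor both handlers reach the happy path and call `preventDefault()` themselves, so nothing changes. For the hostile anchor the selector lookup yields null, the original handler returns `undefined`, the click's default action proceeds and the `javascript:` URL is evaluated; the patched handler's `false` makes jQuery cancel the default action. The `wrongTarget` case shows the side effect: with the patch, a click on a data-slide anchor whose target is not a carousel no longer navigates and also has its propagation stopped.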
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
