
Bug#1102923: marked as done (bookworm-pu: package twitter-bootstrap3/3.4.1+dfsg-3+deb12u1)



Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KJs-Rv@coccia.debian.org>
and subject line Close 1102923
has caused the Debian Bug report #1102923,
regarding bookworm-pu: package twitter-bootstrap3/3.4.1+dfsg-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1102923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102923
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]
XSS security problems

[ Impact ]
Vulnerability to XSS attack

[ Tests ]
No, but tested manually using a PoC.

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE-2024-6485/CVE-2024-6484

[ Other info ]
May need a rebuild of statically linked (webpacked/rollup...) packages.
But it needs first to get into bookworm.
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2022-12-18 00:30:51.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2025-04-10 23:47:00.000000000 +0200
@@ -1,3 +1,28 @@
+twitter-bootstrap3 (3.4.1+dfsg-3+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix CVE-2024-6485:
+    A security vulnerability has been discovered in bootstrap
+    that could enable Cross-Site Scripting (XSS) attacks.
+    The vulnerability is associated with the data-loading-text
+    attribute within the button plugin.
+    This vulnerability can be exploited by injecting malicious
+    JavaScript code into the attribute, which would then be
+    executed when the button's loading state is triggered.
+    (Closes: #1084060)
+  * Fix CVE-2024-6484:
+    A vulnerability has been identified in Bootstrap that
+    exposes users to Cross-Site Scripting (XSS) attacks.
+    The issue is present in the carousel component, where the
+    data-slide and data-slide-to attributes can be exploited
+    through the href attribute of an <a> tag due to inadequate
+    sanitization. This vulnerability could potentially enable
+    attackers to execute arbitrary JavaScript within
+    the victim's browser.
+    (Closes: #1084060)
+
+ -- Bastien Roucariès <rouca@debian.org>  Thu, 10 Apr 2025 23:47:00 +0200
+
 twitter-bootstrap3 (3.4.1+dfsg-3) unstable; urgency=medium
 
   [ Yadd ]
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch	2025-04-10 23:47:00.000000000 +0200
@@ -0,0 +1,27 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Thu, 10 Apr 2025 23:36:04 +0200
+Subject: CVE-2024-6484
+
+Fix this vulnerability by checking before calling if the target is a carousel
+and disabling further event calling if not
+
+origin: backport, https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
+---
+ js/carousel.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/js/carousel.js b/js/carousel.js
+index a5fcac3..058d3d3 100644
+--- a/js/carousel.js
++++ b/js/carousel.js
+@@ -217,7 +217,7 @@
+     var target  = $this.attr('data-target') || href
+     var $target = $(document).find(target)
+ 
+-    if (!$target.hasClass('carousel')) return
++    if (!$target.hasClass('carousel')) return false;
+ 
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
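Review bot: the only behavioural change in this hunk is `return` becoming `return false;` on the existing `hasClass('carousel')` guard, so the patch header's "checking before calling if the target is a carousel" overstates what is new; the check was already there. The fix works because returning `false` from a jQuery delegated handler calls `preventDefault()` and `stopPropagation()`, so the browser no longer follows the `<a>`'s `href` (the same value that feeds `target` on the first context line) when it does not point at a carousel. Say that in the patch description, since a reader who does not know jQuery's return-false convention cannot see why a one-word change closes an XSS. Style nit: the surrounding lines (`var target  = ...`, `var $target = ...`) omit trailing semicolons, so drop the `;` for consistency with the file.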
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch	2025-04-10 23:47:00.000000000 +0200
@@ -0,0 +1,42 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Thu, 10 Apr 2025 23:41:07 +0200
+Subject: CVE-2024-6485
+
+Sanitize data[state] avoiding thus XSS
+
+origin: backport, https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
+---
+ js/button.js | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/js/button.js b/js/button.js
+index ff4af20..6569240 100644
+--- a/js/button.js
++++ b/js/button.js
+@@ -25,6 +25,15 @@
+     loadingText: 'loading...'
+   }
+ 
++  Button.prototype.sanitize = function (unsafeText) {
++    return unsafeText
++      .replace(/&/g, '&amp;')
++      .replace(/</g, '&lt;')
++      .replace(/>/g, '&gt;')
++      .replace(/"/g, '&quot;')
++      .replace(/'/g, '&#039;');
++  }
++
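Review bot: `sanitize` assumes `unsafeText` is a string, but the value it receives in the next hunk comes from `$el.data()`, and jQuery converts `data-*` values that look like numbers, booleans, `null` or JSON into non-string types; a `data-loading-text="123"` would then reach `.replace` on a number and throw a TypeError inside the `setTimeout` callback, leaving the button stuck without its loading text. Coerce first, e.g. `return String(unsafeText)` at the top of the chain, and add a comment that the replacement order matters (`&` must be escaped before the entities that introduce it, which the current order does). The new method also uses trailing semicolons while the neighbouring lines (`loadingText: 'loading...'`, `var d    = 'disabled'`) do not.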
+   Button.prototype.setState = function (state) {
+     var d    = 'disabled'
+     var $el  = this.$element
+@@ -37,7 +46,7 @@
+ 
+     // push to event loop to allow forms to submit
+     setTimeout($.proxy(function () {
+-      $el[val](data[state] == null ? this.options[state] : data[state])
++      $el[val](data[state] == null ? this.options[state] : this.sanitize(data[state]))
+ 
+       if (state == 'loadingText') {
+         this.isLoading = true
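Review bot: the sanitization is applied only to `data[state]`, not to `this.options[state]`, so a value passed through the JS API (`$(el).button({ loadingText: ... })`) is treated as trusted while the attribute is not; that asymmetry is defensible but should be documented in the patch header so nobody later "fixes" it the other way. Two things to verify before accepting: (1) the write goes through `$el[val](...)` with a dynamic method name, so if `val` resolves to `'val'` or `'text'` for some elements rather than `'html'`, the entity-encoded string is rendered literally (`a &amp; b` instead of `a & b`), a visible regression for any `data-loading-text` containing `&` or quotes; escaping only on the `.html()` path, or using `.text()` there, avoids that; (2) every non-null `data[state]` now passes through `sanitize`, including any value the plugin itself stores under the same keys via `$el.data()`, so if the plugin saves the element's current content as the reset text, restoring it will escape legitimate markup inside the button. Confirm with a button that contains an `<span>` icon and goes through `loading` and `reset`.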
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2022-12-18 00:30:51.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2025-04-10 23:47:00.000000000 +0200
@@ -1 +1,3 @@
 2001_privacy.patch
+0002-CVE-2024-6484.patch
+0003-CVE-2024-6485.patch
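Review bot: the two new entries use the gbp-pq `NNNN-name.patch` convention while the existing entry is `2001_privacy.patch`; quilt applies them in series order, so it works, but a reader may expect the numbering to reflect that order. Either rename the new patches to sort after the existing one (e.g. a 20xx prefix) or note in the changelog that the numbers are not meant to order them.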
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml
--- twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml	2022-12-18 00:30:51.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml	2025-04-10 23:47:00.000000000 +0200
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'



--- End Message ---
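The escaping applied in the 0003-CVE-2024-6485.patch hunk above, as an added stand-alone example that is not code from the twitter-bootstrap3 package or from Bootstrap upstream: it reproduces the five-character HTML-entity escape, coerces the input to a string first so that values jQuery's `.data()` has already converted to a number or boolean cannot make `.replace()` throw, mirrors the patched `data[state]`/`options[state]` selection, and runs a constructed `data-loading-text` payload through it. The function names, the `DEFAULTS` object and the payload are assumptions made for this example.

```javascript
// Added example (not from the twitter-bootstrap3 package): the escaping
// used by the CVE-2024-6485 fix, with the non-string edge case handled.

// Escapes the five characters that can break out of an HTML text or
// attribute context. The order matters: '&' must be replaced first so the
// entities introduced by the later replacements are not escaped again.
function sanitizeLoadingText(unsafeText) {
  // jQuery's .data() turns data-* values such as "123", "true" or
  // '{"a":1}' into numbers, booleans or objects; coerce to a string so
  // .replace() cannot throw on them. (Assumed behaviour of the caller.)
  return String(unsafeText)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Plugin defaults, as in the hunk's context line `loadingText: 'loading...'`.
const DEFAULTS = { loadingText: 'loading...' };

// Stand-in for the patched selection in setState(): take data[state] when
// present (attribute-controlled, so escaped), otherwise the JS-supplied
// option (trusted, left untouched), exactly the asymmetry the patch has.
function resolveStateText(data, state, options = DEFAULTS) {
  const value = data[state];
  return value == null ? options[state] : sanitizeLoadingText(value);
}

// Constructed payload of the kind the CVE describes: attacker-controlled
// data-loading-text that the plugin would write with .html().
const PAYLOAD = '<img src=x onerror="alert(1)">';

// True if the string still contains anything that can open or close a tag.
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Usage: the escaped payload is inert text, the default is used when no
// attribute is present, and a numeric attribute no longer throws.
console.log(resolveStateText({ loadingText: PAYLOAD }, 'loadingText'));
console.log(resolveStateText({}, 'loadingText'));
console.log(resolveStateText({ loadingText: 42 }, 'loadingText'));
```

`containsMarkup` is only a sanity check for the example; the real property the patch relies on is that the escaped string is written via `.html()` and therefore parsed as text, which is why the reviewer note on the second button hunk asks what happens when `val` is not `'html'`.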
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
