Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org Control: affects -1 + src:twitter-bootstrap3 User: release.debian.org@packages.debian.org Usertags: pu [ Reason ] CVE-2025-1647 [ Impact ] CVE-2025-1647 is not fixed in bookworm: a DOM-clobbering XSS in the tooltip/popover HTML sanitizer (an attacker-controlled `document.implementation` makes sanitizeHtml return its input unsanitized). [ Tests ] Manual test using the PoC + review by yadd [ Risks ] Low [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] CVE-2025-1647 patch (js/tooltip.js: validate document.implementation and prefer DOMParser) [ Other info ] Upstream is EOL, so there is no upstream fix to backport; the patch is Debian-authored.
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-05-30 18:17:56.000000000 +0200
@@ -1,3 +1,18 @@
+twitter-bootstrap3 (3.4.1+dfsg-3+deb12u2) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CVE-2025-1647 (Closes: #1105899)
+ Improper Neutralization of Input During Web Page
+ Generation (XSS or 'Cross-site Scripting') vulnerability
+ in Bootstrap allows Cross-Site Scripting (XSS)
+ DOM-based cross-site scripting (XSS) via DOM clobbering
+ occurs when an attacker manipulates the Document Object Model
+ (DOM) to overwrite or "clobber" an existing DOM object,
+ leading to the execution of malicious scripts, particularly
+ document.implementation variable.
+
+ -- Bastien Roucariès <rouca@debian.org> Fri, 30 May 2025 18:17:56 +0200
+
twitter-bootstrap3 (3.4.1+dfsg-3+deb12u1) bookworm; urgency=medium
* Team upload
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 2025-05-30 18:17:56.000000000 +0200
@@ -0,0 +1,73 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Fri, 30 May 2025 18:13:34 +0200
+Subject: CVE-2025-1647
+
+Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability
+in Bootstrap allows Cross-Site Scripting (XSS)
+
+DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker
+manipulates the Document Object Model (DOM) to overwrite
+or "clobber" an existing DOM object, leading to the execution
+of malicious scripts.
+
+document.implementation should be tested against well known type
+
+Use DOMParser if possible (supported since 2015) in order to create a DoS in case
+of document.implementation overriden.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647
+bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647
+---
+ js/tooltip.js | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/js/tooltip.js b/js/tooltip.js
+index c8c1c8c..a5b923c 100644
+--- a/js/tooltip.js
++++ b/js/tooltip.js
+@@ -99,6 +99,7 @@
+ }
+
+ function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
++ let doc = null
+ if (unsafeHtml.length === 0) {
+ return unsafeHtml
+ }
+@@ -107,16 +108,21 @@
+ return sanitizeFn(unsafeHtml)
+ }
+
+- // IE 8 and below don't support createHTMLDocument
+- if (!document.implementation || !document.implementation.createHTMLDocument) {
+- return unsafeHtml
++ try {
++ doc = new DOMParser().parseFromString(unsafeHtml, 'text/html');
++ } catch (_) {}
++ if (!doc || !doc.documentElement) {
++ // IE 8 and below don't support createHTMLDocument
++ if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) {
++ throw new Error('Could not sanitize CVE-2025-1647');
++ }
++ doc = document.implementation.createHTMLDocument('sanitization')
++ doc.body.innerHTML = unsafeHtml
+ }
+-
+- var createdDocument = document.implementation.createHTMLDocument('sanitization')
+- createdDocument.body.innerHTML = unsafeHtml
++ const body = doc.body || doc.documentElement;
+
+ var whitelistKeys = $.map(whiteList, function (el, i) { return i })
+- var elements = $(createdDocument.body).find('*')
++ var elements = $(body).find('*')
+
+ for (var i = 0, len = elements.length; i < len; i++) {
+ var el = elements[i]
+@@ -138,7 +144,7 @@
+ }
+ }
+
+- return createdDocument.body.innerHTML
++ return body.innerHTML
+ }
+
+ // TOOLTIP PUBLIC CLASS DEFINITION
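Review bot: The `body` taken on `const body = doc.body || doc.documentElement` is read only after the untrusted markup has already been parsed into `doc` (in the DOMParser branch via `parseFromString(unsafeHtml, ...)`, in the fallback via `doc.body.innerHTML = unsafeHtml`), so markup such as `<img name="body">` or `<form name="body">` can, as far as I can tell from the same document named-property lookup that makes `document.implementation` clobberable, redirect `doc.body` to an attacker-chosen element, after which the whitelist loop walks only that element's children and `body.innerHTML` yields `""`, a subtree, or `undefined` (an HTMLCollection when the name repeats) instead of the sanitized string. I did not find a way to turn this into a bypass with the default whitelist, since the children that remain are still sanitized, but the return type is no longer reliably a string and content is silently dropped. The fix is to obtain `body` before any unsafe markup exists in the document: parse an empty document with DOMParser, capture `doc.body`, and only then assign `unsafeHtml` to `body.innerHTML`, which also keeps both branches parsing in body context as the original did. Separately, `let`, `const` and the trailing semicolons on the new lines diverge from the ES5 `var`, no-semicolon style of the rest of tooltip.js; if the Debian build minifies with an ES5-only uglify, `let`/`const` will not parse, which is worth confirming. sanitizeHtml's attribute-stripping loop lies between the shown hunks.
```javascript
    try {
      // Parse an empty document first so that doc.body is captured before any
      // attacker-controlled markup (e.g. <img name="body">) exists in it.
      doc = new DOMParser().parseFromString('', 'text/html')
    } catch (_) {}
    if (!doc || !doc.documentElement) {
      // … unchanged: instanceof DOMImplementation check / throw …
      doc = document.implementation.createHTMLDocument('sanitization')
    }
    var body = doc.body
    body.innerHTML = unsafeHtml
    // … unchanged: whitelist loop …
    return body.innerHTML
```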
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-05-30 18:17:56.000000000 +0200
@@ -1,3 +1,4 @@
2001_privacy.patch
0002-CVE-2024-6484.patch
0003-CVE-2024-6485.patch
+CVE-2025-1647.patch