Your message dated Sun, 01 Jun 2025 14:03:39 +0000
with message-id <E1uLjHn-0029En-2n@respighi.debian.org>
and subject line unblock twitter-bootstrap3
has caused the Debian Bug report #1107087,
regarding unblock: twitter-bootstrap3/3.4.1+dfsg-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1107087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107087
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: twitter-bootstrap3/3.4.1+dfsg-6
- From: Bastien Roucaries <rouca@debian.org>
- Date: Sun, 01 Jun 2025 15:50:23 +0200
- Message-id: <2602273.4XsnlVU6TS@debian-ei>
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package twitter-bootstrap3

[ Reason ]
CVE-2025-1647

[ Impact ]
CVE-2025-1647 XSS injection

[ Tests ]
Manual using PoC + yadd review

[ Risks ]
Low, changes are minimal

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
Lack of upstream support (EOL)

unblock twitter-bootstrap3/3.4.1+dfsg-6

diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog --- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200 +++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-06-01 15:39:35.000000000 +0200 
@@ -1,3 +1,26 @@ +twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium + + * Team upload + * Do not refresh patches compared to 3.4.1+dfsg-4 in order + to ease unblock to trixie. + + -- Bastien Roucariès <rouca@debian.org> Sun, 01 Jun 2025 15:39:35 +0200 + +twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium + + * Team upload + * Fix CVE-2025-1647 (Closes: #1105899) + Improper Neutralization of Input During Web Page + Generation (XSS or 'Cross-site Scripting') vulnerability + in Bootstrap allows Cross-Site Scripting (XSS) + DOM-based cross-site scripting (XSS) via DOM clobbering + occurs when an attacker manipulates the Document Object Model + (DOM) to overwrite or "clobber" an existing DOM object, + leading to the execution of malicious scripts, particularly + document.implementation variable. + + -- Bastien Roucariès <rouca@debian.org> Fri, 30 May 2025 18:17:56 +0200 + twitter-bootstrap3 (3.4.1+dfsg-4) unstable; urgency=medium * Team upload diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch --- twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 1970-01-01 01:00:00.000000000 +0100 +++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch 2025-06-01 12:26:39.000000000 +0200 
@@ -0,0 +1,73 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org> +Date: Fri, 30 May 2025 18:13:34 +0200 +Subject: CVE-2025-1647 + +Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability +in Bootstrap allows Cross-Site Scripting (XSS) + +DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker +manipulates the Document Object Model (DOM) to overwrite +or "clobber" an existing DOM object, leading to the execution +of malicious scripts. + +document.implementation should be tested against well known type + +Use DOMParser if possible (supported since 2015) in order to create a DoS in case +of document.implementation overriden. + +bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647 +bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647 +--- + js/tooltip.js | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/js/tooltip.js b/js/tooltip.js +index c8c1c8c..a5b923c 100644 +--- a/js/tooltip.js ++++ b/js/tooltip.js +@@ -99,6 +99,7 @@ + } + + function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) { ++ let doc = null + if (unsafeHtml.length === 0) { + return unsafeHtml + } +@@ -107,16 +108,21 @@ + return sanitizeFn(unsafeHtml) + } + +- // IE 8 and below don't support createHTMLDocument +- if (!document.implementation || !document.implementation.createHTMLDocument) { +- return unsafeHtml ++ try { ++ doc = new DOMParser().parseFromString(unsafeHtml, 'text/html'); ++ } catch (_) {} ++ if (!doc || !doc.documentElement) { ++ // IE 8 and below don't support createHTMLDocument ++ if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) { ++ throw new Error('Could not sanitize CVE-2025-1647'); ++ } ++ doc = document.implementation.createHTMLDocument('sanitization') ++ doc.body.innerHTML = unsafeHtml + } +- +- var 
createdDocument = document.implementation.createHTMLDocument('sanitization') +- createdDocument.body.innerHTML = unsafeHtml ++ const body = doc.body || doc.documentElement; + + var whitelistKeys = $.map(whiteList, function (el, i) { return i }) +- var elements = $(createdDocument.body).find('*') ++ var elements = $(body).find('*') + + for (var i = 0, len = elements.length; i < len; i++) { + var el = elements[i] +@@ -138,7 +144,7 @@ + } + } + +- return createdDocument.body.innerHTML ++ return body.innerHTML + } + + // TOOLTIP PUBLIC CLASS DEFINITION diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series --- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-04-10 23:47:00.000000000 +0200 +++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-06-01 12:26:39.000000000 +0200 @@ -1,3 +1,4 @@ 2001_privacy.patch 0002-CVE-2024-6484.patch 0003-CVE-2024-6485.patch +CVE-2025-1647.patchAttachment: signature.asc
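Review bot: in the debian/changelog hunk, the 3.4.1+dfsg-5 entry's description trails off mid-sentence ("leading to the execution of malicious scripts, particularly document.implementation variable"); replace the copied advisory text with one line saying what the package change does, e.g. "sanitizeHtml in js/tooltip.js now prefers DOMParser and validates document.implementation before using it", and state the user-visible consequence that sanitizeHtml now throws instead of returning unsanitized HTML when no usable parser is found, since that is what a tooltip user on a clobbered page will notice.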
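Review bot: in the js/tooltip.js hunk, the fallback guard `!(document.implementation instanceof DOMImplementation)` will itself throw a TypeError wherever there is no global `DOMImplementation` constructor, which is exactly the "IE 8 and below" case the adjacent comment describes (those engines also lack DOMParser, so the fallback is the path they take); the outcome is still fail-closed, just with a different error than the intended `throw new Error('Could not sanitize CVE-2025-1647')`, so either check `typeof DOMImplementation !== 'undefined'` first or note in the patch header that any exception there is acceptable. The empty `catch (_) {}` only ever catches a missing `DOMParser` global, since `parseFromString(..., 'text/html')` does not throw on malformed input and always yields a `documentElement`; that is fine, but a one-word comment would save the next reader from wondering which failure it is meant to swallow. Style: `let doc = null` and `const body = ...` introduce ES2015 declarations, and both new statements end in semicolons, in a file that otherwise uses `var` and no semicolons; if the package's JavaScript is still minified with an ES5-only tool, `let`/`const` will break the build, so `var` is the safer spelling here. The substantive change is sound: where the old code returned `unsafeHtml` untouched when `createHTMLDocument` was absent or clobbered, the new code parses in an inert document and refuses to return unsanitized markup.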
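Review bot: in the debian/patches/series hunk, the new entry `CVE-2025-1647.patch` drops the numeric prefix used by the neighbouring security patches (`0002-CVE-2024-6484.patch`, `0003-CVE-2024-6485.patch`); naming it `0004-CVE-2025-1647.patch` keeps the apply order visible in the file name and matches the existing convention.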
--- End Message ---
--- Begin Message ---
- To: 1107087-done@bugs.debian.org
- Subject: unblock twitter-bootstrap3
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Sun, 01 Jun 2025 14:03:39 +0000
- Message-id: <E1uLjHn-0029En-2n@respighi.debian.org>
Unblocked.
--- End Message ---