Bug#1107087: marked as done (unblock: twitter-bootstrap3/3.4.1+dfsg-6)

To: Sebastian Ramacher <sramacher@respighi.debian.org>
Subject: Bug#1107087: marked as done (unblock: twitter-bootstrap3/3.4.1+dfsg-6)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sun, 01 Jun 2025 14:05:02 +0000
Message-id: <[🔎] handler.1107087.D1107087.1748786622941240.ackdone@bugs.debian.org>
Reply-to: 1107087@bugs.debian.org
References: <E1uLjHn-0029En-2n@respighi.debian.org> <[🔎] 2602273.4XsnlVU6TS@debian-ei>

Your message dated Sun, 01 Jun 2025 14:03:39 +0000
with message-id <E1uLjHn-0029En-2n@respighi.debian.org>
and subject line unblock twitter-bootstrap3
has caused the Debian Bug report #1107087,
regarding unblock: twitter-bootstrap3/3.4.1+dfsg-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107087
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: twitter-bootstrap3/3.4.1+dfsg-6
From: Bastien Roucaries <rouca@debian.org>
Date: Sun, 01 Jun 2025 15:50:23 +0200
Message-id: <[🔎] 2602273.4XsnlVU6TS@debian-ei>

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package twitter-bootstrap3

[ Reason ]
CVE-2025-1647


[ Impact ]
CVE-2025-1647 XSS injection


[ Tests ]
Manual using PoC + yadd review

[ Risks ]
Low change are minimal

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Lack of upstream support (EOL)

unblock twitter-bootstrap3/3.4.1+dfsg-6

diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog	2025-06-01 15:39:35.000000000 +0200
@@ -1,3 +1,26 @@
+twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium
+
+  * Team upload
+  * Do not refresh patches compared to 3.4.1+dfsg-4 in order
+    to ease unblock to trixie.
+
+ -- Bastien Roucariès <rouca@debian.org>  Sun, 01 Jun 2025 15:39:35 +0200
+
+twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium
+
+  * Team upload
+  * Fix CVE-2025-1647 (Closes: #1105899)
+    Improper Neutralization of Input During Web Page
+    Generation (XSS or 'Cross-site Scripting') vulnerability
+    in Bootstrap allows Cross-Site Scripting (XSS)
+    DOM-based cross-site scripting (XSS) via DOM clobbering
+    occurs when an attacker manipulates the Document Object Model
+    (DOM) to overwrite or "clobber" an existing DOM object,
+    leading to the execution of malicious scripts, particularly
+    document.implementation variable.
+
+ -- Bastien Roucariès <rouca@debian.org>  Fri, 30 May 2025 18:17:56 +0200
+
 twitter-bootstrap3 (3.4.1+dfsg-4) unstable; urgency=medium
 
   * Team upload
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch	1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/CVE-2025-1647.patch	2025-06-01 12:26:39.000000000 +0200
@@ -0,0 +1,73 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Fri, 30 May 2025 18:13:34 +0200
+Subject: CVE-2025-1647
+
+Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability
+in Bootstrap allows Cross-Site Scripting (XSS)
+
+DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker
+manipulates the Document Object Model (DOM) to overwrite
+or "clobber" an existing DOM object, leading to the execution
+of malicious scripts.
+
+document.implementation should be tested against well known type
+
+Use DOMParser if possible (supported since 2015) in order to create a DoS in case
+of document.implementation overriden.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647
+bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647
+---
+ js/tooltip.js | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/js/tooltip.js b/js/tooltip.js
+index c8c1c8c..a5b923c 100644
+--- a/js/tooltip.js
++++ b/js/tooltip.js
+@@ -99,6 +99,7 @@
+   }
+ 
+   function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
++    let doc = null
+     if (unsafeHtml.length === 0) {
+       return unsafeHtml
+     }
+@@ -107,16 +108,21 @@
+       return sanitizeFn(unsafeHtml)
+     }
+ 
+-    // IE 8 and below don't support createHTMLDocument
+-    if (!document.implementation || !document.implementation.createHTMLDocument) {
+-      return unsafeHtml
++    try {
++        doc = new DOMParser().parseFromString(unsafeHtml, 'text/html');
++    } catch (_) {}
++    if (!doc || !doc.documentElement) {
++      // IE 8 and below don't support createHTMLDocument
++      if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) {
++        throw new Error('Could not sanitize CVE-2025-1647');
++      }
++      doc = document.implementation.createHTMLDocument('sanitization')
++      doc.body.innerHTML = unsafeHtml
+     }
+-
+-    var createdDocument = document.implementation.createHTMLDocument('sanitization')
+-    createdDocument.body.innerHTML = unsafeHtml
++    const body = doc.body || doc.documentElement;
+ 
+     var whitelistKeys = $.map(whiteList, function (el, i) { return i })
+-    var elements = $(createdDocument.body).find('*')
++    var elements = $(body).find('*')
+ 
+     for (var i = 0, len = elements.length; i < len; i++) {
+       var el = elements[i]
+@@ -138,7 +144,7 @@
+       }
+     }
+ 
+-    return createdDocument.body.innerHTML
++    return body.innerHTML
+   }
+ 
+   // TOOLTIP PUBLIC CLASS DEFINITION
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series	2025-06-01 12:26:39.000000000 +0200
@@ -1,3 +1,4 @@
 2001_privacy.patch
 0002-CVE-2024-6484.patch
 0003-CVE-2024-6485.patch
+CVE-2025-1647.patch

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---

--- Begin Message ---

To: 1107087-done@bugs.debian.org

Subject: unblock twitter-bootstrap3

From: Sebastian Ramacher <sramacher@respighi.debian.org>

Date: Sun, 01 Jun 2025 14:03:39 +0000

Message-id: <E1uLjHn-0029En-2n@respighi.debian.org>
Unblocked.
--- End Message ---

Reply to:

References:
- Bug#1107087: unblock: twitter-bootstrap3/3.4.1+dfsg-6
  - From: Bastien Roucaries <rouca@debian.org>

Prev by Date: Processed: bookworm-pu: package twitter-bootstrap3/3.4.1+dfsg-3+deb12u2
Next by Date: Bug#1106526: nmu: multiple binNMUs to fix build reproducibility
Previous by thread: Processed: unblock: twitter-bootstrap3/3.4.1+dfsg-6
Next by thread: Bug#1107088: bookworm-pu: package twitter-bootstrap3/3.4.1+dfsg-3+deb12u2
Index(es):
- Date
- Thread