Version in base suite: 3.4.1+dfsg-3 Base version: twitter-bootstrap3_3.4.1+dfsg-3 Target version: twitter-bootstrap3_3.4.1+dfsg-3+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/twitter-bootstrap3/twitter-bootstrap3_3.4.1+dfsg-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/twitter-bootstrap3/twitter-bootstrap3_3.4.1+dfsg-3+deb12u1.dsc changelog | 25 +++++++++++++++++++++++ patches/0002-CVE-2024-6484.patch | 27 +++++++++++++++++++++++++ patches/0003-CVE-2024-6485.patch | 42 +++++++++++++++++++++++++++++++++++++++ patches/series | 2 + salsa-ci.yml | 3 ++ 5 files changed, 99 insertions(+)
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2022-12-17 23:30:51.000000000 +0000
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 21:47:00.000000000 +0000
@@ -1,3 +1,28 @@
+twitter-bootstrap3 (3.4.1+dfsg-3+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CVE-2024-6485:
+ A security vulnerability has been discovered in bootstrap
+ that could enable Cross-Site Scripting (XSS) attacks.
+ The vulnerability is associated with the data-loading-text
+ attribute within the button plugin.
+ This vulnerability can be exploited by injecting malicious
+ JavaScript code into the attribute, which would then be
+ executed when the button's loading state is triggered.
+ (Closes: #1084060)
+ * Fix CVE-2024-6484:
+ A vulnerability has been identified in Bootstrap that
+ exposes users to Cross-Site Scripting (XSS) attacks.
+ The issue is present in the carousel component, where the
+ data-slide and data-slide-to attributes can be exploited
+ through the href attribute of an tag due to inadequate
+ sanitization. This vulnerability could potentially enable
+ attackers to execute arbitrary JavaScript within
+ the victim's browser.
+ (Closes: #1084060)
+
+ -- Bastien Roucariès Thu, 10 Apr 2025 23:47:00 +0200
+
 twitter-bootstrap3 (3.4.1+dfsg-3) unstable; urgency=medium
 
 [ Yadd ]
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch 1970-01-01 00:00:00.000000000 +0000
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/0002-CVE-2024-6484.patch 2025-04-10 21:47:00.000000000 +0000
@@ -0,0 +1,27 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Thu, 10 Apr 2025 23:36:04 +0200
+Subject: CVE-2024-6484
+
+Fix this vulnerability by checking before calling if the target is a carousel
+and disabling further event calling if not
+
+origin: backport, https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
+---
+ js/carousel.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/js/carousel.js b/js/carousel.js
+index a5fcac3..058d3d3 100644
+--- a/js/carousel.js
++++ b/js/carousel.js
+@@ -217,7 +217,7 @@
+ var target = $this.attr('data-target') || href
+ var $target = $(document).find(target)
+
+- if (!$target.hasClass('carousel')) return
++ if (!$target.hasClass('carousel')) return false;
+
+ var options = $.extend({}, $target.data(), $this.data())
+ var slideIndex = $this.attr('data-slide-to')
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch 1970-01-01 00:00:00.000000000 +0000
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/0003-CVE-2024-6485.patch 2025-04-10 21:47:00.000000000 +0000
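Review bot: The new `return false;` in the inner `js/carousel.js` hunk does more than block the default action: in a jQuery delegated handler `return false` also calls `stopPropagation()`, so for any `[data-slide]`/`[data-slide-to]` element whose target is not a `.carousel`, click handlers bound on ancestors will no longer run, which is a wider behaviour change than the CVE fix requires. The carousel branch of the same handler (outside this hunk) suppresses navigation with `e.preventDefault()` on the event argument; the narrower equivalent here would be `if (!$target.hasClass('carousel')) { e.preventDefault(); return }`, which also drops the trailing semicolon the surrounding lines omit. Keeping the upstream form is defensible for a backport, but the propagation change deserves a mention in the changelog entry. The enclosing click handler starts and ends outside the hunk.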
@@ -0,0 +1,42 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Thu, 10 Apr 2025 23:41:07 +0200
+Subject: CVE-2024-6485
+
+Sanitize data[state] avoiding thus XSS
+
+origin: backport, https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
+---
+ js/button.js | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/js/button.js b/js/button.js
+index ff4af20..6569240 100644
+--- a/js/button.js
++++ b/js/button.js
+@@ -25,6 +25,15 @@
+ loadingText: 'loading...'
+ }
+
++ Button.prototype.sanitize = function (unsafeText) {
++ return unsafeText
++ .replace(/&/g, '&')
++ .replace(//g, '>')
++ .replace(/"/g, '"')
++ .replace(/'/g, ''');
++ }
++
+ Button.prototype.setState = function (state) {
+ var d = 'disabled'
+ var $el = this.$element
+@@ -37,7 +46,7 @@
+
+ // push to event loop to allow forms to submit
+ setTimeout($.proxy(function () {
+- $el[val](data[state] == null ? this.options[state] : data[state])
++ $el[val](data[state] == null ? this.options[state] : this.sanitize(data[state]))
+
+ if (state == 'loadingText') {
+ this.isLoading = true
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/patches/series twitter-bootstrap3-3.4.1+dfsg/debian/patches/series
--- twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2022-12-17 23:30:51.000000000 +0000
+++ twitter-bootstrap3-3.4.1+dfsg/debian/patches/series 2025-04-10 21:47:00.000000000 +0000
@@ -1 +1,3 @@
 2001_privacy.patch
+0002-CVE-2024-6484.patch
+0003-CVE-2024-6485.patch
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml
--- twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml 2022-12-17 23:30:51.000000000 +0000
+++ twitter-bootstrap3-3.4.1+dfsg/debian/salsa-ci.yml 2025-04-10 21:47:00.000000000 +0000
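Review bot: As rendered here, the `sanitize` body in the inner `js/button.js` hunk is not a working escaper: `.replace(/&/g, '&')` replaces `&` with itself, `.replace(//g, '>')` is an empty pattern that would insert `>` between every character, and the `"` and `'` rules map each quote to itself. This looks like HTML-entity decoding by whatever produced this page (the `<` and `>` rules appear to have been swallowed as a tag, and the inner `@@ -25,6 +25,15 @@` header promises 9 added lines where only 8 are shown), so the patch file itself is probably intact, but the installed `0003-CVE-2024-6485.patch` should be checked against the upstream commit named in its `origin:` header, because a decoded copy would still apply cleanly and silently leave CVE-2024-6485 unfixed. Independently, since `$el[val](...)` writes via `.html()` for non-input elements in upstream 3.4.1 (the `val` assignment is outside this hunk), escaping `data[state]` turns any markup a site previously put in `data-loading-text` into visible text; that is the intended fix, but it is a behaviour change worth a sentence in the changelog entry. `setState` continues outside the hunk.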
@@ -2,3 +2,6 @@
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'