Report forwarded to debian-bugs-dist@lists.debian.org, Debian security team <team@security.debian.org>, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#1118145; Package gi-docgen. (Wed, 15 Oct 2025 10:23:02 GMT)
Acknowledgement sent to Simon McVittie <smcv@debian.org>: New bug report received and forwarded. Copy sent to team@security.debian.org, pkg-gnome-maintainers@lists.alioth.debian.org. (Wed, 15 Oct 2025 10:23:02 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gi-docgen: CVE-2025-11687: cross-site scripting in search.js
Date: Wed, 15 Oct 2025 11:22:06 +0100
Package: gi-docgen
Version: 2025.4-1
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Forwarded: https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228
Control: close -1 2025.5-1
As noted in the security tracker, a cross-site scripting vulnerability
was reported in gi-docgen. I've uploaded the fixed version to unstable
already.
If I'm understanding correctly, the exploit route would be:
1. a library developer builds API documentation using gi-docgen
2. they host it on a web server that is accessible by the victim
3. there is something else hosted on the same web server (same origin)
that is not public information, or that is editable by the victim
4. the attacker makes the victim follow a link to a crafted search query
5. the cross-site scripting vulnerability results in attacker-chosen
JavaScript running in the victim's browser in the context of the
website, which can be used to leak non-public information or carry
out edits, depending on the scope of (3)
How serious does the security team consider this to be? My suggestion
would be to treat it as a minor vulnerability that can be fixed via
proposed-updates.
The JavaScript file that contains the vulnerability (search.js) gets
copied into documentation packages such as libportal-doc, so if someone
uploaded these documentation packages to a public web server, it would
be vulnerable to cross-site scripting. This seems somewhat unlikely in
practice, so I don't think it is necessary to do a mass rebuild of
libraries like src:libportal that have gi-docgen-generated
documentation, either in testing/unstable or in (old)stable. Does the
security team agree?
smcv
Marked as fixed in versions 2025.5-1. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Wed, 15 Oct 2025 10:23:02 GMT)
Marked Bug as done. Request was from Simon McVittie <smcv@debian.org> to submit@bugs.debian.org. (Wed, 15 Oct 2025 10:23:03 GMT)
Notification sent to Simon McVittie <smcv@debian.org>: Bug acknowledged by developer. (Wed, 15 Oct 2025 10:23:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Nov 2025 07:25:59 GMT)