Hello community,

here is the log from the commit of package yelp for openSUSE:Factory checked in 
at 2025-05-26 18:32:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yelp (Old)
 and      /work/SRC/openSUSE:Factory/.yelp.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yelp"

Mon May 26 18:32:15 2025 rev:125 rq:1279660 version:42.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/yelp/yelp.changes        2024-03-22 
15:28:28.370261641 +0100
+++ /work/SRC/openSUSE:Factory/.yelp.new.2732/yelp.changes      2025-05-26 
18:33:29.650270900 +0200
@@ -1,0 +2,7 @@
+Thu May  8 08:30:06 UTC 2025 - Cliff Zhao <qz...@suse.com>
+
+- Add 7ecd58d.patch:
+  Initial fix for CVE-2025-3155 from parrot409.
+  (CVE-2025-3155 bsc#1240688)
+
+-------------------------------------------------------------------

New:
----
  7ecd58d.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yelp.spec ++++++
--- /var/tmp/diff_new_pack.jzkv0E/_old  2025-05-26 18:33:30.098289684 +0200
+++ /var/tmp/diff_new_pack.jzkv0E/_new  2025-05-26 18:33:30.102289852 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package yelp
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,7 +30,8 @@
 Patch1:         
https://gitlab.gnome.org/GNOME/yelp/-/commit/855cae4a336f7676f093579c9a6b2d9fae7a1f80.patch
 # PATCH-FIX-SLED yelp-automake.patch mgo...@suse.com -- update Makefile.in for 
last patch
 Patch2:         yelp-automake.patch
-
+# PATCH-FIX-UPSTREAM 7ecd58d.patch CVE-2025-3155 bsc#1240688 qz...@suse.com -- 
Initial fix for CVE-2025-3155 from parrot409.
+Patch3:         https://gitlab.gnome.org/GNOME/yelp/-/commit/7ecd58d.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  gtk-doc
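Review bot: Patch3 is fetched by a 7-character abbreviated commit id (`7ecd58d.patch`) while Patch1 on the same hunk uses the full 40-character id; abbreviated ids are only unique as long as no other object in the upstream repository shares the prefix, so the reference can become ambiguous later. The full id is visible in the patch header further down in this request, so the line can read `Patch3:         https://gitlab.gnome.org/GNOME/yelp/-/commit/7ecd58dc0ca7bf9d0acb00bf04194a0cb6e8b724.patch` (the checked-in file would then carry that name too, matching how Patch1 is stored).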
@@ -94,6 +95,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 160000
 %patch -P 2 -p1
 %endif
+%patch -P 3 -p1
 
 %build
 %if !0%{?sle_version} || 0%{?sle_version} >= 160000

++++++ 7ecd58d.patch ++++++
>From 7ecd58dc0ca7bf9d0acb00bf04194a0cb6e8b724 Mon Sep 17 00:00:00 2001
From: Shaun McCance <sha...@gnome.org>
Date: Fri, 18 Apr 2025 11:33:01 -0400
Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409

https://gitlab.gnome.org/GNOME/yelp/-/issues/221
---
 data/xslt/mal2html.xsl.in    |  5 +++++
 data/xslt/man2html.xsl.in    |  2 +-
 data/xslt/yelp-common.xsl.in |  7 +++++++
 libyelp/yelp-transform.c     | 19 +++++++++++++++++++
 libyelp/yelp-view.c          |  2 +-
 5 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/data/xslt/mal2html.xsl.in b/data/xslt/mal2html.xsl.in
index 9e44b734..0a74da55 100644
--- a/data/xslt/mal2html.xsl.in
+++ b/data/xslt/mal2html.xsl.in
@@ -19,6 +19,11 @@
 <xsl:param name="mal.link.prefix" select="'xref:'"/>
 <xsl:param name="mal.link.extension" select="''"/>
 
+<xsl:template name="html.head.top.custom">
+  <xsl:param name="node" select="."/>
+  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: 
bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; 
script-src 'nonce-{$html.csp.nonce}'; style-src 'nonce-{$html.csp.nonce}'; "/>
+</xsl:template>
+
 <xsl:template name="mal.link.target.custom">
   <xsl:param name="node" select="."/>
   <xsl:param name="action" select="$node/@action"/>
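Review bot: The `html.head.top.custom` template added here defines a different policy from the copy added to data/xslt/yelp-common.xsl.in in the same patch (`style-src 'nonce-{$html.csp.nonce}'` here versus `style-src 'unsafe-inline'` there), and both carry the same template name. Which copy takes effect depends on whether yelp-common.xsl.in is brought in with xsl:import (importer wins) or xsl:include (duplicate template name), and that is not visible in this hunk; a comment above the template stating the intent, e.g. `<!-- Overrides the yelp-common.xsl.in copy: Mallard output uses a nonce for inline styles instead of 'unsafe-inline' -->`, would make the precedence deliberate rather than accidental. The `default-src` list also ends in ` ;` and the whole value in `; `, which browsers tolerate but which reads as an unfinished directive.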
diff --git a/data/xslt/man2html.xsl.in b/data/xslt/man2html.xsl.in
index 676ce3eb..56bc1f5c 100644
--- a/data/xslt/man2html.xsl.in
+++ b/data/xslt/man2html.xsl.in
@@ -131,7 +131,7 @@
   the correct styling and a single character which we measure the
   width of and update each sheet as required.
 -->
-<script type="text/javascript" language="javascript">
+<script type="text/javascript" language="javascript" nonce="{$html.csp.nonce}">
 <xsl:text>
 $(document).ready (function () {
   var div = document.getElementById("invisible-char");
diff --git a/data/xslt/yelp-common.xsl.in b/data/xslt/yelp-common.xsl.in
index 0c1ec9bb..421fc02d 100644
--- a/data/xslt/yelp-common.xsl.in
+++ b/data/xslt/yelp-common.xsl.in
@@ -15,6 +15,13 @@
 <xsl:param name="html.syntax.highlight" select="true()"/>
 <xsl:param name="html.js.root" select="'file://@XSL_JSDIR@/'"/>
 
+<xsl:param name="html.csp.nonce" select="yelp:generate_nonce()"/>
+
+<xsl:template name="html.head.top.custom">
+  <xsl:param name="node" select="."/>
+  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: 
bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; 
script-src 'nonce-{$html.csp.nonce}'; style-src 'unsafe-inline'; "/>
+</xsl:template>
+
 <xsl:template name="html.js.mathjax">
   <xsl:param name="node" select="."/>
   <xsl:if test="$node//mml:*[1]">
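Review bot: `style-src 'unsafe-inline'` leaves inline styles outside the nonce-based policy even though the nonce is already in scope on the line above, whereas the mal2html.xsl.in copy of this template uses `style-src 'nonce-{$html.csp.nonce}'`. If the inline style elements produced by the common templates can carry `nonce="{$html.csp.nonce}"` the way man2html.xsl.in's script element now does, the nonce form should be used here too; if not, a comment recording why 'unsafe-inline' is still required would stop a later reviewer from "fixing" it blindly. `html.csp.nonce` is a top-level xsl:param, so a value supplied by the caller of the transform would replace the generated one; whether transform_run ever passes caller-controlled stylesheet parameters is not visible here and is worth confirming. A short comment, e.g. `<!-- One nonce per transform; every inline script or style element must carry nonce="{$html.csp.nonce}" -->`, would state the contract the other templates rely on.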
diff --git a/libyelp/yelp-transform.c b/libyelp/yelp-transform.c
index e74eb463..2ce1d05b 100644
--- a/libyelp/yelp-transform.c
+++ b/libyelp/yelp-transform.c
@@ -71,6 +71,8 @@ static void      xslt_yelp_cache            
(xsltTransformContextPtr  ctxt,
                                              xsltStylePreCompPtr      comp);
 static void      xslt_yelp_aux              (xmlXPathParserContextPtr ctxt,
                                              int                      nargs);
+static void      xslt_yelp_generate_nonce   (xmlXPathParserContextPtr ctxt,
+                                             int                      nargs);
 
 enum {
     PROP_0,
@@ -412,6 +414,10 @@ transform_run (YelpTransform *transform)
                              BAD_CAST "input",
                              BAD_CAST YELP_NAMESPACE,
                              (xmlXPathFunction) xslt_yelp_aux);
+    xsltRegisterExtFunction (priv->context,
+                         BAD_CAST "generate_nonce",
+                         BAD_CAST YELP_NAMESPACE,
+                         (xmlXPathFunction) xslt_yelp_generate_nonce);
 
     priv->output = xsltApplyStylesheetUser (priv->stylesheet,
                                             priv->input,
@@ -607,3 +613,16 @@ xslt_yelp_aux (xmlXPathParserContextPtr ctxt, int nargs)
     xsltExtensionInstructionResultRegister (tctxt, ret);
     valuePush (ctxt, ret);
 }
+
+static void
+xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)
+{
+    GRand* rand;
+    gchar* nonce_str;
+
+    rand = g_rand_new ();
+    nonce_str = g_strdup_printf("%08x%08x", g_rand_int (rand), g_rand_int 
(rand));
+    xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) nonce_str));
+    g_free(nonce_str);
+    g_rand_free(rand);
+}
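Review bot: `xslt_yelp_generate_nonce` derives the CSP nonce from two `g_rand_int ()` calls on a fresh `GRand`, which is a Mersenne Twister; GLib seeds `g_rand_new ()` from /dev/urandom when it can be read and otherwise falls back to the current time, so on the fallback path the nonce is predictable, which defeats its purpose in the policy. Reading eight bytes straight from a CSPRNG (getrandom(2) or /dev/urandom) and hex-formatting those would remove the dependence on GRand's seeding; that is a handful of lines including the error path, so it is described here rather than quoted. The function also ignores `nargs`; if the sibling extension functions in this file validate their arity, this one should too, e.g. `if (nargs != 0) { xmlXPathSetArityError (ctxt); return; }`. A header comment such as `/* yelp:generate_nonce(): returns a fresh 16-hex-digit string used as the per-transform CSP nonce; the xmlStrdup copy is owned by the XPath context. */` would document the contract and the ownership hand-off that justifies the `g_free` that follows.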
diff --git a/libyelp/yelp-view.c b/libyelp/yelp-view.c
index 32ae131e..d544c5df 100644
--- a/libyelp/yelp-view.c
+++ b/libyelp/yelp-view.c
@@ -971,7 +971,7 @@ view_external_uri (YelpView *view,
 
     if (app_info)
       {
-        if (!strstr (g_app_info_get_executable (app_info), "yelp"))
+        if (!strstr (g_app_info_get_executable (app_info), "yelp") && !strstr 
(struri, "%3C") && !strstr (struri, "%3E"))
           {
             GList l;
 
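Review bot: The new condition on `struri` rejects only the upper-case escapes `%3C` and `%3E`; `strstr` is case-sensitive while percent-encoding is case-insensitive, so `%3c` and `%3e` pass the check. Extend the condition with `&& !strstr (struri, "%3c") && !strstr (struri, "%3e")`, or run the checks against a lowercased copy from `g_ascii_strdown`. Whether `struri` can still contain a literal `<` or `>` at this point is not visible in the hunk; if it can, `strchr` checks for the raw characters belong next to the encoded ones. Since this is a two-character denylist in front of an external handler, a comment above the condition recording what it is meant to block, e.g. `/* Refuse to hand a URI containing (encoded) angle brackets to an external handler */`, would help whoever completes the "initial" fix the subject line announces. view_external_uri begins before this hunk.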
-- 
GitLab
