Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yelp-xsl for openSUSE:Factory checked in at 2025-05-26 18:32:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yelp-xsl (Old) and /work/SRC/openSUSE:Factory/.yelp-xsl.new.2732 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yelp-xsl" Mon May 26 18:32:14 2025 rev:55 rq:1279659 version:42.1 Changes: --------
--- /work/SRC/openSUSE:Factory/yelp-xsl/yelp-xsl.changes 2022-09-21 14:41:57.981677401 +0200
+++ /work/SRC/openSUSE:Factory/.yelp-xsl.new.2732/yelp-xsl.changes 2025-05-26 18:33:28.942241214 +0200
@@ -1,0 +2,7 @@
+Thu May 8 08:30:06 UTC 2025 - Cliff Zhao <qz...@suse.com>
+
+- Add 6902d74.patch:
+ Initial fix for CVE-2025-3155 from parrot409.
+ (CVE-2025-3155 bsc#1240688)
+
+-------------------------------------------------------------------
New: ---- 6902d74.patch BETA DEBUG BEGIN: New: - Add 6902d74.patch: Initial fix for CVE-2025-3155 from parrot409. BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ yelp-xsl.spec ++++++
--- /var/tmp/diff_new_pack.utkYbp/_old 2025-05-26 18:33:29.394260166 +0200
+++ /var/tmp/diff_new_pack.utkYbp/_new 2025-05-26 18:33:29.398260334 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package yelp-xsl
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2010 Dominique Leuenberger, Amsterdam, Netherlands.
 #
 # All modifications and additions to the file contributed by third parties
@@ -26,7 +26,8 @@
 URL: https://wiki.gnome.org/Apps/Yelp
 Source0: https://download.gnome.org/sources/yelp-xsl/42/%{name}-%{version}.tar.xz
 Source99: yelp-xsl-rpmlintrc
-
+# PATCH-FIX-UPSTREAM 6902d74.patch CVE-2025-3155 bsc#1240688 qz...@suse.com -- Initial fix for CVE-2025-3155 from parrot409.
+Patch0: https://gitlab.gnome.org/GNOME/yelp-xsl/-/commit/6902d74.patch
 BuildRequires: itstool >= 1.2.0
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(libxml-2.0)
++++++ 6902d74.patch ++++++
>From 6902d7439c0419055e1c48c7771629ccbb278408 Mon Sep 17 00:00:00 2001
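Review bot: The new `Patch0:` line and its PATCH-FIX-UPSTREAM comment identify the upstream fix only by the abbreviated id `6902d74`, which is not a stable reference over time; the full id `6902d7439c0419055e1c48c7771629ccbb278408` is visible in the patch's From line, so recording it in the comment, e.g. `# PATCH-FIX-UPSTREAM 6902d74.patch CVE-2025-3155 bsc#1240688 qz...@suse.com -- Initial fix for CVE-2025-3155 from parrot409 (upstream commit 6902d7439c0419055e1c48c7771629ccbb278408).`, keeps the provenance unambiguous without renaming the local file. Whether the patch is actually applied (`%autosetup -p1` or an explicit `%patch` line) lies outside this hunk and should be confirmed in the build log. The upstream subject itself calls this an "Initial fix", so presumably follow-up commits are expected and the bsc tracker should not be considered closed by this update alone.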
From: Shaun McCance <sha...@redhat.com>
Date: Fri, 18 Apr 2025 11:31:18 -0400
Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
---
 xslt/common/html.xsl | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
index 77aed075..82832fb4 100644
--- a/xslt/common/html.xsl
+++ b/xslt/common/html.xsl
@@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See
 -->
 <xsl:param name="html.sidebar.right" select="''"/>
 
+<!--@@==========================================================================
+html.csp.nonce
+An optional CSP nonce string to allow the execution of scripts and styles.
+@revision[version=42.2 date=2025-02-22 status=final]
+
+This parameter takes a string value that will be added to the 'nonce' attribute
+of all 'style' and 'script' tags in the generated HTML output. This paramter is used
+to whitelist script and style tags that are allowed to be executed.
+-->
+<xsl:param name="html.csp.nonce" select="false()"/>
 
 <!--**==========================================================================
 html.output
@@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided.
 </xsl:call-template>
 </xsl:param>
 <style type="text/css">
+<xsl:if test="$html.csp.nonce">
+<xsl:attribute name="nonce">
+<xsl:value-of select="$html.csp.nonce" />
+</xsl:attribute>
+</xsl:if>
 <xsl:call-template name="html.css.content">
 <xsl:with-param name="node" select="$node"/>
 <xsl:with-param name="direction" select="$direction"/>
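Review bot: The parameter description added in the first hunk should state what the nonce does not do: emitting `nonce` attributes has no effect on its own, the program that serves or embeds the generated HTML must also send a Content-Security-Policy whose script-src/style-src carries the matching `'nonce-<value>'` source, and the value must be freshly generated and unguessable for every document, because a fixed or reused nonce gives the policy nothing to enforce. I would append to the comment: `Setting this parameter only adds the attribute; the caller is responsible for sending a matching Content-Security-Policy and for using a fresh, unpredictable value per document.` The same comment has a typo, `paramter` should read `parameter`. As a point of style, the other parameter in view defaults with `select="''"` (`html.sidebar.right` just above) and an empty string is just as false under `xsl:if test="$html.csp.nonce"`, so `<xsl:param name="html.csp.nonce" select="''"/>` would follow the file's convention.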
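Review bot: The five-line `xsl:if`/`xsl:attribute` block inserted into the `style` element in the second hunk is repeated verbatim in the four other hunks of this patch (the MathJax `script`, `html.js.script`, and both `script` elements in `html.js.syntax`), so any future `script` or `style` emitter in this stylesheet can silently miss the nonce. Factoring it into one named template keeps the emission in a single place; each call must still come before any child content of the element so that the attribute lands on it. The five lines at each site would then become `<xsl:call-template name="html.csp.nonce.attr"/>`. The template enclosing the second hunk starts outside the hunk.

```xml
<!-- … unchanged: html.csp.nonce param … -->
<xsl:template name="html.csp.nonce.attr">
  <xsl:if test="$html.csp.nonce">
    <xsl:attribute name="nonce">
      <xsl:value-of select="$html.csp.nonce"/>
    </xsl:attribute>
  </xsl:if>
</xsl:template>
```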
@@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files.
 <xsl:param name="node" select="."/>
 <xsl:if test="$node//mml:*[1]">
 <script type="text/javascript">
+<xsl:if test="$html.csp.nonce">
+<xsl:attribute name="nonce">
+<xsl:value-of select="$html.csp.nonce" />
+</xsl:attribute>
+</xsl:if>
 <xsl:attribute name="src">
 <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
 </xsl:attribute>
@@ -1558,6 +1578,11 @@ result of {html.js.content} to that file.
 <xsl:template name="html.js.script">
 <xsl:param name="node" select="."/>
 <script type="text/javascript">
+<xsl:if test="$html.csp.nonce">
+<xsl:attribute name="nonce">
+<xsl:value-of select="$html.csp.nonce" />
+</xsl:attribute>
+</xsl:if>
 <xsl:call-template name="html.js.content">
 <xsl:with-param name="node" select="$node"/>
 </xsl:call-template>
@@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value.
 <xsl:template name="html.js.syntax">
 <xsl:param name="node" select="."/>
 <xsl:if test="$html.syntax.highlight">
-<script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
-<script><![CDATA[
+<script type="text/javascript" src="{$html.js.root}highlight.pack.js">
+<xsl:if test="$html.csp.nonce">
+<xsl:attribute name="nonce">
+<xsl:value-of select="$html.csp.nonce" />
+</xsl:attribute>
+</xsl:if>
+</script>
+<script>
+<xsl:if test="$html.csp.nonce">
+<xsl:attribute name="nonce">
+<xsl:value-of select="$html.csp.nonce" />
+</xsl:attribute>
+</xsl:if><![CDATA[
 document.addEventListener('DOMContentLoaded', function() {
 var matches = document.querySelectorAll('code.syntax')
 for (var i = 0; i < matches.length; i++) {
-- GitLab
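Review bot: The nonce added to the MathJax `script` element in the first hunk here authorizes, under a nonce-based CSP, a script that the surrounding context fetches over plain `http://` from `cdn.mathjax.org` (the `xsl:text` inside the `src` attribute), and a nonce cannot vouch for code that can be altered in transit, so at minimum that `xsl:text` should carry an `https://` URL; as far as I know that CDN hostname was retired years ago, so whether the reference still resolves at all deserves checking. The `src` line is pre-existing context rather than part of this change, but marking the element with the nonce is what turns it into a policy decision, which is why I raise it on this hunk. The template enclosing that hunk starts outside the hunk.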