Your message dated Tue, 02 Jun 2026 18:47:17 +0000
with message-id <[email protected]>
and subject line Bug#1136299: fixed in yelp 42.2-4+deb13u1
has caused the Debian Bug report #1136299,
regarding yelp: security vulnerability fixed in 49.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136299
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yelp
Version: 49.0-1
Severity: serious
Tags: security upstream bookworm trixie
X-Debbugs-CC: [email protected]
Sandbox escape hardening was done in yelp's recent 49.1 release that
was discussed more today at
https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/
A CVE has been requested, but we don't need to wait for it to be
assigned to fix this issue.
The issue is fixed with these 2 upstream commits:
https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639
This issue has already been fixed in unstable.
Thank you,
Jeremy Bícha
--- End Message ---
--- Begin Message ---
Source: yelp
Source-Version: 42.2-4+deb13u1
Done: Aron Xu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
yelp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated yelp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 May 2026 23:30:00 +0000
Source: yelp
Architecture: source
Version: 42.2-4+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1136299
Changes:
 yelp (42.2-4+deb13u1) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * sandbox escape via ghelp: URIs loaded by help pages, allowing a
     malicious help document to read arbitrary files (e.g. via /proc)
     and exfiltrate them over the network (Closes: #1136299).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---