Your message dated Tue, 02 Jun 2026 18:47:53 +0000
with message-id <[email protected]>
and subject line Bug#1136299: fixed in yelp 42.2-1+deb12u2
has caused the Debian Bug report #1136299,
regarding yelp: security vulnerability fixed in 49.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136299
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: yelp
Version: 49.0-1
Severity: serious
Tags: security upstream bookworm trixie
X-Debbugs-CC: [email protected]

Sandbox escape hardening was done in yelp's recent 49.1 release that
was discussed more today at

https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/

A CVE has been requested, but we don't need to wait for it to be
assigned to fix this issue.

The issue is fixed with these 2 upstream commits:
https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639

This issue has already been fixed in unstable.

Thank you,
Jeremy Bícha

--- End Message ---
--- Begin Message ---
Source: yelp
Source-Version: 42.2-1+deb12u2
Done: Aron Malache <[email protected]>

We believe that the bug you reported is fixed in the latest version of
yelp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Malache <[email protected]> (supplier of updated yelp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2026 23:30:00 +0000
Source: yelp
Architecture: source
Version: 42.2-1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Aron Malache <[email protected]>
Closes: 1136299
Changes:
 yelp (42.2-1+deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * SECURITY UPDATE: sandbox escape via ghelp: URIs and external resources
     loaded by help pages, allowing a malicious help document to read
     arbitrary files (e.g. via /proc) and exfiltrate them over the network
     (Closes: #1136299).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
