rpms/yelp-xsl
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL yelp-xsl-40.2-1.el9_6.1

Browse Source
This commit is contained in:
eabdullin 2025-05-23 12:06:10 +00:00
parent 1930026998
commit f98f5443d3
2 changed files with 98 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
SOURCES/yelp-xsl-CVE-2025-3155.patch Normal file
View File

@ -0,0 +1,92 @@
From 6902d7439c0419055e1c48c7771629ccbb278408 Mon Sep 17 00:00:00 2001
From: Shaun McCance <shaunm@redhat.com>
Date: Fri, 18 Apr 2025 11:31:18 -0400
Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
---
xslt/common/html.xsl | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
index 77aed075..82832fb4 100644
--- a/xslt/common/html.xsl
+++ b/xslt/common/html.xsl
@@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See
-->
<xsl:param name="html.sidebar.right" select="''"/>
+<!--@@==========================================================================
+html.csp.nonce
+An optional CSP nonce string to allow the execution of scripts and styles.
+@revision[version=42.2 date=2025-02-22 status=final]
+
+This parameter takes a string value that will be added to the 'nonce' attribute
+of all 'style' and 'script' tags in the generated HTML output. This paramter is used
+to whitelist script and style tags that are allowed to be executed.
+-->
+<xsl:param name="html.csp.nonce" select="false()"/>
<!--**==========================================================================
html.output
@@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided.
</xsl:call-template>
</xsl:param>
<style type="text/css">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:call-template name="html.css.content">
<xsl:with-param name="node" select="$node"/>
<xsl:with-param name="direction" select="$direction"/>
@@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files.
<xsl:param name="node" select="."/>
<xsl:if test="$node//mml:*[1]">
<script type="text/javascript">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:attribute name="src">
<xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
</xsl:attribute>
@@ -1558,6 +1578,11 @@ result of {html.js.content} to that file.
<xsl:template name="html.js.script">
<xsl:param name="node" select="."/>
<script type="text/javascript">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:call-template name="html.js.content">
<xsl:with-param name="node" select="$node"/>
</xsl:call-template>
@@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value.
<xsl:template name="html.js.syntax">
<xsl:param name="node" select="."/>
<xsl:if test="$html.syntax.highlight">
- <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
- <script><![CDATA[
+ <script type="text/javascript" src="{$html.js.root}highlight.pack.js">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
+ </script>
+ <script>
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if><![CDATA[
document.addEventListener('DOMContentLoaded', function() {
var matches = document.querySelectorAll('code.syntax')
for (var i = 0; i < matches.length; i++) {
--
GitLab

7
SPECS/yelp-xsl.spec
View File

@ -2,13 +2,15 @@
Name: yelp-xsl Name: yelp-xsl
Version: 40.2 Version: 40.2
Release: 1%{?dist} Release: 1%{?dist}.1
Summary: XSL stylesheets for the yelp help browser Summary: XSL stylesheets for the yelp help browser
License: LGPLv2+ and GPLv2+ License: LGPLv2+ and GPLv2+
URL: https://download.gnome.org/sources/yelp-xsl URL: https://download.gnome.org/sources/yelp-xsl
Source0: https://download.gnome.org/sources/%{name}/40/%{name}-%{tarball_version}.tar.xz Source0: https://download.gnome.org/sources/%{name}/40/%{name}-%{tarball_version}.tar.xz
BuildArch: noarch BuildArch: noarch
# https://issues.redhat.com/browse/RHEL-85926
Patch0: yelp-xsl-CVE-2025-3155.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: itstool BuildRequires: itstool
@ -54,6 +56,9 @@ XSL stylesheets in yelp-xsl.
%changelog %changelog
* Wed Apr 23 2025 David King <dking@redhat.com> - 40.2-1.1
- Fix CVE-2025-3155 (RHEL-85926)
* Mon Aug 23 2021 Kalev Lember <klember@redhat.com> - 40.2-1 * Mon Aug 23 2021 Kalev Lember <klember@redhat.com> - 40.2-1
- Update to 40.2 - Update to 40.2