rpms/yelp
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2025-3155 (RHEL-85922)

Browse Source 
Resolves: RHEL-85922
This commit is contained in:
David King 2025-04-23 21:14:27 +01:00
parent 414ef3097b
commit 9335af0523
2 changed files with 124 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
yelp-CVE-2025-3155.patch Normal file
View File

@ -0,0 +1,118 @@
From 7ecd58dc0ca7bf9d0acb00bf04194a0cb6e8b724 Mon Sep 17 00:00:00 2001
From: Shaun McCance <shaunm@gnome.org>
Date: Fri, 18 Apr 2025 11:33:01 -0400
Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
---
data/xslt/mal2html.xsl.in | 5 +++++
data/xslt/man2html.xsl.in | 2 +-
data/xslt/yelp-common.xsl.in | 7 +++++++
libyelp/yelp-transform.c | 19 +++++++++++++++++++
libyelp/yelp-view.c | 2 +-
5 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/data/xslt/mal2html.xsl.in b/data/xslt/mal2html.xsl.in
index 9e44b734..0a74da55 100644
--- a/data/xslt/mal2html.xsl.in
+++ b/data/xslt/mal2html.xsl.in
@@ -19,6 +19,11 @@
<xsl:param name="mal.link.prefix" select="'xref:'"/>
<xsl:param name="mal.link.extension" select="''"/>
+<xsl:template name="html.head.top.custom">
+ <xsl:param name="node" select="."/>
+ <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'nonce-{$html.csp.nonce}'; "/>
+</xsl:template>
+
<xsl:template name="mal.link.target.custom">
<xsl:param name="node" select="."/>
<xsl:param name="action" select="$node/@action"/>
diff --git a/data/xslt/man2html.xsl.in b/data/xslt/man2html.xsl.in
index 676ce3eb..56bc1f5c 100644
--- a/data/xslt/man2html.xsl.in
+++ b/data/xslt/man2html.xsl.in
@@ -131,7 +131,7 @@
the correct styling and a single character which we measure the
width of and update each sheet as required.
-->
-<script type="text/javascript" language="javascript">
+<script type="text/javascript" language="javascript" nonce="{$html.csp.nonce}">
<xsl:text>
$(document).ready (function () {
var div = document.getElementById("invisible-char");
diff --git a/data/xslt/yelp-common.xsl.in b/data/xslt/yelp-common.xsl.in
index 0c1ec9bb..421fc02d 100644
--- a/data/xslt/yelp-common.xsl.in
+++ b/data/xslt/yelp-common.xsl.in
@@ -15,6 +15,13 @@
<xsl:param name="html.syntax.highlight" select="true()"/>
<xsl:param name="html.js.root" select="'file://@XSL_JSDIR@/'"/>
+<xsl:param name="html.csp.nonce" select="yelp:generate_nonce()"/>
+
+<xsl:template name="html.head.top.custom">
+ <xsl:param name="node" select="."/>
+ <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'unsafe-inline'; "/>
+</xsl:template>
+
<xsl:template name="html.js.mathjax">
<xsl:param name="node" select="."/>
<xsl:if test="$node//mml:*[1]">
diff --git a/libyelp/yelp-transform.c b/libyelp/yelp-transform.c
index e74eb463..2ce1d05b 100644
--- a/libyelp/yelp-transform.c
+++ b/libyelp/yelp-transform.c
@@ -71,6 +71,8 @@ static void xslt_yelp_cache (xsltTransformContextPtr ctxt,
xsltStylePreCompPtr comp);
static void xslt_yelp_aux (xmlXPathParserContextPtr ctxt,
int nargs);
+static void xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt,
+ int nargs);
enum {
PROP_0,
@@ -412,6 +414,10 @@ transform_run (YelpTransform *transform)
BAD_CAST "input",
BAD_CAST YELP_NAMESPACE,
(xmlXPathFunction) xslt_yelp_aux);
+ xsltRegisterExtFunction (priv->context,
+ BAD_CAST "generate_nonce",
+ BAD_CAST YELP_NAMESPACE,
+ (xmlXPathFunction) xslt_yelp_generate_nonce);
priv->output = xsltApplyStylesheetUser (priv->stylesheet,
priv->input,
@@ -607,3 +613,16 @@ xslt_yelp_aux (xmlXPathParserContextPtr ctxt, int nargs)
xsltExtensionInstructionResultRegister (tctxt, ret);
valuePush (ctxt, ret);
}
+
+static void
+xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)
+{
+ GRand* rand;
+ gchar* nonce_str;
+
+ rand = g_rand_new ();
+ nonce_str = g_strdup_printf("%08x%08x", g_rand_int (rand), g_rand_int (rand));
+ xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) nonce_str));
+ g_free(nonce_str);
+ g_rand_free(rand);
+}
diff --git a/libyelp/yelp-view.c b/libyelp/yelp-view.c
index 32ae131e..d544c5df 100644
--- a/libyelp/yelp-view.c
+++ b/libyelp/yelp-view.c
@@ -971,7 +971,7 @@ view_external_uri (YelpView *view,
if (app_info)
{
- if (!strstr (g_app_info_get_executable (app_info), "yelp"))
+ if (!strstr (g_app_info_get_executable (app_info), "yelp") && !strstr (struri, "%3C") && !strstr (struri, "%3E"))
{
GList l;
--
GitLab

7
yelp.spec
View File

@ -3,7 +3,7 @@
Name: yelp
Epoch: 2
Version: 3.28.1
Release: 3%{?dist}
Release: 3%{?dist}.1
Summary: Help browser for the GNOME desktop
Group: Applications/System
@ -35,6 +35,8 @@ Patch18: 0016-Fix-possible-double-free.patch
Patch19: 0017-Remove-the-unused-encoding-and-language-code-from-Ye.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1638876
Patch20: yelp-quit.patch
# https://issues.redhat.com/browse/RHEL-85922
Patch21: yelp-CVE-2025-3155.patch
BuildRequires: pkgconfig(gtk+-3.0)
BuildRequires: pkgconfig(liblzma)
@ -124,6 +126,9 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/yelp.desktop
%changelog
* Wed Apr 23 2025 David King <dking@redhat.com> - 2:3.28.1-3.1
- Fix CVE-2025-3155 (RHEL-85922)
* Mon Oct 15 2018 Tomas Popela <tpopela@redhat.com> - 2:3.28.1-3
- Add the Quit entry to the app menu
- Handle Ctrl+Q shortcut for quitting the application