Version in base suite: 42.1-2

Base version: yelp-xsl_42.1-2
Target version: yelp-xsl_42.1-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/y/yelp-xsl/yelp-xsl_42.1-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/y/yelp-xsl/yelp-xsl_42.1-2+deb12u1.dsc

 changelog                   |   12 +++++
 patches/CVE-2025-3155.patch |   92 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 105 insertions(+)

diff -Nru yelp-xsl-42.1/debian/changelog yelp-xsl-42.1/debian/changelog
--- yelp-xsl-42.1/debian/changelog	2022-09-19 22:16:45.000000000 +0000
+++ yelp-xsl-42.1/debian/changelog	2025-05-23 23:18:19.000000000 +0000
@@ -1,3 +1,15 @@
+yelp-xsl (42.1-2+deb12u1) bookworm-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2025-3155.
+    The Gnome user help application allows the help document to execute
+    arbitrary scripts. This vulnerability allows malicious users to input
+    help documents, which may exfiltrate user files to an external
+    environment.
+    - d/p/CVE-2025-3155.patch
+
+ -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 23 May 2025 20:18:19 -0300
+
 yelp-xsl (42.1-2) unstable; urgency=medium
 
   * debian/docs: README -> README.md
diff -Nru yelp-xsl-42.1/debian/patches/CVE-2025-3155.patch yelp-xsl-42.1/debian/patches/CVE-2025-3155.patch
--- yelp-xsl-42.1/debian/patches/CVE-2025-3155.patch	1970-01-01 00:00:00.000000000 +0000
+++ yelp-xsl-42.1/debian/patches/CVE-2025-3155.patch	2025-05-23 23:17:37.000000000 +0000
@@ -0,0 +1,92 @@
+From: Shaun McCance <shaunm@redhat.com>
+Date: Fri, 18 Apr 2025 11:31:18 -0400
+Subject: Initial fix for CVE-2025-3155 from parrot409
+
+https://gitlab.gnome.org/GNOME/yelp/-/issues/221
+
+Origin: https://gitlab.gnome.org/GNOME/yelp-xsl/-/commit/6902d7439c0419
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102080
+Bug: https://gitlab.gnome.org/GNOME/yelp/-/issues/221
+---
+ xslt/common/html.xsl | 40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
+index 77aed07..82832fb 100644
+--- a/xslt/common/html.xsl
++++ b/xslt/common/html.xsl
+@@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See
+ -->
+ <xsl:param name="html.sidebar.right" select="''"/>
+ 
++<!--@@==========================================================================
++html.csp.nonce
++An optional CSP nonce string to allow the execution of scripts and styles.
++@revision[version=42.2 date=2025-02-22 status=final]
++
++This parameter takes a string value that will be added to the 'nonce' attribute
++of all 'style' and 'script' tags in the generated HTML output. This paramter is used
++to whitelist script and style tags that are allowed to be executed.
++-->
++<xsl:param name="html.csp.nonce" select="false()"/>
+ 
+ <!--**==========================================================================
+ html.output
+@@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided.
+     </xsl:call-template>
+   </xsl:param>
+   <style type="text/css">
++    <xsl:if test="$html.csp.nonce">
++      <xsl:attribute name="nonce">
++        <xsl:value-of select="$html.csp.nonce" />
++      </xsl:attribute>
++    </xsl:if>
+     <xsl:call-template name="html.css.content">
+       <xsl:with-param name="node" select="$node"/>
+       <xsl:with-param name="direction" select="$direction"/>
+@@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files.
+   <xsl:param name="node" select="."/>
+   <xsl:if test="$node//mml:*[1]">
+     <script type="text/javascript">
++      <xsl:if test="$html.csp.nonce">
++        <xsl:attribute name="nonce">
++          <xsl:value-of select="$html.csp.nonce" />
++        </xsl:attribute>
++      </xsl:if>
+       <xsl:attribute name="src">
+         <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
+       </xsl:attribute>
+@@ -1558,6 +1578,11 @@ result of {html.js.content} to that file.
+ <xsl:template name="html.js.script">
+   <xsl:param name="node" select="."/>
+   <script type="text/javascript">
++    <xsl:if test="$html.csp.nonce">
++      <xsl:attribute name="nonce">
++        <xsl:value-of select="$html.csp.nonce" />
++      </xsl:attribute>
++    </xsl:if>
+     <xsl:call-template name="html.js.content">
+       <xsl:with-param name="node" select="$node"/>
+     </xsl:call-template>
+@@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value.
+ <xsl:template name="html.js.syntax">
+   <xsl:param name="node" select="."/>
+   <xsl:if test="$html.syntax.highlight">
+-  <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
+-  <script><![CDATA[
++    <script type="text/javascript" src="{$html.js.root}highlight.pack.js">
++      <xsl:if test="$html.csp.nonce">
++        <xsl:attribute name="nonce">
++          <xsl:value-of select="$html.csp.nonce" />
++        </xsl:attribute>
++      </xsl:if>
++    </script>
++    <script>
++    <xsl:if test="$html.csp.nonce">
++      <xsl:attribute name="nonce">
++        <xsl:value-of select="$html.csp.nonce" />
++      </xsl:attribute>
++    </xsl:if><![CDATA[
+ document.addEventListener('DOMContentLoaded', function() {
+   var matches = document.querySelectorAll('code.syntax')
+   for (var i = 0; i < matches.length; i++) {
diff -Nru yelp-xsl-42.1/debian/patches/series yelp-xsl-42.1/debian/patches/series
--- yelp-xsl-42.1/debian/patches/series	2022-09-19 22:16:45.000000000 +0000
+++ yelp-xsl-42.1/debian/patches/series	2025-05-23 23:17:37.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-3155.patch