Version in base suite: 42.2-1

Base version: yelp_42.2-1
Target version: yelp_42.2-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/y/yelp/yelp_42.2-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/y/yelp/yelp_42.2-1+deb12u1.dsc

 changelog                   |   12 ++++
 patches/CVE-2025-3155.patch |  118 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 131 insertions(+)

diff -Nru yelp-42.2/debian/changelog yelp-42.2/debian/changelog
--- yelp-42.2/debian/changelog	2022-09-19 14:48:14.000000000 +0000
+++ yelp-42.2/debian/changelog	2025-05-23 23:09:22.000000000 +0000
@@ -1,3 +1,15 @@
+yelp (42.2-1+deb12u1) bookworm-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2025-3155.
+    The Gnome user help application allows the help document to execute
+    arbitrary scripts. This vulnerability allows malicious users to input
+    help documents, which may exfiltrate user files to an external
+    environment.
+    - d/p/CVE-2025-3155.patch
+
+ -- Lucas Kanashiro <kanashiro@debian.org>  Fri, 23 May 2025 20:09:22 -0300
+
 yelp (42.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru yelp-42.2/debian/patches/CVE-2025-3155.patch yelp-42.2/debian/patches/CVE-2025-3155.patch
--- yelp-42.2/debian/patches/CVE-2025-3155.patch	1970-01-01 00:00:00.000000000 +0000
+++ yelp-42.2/debian/patches/CVE-2025-3155.patch	2025-05-23 23:07:39.000000000 +0000
@@ -0,0 +1,118 @@
+From: Shaun McCance <shaunm@gnome.org>
+Date: Fri, 18 Apr 2025 11:33:01 -0400
+Subject: Initial fix for CVE-2025-3155 from parrot409
+
+https://gitlab.gnome.org/GNOME/yelp/-/issues/221
+
+Origin: https://gitlab.gnome.org/GNOME/yelp/-/commit/7ecd58dc0ca7bf9d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102080
+Bug: https://gitlab.gnome.org/GNOME/yelp/-/issues/221
+---
+ data/xslt/mal2html.xsl.in    |  5 +++++
+ data/xslt/man2html.xsl.in    |  2 +-
+ data/xslt/yelp-common.xsl.in |  7 +++++++
+ libyelp/yelp-transform.c     | 19 +++++++++++++++++++
+ libyelp/yelp-view.c          |  2 +-
+ 5 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/data/xslt/mal2html.xsl.in b/data/xslt/mal2html.xsl.in
+index 9e44b73..0a74da5 100644
+--- a/data/xslt/mal2html.xsl.in
++++ b/data/xslt/mal2html.xsl.in
+@@ -19,6 +19,11 @@
+ <xsl:param name="mal.link.prefix" select="'xref:'"/>
+ <xsl:param name="mal.link.extension" select="''"/>
+ 
++<xsl:template name="html.head.top.custom">
++  <xsl:param name="node" select="."/>
++  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'nonce-{$html.csp.nonce}'; "/>
++</xsl:template>
++
+ <xsl:template name="mal.link.target.custom">
+   <xsl:param name="node" select="."/>
+   <xsl:param name="action" select="$node/@action"/>
+diff --git a/data/xslt/man2html.xsl.in b/data/xslt/man2html.xsl.in
+index 676ce3e..56bc1f5 100644
+--- a/data/xslt/man2html.xsl.in
++++ b/data/xslt/man2html.xsl.in
+@@ -131,7 +131,7 @@
+   the correct styling and a single character which we measure the
+   width of and update each sheet as required.
+ -->
+-<script type="text/javascript" language="javascript">
++<script type="text/javascript" language="javascript" nonce="{$html.csp.nonce}">
+ <xsl:text>
+ $(document).ready (function () {
+   var div = document.getElementById("invisible-char");
+diff --git a/data/xslt/yelp-common.xsl.in b/data/xslt/yelp-common.xsl.in
+index 0c1ec9b..421fc02 100644
+--- a/data/xslt/yelp-common.xsl.in
++++ b/data/xslt/yelp-common.xsl.in
+@@ -15,6 +15,13 @@
+ <xsl:param name="html.syntax.highlight" select="true()"/>
+ <xsl:param name="html.js.root" select="'file://@XSL_JSDIR@/'"/>
+ 
++<xsl:param name="html.csp.nonce" select="yelp:generate_nonce()"/>
++
++<xsl:template name="html.head.top.custom">
++  <xsl:param name="node" select="."/>
++  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'unsafe-inline'; "/>
++</xsl:template>
++
+ <xsl:template name="html.js.mathjax">
+   <xsl:param name="node" select="."/>
+   <xsl:if test="$node//mml:*[1]">
+diff --git a/libyelp/yelp-transform.c b/libyelp/yelp-transform.c
+index e74eb46..2ce1d05 100644
+--- a/libyelp/yelp-transform.c
++++ b/libyelp/yelp-transform.c
+@@ -71,6 +71,8 @@ static void      xslt_yelp_cache            (xsltTransformContextPtr  ctxt,
+                                              xsltStylePreCompPtr      comp);
+ static void      xslt_yelp_aux              (xmlXPathParserContextPtr ctxt,
+                                              int                      nargs);
++static void      xslt_yelp_generate_nonce   (xmlXPathParserContextPtr ctxt,
++                                             int                      nargs);
+ 
+ enum {
+     PROP_0,
+@@ -412,6 +414,10 @@ transform_run (YelpTransform *transform)
+                              BAD_CAST "input",
+                              BAD_CAST YELP_NAMESPACE,
+                              (xmlXPathFunction) xslt_yelp_aux);
++    xsltRegisterExtFunction (priv->context,
++                         BAD_CAST "generate_nonce",
++                         BAD_CAST YELP_NAMESPACE,
++                         (xmlXPathFunction) xslt_yelp_generate_nonce);
+ 
+     priv->output = xsltApplyStylesheetUser (priv->stylesheet,
+                                             priv->input,
+@@ -607,3 +613,16 @@ xslt_yelp_aux (xmlXPathParserContextPtr ctxt, int nargs)
+     xsltExtensionInstructionResultRegister (tctxt, ret);
+     valuePush (ctxt, ret);
+ }
++
++static void
++xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)
++{
++    GRand* rand;
++    gchar* nonce_str;
++
++    rand = g_rand_new ();
++    nonce_str = g_strdup_printf("%08x%08x", g_rand_int (rand), g_rand_int (rand));
++    xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) nonce_str));
++    g_free(nonce_str);
++    g_rand_free(rand);
++}
+diff --git a/libyelp/yelp-view.c b/libyelp/yelp-view.c
+index f5de164..f78ea2a 100644
+--- a/libyelp/yelp-view.c
++++ b/libyelp/yelp-view.c
+@@ -971,7 +971,7 @@ view_external_uri (YelpView *view,
+ 
+     if (app_info)
+       {
+-        if (!strstr (g_app_info_get_executable (app_info), "yelp"))
++        if (!strstr (g_app_info_get_executable (app_info), "yelp") && !strstr (struri, "%3C") && !strstr (struri, "%3E"))
+           {
+             GList l;
+ 
diff -Nru yelp-42.2/debian/patches/series yelp-42.2/debian/patches/series
--- yelp-42.2/debian/patches/series	2022-09-19 14:48:14.000000000 +0000
+++ yelp-42.2/debian/patches/series	2025-05-23 23:08:24.000000000 +0000
@@ -1,3 +1,4 @@
 #02_man-utf8.patch
 #04_use_doc-base.patch
 disable_package_search.patch
+CVE-2025-3155.patch