Version in base suite: 42.2-1+deb12u1 Base version: yelp_42.2-1+deb12u1 Target version: yelp_42.2-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/y/yelp/yelp_42.2-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/y/yelp/yelp_42.2-1+deb12u2.dsc changelog | 10 ++++++ control | 2 - patches/sandbox-escape-1-no-ghelp-proc.patch | 29 ++++++++++++++++++ patches/sandbox-escape-2-no-external-resources.patch | 30 +++++++++++++++++++ patches/series | 2 + 5 files changed, 72 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpifxkmj9w/yelp_42.2-1+deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpifxkmj9w/yelp_42.2-1+deb12u2.dsc: no acceptable signature found
diff -Nru yelp-42.2/debian/changelog yelp-42.2/debian/changelog
--- yelp-42.2/debian/changelog 2025-05-23 23:09:22.000000000 +0000
+++ yelp-42.2/debian/changelog 2026-05-28 18:38:32.000000000 +0000
@@ -1,3 +1,13 @@
+yelp (42.2-1+deb12u2) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * SECURITY UPDATE: sandbox escape via ghelp: URIs and external resources loaded by help pages, allowing a malicious help document to read arbitrary files (e.g. via /proc) and exfiltrate them over the network (Closes: #1136299).
+
+ -- Aron Malache Thu, 28 May 2026 23:30:00 +0000
+
 yelp (42.2-1+deb12u1) bookworm-security; urgency=medium
 * Non-maintainer upload by the Security Team.
diff -Nru yelp-42.2/debian/control yelp-42.2/debian/control
--- yelp-42.2/debian/control 2025-05-23 21:25:19.000000000 +0000
+++ yelp-42.2/debian/control 2026-05-28 23:30:00.000000000 +0000
@@ -6,7 +6,7 @@
 Section: gnome
 Priority: optional
 Maintainer: Debian GNOME Maintainers
-Uploaders: Jeremy Bicha , Laurent Bigonville , Michael Biebl
+Uploaders: Laurent Bigonville , Michael Biebl
 Build-Depends: appstream-util,
 autoconf-archive,
 debhelper-compat (= 13),
diff -Nru yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch
--- yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch 1970-01-01 00:00:00.000000000 +0000
+++ yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch 2026-05-28 15:41:31.000000000 +0000
@@ -0,0 +1,29 @@
+From: Shaun McCance
+Date: Wed, 6 May 2026 12:29:29 -0400
+Subject: Don't allow ghelp:/proc URIs
+
+When there is something you can exploit, this kind of URI is a way
+to trick people into running a malicious document. I doubt there
+are any legitimate use cases. This change mitigates risk.
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
+Bug: https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
+Bug-Debian: https://bugs.debian.org/1136299
+---
+ libyelp/yelp-uri.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/libyelp/yelp-uri.c
++++ b/libyelp/yelp-uri.c
+@@ -788,7 +788,10 @@ resolve_ghelp_uri (YelpUri *uri)
+ gchar *path;
+
+ path = g_build_filename ("/", slash, NULL);
+- if (g_file_test (path, G_FILE_TEST_EXISTS)) {
++ if (g_str_has_prefix (path, "/proc")) {
++ priv->tmptype = YELP_URI_DOCUMENT_TYPE_ERROR;
++ }
++ else if (g_file_test (path, G_FILE_TEST_EXISTS)) {
+ priv->gfile = g_file_new_for_path (path);
+ resolve_gfile (uri, query, hash);
+ } else {
diff -Nru yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch
--- yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch 1970-01-01 00:00:00.000000000 +0000
+++ yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch 2026-05-28 15:41:31.000000000 +0000
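Review bot: The new deny check in resolve_ghelp_uri compares the raw string returned by `g_build_filename ("/", slash, NULL)`, so it only covers spellings that literally begin with `/proc`; g_build_filename neither collapses `..` components nor resolves symlinks, so the test should run on a canonicalised path (realpath(3) or an equivalent) rather than on the unnormalised string, or better still, ghelp: file paths should be restricted to an allow-list of the documentation roots Yelp is meant to serve instead of one denied prefix, which avoids having to enumerate sensitive pseudo-filesystems one by one. The bare `"/proc"` prefix also rejects any unrelated path that merely starts with those letters; `if (g_str_equal (path, "/proc") || g_str_has_prefix (path, "/proc/")) {` is the precise form. A short comment on the new branch would help the next reader, e.g. `/* Never resolve ghelp: paths under /proc: a help document must not be able to read process state (Debian #1136299) */`. resolve_ghelp_uri starts and ends outside the hunk, so what happens to `path` and `priv->tmptype` after the error branch is not visible here.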
@@ -0,0 +1,30 @@
+From: Shaun McCance
+Date: Wed, 6 May 2026 12:12:57 -0400
+Subject: Don't allow loading external resources from web pages
+
+This is an attack vector for sending data places.
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639
+Bug: https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
+Bug-Debian: https://bugs.debian.org/1136299
+
+Note: in 42.2 the web extension code lives in libyelp/web-extension/
+yelp-web-extension.c; upstream later renamed the directory to
+web-process-extension. The hunk is otherwise unchanged.
+---
+ libyelp/web-extension/yelp-web-extension.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/libyelp/web-extension/yelp-web-extension.c
++++ b/libyelp/web-extension/yelp-web-extension.c
+@@ -74,6 +74,10 @@ web_page_send_request (WebKitWebPage *web_page,
+ const gchar *resource_uri = webkit_uri_request_get_uri (request);
+ gchar *yelp_uri, *file_path;
+
++ /* Don't allow loading external resources at all, for security */
++ if (g_str_has_prefix (resource_uri, "http://") || g_str_has_prefix (resource_uri, "https://"))
++ return TRUE;
++
+ if (!current_uri)
+ return FALSE;
+
diff -Nru yelp-42.2/debian/patches/series yelp-42.2/debian/patches/series
--- yelp-42.2/debian/patches/series 2025-05-23 23:08:24.000000000 +0000
+++ yelp-42.2/debian/patches/series 2026-05-28 15:41:40.000000000 +0000
@@ -2,3 +2,5 @@
 #04_use_doc-base.patch
 disable_package_search.patch
 CVE-2025-3155.patch
+sandbox-escape-1-no-ghelp-proc.patch
+sandbox-escape-2-no-external-resources.patch
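Review bot: The new check in web_page_send_request is a deny-list of two literal, lower-case prefixes, so a request whose scheme is anything other than exactly `http://` or `https://` still falls through to the resolution code below the hunk, although the commit message's intent is that no external resource loads at all; that intent is expressed more robustly as an allow-list of the schemes this handler actually resolves (the file/yelp forms handled further down, outside the hunk), e.g. `const gchar *scheme = g_uri_peek_scheme (resource_uri);` followed by `if (scheme == NULL || !g_strv_contains (allowed_schemes, scheme)) return TRUE;` with `allowed_schemes` a static NULL-terminated array of those names, if the package's GLib minimum permits g_uri_peek_scheme. Whether WebKit has already lower-cased the scheme before this signal is emitted is not visible here, so a comparison that does not depend on case is the safe assumption. The added comment could also state what the return value means for the request, e.g. `/* Returning TRUE cancels the request: only Yelp's own schemes may be loaded (Debian #1136299) */`. web_page_send_request starts and ends outside the hunk.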