Version in base suite: 42.2-4 Base version: yelp_42.2-4 Target version: yelp_42.2-4+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/y/yelp/yelp_42.2-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/y/yelp/yelp_42.2-4+deb13u1.dsc changelog | 9 +++++ patches/sandbox-escape-1-no-ghelp-proc.patch | 29 ++++++++++++++++++ patches/sandbox-escape-2-no-external-resources.patch | 30 +++++++++++++++++++ patches/series | 2 + 4 files changed, 70 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5z3b6rh8/yelp_42.2-4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5z3b6rh8/yelp_42.2-4+deb13u1.dsc: no acceptable signature found
diff -Nru yelp-42.2/debian/changelog yelp-42.2/debian/changelog
--- yelp-42.2/debian/changelog 2025-04-26 12:17:44.000000000 +0000
+++ yelp-42.2/debian/changelog 2026-05-28 16:30:10.000000000 +0000
@@ -1,3 +1,12 @@
+yelp (42.2-4+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * sandbox escape via ghelp: URIs loaded by help pages, allowing a
+ malicious help document to read arbitrary files (e.g. via /proc)
+ and exfiltrate them over the network (Closes: #1136299).
+
+ -- Aron Xu Thu, 28 May 2026 23:30:00 +0000
+
 yelp (42.2-4) unstable; urgency=medium
 * Update Homepage
diff -Nru yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch
--- yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch 1970-01-01 00:00:00.000000000 +0000
+++ yelp-42.2/debian/patches/sandbox-escape-1-no-ghelp-proc.patch 2026-05-28 15:38:34.000000000 +0000
@@ -0,0 +1,29 @@
+From: Shaun McCance
+Date: Wed, 6 May 2026 12:29:29 -0400
+Subject: Don't allow ghelp:/proc URIs
+
+When there is something you can exploit, this kind of URI is a way
+to trick people into running a malicious document. I doubt there
+are any legitimate use cases. This change mitigates risk.
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
+Bug: https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
+Bug-Debian: https://bugs.debian.org/1136299
+---
+ libyelp/yelp-uri.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/libyelp/yelp-uri.c
++++ b/libyelp/yelp-uri.c
+@@ -788,7 +788,10 @@ resolve_ghelp_uri (YelpUri *uri)
+ gchar *path;
+
+ path = g_build_filename ("/", slash, NULL);
+- if (g_file_test (path, G_FILE_TEST_EXISTS)) {
++ if (g_str_has_prefix (path, "/proc")) {
++ priv->tmptype = YELP_URI_DOCUMENT_TYPE_ERROR;
++ }
++ else if (g_file_test (path, G_FILE_TEST_EXISTS)) {
+ priv->gfile = g_file_new_for_path (path);
+ resolve_gfile (uri, query, hash);
+ } else {
diff -Nru yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch
--- yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch 1970-01-01 00:00:00.000000000 +0000
+++ yelp-42.2/debian/patches/sandbox-escape-2-no-external-resources.patch 2026-05-28 15:40:17.000000000 +0000
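Review bot: The new guard in resolve_ghelp_uri tests the string exactly as `g_build_filename` assembled it, and that call neither collapses `..` segments nor resolves symlinks, so the comparison should be made on a canonical path (`realpath()`, or `g_canonicalize_filename()` plus a filesystem check) rather than on the raw one. The match is also a bare prefix test, so unrelated paths such as `/procfoo` are rejected while the intent is only the procfs mount; `g_str_equal (path, "/proc") || g_str_has_prefix (path, "/proc/")` on the canonical path says what is meant. The Debian changelog describes the issue as reading arbitrary files with `/proc` given as one example, so a single-directory denylist may be narrower than the stated scope; an allowlist of documentation roots would be the stronger shape, though deciding that needs the rest of the resolver, which is outside the hunk. The new error branch sets `priv->tmptype` without releasing `path`, which is only correct if `path` is freed after the if/else chain; that part of resolve_ghelp_uri is outside the hunk and worth confirming.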
@@ -0,0 +1,30 @@
+From: Shaun McCance
+Date: Wed, 6 May 2026 12:12:57 -0400
+Subject: Don't allow loading external resources from web pages
+
+This is an attack vector for sending data places.
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639
+Bug: https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
+Bug-Debian: https://bugs.debian.org/1136299
+
+Note: in 42.2 the web extension code lives in libyelp/web-extension/
+yelp-web-extension.c; upstream later renamed the directory to
+web-process-extension. The hunk is otherwise unchanged.
+---
+ libyelp/web-extension/yelp-web-extension.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/libyelp/web-extension/yelp-web-extension.c
++++ b/libyelp/web-extension/yelp-web-extension.c
+@@ -74,6 +74,10 @@ web_page_send_request (WebKitWebPage *web_page,
+ const gchar *resource_uri = webkit_uri_request_get_uri (request);
+ gchar *yelp_uri, *file_path;
+
++ /* Don't allow loading external resources at all, for security */
++ if (g_str_has_prefix (resource_uri, "http://") || g_str_has_prefix (resource_uri, "https://"))
++ return TRUE;
++
+ if (!current_uri)
+ return FALSE;
+
diff -Nru yelp-42.2/debian/patches/series yelp-42.2/debian/patches/series
--- yelp-42.2/debian/patches/series 2025-04-26 12:17:44.000000000 +0000
+++ yelp-42.2/debian/patches/series 2026-05-28 15:41:04.000000000 +0000
@@ -2,3 +2,5 @@
 #04_use_doc-base.patch
 disable_package_search.patch
 CVE-2025-3155.patch
+sandbox-escape-1-no-ghelp-proc.patch
+sandbox-escape-2-no-external-resources.patch
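Review bot: The new check in web_page_send_request is a scheme denylist naming only `http://` and `https://`, so any other scheme the WebKit process is able to fetch still falls through to the lookup below. Given that the patch header states the goal as preventing a help page from sending data anywhere, an allowlist of the local schemes this handler already resolves would express that more robustly, e.g. `if (!g_str_has_prefix (resource_uri, "file://") && ...) return TRUE;` built from the schemes the function actually rewrites; that rewriting code follows `if (!current_uri)` and is outside the hunk, so the exact list has to come from there. The added comment would be more useful if it recorded what the return value does, e.g. `/* Returning TRUE cancels the request: help content is local, and a fetch to a remote host can carry data derived from the page. */`. The condition line is also much longer than the surrounding code; splitting the two `g_str_has_prefix` calls across two lines matches the file's style.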