Your message dated Wed, 23 Apr 2025 16:36:45 +0000
with message-id <e1u7d5z-00degf...@fasolo.debian.org>
and subject line Bug#1102080: fixed in yelp 42.2-3
has caused the Debian Bug report #1102080,
regarding yelp: CVE-2025-3155
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1102080: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102080
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: yelp
Version: 42.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/yelp/-/issues/221
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for yelp.
CVE-2025-3155[0]:
| A flaw was found in Yelp. The Gnome user help application allows the
| help document to execute arbitrary scripts. This vulnerability
| allows malicious users to input help documents, which may exfiltrate
| user files to an external environment.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-3155
https://www.cve.org/CVERecord?id=CVE-2025-3155
[1] https://gitlab.gnome.org/GNOME/yelp/-/issues/221
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: yelp
Source-Version: 42.2-3
Done: Jeremy Bícha <jbi...@ubuntu.com>
We believe that the bug you reported is fixed in the latest version of
yelp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <jbi...@ubuntu.com> (supplier of updated yelp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 23 Apr 2025 12:17:23 -0400
Source: yelp
Built-For-Profiles: noudeb
Architecture: source
Version: 42.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbi...@ubuntu.com>
Closes: 1102080
Changes:
 yelp (42.2-3) unstable; urgency=high
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: arbitrary script execution
     - debian/patches/CVE-2025-3155.patch: use a nonce in
       data/xslt/mal2html.xsl.in, data/xslt/man2html.xsl.in,
       data/xslt/yelp-common.xsl.in, libyelp/yelp-transform.c,
       libyelp/yelp-view.c.
     - CVE-2025-3155 (Closes: #1102080)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---