Opened 7 days ago
Closed 7 days ago
#21445 closed enhancement (fixed)
Fix CVE-2025-3155 in Yelp
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
Late last week I spotted an oss-security posting for Yelp, where it was originally classified as Arbitrary JavaScript Execution or something similar. Yesterday a user messaged me privately on IRC mentioning that the vulnerability had appeared as an "arbitrary file read" vulnerability. Upstream had not made patches available yet officially, but things have escalated.
There is now a public exploit that can be used to exfiltrate data from a user's home directory, including SSH private keys. Note that it does require a small amount of user interaction as a user would have to approve opening a help document, but if it's named like a legitimate file I suspect users will click on it (e.g. if it's named something like GNOME Calculator Help).
There's a writeup at https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2
I contacted upstream yesterday at https://gitlab.gnome.org/GNOME/yelp/-/issues/221 and received the following reply from one of GNOME's security maintainers:
"The patches have not been accepted into Yelp yet, but I would take them. Waiting to patch this seems inadvisable. I didn't know about https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2. The innovation there is to use /proc/self/cwd to bypass the limitation that the attacker must be able to guess the user's home directory name, which is pretty significant. I expect many curious users would be willing to approve a prompt to open a help document."
There are two patches in the issue that, while they haven't been adopted by upstream (mostly because the maintainers of this project are mostly inactive), do fix the issue by implementing a Content Security Policy through calls to WebKit. This prevents JavaScript code from being executed. We'll need a patch to both yelp-xsl and yelp.
Change History (2)
comment:1 by , 7 days ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:2 by , 7 days ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 56b47faf104e8b7da9ebb69f662b594507cd7b58