CVE-2025-3155 was announced here: https://www.openwall.com/lists/oss-security/2025/04/04/1
Source RPM: (none) => yelp-42.2-3.mga10.src.rpm, yelp-42.2-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-3155
Status comment: (none) => Patch available from upstream
"While there are proposed patches in the bug report, none seem to have been committed to the git repo yet." https://gitlab.gnome.org/GNOME/yelp/-/issues/221 is the upstream link in the openwall URL; I got denied access. You might do better.
Assignee: bugsquad => gnome
The issue reporter recommends that distros apply the patches even though they're not yet accepted upstream: https://blogs.gnome.org/mcatanzaro/2025/04/15/dangerous-arbitrary-file-read-vulnerability-in-yelp-cve-2025-3155/
CC: (none) => dan
Correction: it's a GNOME contributor who recommends applying the patches, not the reporter (although the same is implied there as well). That 221 issue link works fine for me once past the anti-bot script.
Fedora has issued advisories on May 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27Z5WA2SKQGJ4UVVHUNWY73Y4PNKT3AA/ (yelp) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNBXVCRWOMV4OCPACFVW6R4I6T4PSAEM/ (yelp-xsl)
Summary: yelp new security issue CVE-2025-3155 => yelp and yelp-xsl new security issue CVE-2025-3155
Source RPM: yelp-42.2-3.mga10.src.rpm, yelp-42.2-1.mga9.src.rpm => yelp-42.2-3.mga10.src.rpm, yelp-42.2-1.mga9.src.rpm, yelp-xsl-42.1-1.mga9.src.rpm
openSUSE has issued an advisory on May 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/T4HL3S3XNP5C4Q7YW3W22GDBDEEXQDW2/
Whiteboard: MGA9TOO => (none)
Source RPM: yelp-42.2-3.mga10.src.rpm, yelp-42.2-1.mga9.src.rpm, yelp-xsl-42.1-1.mga9.src.rpm => yelp-42.2-1.mga9.src.rpm, yelp-xsl-42.1-1.mga9.src.rpm
Version: Cauldron => 9
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. (CVE-2025-3155)

References:
https://www.openwall.com/lists/oss-security/2025/04/04/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27Z5WA2SKQGJ4UVVHUNWY73Y4PNKT3AA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNBXVCRWOMV4OCPACFVW6R4I6T4PSAEM/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/T4HL3S3XNP5C4Q7YW3W22GDBDEEXQDW2/
========================

Updated packages in core/updates_testing:
========================

lib64yelp-devel-42.2-1.1.mga9
lib64yelp0-42.2-1.1.mga9
yelp-42.2-1.1.mga9
yelp-xsl-42.1-1.1.mga9

from SRPMS:
yelp-42.2-1.1.mga9.src.rpm
yelp-xsl-42.1-1.1.mga9.src.rpm
Status comment: Patch available from upstream => (none)
Assignee: gnome => qa-bugs
Status: NEW => ASSIGNED
Keywords: (none) => advisory
MGA9-64 server Plasma Wayland on Compaq H000SB. No installation issues. The Bugzilla column in the updates list shows nothing else. So just trying the yelp command. That works well; I did some reading on the help files. As for yelp-xsl, I have no idea how to test. The Gnome gitlab states "yelp-xsl is a collection of programs and data files to help you build, maintain, and distribute documentation. It provides XSLT stylesheets that can be built upon for help viewers and publishing systems. These stylesheets output JavaScript and CSS content, and reference images provided by yelp-xsl. This package also redistributes copies of the jQuery and jQuery.Syntax JavaScript libraries." That does not help me. Further googling didn't help either.
CC: (none) => herman.viaene
installing yelp-42.2-1.1.mga9.x86_64.rpm lib64yelp0-42.2-1.1.mga9.x86_64.rpm yelp-xsl-42.1-1.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ###################################################################################################
1/3: yelp-xsl ###################################################################################################
2/3: lib64yelp0 ###################################################################################################
3/3: yelp ###################################################################################################
1/3: removing yelp-42.2-1.mga9.x86_64 ###################################################################################################
2/3: removing yelp-xsl-42.1-1.mga9.noarch ###################################################################################################
3/3: removing lib64yelp0-42.2-1.mga9.x86_64 ###################################################################################################

Opened yelp and browsed the help. As noted, before the update the gnome-boxes help didn't open, and it does now after the update. Did not find a POC to test.
Whiteboard: (none) => MGA9-64-OK
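Since neither tester had a proof of concept, the practical check on a Mageia 9 host is whether the installed yelp and yelp-xsl are at or above the fixed NVRs listed in the suggested advisory. The script below is an added example, not part of the bug report or of Mageia's tooling; it assumes the output of `rpm -qa --qf '%{NAME} %{EVR}\n'` (the sample here is constructed) and uses a simplified RPM version comparison (no `~`/`^` handling).

```python
import re

# Fixed EVRs taken from the suggested advisory in this bug (Mageia 9).
FIXED = {
    "yelp": "42.2-1.1.mga9",
    "yelp-xsl": "42.1-1.1.mga9",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{EVR}\n'`: yelp still old, yelp-xsl updated.
SAMPLE_RPM_QA = """\
yelp 42.2-1.mga9
yelp-xsl 42.1-1.1.mga9
lib64yelp0 42.2-1.1.mga9
"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alnum segments; digits numerically, letters lexically."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.rpartition(":")
    epoch = epoch if sep else "0"
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def audit(rpm_qa_text: str) -> dict:
    """Map each advisory package to 'fixed', 'vulnerable' or 'not installed'."""
    installed = dict(line.split(None, 1) for line in rpm_qa_text.splitlines() if line.strip())
    result = {}
    for name, fixed in FIXED.items():
        if name not in installed:
            result[name] = "not installed"
        else:
            result[name] = "fixed" if compare_evr(installed[name], fixed) >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    for name, state in audit(SAMPLE_RPM_QA).items():
        print(f"{name}: {state}")
```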
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0297.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED