!16 [sync] PR-13: fix CVE-2025-3155

From: @openeuler-sync-bot Reviewed-by: @weidongkl Signed-off-by: @weidongkl
fix CVE-2025-3155
2025-05-16 03:03:37 +00:00 · 2025-05-16 10:27:48 +08:00 · 2023-01-18 01:56:53 +00:00 · 2022-11-09 08:21:35 +00:00 · 2022-04-20 09:42:52 +00:00 · 2022-04-20 14:50:51 +08:00
4 changed files with 134 additions and 25 deletions
--- a/backport-CVE-2025-3155.patch
+++ b/backport-CVE-2025-3155.patch
@ -0,0 +1,92 @@
+From 6902d7439c0419055e1c48c7771629ccbb278408 Mon Sep 17 00:00:00 2001
+From: Shaun McCance <shaunm@redhat.com>
+Date: Fri, 18 Apr 2025 11:31:18 -0400
+Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
+
+https://gitlab.gnome.org/GNOME/yelp/-/issues/221
+---
+ xslt/common/html.xsl | 40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
+index 77aed075..82832fb4 100644
+--- a/xslt/common/html.xsl
+++ b/xslt/common/html.xsl
+@@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See
+ -->
+ <xsl:param name="html.sidebar.right" select="''"/>
+ 
+<!--@@==========================================================================
+html.csp.nonce
+An optional CSP nonce string to allow the execution of scripts and styles.
+@revision[version=42.2 date=2025-02-22 status=final]
+
+This parameter takes a string value that will be added to the 'nonce' attribute
+of all 'style' and 'script' tags in the generated HTML output. This paramter is used
+to whitelist script and style tags that are allowed to be executed.
+-->
+<xsl:param name="html.csp.nonce" select="false()"/>
+ 
+ <!--**==========================================================================
+ html.output
+@@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided.
+     </xsl:call-template>
+   </xsl:param>
+   <style type="text/css">
+    <xsl:if test="$html.csp.nonce">
+      <xsl:attribute name="nonce">
+        <xsl:value-of select="$html.csp.nonce" />
+      </xsl:attribute>
+    </xsl:if>
+     <xsl:call-template name="html.css.content">
+       <xsl:with-param name="node" select="$node"/>
+       <xsl:with-param name="direction" select="$direction"/>
+@@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files.
+   <xsl:param name="node" select="."/>
+   <xsl:if test="$node//mml:*[1]">
+     <script type="text/javascript">
+      <xsl:if test="$html.csp.nonce">
+        <xsl:attribute name="nonce">
+          <xsl:value-of select="$html.csp.nonce" />
+        </xsl:attribute>
+      </xsl:if>
+       <xsl:attribute name="src">
+         <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
+       </xsl:attribute>
+@@ -1558,6 +1578,11 @@ result of {html.js.content} to that file.
+ <xsl:template name="html.js.script">
+   <xsl:param name="node" select="."/>
+   <script type="text/javascript">
+    <xsl:if test="$html.csp.nonce">
+      <xsl:attribute name="nonce">
+        <xsl:value-of select="$html.csp.nonce" />
+      </xsl:attribute>
+    </xsl:if>
+     <xsl:call-template name="html.js.content">
+       <xsl:with-param name="node" select="$node"/>
+     </xsl:call-template>
+@@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value.
+ <xsl:template name="html.js.syntax">
+   <xsl:param name="node" select="."/>
+   <xsl:if test="$html.syntax.highlight">
+-  <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
+-  <script><![CDATA[
+    <script type="text/javascript" src="{$html.js.root}highlight.pack.js">
+      <xsl:if test="$html.csp.nonce">
+        <xsl:attribute name="nonce">
+          <xsl:value-of select="$html.csp.nonce" />
+        </xsl:attribute>
+      </xsl:if>
+    </script>
+    <script>
+    <xsl:if test="$html.csp.nonce">
+      <xsl:attribute name="nonce">
+        <xsl:value-of select="$html.csp.nonce" />
+      </xsl:attribute>
+    </xsl:if><![CDATA[
+ document.addEventListener('DOMContentLoaded', function() {
+   var matches = document.querySelectorAll('code.syntax')
+   for (var i = 0; i < matches.length; i++) {
+-- 
+GitLab
+
--- a/yelp-xsl-3.36.0.tar.xz
+++ b/yelp-xsl-3.36.0.tar.xz
--- a/yelp-xsl-42.1.tar.xz
+++ b/yelp-xsl-42.1.tar.xz
--- a/yelp-xsl.spec
+++ b/yelp-xsl.spec
@ -1,29 +1,36 @@
+%global tarball_version %%(echo %{version} | tr '~' '.')
+
 Name:	       yelp-xsl
-Version:        3.36.0
+Version:	   42.1
 Release:	   2
 Summary:	   XSL stylesheets for the yelp help browser
-License:        LGPLv2+ and GPLv2+ and MIT
+License:	   GPL-2.0-or-later AND LGPL-2.0-or-later AND MIT AND BSD-3-Clause
 URL:	       https://wiki.gnome.org/Apps/Yelp
-Source0:        https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz
+Source0:	   https://download.gnome.org/sources/%{name}/42/%{name}-%{tarball_version}.tar.xz
+Patch6001:      backport-CVE-2025-3155.patch
 BuildArch:      noarch
-
-BuildRequires:  gcc python3-libxml2 itstool
-BuildRequires:  /usr/bin/xmllint /usr/bin/xsltproc /usr/bin/ducktype
+BuildRequires:  gcc
+BuildRequires:  itstool
+BuildRequires:  make
+BuildRequires:  python3-libxml2
+BuildRequires:  /usr/bin/ducktype
+BuildRequires:  /usr/bin/xmllint
+BuildRequires:  /usr/bin/xsltproc
+Requires:       (yelp >= 2:42.2-3 if yelp)

 %description
 This package contains XSL stylesheets that are used by the yelp help browser.

 %package devel
-Summary:       Header files, libraries and developer documentatio for %{name}
+Summary: Developer documentation for yelp-xsl
 Requires: %{name} = %{version}-%{release}

 %description devel
-The package contains developer documentation for the XSL stylesheets in %{name}.
-
-%package_help
+The yelp-xsl-devel package contains developer documentation for the
+XSL stylesheets in yelp-xsl.

 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{tarball_version}

 %build
 %configure --enable-doc
@ -33,20 +40,30 @@ The package contains developer documentation for the XSL stylesheets in %{name}.
 %make_install

 %files
-%defattr(-,root,root)
+%doc AUTHORS README.md
 %license COPYING COPYING.GPL COPYING.LGPL
-%doc README AUTHORS
 %{_datadir}/yelp-xsl

 %files devel
-%defattr(-,root,root)
 %{_datadir}/pkgconfig/yelp-xsl.pc

-%files help
-%defattr(-,root,root)
-%doc NEWS
-
 %changelog
+* Fri May 16 2025 Funda Wang <fundawang@yeah.net> - 42.1-2
+- fix CVE-2025-3155
+
+* Wed Nov 9 2022 hkgy <kaguyahatu@outlook.com> - 42.1-1
+- Upgrade to v42.1
+
+* Wed Apr 20 2022 dillon chen <dillon.chen@gmail.com> - 42.0-1
+- Update to 42.0
+
+* Wed May 19 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.38.3-1
+- Upgrade to 3.38.3
+- Update License and BuildRequires
+
+* Fri Jan 29 2021 jinzhimin <jinzhimin2@huawei.com> - 3.38.2-1
+- Upgrade to 3.38.2
+
 * Mon Sep 7 2020 zhanzhimin <zhanzhimin@huawei.com> - 3.36.0-2
 - Update Source0
Author	SHA1	Message	Date
openeuler-ci-bot	ae984f70f6	!16 [sync] PR-13: fix CVE-2025-3155 From: @openeuler-sync-bot Reviewed-by: @weidongkl Signed-off-by: @weidongkl	2025-05-16 03:03:37 +00:00
Funda Wang	713c738b56	fix CVE-2025-3155 (cherry picked from commit 8d02b9520c4a250cc415cf21681fbd5f596b3aaf)	2025-05-16 10:27:48 +08:00
openeuler-ci-bot	c2f32de080	!12 Upgrade to v42.1 From: @hkgy Reviewed-by: @zhang__3125 Signed-off-by: @zhang__3125	2023-01-18 01:56:53 +00:00
QwQ	141138e603	v42.1	2022-11-09 08:21:35 +00:00
openeuler-ci-bot	e1c6da5e97	!10 upgrade to 42.0 From: @dillon_chen Reviewed-by: @dwl301 Signed-off-by: @dwl301	2022-04-20 09:42:52 +00:00
dillon_chen	460275f501	upgrade to 42.0	2022-04-20 14:50:51 +08:00
openeuler-ci-bot	2fa19a61db	!9 Upgrade to 3.38.3 From: @weijin-deng Reviewed-by: @weidongkl,@dwl301 Signed-off-by: @weidongkl,@dwl301	2021-05-19 16:22:36 +08:00
weijin-deng	26e1df3d92	Upgrade to 3.38.3 Update License and BuildRequires	2021-05-19 15:59:28 +08:00
openeuler-ci-bot	6f919bcfdb	!7 upgrade to 3.38.2 From: @jinzhimin369 Reviewed-by: @orange-snn Signed-off-by: @orange-snn	2021-01-30 17:38:01 +08:00
jzm369	9f274bb668	Upgrade to 3.38.2	2021-01-30 16:27:08 +08:00