packages/yelp-xsl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:ae984f70f6b35d94646aee7ec0855f62433da03f
Branches Tags
packages:main
..
compare: packages:7699e57dc7459b556ade6691edab062bf6c05150
Branches Tags
packages:main

No commits in common. "ae984f70f6b35d94646aee7ec0855f62433da03f" and "7699e57dc7459b556ade6691edab062bf6c05150" have entirely different histories.
ae984f70f6 ... 7699e57dc7

4 changed files with 25 additions and 134 deletions
Show Stats Expand all files Collapse all files

92
backport-CVE-2025-3155.patch
View File

@ -1,92 +0,0 @@
From 6902d7439c0419055e1c48c7771629ccbb278408 Mon Sep 17 00:00:00 2001
From: Shaun McCance <shaunm@redhat.com>
Date: Fri, 18 Apr 2025 11:31:18 -0400
Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
---
xslt/common/html.xsl | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
index 77aed075..82832fb4 100644
--- a/xslt/common/html.xsl
+++ b/xslt/common/html.xsl
@@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See
-->
<xsl:param name="html.sidebar.right" select="''"/>
+<!--@@==========================================================================
+html.csp.nonce
+An optional CSP nonce string to allow the execution of scripts and styles.
+@revision[version=42.2 date=2025-02-22 status=final]
+
+This parameter takes a string value that will be added to the 'nonce' attribute
+of all 'style' and 'script' tags in the generated HTML output. This paramter is used
+to whitelist script and style tags that are allowed to be executed.
+-->
+<xsl:param name="html.csp.nonce" select="false()"/>
<!--**==========================================================================
html.output
@@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided.
</xsl:call-template>
</xsl:param>
<style type="text/css">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:call-template name="html.css.content">
<xsl:with-param name="node" select="$node"/>
<xsl:with-param name="direction" select="$direction"/>
@@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files.
<xsl:param name="node" select="."/>
<xsl:if test="$node//mml:*[1]">
<script type="text/javascript">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:attribute name="src">
<xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
</xsl:attribute>
@@ -1558,6 +1578,11 @@ result of {html.js.content} to that file.
<xsl:template name="html.js.script">
<xsl:param name="node" select="."/>
<script type="text/javascript">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:call-template name="html.js.content">
<xsl:with-param name="node" select="$node"/>
</xsl:call-template>
@@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value.
<xsl:template name="html.js.syntax">
<xsl:param name="node" select="."/>
<xsl:if test="$html.syntax.highlight">
- <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
- <script><![CDATA[
+ <script type="text/javascript" src="{$html.js.root}highlight.pack.js">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
+ </script>
+ <script>
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if><![CDATA[
document.addEventListener('DOMContentLoaded', function() {
var matches = document.querySelectorAll('code.syntax')
for (var i = 0; i < matches.length; i++) {
--
GitLab

BIN
yelp-xsl-3.36.0.tar.xz Normal file
View File

Binary file not shown.

BIN
yelp-xsl-42.1.tar.xz
View File

Binary file not shown.

67
yelp-xsl.spec
View File

@ -1,36 +1,29 @@
%global tarball_version %%(echo %{version} | tr '~' '.') Name: yelp-xsl
Version: 3.36.0
Name: yelp-xsl Release: 2
Version: 42.1 Summary: XSL stylesheets for the yelp help browser
Release: 2 License: LGPLv2+ and GPLv2+ and MIT
Summary: XSL stylesheets for the yelp help browser URL: https://wiki.gnome.org/Apps/Yelp
License: GPL-2.0-or-later AND LGPL-2.0-or-later AND MIT AND BSD-3-Clause Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz
URL: https://wiki.gnome.org/Apps/Yelp
Source0: https://download.gnome.org/sources/%{name}/42/%{name}-%{tarball_version}.tar.xz
Patch6001: backport-CVE-2025-3155.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: gcc
BuildRequires: itstool BuildRequires: gcc python3-libxml2 itstool
BuildRequires: make BuildRequires: /usr/bin/xmllint /usr/bin/xsltproc /usr/bin/ducktype
BuildRequires: python3-libxml2
BuildRequires: /usr/bin/ducktype
BuildRequires: /usr/bin/xmllint
BuildRequires: /usr/bin/xsltproc
Requires: (yelp >= 2:42.2-3 if yelp)
%description %description
This package contains XSL stylesheets that are used by the yelp help browser. This package contains XSL stylesheets that are used by the yelp help browser.
%package devel %package devel
Summary: Developer documentation for yelp-xsl Summary: Header files, libraries and developer documentatio for %{name}
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
%description devel %description devel
The yelp-xsl-devel package contains developer documentation for the The package contains developer documentation for the XSL stylesheets in %{name}.
XSL stylesheets in yelp-xsl.
%package_help
%prep %prep
%autosetup -p1 -n %{name}-%{tarball_version} %autosetup -n %{name}-%{version}
%build %build
%configure --enable-doc %configure --enable-doc
@ -40,30 +33,20 @@ XSL stylesheets in yelp-xsl.
%make_install %make_install
%files %files
%doc AUTHORS README.md %defattr(-,root,root)
%license COPYING COPYING.GPL COPYING.LGPL %license COPYING COPYING.GPL COPYING.LGPL
%doc README AUTHORS
%{_datadir}/yelp-xsl %{_datadir}/yelp-xsl
%files devel %files devel
%defattr(-,root,root)
%{_datadir}/pkgconfig/yelp-xsl.pc %{_datadir}/pkgconfig/yelp-xsl.pc
%files help
%defattr(-,root,root)
%doc NEWS
%changelog %changelog
* Fri May 16 2025 Funda Wang <fundawang@yeah.net> - 42.1-2
- fix CVE-2025-3155
* Wed Nov 9 2022 hkgy <kaguyahatu@outlook.com> - 42.1-1
- Upgrade to v42.1
* Wed Apr 20 2022 dillon chen <dillon.chen@gmail.com> - 42.0-1
- Update to 42.0
* Wed May 19 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.38.3-1
- Upgrade to 3.38.3
- Update License and BuildRequires
* Fri Jan 29 2021 jinzhimin <jinzhimin2@huawei.com> - 3.38.2-1
- Upgrade to 3.38.2
* Mon Sep 7 2020 zhanzhimin <zhanzhimin@huawei.com> - 3.36.0-2 * Mon Sep 7 2020 zhanzhimin <zhanzhimin@huawei.com> - 3.36.0-2
- Update Source0 - Update Source0