• Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

    From LWN.net@1337:1/100 to All on Wed Apr 16 19:00:09 2025

    Date:
    Wed, 16 Apr 2025 17:54:00 +0000

    Description:
    GNOME contributor Michael Catanzaro has written a blog
    post about a noteworthy vulnerability in GNOME's help browser, Yelp. I don't normally blog about particular CVEs, but Yelp CVE-2025-3155 is
    noteworthy because it is quite severe, public for several weeks now,
    and not yet fixed upstream. In short, help files can read your
    filesystem and execute arbitrary JavaScript code, allowing an attacker
    to exfiltrate any files your Unix user has access to. The vulnerability was first reported on December 25, and it
    was made public on March 26 after the 90-day disclosure deadline
    was reached. Patches have been proposed to fix the issue. The bug reporter
    has published a writeup
    demonstrating the attack. Catanzaro asks that Linux vendors
    "please consider applying the provided patches even though they
    have not yet been accepted upstream".

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1017727/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)