| author | jopejoe1 <nixpkgs@missing.ninja> | 2025-04-17 19:24:38 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-04-17 19:24:38 +0200 |
| commit | 91038b91a4f5fe6a1d7b04a0eea2646025213652 (patch) | |
| tree | 3bcdc7ae0f24ef5e4de67bf0966ac13c3fe0490a | |
| parent | [Backport release-24.11] erlang_26: 26.2.5.10 -> 26.2.5.11, erlang_27: 27.3.2... (diff) | |
| parent | yelp-xsl: fix for CVE-2025-3155 (diff) | |
| download | nixpkgs-91038b91a4f5fe6a1d7b04a0eea2646025213652.tar.gz | |
[Backport release-24.11] yelp: CVE-2025-3155 (#399204)
| -rw-r--r-- | pkgs/by-name/ye/yelp-xsl/cve-2025-3155.patch | 79 | ||||
| -rw-r--r-- | pkgs/by-name/ye/yelp-xsl/package.nix | 4 | ||||
| -rw-r--r-- | pkgs/by-name/ye/yelp/cve-2025-3155.patch | 101 | ||||
| -rw-r--r-- | pkgs/by-name/ye/yelp/package.nix | 4 |
4 files changed, 188 insertions, 0 deletions
diff --git a/pkgs/by-name/ye/yelp-xsl/cve-2025-3155.patch b/pkgs/by-name/ye/yelp-xsl/cve-2025-3155.patch
new file mode 100644
index 000000000000..36886d7c4a2a
--- /dev/null
+++ b/pkgs/by-name/ye/yelp-xsl/cve-2025-3155.patch
@@ -0,0 +1,79 @@
+diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
+index 77aed075..82832fb4 100644
+--- a/xslt/common/html.xsl
++++ b/xslt/common/html.xsl
+@@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See
+ -->
+ <xsl:param name="html.sidebar.right" select="''"/>
++<!--@@==========================================================================
++html.csp.nonce
++An optional CSP nonce string to allow the execution of scripts and styles.
++@revision[version=42.2 date=2025-02-22 status=final]
++
++This parameter takes a string value that will be added to the 'nonce' attribute
++of all 'style' and 'script' tags in the generated HTML output. This paramter is used
++to whitelist script and style tags that are allowed to be executed.
++-->
++<xsl:param name="html.csp.nonce" select="false()"/>
+
+ <!--**==========================================================================
+ html.output
+@@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided.
+ </xsl:call-template>
+ </xsl:param>
+ <style type="text/css">
++ <xsl:if test="$html.csp.nonce">
++ <xsl:attribute name="nonce">
++ <xsl:value-of select="$html.csp.nonce" />
++ </xsl:attribute>
++ </xsl:if>
+ <xsl:call-template name="html.css.content">
+ <xsl:with-param name="node" select="$node"/>
+ <xsl:with-param name="direction" select="$direction"/>
+@@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files.
+ <xsl:param name="node" select="."/>
+ <xsl:if test="$node//mml:*[1]">
+ <script type="text/javascript">
++ <xsl:if test="$html.csp.nonce">
++ <xsl:attribute name="nonce">
++ <xsl:value-of select="$html.csp.nonce" />
++ </xsl:attribute>
++ </xsl:if>
+ <xsl:attribute name="src">
+ <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
+ </xsl:attribute>
+@@ -1558,6 +1578,11 @@ result of {html.js.content} to that file.
+ <xsl:template name="html.js.script">
+ <xsl:param name="node" select="."/>
+ <script type="text/javascript">
++ <xsl:if test="$html.csp.nonce">
++ <xsl:attribute name="nonce">
++ <xsl:value-of select="$html.csp.nonce" />
++ </xsl:attribute>
++ </xsl:if>
+ <xsl:call-template name="html.js.content">
+ <xsl:with-param name="node" select="$node"/>
+ </xsl:call-template>
+@@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value.
+ <xsl:template name="html.js.syntax">
+ <xsl:param name="node" select="."/>
+ <xsl:if test="$html.syntax.highlight">
+- <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
+- <script><![CDATA[
++ <script type="text/javascript" src="{$html.js.root}highlight.pack.js">
++ <xsl:if test="$html.csp.nonce">
++ <xsl:attribute name="nonce">
++ <xsl:value-of select="$html.csp.nonce" />
++ </xsl:attribute>
++ </xsl:if>
++ </script>
++ <script>
++ <xsl:if test="$html.csp.nonce">
++ <xsl:attribute name="nonce">
++ <xsl:value-of select="$html.csp.nonce" />
++ </xsl:attribute>
++ </xsl:if><![CDATA[
+ document.addEventListener('DOMContentLoaded', function() {
+ var matches = document.querySelectorAll('code.syntax')
+ for (var i = 0; i < matches.length; i++) {
diff --git a/pkgs/by-name/ye/yelp-xsl/package.nix b/pkgs/by-name/ye/yelp-xsl/package.nix
index 613e12f0a561..9f776b03e013 100644
--- a/pkgs/by-name/ye/yelp-xsl/package.nix
+++ b/pkgs/by-name/ye/yelp-xsl/package.nix
@@ -29,6 +29,10 @@ stdenv.mkDerivation rec {
 doCheck = true;
+ patches = [
+ ./cve-2025-3155.patch
+ ];
+
 passthru = {
 updateScript = gnome.updateScript {
 packageName = "yelp-xsl";
diff --git a/pkgs/by-name/ye/yelp/cve-2025-3155.patch b/pkgs/by-name/ye/yelp/cve-2025-3155.patch
new file mode 100644
index 000000000000..3cdcfaeef332
--- /dev/null
+++ b/pkgs/by-name/ye/yelp/cve-2025-3155.patch
@@ -0,0 +1,101 @@
+diff --git a/data/xslt/mal2html.xsl.in b/data/xslt/mal2html.xsl.in
+index 9e44b734..0a74da55 100644
+--- a/data/xslt/mal2html.xsl.in
++++ b/data/xslt/mal2html.xsl.in
+@@ -19,6 +19,11 @@
+ <xsl:param name="mal.link.prefix" select="'xref:'"/>
+ <xsl:param name="mal.link.extension" select="''"/>
+
++<xsl:template name="html.head.top.custom">
++ <xsl:param name="node" select="."/>
++ <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'nonce-{$html.csp.nonce}'; "/>
++</xsl:template>
++
+ <xsl:template name="mal.link.target.custom">
+ <xsl:param name="node" select="."/>
+ <xsl:param name="action" select="$node/@action"/>
+diff --git a/data/xslt/man2html.xsl.in b/data/xslt/man2html.xsl.in
+index 676ce3eb..56bc1f5c 100644
+--- a/data/xslt/man2html.xsl.in
++++ b/data/xslt/man2html.xsl.in
+@@ -131,7 +131,7 @@
+ the correct styling and a single character which we measure the
+ width of and update each sheet as required.
+ -->
+-<script type="text/javascript" language="javascript">
++<script type="text/javascript" language="javascript" nonce="{$html.csp.nonce}">
+ <xsl:text>
+ $(document).ready (function () {
+ var div = document.getElementById("invisible-char");
+diff --git a/data/xslt/yelp-common.xsl.in b/data/xslt/yelp-common.xsl.in
+index 0c1ec9bb..421fc02d 100644
+--- a/data/xslt/yelp-common.xsl.in
++++ b/data/xslt/yelp-common.xsl.in
+@@ -15,6 +15,13 @@
+ <xsl:param name="html.syntax.highlight" select="true()"/>
+ <xsl:param name="html.js.root" select="'file://@XSL_JSDIR@/'"/>
+
++<xsl:param name="html.csp.nonce" select="yelp:generate_nonce()"/>
++
++<xsl:template name="html.head.top.custom">
++ <xsl:param name="node" select="."/>
++ <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'unsafe-inline'; "/>
++</xsl:template>
++
+ <xsl:template name="html.js.mathjax">
+ <xsl:param name="node" select="."/>
+ <xsl:if test="$node//mml:*[1]">
+diff --git a/libyelp/yelp-transform.c b/libyelp/yelp-transform.c
+index e74eb463..2ce1d05b 100644
+--- a/libyelp/yelp-transform.c
++++ b/libyelp/yelp-transform.c
+@@ -71,6 +71,8 @@ static void xslt_yelp_cache (xsltTransformContextPtr ctxt,
+ xsltStylePreCompPtr comp);
+ static void xslt_yelp_aux (xmlXPathParserContextPtr ctxt,
+ int nargs);
++static void xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt,
++ int nargs);
+
+ enum {
+ PROP_0,
+@@ -412,6 +414,10 @@ transform_run (YelpTransform *transform)
+ BAD_CAST "input",
+ BAD_CAST YELP_NAMESPACE,
+ (xmlXPathFunction) xslt_yelp_aux);
++ xsltRegisterExtFunction (priv->context,
++ BAD_CAST "generate_nonce",
++ BAD_CAST YELP_NAMESPACE,
++ (xmlXPathFunction) xslt_yelp_generate_nonce);
+
+ priv->output = xsltApplyStylesheetUser (priv->stylesheet,
+ priv->input,
+@@ -607,3 +613,16 @@ xslt_yelp_aux (xmlXPathParserContextPtr ctxt, int nargs)
+ xsltExtensionInstructionResultRegister (tctxt, ret);
+ valuePush (ctxt, ret);
+ }
++
++static void
++xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)
++{
++ GRand* rand;
++ gchar* nonce_str;
++
++ rand = g_rand_new ();
++ nonce_str = g_strdup_printf("%08x%08x", g_rand_int (rand), g_rand_int (rand));
++ xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) nonce_str));
++ g_free(nonce_str);
++ g_rand_free(rand);
++}
+diff --git a/libyelp/yelp-view.c b/libyelp/yelp-view.c
+index 32ae131e..d544c5df 100644
+--- a/libyelp/yelp-view.c
++++ b/libyelp/yelp-view.c
+@@ -971,7 +971,7 @@ view_external_uri (YelpView *view,
+
+ if (app_info)
+ {
+- if (!strstr (g_app_info_get_executable (app_info), "yelp"))
++ if (!strstr (g_app_info_get_executable (app_info), "yelp") && !strstr (struri, "%3C") && !strstr (struri, "%3E"))
+ {
+ GList l;
+
diff --git a/pkgs/by-name/ye/yelp/package.nix b/pkgs/by-name/ye/yelp/package.nix
index 652cc277ae9a..270df670e2a2 100644
--- a/pkgs/by-name/ye/yelp/package.nix
+++ b/pkgs/by-name/ye/yelp/package.nix
@@ -49,6 +49,10 @@ stdenv.mkDerivation rec {
 gst_all_1.gst-plugins-good
 ];
+ patches = [
+ ./cve-2025-3155.patch
+ ];
+
 passthru = {
 updateScript = gnome.updateScript {
 packageName = "yelp";
|
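Review bot: The documentation block added for `html.csp.nonce` in the html.xsl hunk has a typo in `This paramter is used` and the sentence after it would read more clearly as `This parameter is used to allow-list the script and style tags that may execute.`. The nonce attribute added in the html.js.mathjax hunk also lands on a `script` whose `src` is the plaintext `http://cdn.mathjax.org/...` URL already in the file; under a nonce-only `script-src` a nonced external script is fetched and run regardless of host, so the nonce re-admits whatever that URL serves rather than pinning it, which deserves a comment on that `xsl:if`, or leaving the remote-src script un-nonced if the consumer's policy is meant to block remote code. I am inferring the policy effect from the yelp patch in the same commit; yelp-xsl itself ships no CSP and the default `select="false()"` leaves the output unchanged for consumers that do not set the parameter.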
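Review bot: `xslt_yelp_generate_nonce` in the yelp-transform.c hunk builds the CSP nonce from `g_rand_new()`/`g_rand_int()`, a Mersenne Twister that is not a cryptographically secure generator, and the `"%08x%08x"` format yields only 64 bits, whereas the CSP specification asks for a nonce drawn from a CSPRNG with at least 128 bits of entropy. Since the nonce is the only thing that lets a script run under the `script-src 'nonce-…'` policies added in yelp-common.xsl.in and mal2html.xsl.in, I would read 16 bytes with `getrandom(2)` (needs `#include <sys/random.h>` in yelp-transform.c), hex-encode them, and fail closed when the call does not fill the buffer. The `strstr (struri, "%3C")` / `"%3E"` guard in the yelp-view.c hunk is byte-exact while percent-encoding is case-insensitive per RFC 3986, so comparing against a `g_ascii_strdown` copy of `struri` (or the decoded URI) would make that check more robust; `view_external_uri` continues outside the hunk. The unused `nargs` parameter could take `(void) nargs;` to keep `-Wunused-parameter` quiet.
```c
static void
xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)
{
    guint8 bytes[16];                 /* 128 bits, the minimum CSP recommends */
    gchar hex[2 * sizeof bytes + 1];
    gsize i;

    (void) nargs;
    /* getrandom(2) is a CSPRNG; GRand (Mersenne Twister) is not. */
    if (getrandom (bytes, sizeof bytes, 0) != (ssize_t) sizeof bytes) {
        /* fail closed: an empty nonce should match no 'nonce-…' source */
        xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) ""));
        return;
    }
    for (i = 0; i < sizeof bytes; i++)
        g_snprintf (hex + 2 * i, 3, "%02x", bytes[i]);
    xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) hex));
}
```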
