GNOME's Help Browser Affected By A Serious Security Issue For Arbitrary File Reads
([GNOME] 3 Hours Ago
Yelp Yelp)
- Reference: 0001540918
- News link: https://www.phoronix.com/news/GNOME-Yelp-Security-Issue-2025
- Source link:
The GNOME Help Browser "Yelp" for viewing HTML / man page / DocBook and other documentation formats from the GNOME desktop is subject to a yet-to-be-patched-upstream security vulnerability that is now public and can allow for arbitrary file reads and could be funneled through your web browser.
GNOME's Yelp application is installed by default on various desktop Linux distributions like Ubuntu. A GNOME Security bug report back on Christmas (25 December) initially raised this security vulnerability that's since made public following the 90-day disclosure period yet still isn't addressed in the upstream software.
Michael Catanzaro of the GNOME Release Team and desktop engineer at Red Hat is raising the alarm bells today over this security issue. Catanzaro calls this a "dangerous" arbitrary file read vulnerability and is all the more severe if your browser is set to automatically allow downloading files and then via the ghelp:///proc/self/cwd/Downloads URL base could then be used on a link to call that file on your system. From there if GNOME's Yelp is launched to view the downloaded file, it could arbitrary read any known file location on the file-system and via JavaScript could then be posted to a remote server.
In a post earlier this month, "parrot409" who initially reported this issue demonstrated reading ~/.ssh/id_rsa in the Chrome web browser.
Michael Catanzaro wrote a summary of this GNOME Yelp situation via his [1]GNOME.org blog . [2]This bug report was made public recently that outlines the issue. [3]This post earlier this month further outlines the vulnerability in action.
What's worse is there have been [4]proposed patches for addressing this issue within the GNOME help viewer since last month but not yet reviewed and merged even with this vulnerability now public. Linux distribution vendors are encouraged to pick-up the patches in the meantime if desired. This looks to be a very messy issue and unfortunate it's dragged on so long now being public and without being patched upstream, especially given the GNOME 48 release last month and all the fresh Linux distribution releases this week like Ubuntu 25.04.
[1] https://blogs.gnome.org/mcatanzaro/2025/04/15/dangerous-arbitrary-file-read-vulnerability-in-yelp-cve-2025-3155/
[2] https://gitlab.gnome.org/GNOME/yelp/-/issues/221
[3] https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2
[4] https://gitlab.gnome.org/GNOME/yelp/-/issues/221#note_2359937
GNOME's Yelp application is installed by default on various desktop Linux distributions like Ubuntu. A GNOME Security bug report back on Christmas (25 December) initially raised this security vulnerability that's since made public following the 90-day disclosure period yet still isn't addressed in the upstream software.
Michael Catanzaro of the GNOME Release Team and desktop engineer at Red Hat is raising the alarm bells today over this security issue. Catanzaro calls this a "dangerous" arbitrary file read vulnerability and is all the more severe if your browser is set to automatically allow downloading files and then via the ghelp:///proc/self/cwd/Downloads URL base could then be used on a link to call that file on your system. From there if GNOME's Yelp is launched to view the downloaded file, it could arbitrary read any known file location on the file-system and via JavaScript could then be posted to a remote server.
In a post earlier this month, "parrot409" who initially reported this issue demonstrated reading ~/.ssh/id_rsa in the Chrome web browser.
Michael Catanzaro wrote a summary of this GNOME Yelp situation via his [1]GNOME.org blog . [2]This bug report was made public recently that outlines the issue. [3]This post earlier this month further outlines the vulnerability in action.
What's worse is there have been [4]proposed patches for addressing this issue within the GNOME help viewer since last month but not yet reviewed and merged even with this vulnerability now public. Linux distribution vendors are encouraged to pick-up the patches in the meantime if desired. This looks to be a very messy issue and unfortunate it's dragged on so long now being public and without being patched upstream, especially given the GNOME 48 release last month and all the fresh Linux distribution releases this week like Ubuntu 25.04.
[1] https://blogs.gnome.org/mcatanzaro/2025/04/15/dangerous-arbitrary-file-read-vulnerability-in-yelp-cve-2025-3155/
[2] https://gitlab.gnome.org/GNOME/yelp/-/issues/221
[3] https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2
[4] https://gitlab.gnome.org/GNOME/yelp/-/issues/221#note_2359937
pWe00Iri3e7Z9lHOX2Qx