MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
catanzaro
Search

Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

Wednesday April 16, 2025. 07:54 PM , from LWN.net
GNOME contributor Michael Catanzaro has written a blog
post about a noteworthy vulnerability in GNOME's help browser, Yelp.

I don't normally blog about particular CVEs, but Yelp CVE-2025-3155 is
noteworthy because it is quite severe, public for several weeks now,
and not yet fixed upstream. In short, help files can read your
filesystem and execute arbitrary JavaScript code, allowing an attacker
to exfiltrate any files your Unix user has access to.

The vulnerability was first reported on December 25, and it
was made public on March 26 after the 90-day-disclosure deadline
was reached. Patches
have been proposed to fix the issue. The bug reporter has published a writeup
demonstrating the attack. Catanzaro asks that Linux vendors
'please consider applying the provided patches even though they
have not yet been accepted upstream'.
Read more at LWN.net
https://lwn.net/Articles/1017727/

Related News

catanzaro CVE fallout: The splintering of the standard vulnerability tracking system has begun TheRegisterApr 18
yelp ‘Stupid and Dangerous’: CISA Funding Chaos Threatens Essential Cybersecurity Program Wired: Tech.Apr 16
vulnerability Kermit is a typeface to help kids read BoingBoingApr 16
arbitrary Microsoft hits Ctrl-Z after Teams trips over file sharing TheRegisterApr 16
read Canadians decline Gavin Newsom's dangerous invitation to visit California BoingBoingApr 15
public Microsoft OneDrive file sync apps for Windows, Mac broken for 10 months TheRegisterApr 15
help The Most Dangerous Hackers You’ve Never Heard Of Wired: Tech.Apr 14
files 3 days left! Snag this $33 H&R Block deal and file your federal and state taxes in time BoingBoingApr 12
yet Ex-OpenAI Staffers File Amicus Brief Opposing the Company's For-Profit Transition SlashdotApr 12
about Traditional vulnerability assessment falls short on third-party risks BetaNewsApr 8
not Beware the beautiful yet dangerous Caravela Portuguesa BoingBoingApr 4
patches Understand Python’s new lock file format InfoWorldApr 1
noteworthy New Python lock file format will specify dependencies InfoWorldApr 1
file A New Image File Format Efficiently Stores Invisible Light Data SlashdotMar 29
dangerous 0patch releases yet another free fix for yet another 0day vulnerability in Windows that Microsoft has not addressed BetaNewsMar 26
catanzaro How AI Coding Assistants Could Be Compromised Via Rules File SlashdotMar 23
yelp Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist TheRegisterMar 20
vulnerability Who is Funnier, Humans or AI? Read the Results of the Researcher Meme Challenge eWeekMar 20
arbitrary IBM scores perfect 10 ... vulnerability in mission-critical OS AIX TheRegisterMar 19
read [$] Better CPU vulnerability mitigation configuration LWN.netMar 19
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Current Date
Apr, Sat 19 - 15:11 CEST