| Package | yelp |
|---|---|
| Version | 3.22.0-1+deb9u2 (stretch), 3.31.90-1+deb10u2 (buster) |

A vulnerability was discovered in yelp, the GNOME help browser, that allows a crafted help document to read files accessible to the user and exfiltrate them to a remote server through resources loaded by the embedded web view. When yelp is launched from a sandboxed application (for example via the Flatpak OpenURI portal), this also enables a sandbox escape.
The issue has not been assigned a CVE yet.
For Debian 10 buster, this problem has been fixed in version 3.31.90-1+deb10u2.
For Debian 9 stretch, this problem has been fixed in version 3.22.0-1+deb9u2.
We recommend that you upgrade your yelp packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.