Fedora Account System
Red Hat Associate
Red Hat Customer
A local sandbox escape and host information disclosure flaw was found in Yelp. A regression introduced in the companion yelp-xsl stylesheet component targets the gnome-42 and master development branches, leaving the application's Content Security Policy (CSP) style handling directives overly permissive. A malicious or compromised sandboxed Flatpak application can programmatically abuse the standard host org.freedesktop.portal.OpenURI portal interface to pass crafted help layout files (ghelp:// or mallard extensions). Because the system portal processes this request silently without requiring user interaction, host-level Yelp is automatically invoked to parse the file outside the application container. The attacker-controlled layout leverages local XML inclusions to load arbitrary host-level files into memory, which are subsequently exfiltrated out-of-band to a remote server using a background CSS url() query embedded inside a structured SVG document.