A critical CSP vulnerability in GNOME's Yelp help browser allows malicious Flatpak apps to exfiltrate host files and execute arbitrary scripts. This evergreen guide shows you exactly how to check your Fedora system for this flaw, apply the fix with an automation script, and implement firewall or AppArmor mitigations if you can't update right away. Direct commands, copy‑paste solutions, and a strong call to action.
Yelp – the GNOME desktop’s help browser that handles man pages, info pages, and DocBook documentation – recently received a critical security update.
The issue stems from a Content Security Policy (CSP) that was too permissive, which allowed malicious Flatpak applications to exfiltrate host files and execute arbitrary scripts through specially crafted help documents.
This advisory was published in May 2026, but the underlying problem – insufficiently restrictive CSP policies in help viewers – is a general security risk that can surface in any software that renders external content.
How to Check If You Are Vulnerable (Fedora Linux)
First, determine what version of yelp you have installed:
rpm -q yelp
If the output shows 49.1-1.fc44 or higher, you are protected. Anything lower than that is vulnerable.
To see the full package details:
dnf info yelp
If you’re running Fedora 43, the fixed version is yelp-49.1-1.fc43 (see the Tenable advisory). If you’re on an older release, check whether a backported fix exists for your distribution.
Automation Script to Apply the Fix
Save the following script as fix-yelp.sh and run it with sudo bash fix-yelp.sh:
#!/bin/bash # fix-yelp.sh - Update Yelp on Fedora systems set -euo pipefail if ! grep -q "Fedora" /etc/fedora-release; then echo "This script is designed for Fedora only." exit 1 fi echo "Checking current Yelp version..." rpm -q yelp echo "Refreshing package metadata..." sudo dnf check-update || true echo "Installing the security update..." sudo dnf upgrade --advisory FEDORA-2026-ed4f450fa9 -y echo "Verifying the update..." rpm -q yelp echo "Done! Yelp has been updated to the secure version."
Tip: Build a small Raspberry Pi Kit to test security updates like this in an isolated lab environment before applying them to production workstations.
CanaKit (aversiting) -> https://amzn.to/4umqayY
I earn a comission with you make a purchase.
Alternative Mitigation If You Cannot Update Now
If you cannot update immediately, here are practical workarounds:
Block Yelp from making any outbound connections – this prevents data exfiltration while you arrange a proper update:
# Find Yelp's binary path which yelp # Block outbound connections from Yelp using iptables (replace with actual UID) sudo iptables -A OUTPUT -m owner --uid-owner $(id -u) -j DROP
For a more targeted approach, block outbound HTTP/HTTPS from the Yelp process:
sudo iptables -A OUTPUT -p tcp --dport 80,443 -m owner --uid-owner $(id -u) -j DROP
AppArmor Confinement
Create a restrictive AppArmor profile that limits what Yelp can read and execute:
# Put AppArmor in complain mode to log violations without blocking sudo aa-complain /usr/bin/yelp # Then create a custom profile that blocks access to sensitive directories # Add these lines to /etc/apparmor.d/local/usr.bin.yelp: # Deny reading SSH keys deny @{HOME}/.ssh/** r, # Deny reading password stores deny @{HOME}/.password-store/** r, # Reload the profile sudo apparmor_parser -r /etc/apparmor.d/usr.bin.yelp
Manual Workaround
Until you can update:
Avoid opening untrusted help files, especially from Flatpak applications.
Consider disabling the Yelp package temporarily: sudo systemctl mask --now yelp (if Yelp runs as a service) or simply sudo chmod -x /usr/bin/yelp as a last resort.
Final Call to Action
Update Yelp now. Run the script above or execute:
sudo dnf upgrade --advisory FEDORA-2026-ed4f450fa9
Once updated, verify the fix with rpm -q yelp. For ongoing security monitoring, set up a weekly cron job to check for critical updates.
Keep your system secure – one command is all it takes.
Nenhum comentário:
Postar um comentário