From: <jinfeng.wang.cn@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [scarthgap][PATCH 01/12] gi-docgen: fix CVE-2025-11687
Date: Thu, 9 Apr 2026 14:16:28 +0800 [thread overview]
Message-ID: <20260409061639.1688205-2-jinfeng.wang.cn@windriver.com> (raw)
In-Reply-To: <20260409061639.1688205-1-jinfeng.wang.cn@windriver.com>
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-11687:
A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the
context of the page — enabling DOM access, session cookie theft and other client-side attacks — via
a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-11687]
Upstream patch:
[https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/c53d2640bfa5823bbdf33683d95c160267c0ec68]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
---
.../gi-docgen/files/CVE-2025-11687.patch | 90 +++++++++++++++++++
.../gi-docgen/gi-docgen_2023.3.bb | 5 +-
2 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-gnome/gi-docgen/files/CVE-2025-11687.patch
diff --git a/meta/recipes-gnome/gi-docgen/files/CVE-2025-11687.patch b/meta/recipes-gnome/gi-docgen/files/CVE-2025-11687.patch
new file mode 100644
index 0000000000..8a0c15e4a8
--- /dev/null
+++ b/meta/recipes-gnome/gi-docgen/files/CVE-2025-11687.patch
@@ -0,0 +1,90 @@
+From 0e97b155ff1b15bc3173118561316d8ea28ec9b7 Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Fri, 10 Oct 2025 17:06:22 +0100
+Subject: [PATCH] Make sure to escape query strings
+
+Unescaped query strings should not be passed to the HTML parser, to
+avoid unwanted execution of JavaScript.
+
+The query is shown in the header of the search results, so we can easily
+split the header from the results; then we use a plain text node to
+represent the query, and let the browser escape it.
+
+See: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
+
+Fixes: #228
+
+CVE: CVE-2025-11687
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/c53d2640bfa5823bbdf33683d95c160267c0ec68]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ gidocgen/templates/basic/search.js | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/gidocgen/templates/basic/search.js b/gidocgen/templates/basic/search.js
+index 29c204f..628f0a6 100644
+--- a/gidocgen/templates/basic/search.js
++++ b/gidocgen/templates/basic/search.js
+@@ -182,17 +182,24 @@ function hideSearchResults() {
+ }
+ }
+
+-function renderResults(query, results) {
+- let html = "";
++function createResultsTitle(query, n_results) {
++ // Ensure we're returning an escaped query string, to ensure we
++ // prevent XSS vulnerabilities
++ let h1 = document.createElement("h1");
++ let text = document.createTextNode("Results for “" + query + "” (" + n_results + ")");
++ h1.appendChild(text)
++ return h1;
++}
+
+- html += "<h1>Results for "" + query + "" (" + results.length + ")</h1>" +
+- "<div id=\"search-results\">"
++function createResultsContent(results) {
++ let search_results = document.createElement("div");
++ search_results.setAttribute("id", "search-results");
+
+ if (results.length === 0) {
+- html += "No results found.";
++ search_results.textContent = "No results found.";
+ }
+ else {
+- html += "<div class=\"results\"><dl>";
++ let html = "<div class=\"results\"><dl>";
+ results.forEach(function(item) {
+ html += "<dt class=\"result " + TYPE_CLASSES[item.type] + "\">" +
+ "<a href=\"" + item.href + "\">" + item.text + "</a>" +
+@@ -204,11 +211,11 @@ function renderResults(query, results) {
+ "<dd>" + item.summary + "</dd>";
+ });
+ html += "</dl></div>";
+- }
+
+- html += "</div>";
++ search_results.innerHTML = html;
++ }
+
+- return html;
++ return search_results;
+ }
+
+ function showResults(query, results) {
+@@ -218,9 +225,10 @@ function showResults(query, results) {
+ window.history.replaceState(refs.input.value, "", baseUrl + extra + window.location.hash);
+ }
+
+- window.title = "Results for: " + query;
++ window.title = "Results for “" + query + "” (" + results.length + ")";
+ window.scroll({ top: 0 })
+- refs.search.innerHTML = renderResults(query, results);
++ refs.search.appendChild(createResultsTitle(query, results.length));
++ refs.search.appendChild(createResultsContent(results));
+ showSearchResults(search);
+ }
+
+--
+2.50.0
+
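Review bot: The two `appendChild` calls added to `showResults` only add to `refs.search`, whereas the removed `refs.search.innerHTML = renderResults(query, results)` replaced its content, and nothing visible in this hunk empties the container first. Unless that happens outside the hunk, every further search would stack another title and result list under the previous one; `refs.search.replaceChildren(createResultsTitle(query, results.length), createResultsContent(results));` would keep the old replace semantics. Separately, `createResultsContent` still concatenates `item.href`, `item.text` and `item.summary` into a string assigned to `innerHTML`, so only the query is escaped by this fix. Those fields presumably come from the generated search index rather than from the URL, which is worth stating next to the assignment, for example `// index fields are produced by the generator, not taken from the request`. As this is a backport, either change would need to land upstream first so the recipe patch stays identical to the referenced commit.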
diff --git a/meta/recipes-gnome/gi-docgen/gi-docgen_2023.3.bb b/meta/recipes-gnome/gi-docgen/gi-docgen_2023.3.bb
index 54d7ef7513..53641bcbe3 100644
--- a/meta/recipes-gnome/gi-docgen/gi-docgen_2023.3.bb
+++ b/meta/recipes-gnome/gi-docgen/gi-docgen_2023.3.bb
@@ -8,7 +8,10 @@ HOMEPAGE = "https://gnome.pages.gitlab.gnome.org/gi-docgen/"
LICENSE = "GPL-3.0-or-later & Apache-2.0"
LIC_FILES_CHKSUM = "file://gi-docgen.py;beginline=1;endline=5;md5=2dc0f1f01202478cfe813c0e7f80b326"
-SRC_URI = "git://gitlab.gnome.org/GNOME/gi-docgen.git;protocol=https;branch=main"
+SRC_URI = "\
+ git://gitlab.gnome.org/GNOME/gi-docgen.git;protocol=https;branch=main \
+ file://CVE-2025-11687.patch \
+ "
SRCREV = "96f2e9b93e1d8a5338eb05b87fd879856ab7b3cc"
--
2.34.1