From: Gyorgy Sarvari <[email protected]>

Details: https://nvd.nist.gov/vuln/detail/CVE-2017-17089
Pick the patch referenced in the nvd report. Signed-off-by: Gyorgy Sarvari <[email protected]> (cherry picked from commit 85933945fba1096bfcb1d3e723dc50bac3416867) Signed-off-by: Ankur Tyagi <[email protected]> --- ...0001-HTML-escape-command-description.patch | 29 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch new file mode 100644 index 0000000000..f4078c7f4f --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch @@ -0,0 +1,29 @@ +From 0d5e731a173767e7e4ea2051a7a33c8e5cc57880 Mon Sep 17 00:00:00 2001 +From: Jamie Cameron <[email protected]> +Date: Mon, 27 Nov 2017 08:50:15 -0800 +Subject: [PATCH] HTML escape command description + +CVE: CVE-2017-17089 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/a9c97eea6c268fb83d93a817d58bac75e0d2599e] + +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + custom/run.cgi | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/custom/run.cgi b/custom/run.cgi +index 327de410..375b041b 100755 +--- a/custom/run.cgi ++++ b/custom/run.cgi +@@ -40,8 +40,9 @@ if ($cmd->{'format'} ne 'redirect' && $cmd->{'format'} ne 'form') { + print "\n"; + } + else { +- &ui_print_unbuffered_header($cmd->{'desc'}, $text{'run_title'}, +- "", -d "help" ? "run" : undef); ++ &ui_print_unbuffered_header( ++ &html_escape($cmd->{'desc'}), $text{'run_title'}, ++ "", -d "help" ? "run" : undef); + } + } + diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index bc71c74474..784e3b69b9 100644 
--- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -20,6 +20,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://mysql-config-fix.patch \ file://webmin.service \ file://0001-Escape-potentially-malicious-HTTP-headers.patch \ + file://0001-HTML-escape-command-description.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b"
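Review bot: in the custom/run.cgi hunk carried by 0001-HTML-escape-command-description.patch, `&html_escape` is applied only to the `$cmd->{'desc'}` argument of `&ui_print_unbuffered_header` in the `else` branch, and the visible context does not show whether the description is written out anywhere else in run.cgi (for example in the branch that ends with `print "\n";`). Please confirm against the upstream commit named in Upstream-Status that this one call is the whole fix for CVE-2017-17089 as it applies to 1.850, and say so in the commit message, which currently only reads "Pick the patch referenced in the nvd report". It would also help to note why the `From 0d5e731a...` hash in the patch header differs from the `a9c97eea...` commit in the Upstream-Status URL, for instance if the patch was regenerated from a local tree.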
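Review bot: in the webmin_1.850.bb hunk, the added SRC_URI entry `file://0001-HTML-escape-command-description.patch` is the second patch with a `0001-` prefix, directly after `file://0001-Escape-potentially-malicious-HTTP-headers.patch`, so the number no longer tells a reader anything about apply order. The patches still apply in SRC_URI order, so this is a style point: consider naming the file after the CVE it fixes (for example `CVE-2017-17089.patch`) so the fix is easy to find in the recipe directory.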
