From: Gyorgy Sarvari <[email protected]>

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0824
Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <[email protected]> (cherry picked from commit b4c4f0c52537afd097c967850267e4e29e4a620f) Signed-off-by: Ankur Tyagi <[email protected]> --- ...0001-Foreign-module-may-need-a-check.patch | 27 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch new file mode 100644 index 0000000000..8698030e82 --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch @@ -0,0 +1,27 @@ +From 2659c2990427c587a49014abb5275aec0ea44c0a Mon Sep 17 00:00:00 2001 +From: Ilia Rostovtsev <[email protected]> +Date: Sun, 20 Feb 2022 12:48:27 +0300 +Subject: [PATCH] Foreign module may need a check + +CVE: CVE-2022-0824 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38] + +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + web-lib-funcs.pl | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl +index bbe154a9..4bb2b0d6 100755 +--- a/web-lib-funcs.pl ++++ b/web-lib-funcs.pl +@@ -4669,7 +4669,8 @@ if ($module_name) { + } + + if ($module_name && !$main::no_acl_check && +- !defined($ENV{'FOREIGN_MODULE_NAME'}) && ++ (!defined($ENV{'FOREIGN_MODULE_NAME'}) || ++ defined($ENV{'FOREIGN_MODULE_SEC_CHECK'})) && + $main::webmin_script_type eq 'web') { + # Check if the HTTP user can access this module + if (!&foreign_available($module_name)) { diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index cc31ff35a7..d553c7530c 100644 
--- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -22,6 +22,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://0001-Escape-potentially-malicious-HTTP-headers.patch \ file://0001-HTML-escape-command-description.patch \ file://0001-Object-names-cannot-contact-special-characters.patch \ + file://0001-Foreign-module-may-need-a-check.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b"
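Review bot: In the web-lib-funcs.pl hunk, the added `defined($ENV{'FOREIGN_MODULE_SEC_CHECK'})` branch only re-enables the `&foreign_available($module_name)` ACL check when something sets that environment variable, and nothing in this patch sets it. Please confirm that webmin 1.850 has a caller that sets FOREIGN_MODULE_SEC_CHECK before the foreign module code runs. If no caller does, requests with FOREIGN_MODULE_NAME defined still skip the check exactly as before, and the backport changes nothing for CVE-2022-0824 on this version. If a companion change is needed to set the variable, it belongs in the same commit, and the commit message should say which caller is expected to set it instead of only pointing to the NVD report.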
