From: Gyorgy Sarvari <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0829
Pick the patch from the nvd report details. Signed-off-by: Gyorgy Sarvari <[email protected]> (cherry picked from commit 80b536578028e4f6d0e5d13d133d1d88764f7445) Signed-off-by: Ankur Tyagi <[email protected]> --- ...issions-check-when-saving-allowed-cr.patch | 25 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 26 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch new file mode 100644 index 0000000000..a1ab677bc9 --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch @@ -0,0 +1,25 @@ +From 15dd0e4e55579671c01e4808236beb4fe23e9eef Mon Sep 17 00:00:00 2001 +From: Jamie Cameron <[email protected]> +Date: Sat, 19 Feb 2022 13:10:36 -0800 +Subject: [PATCH] Add missing permissions check when saving allowed cron users + +CVE: CVE-2022-0829 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/eeeea3c097f5cc473770119f7ac61f1dcfa671b9] + +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + cron/save_allow.cgi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cron/save_allow.cgi b/cron/save_allow.cgi +index 87bbe453..73df9a84 100755 +--- a/cron/save_allow.cgi ++++ b/cron/save_allow.cgi +@@ -4,6 +4,7 @@ + + require './cron-lib.pl'; + &ReadParse(); ++$access{'allow'} || &error($text{'allow_ecannot'}); + + &lock_file($config{cron_allow_file}); + &lock_file($config{cron_deny_file}); diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index d553c7530c..78ab19601f 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb 
+++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -23,6 +23,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://0001-HTML-escape-command-description.patch \ file://0001-Object-names-cannot-contact-special-characters.patch \ file://0001-Foreign-module-may-need-a-check.patch \ + file://0001-Add-missing-permissions-check-when-saving-allowed-cr.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b"
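Review bot: In the cron/save_allow.cgi hunk, the added line $access{'allow'} || &error($text{'allow_ecannot'}); relies on %access and on the allow_ecannot message both being set up by require './cron-lib.pl', and neither is visible in the context lines. The upstream commit is dated 2022 while the recipe is webmin 1.850, so please confirm against the 1.850 sources that cron-lib.pl populates %access and that allow_ecannot exists in the cron module's language file. If %access were empty at this point, the check would reject every caller, and a missing string would give an empty error message. The placement after &ReadParse() and before the two &lock_file calls is good, since a rejected request then takes no locks. It would also help to add a sentence to the commit message saying what the CVE is (a missing permission check when saving the allowed cron users) instead of only linking the NVD entry.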
