helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

webmin: patch CVE-2025-67738

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67738

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari 2026-02-27 13:03:19 +01:00
parent 5b9b91b0e2
commit 4c60a2c8d6
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
meta-webserver/recipes-webadmin/webmin/files/CVE-2025-67738.patch Normal file
View File

@ -0,0 +1,37 @@
From 21d9cbdc2b719e9d1349f14e03b5a041b476cce5 Mon Sep 17 00:00:00 2001
From: Jamie Cameron <jcameron@webmin.com>
Date: Wed, 29 Oct 2025 22:02:29 -0700
Subject: [PATCH] Fix quoting of args
CVE: CVE-2025-67738
Upstream-Status: Backport [https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
squid/cachemgr.cgi | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/squid/cachemgr.cgi b/squid/cachemgr.cgi
index b75f9427..41386d35 100755
--- a/squid/cachemgr.cgi
+++ b/squid/cachemgr.cgi
@@ -12,6 +12,7 @@ my ($mgr) = glob($config{'cachemgr_path'});
if (&has_command($mgr)) {
$| = 1;
my $temp;
+ my $args = join(" ", map { quotemeta($_) } @ARGV);
if ($ENV{'REQUEST_METHOD'} eq 'POST') {
# Deal with POST data
my $post;
@@ -21,10 +22,10 @@ if (&has_command($mgr)) {
&open_tempfile($fh, ">$temp", 0, 1);
&print_tempfile($fh, $post);
&close_tempfile($fh);
- open(MGR, "$mgr ".join(" ", @ARGV)." <$temp |");
+ open(MGR, "$mgr $args <$temp |");
}
else {
- open(MGR, "$mgr ".join(" ", @ARGV)." |");
+ open(MGR, "$mgr $args |");
}
while(<MGR>) {
print;

1
meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb
View File

@ -24,6 +24,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \
file://0001-Object-names-cannot-contact-special-characters.patch \
file://0001-Foreign-module-may-need-a-check.patch \
file://0001-Add-missing-permissions-check-when-saving-allowed-cr.patch \
file://CVE-2025-67738.patch \
"
SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b"