From https://secunia.com/advisories/51201/ : Description A vulnerability has been reported in Webmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the real name field is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in version 1.600. Other versions may also be affected. Solution Apply fix. Further details available in Customer Area Provided and/or discovered by Reported by the vendor. Original Advisory http://www.webmin.com/updates.html
Created attachment 328468 [details, diff] The security patch for the passwd module of Webmin v1.600 The vulnerability was fixed by the author in a new version of the passwd module (1.605). See the note about Webmin v1.600 here: http://www.webmin.com/updates.html So this is the patch that applies the upgrade of the passwd module to 1.605 The new ebuild of Webmin follows - webmin-1.600-r1.ebuild
Created attachment 328470 [details] The new Webmin ebuild revision 1, that applies the vulnerability fix to the passwd module This is the actual ebuild applying the security patch to the Webmin's passwd module. You may commit to main tree and close this bug.
+*webmin-1.600-r1 (05 Nov 2012) + + 05 Nov 2012; Markos Chandras <hwoarang@gentoo.org> + +files/webmin-1.600-SA51201.patch, +webmin-1.600-r1.ebuild, + -webmin-1.600.ebuild: + Revbump to fix security problem in #441840. Thanks to PhobosK + <phobosk@fastmail.fm>. Remove old ebuild +
There seems to be a problem with the patch but maybe it's just for the USE=minimal version? >>> Emerging (3 of 4) app-admin/webmin-1.600-r1 * webmin-1.600-minimal.tar.gz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ] >>> Unpacking source... >>> Unpacking webmin-1.600-minimal.tar.gz to /var/tmp/portage/app-admin/webmin-1.600-r1/work >>> Source unpacked in /var/tmp/portage/app-admin/webmin-1.600-r1/work >>> Preparing source in /var/tmp/portage/app-admin/webmin-1.600-r1/work/webmin-1.600 ... * Applying webmin-1.600-SA51201.patch ... * Failed Patch: webmin-1.600-SA51201.patch ! * ( /usr/portage/app-admin/webmin/files/webmin-1.600-SA51201.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/app-admin/webmin-1.600-r1/temp/webmin-1.600-SA51201.patch.out * ERROR: app-admin/webmin-1.600-r1 failed (prepare phase): * Failed Patch: webmin-1.600-SA51201.patch! * * Call stack: * ebuild.sh, line 93: Called src_prepare * environment, line 2750: Called epatch '/usr/portage/app-admin/webmin/files/webmin-1.600-SA51201.patch' * environment, line 1099: Called die * The specific snippet of code: * die "Failed Patch: ${patchname}!"; * * If you need support, post the output of `emerge --info '=app-admin/webmin-1.600-r1'`, * the complete build log and the output of `emerge -pqv '=app-admin/webmin-1.600-r1'`. * The complete build log is located at '/var/tmp/portage/app-admin/webmin-1.600-r1/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/app-admin/webmin-1.600-r1/temp/environment'. * Working directory: '/var/tmp/portage/app-admin/webmin-1.600-r1/work/webmin-1.600' * S: '/var/tmp/portage/app-admin/webmin-1.600-r1/work/webmin-1.600' >>> Failed to emerge app-admin/webmin-1.600-r1, Log file: >>> '/var/tmp/portage/app-admin/webmin-1.600-r1/temp/build.log' Here is build.log for "# emerge -pqv '=app-admin/webmin-1.600-r1'", it's short. # cat /var/tmp/portage/app-admin/webmin-1.600-r1/temp/build.log * Package: app-admin/webmin-1.600-r1 * Repository: gentoo * Maintainer: hwoarang@gentoo.org phobosk@fastmail.fm,proxy-maint@gentoo.org * USE: amd64 elibc_glibc kernel_linux minimal multilib postgres ssl userland_GNU * FEATURES: preserve-libs sandbox >>> Unpacking source... >>> Unpacking webmin-1.600-minimal.tar.gz to /var/tmp/portage/app-admin/webmin-1.600-r1/work >>> Source unpacked in /var/tmp/portage/app-admin/webmin-1.600-r1/work >>> Preparing source in /var/tmp/portage/app-admin/webmin-1.600-r1/work/webmin-1.600 ... * Applying webmin-1.600-SA51201.patch ... * Failed Patch: webmin-1.600-SA51201.patch ! * ( /usr/portage/app-admin/webmin/files/webmin-1.600-SA51201.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/app-admin/webmin-1.600-r1/temp/webmin-1.600-SA51201.patch.out * ERROR: app-admin/webmin-1.600-r1 failed (prepare phase): * Failed Patch: webmin-1.600-SA51201.patch! * * Call stack: * ebuild.sh, line 93: Called src_prepare * environment, line 2750: Called epatch '/usr/portage/app-admin/webmin/files/webmin-1.600-SA51201.patch' * environment, line 1099: Called die * The specific snippet of code: * die "Failed Patch: ${patchname}!"; * * If you need support, post the output of `emerge --info '=app-admin/webmin-1.600-r1'`, * the complete build log and the output of `emerge -pqv '=app-admin/webmin-1.600-r1'`. * The complete build log is located at '/var/tmp/portage/app-admin/webmin-1.600-r1/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/app-admin/webmin-1.600-r1/temp/environment'. * Working directory: '/var/tmp/portage/app-admin/webmin-1.600-r1/work/webmin-1.600' * S: '/var/tmp/portage/app-admin/webmin-1.600-r1/work/webmin-1.600'
I haven't tested the minimal version. Does it work without it?
(In reply to comment #5) > I haven't tested the minimal version. Does it work without it? I don't know, I only use minimal, but I wonder if what happens isn't that the file(s) to patch simply isn't included in the minimal package. I don't have time to check this before about 2 days though due to work pressure w/ a deadline.
Created attachment 328598 [details] The new Webmin ebuild revision 2, that applies the vulnerability fix to the passwd module for full Webmin version only Sorry it is my fault. I forgot that minimal is not having the passwd module, so no fix is needed for it. This is the r2 of the ebuild, that applies the patch only for the full Webmin version. It should fix all problems now.
Thanks. Fixed. No revbump as it was a build failure
Thanks, everyone. Closing noglsa for ~arch only.