Your message dated Thu, 31 May 2012 18:02:11 +0000
with message-id <e1sa9hl-0000ud...@franck.debian.org>
and subject line Bug#673331: fixed in backuppc 3.2.1-3
has caused the Debian Bug report #673331,
regarding backuppc: fix for CVE-2011-5081
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
673331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: backuppc
Version: 3.2.1-2
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: XSS in CGI/RestoreFile.pm
- lib/BackupPC/CGI/RestoreFile.pm: update to escape share and backup
number
- CVE-2011-5081
I developed the attached patch and forwarded it upstream. I have not
heard back yet, but the patch is obvious and works here. Thanks for
considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u backuppc-3.2.1/debian/changelog backuppc-3.2.1/debian/changelog
only in patch2:
unchanged:
--- backuppc-3.2.1.orig/lib/BackupPC/CGI/RestoreFile.pm
+++ backuppc-3.2.1/lib/BackupPC/CGI/RestoreFile.pm
@@ -154,12 +154,12 @@
my $a = $view->fileAttrib($num, $share, $dir);
if ( $dir =~ m{(^|/)\.\.(/|$)} || !defined($a) ) {
$dir = decode_utf8($dir);
- ErrorExit("Can't restore bad file ${EscHTML($dir)} ($num, $share)");
+ ErrorExit("Can't restore bad file ${EscHTML($dir)} (${EscHTML($num)}, ${EscHTML($share)})");
}
my $f = BackupPC::FileZIO->open($a->{fullPath}, 0, $a->{compress});
if ( !defined($f) ) {
my $fullPath = decode_utf8($a->{fullPath});
- ErrorExit("Unable to open file ${EscHTML($fullPath)} ($num, $share)");
+ ErrorExit("Unable to open file ${EscHTML($fullPath)} (${EscHTML($num)}, ${EscHTML($share)})");
}
my $data;
if ( !$skipHardLink && $a->{type} == BPC_FTYPE_HARDLINK ) {
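Review bot: In the first hunk region `$dir` is passed through `decode_utf8()` before `EscHTML()`, but in both `+` lines `$share` (and `$num`) go to `EscHTML()` raw; if share names can carry non-ASCII bytes, decode `$share` the same way before escaping so the rendered message is consistent with how `$dir` is handled. Escaping at the two `ErrorExit` sinks closes the reported XSS, but since `$num` is a backup number, consider also rejecting it up front with something like `$num =~ /^\d+$/` so that any other interpolation of it in this handler is covered without relying on per-sink escaping.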
--- End Message ---
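The following is an added example, not code from BackupPC or from the bug report above. It shows in isolation why the backup number and share name have to be escaped together with the path when they are interpolated into an HTML error page, and adds an input check on the backup number as defence in depth. `esc_html()` is a stand-in written here for BackupPC's `EscHTML()` (the real one lives in lib/BackupPC/Lib.pm; the character set it covers is an assumption), and `valid_backup_num()` is a hypothetical helper, not a BackupPC function. The attacker-controlled values are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not BackupPC code): contrasts the error message as built
# before and after the CVE-2011-5081 fix and shows a front-door check on
# the backup number. esc_html() stands in for BackupPC's EscHTML().
use strict;
use warnings;

# Minimal HTML-entity escaper for text nodes. Assumption: BackupPC's
# EscHTML() covers at least these five characters.
sub esc_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Message as built before the fix: only the path is escaped, so the
# backup number and share name land in the page verbatim.
sub error_before {
    my ($dir, $num, $share) = @_;
    return "Can't restore bad file " . esc_html($dir) . " ($num, $share)";
}

# Message as built after the fix: every interpolated value is escaped.
sub error_after {
    my ($dir, $num, $share) = @_;
    return "Can't restore bad file " . esc_html($dir)
         . " (" . esc_html($num) . ", " . esc_html($share) . ")";
}

# Hypothetical helper: a backup number is always a non-negative integer,
# so anything else can be rejected before it reaches any output sink.
sub valid_backup_num {
    my ($num) = @_;
    return defined $num && $num =~ /\A\d+\z/;
}

# Constructed attacker input: a script tag in the share name and an
# attribute-breaking payload in the backup number.
my $dir   = 'etc/passwd';
my $share = '<script>alert(document.cookie)</script>';
my $num   = '1"><img src=x onerror=alert(1)>';

print "before: ", error_before($dir, $num, $share), "\n";
print "after:  ", error_after($dir, $num, $share), "\n";
print "num ok: ", (valid_backup_num($num) ? "yes" : "no"), "\n";
```

Run it with `perl` and compare the two lines: the "before" line contains the raw `<script>` and `<img ...>` markup, the "after" line contains only `&lt;`/`&gt;`/`&quot;` entities, and the backup-number check rejects the payload outright. Escaping at the sink is the fix that shipped; the integer check is the extra layer that makes the other uses of `$num` in the same handler safe regardless of how each one renders it.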
--- Begin Message ---
Source: backuppc
Source-Version: 3.2.1-3
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.2.1-3.diff.gz
to main/b/backuppc/backuppc_3.2.1-3.diff.gz
backuppc_3.2.1-3.dsc
to main/b/backuppc/backuppc_3.2.1-3.dsc
backuppc_3.2.1-3_i386.deb
to main/b/backuppc/backuppc_3.2.1-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 673...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldro...@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 31 May 2012 11:51:16 +0200
Source: backuppc
Binary: backuppc
Architecture: source i386
Version: 3.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldro...@debian.org>
Changed-By: Ludovic Drolez <ldro...@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 659456 662908 673331 673698
Changes:
backuppc (3.2.1-3) unstable; urgency=high
.
* urgency set to high because of a security fix
* fixed the XSS in CGI/RestoreFile.pm. CVE-2011-5081. Closes: #673331
* added the Polish debconf translation. Closes: #673698
* updated Danish translation. Closes: #659456
* added autofs in init.d's Should-Start/Should-Stop. Closes: #662908
Checksums-Sha1:
27f82261fe7a3f41d63daa03222ba2077f444bce 1029 backuppc_3.2.1-3.dsc
9f5247bbf1dc6055d72ebb40c2739ad566bc5e87 28778 backuppc_3.2.1-3.diff.gz
7e16b7eaed2c6b2d67d14ce967ced53569d11e7d 604538 backuppc_3.2.1-3_i386.deb
Checksums-Sha256:
eca2984ac592597ccca210533f31b8cfcd61a776855707cf1a7da8c22cb65b46 1029 backuppc_3.2.1-3.dsc
f2f09fe94c511ca29d0cbb2ddc545d11f6552609a3a99b7cb9d7ec785ef0c21d 28778 backuppc_3.2.1-3.diff.gz
34ec0ea9f0564a09e74d5c1aba1234ac3f9f6c213706a3b79eb678174ad266f3 604538 backuppc_3.2.1-3_i386.deb
Files:
8d43905d867dbea697e4feb90a0fe9ef 1029 utils optional backuppc_3.2.1-3.dsc
4d38d4654e97a78d9c73f42a280cfe66 28778 utils optional backuppc_3.2.1-3.diff.gz
bff1a16dcb1523417aa920d050bae809 604538 utils optional backuppc_3.2.1-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEUEARECAAYFAk/Hrw8ACgkQsRlQAP1Gppgo1gCYsErsQE0FFyUhG0CkGkUKgvOL
MwCglcHd8FGY/u9xzMZrCyHX3FIsrOs=
=WKKA
-----END PGP SIGNATURE-----
--- End Message ---