Bug#654692: [SRM] proposed update backuppc for squeeze

January 11th, 2012 - 02:50 pm ET by Thijs Kinkhorst

Hi,

I propose the attached NMU for backuppc for squeeze. This is meant to address
#654692, a bug where backuppc produces corrupted tarballs. For me this
data corruption is important enough to want to fix it in squeeze.

The bug was introduced in a Debian-specific patch, and
oldstable/testing/unstable are not affected.

I've taken the opportunity to include a "no-DSA" XSS fix.

Ludovic, NMU is not intended as criticism of any kind - I just think the
issue is important enough to push forward with an update for squeeze and
hope to help get this done.

SRMs: let me know if it is acceptable.


cheers,
Thijs

diff -u backuppc-3.1.0/lib/BackupPC/Lib.pm backuppc-3.1.0/lib/BackupPC/Lib.pm
backuppc-3.1.0/lib/BackupPC/Lib.pm
+++ backuppc-3.1.0/lib/BackupPC/Lib.pm
@@ -488,7 +488,8 @@
# return if ( !opendir(my $fh, $path) );
my ($fh);
if ( !opendir($fh, $path) ) {
- print "log ERROR: opendir ($path) failed";
+ print STDERR "ERROR: opendir ($path) failed: $!"
+ unless $!{ENOENT};
return;
}
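Review bot: the new message on the `print STDERR` line has no trailing newline, so the next diagnostic written to STDERR runs onto the same line; suggest `print STDERR "ERROR: opendir ($path) failed: $!\n"`. Moving the message off stdout is the right fix for the tarball corruption, since everything this code path prints to stdout is interleaved with the archive data being streamed. The `unless $!{ENOENT}` suppression combined with the unconditional `return;` means a missing directory is now silently skipped; that is fine if a vanished directory is expected here, but worth a comment, because it hides the condition from the log entirely.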

diff -u backuppc-3.1.0/lib/BackupPC/CGI/View.pm backuppc-3.1.0/lib/BackupPC/CGI/View.pm
backuppc-3.1.0/lib/BackupPC/CGI/View.pm
+++ backuppc-3.1.0/lib/BackupPC/CGI/View.pm
@@ -46,7 +46,7 @@
my $compress = 0;
my $fh;
my $host = $In{host};
- my $num = $In{num};
+ my $num = ${EscHTML($In{num})};
my $type = $In{type};
my $linkHosts = 0;
my($file, $comment);
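Review bot: escaping at assignment time (`my $num = ${EscHTML($In{num})};`) stores an HTML-escaped value in `$num`, which is then used everywhere the backup number is needed, not only where it is rendered; it would be cleaner to validate the input as an integer (the Browse.pm hunk already does `$num !~ /^\d+$/`) and reject it with `ErrorExit` otherwise, keeping `EscHTML` for the points where `$num` is interpolated into HTML. Note also that the `${...}` form relies on `EscHTML` returning a scalar reference, as the existing `${EscHTML($host)}` usage in Browse.pm indicates; outside a string interpolation that idiom is easy to misread.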
diff -u backuppc-3.1.0/debian/changelog backuppc-3.1.0/debian/changelog
backuppc-3.1.0/debian/changelog
+++ backuppc-3.1.0/debian/changelog
@@ -1,3 +1,13 @@
+backuppc (3.1.0-9.1) stable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix data corruption in tarballs due to logging to stdout
+ (closes: #654692, #558431)
+ * Fix XSS issue (CVE-2011-3361 CVE-2011-4923,
+ closes: #641450, #646865)
+
+ -- Thijs Kinkhorst <thijs@debian.org> Wed, 11 Jan 2012 20:17:35 +0100
+
backuppc (3.1.0-9) unstable; urgency=low

* chown/chmod only the needed dirs. Closes: #531948
only in patch2:
unchanged:
backuppc-3.1.0.orig/lib/BackupPC/CGI/Browse.pm
+++ backuppc-3.1.0/lib/BackupPC/CGI/Browse.pm
@@ -73,8 +73,8 @@
for ( $i = 0 ; $i < @Backups ; $i++ ) {
last if ( $Backups[$i]{num} == $num );
}
- if ( $i >= @Backups ) {
- ErrorExit("Backup number $num for host ${EscHTML($host)} does"
+ if ( $i >= @Backups || $num !~ /^\d+$/ ) {
+ ErrorExit("Backup number ${EscHTML($num)} for host ${EscHTML($host)} does"
. " not exist.");
}
my $backupTime = timeStamp2($Backups[$i]{startTime});
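Review bot: the `$num !~ /^\d+$/` check is evaluated after the `for` loop has already compared `$Backups[$i]{num} == $num`, so a non-numeric `$num` still reaches the numeric comparison (which warns "isn't numeric" under `use warnings` and coerces the value) before the error path runs; suggest doing the format check first, e.g. `ErrorExit("Backup number ${EscHTML($num)} ...") if ( $num !~ /^\d+$/ );` ahead of the loop, so malformed input never takes part in the lookup. Escaping `$num` in the `ErrorExit` message is correct in either ordering.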

To UNSUBSCRIBE, email to debian-bugs-rc-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
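As an added illustration of the failure described above (constructed example code, not BackupPC's own; the sample file contents, member names and the log message are made up), the following writes the same tar archive twice, once with a diagnostic printed onto the archive's own output channel and once with it sent to a separate error channel, and then checks what a consumer can recover from each stream. The standard-library `tarfile` module stands in for BackupPC's archive writer and for `tar` on the receiving side.

```python
import io
import tarfile

# Constructed sample "backup" contents (not real data).
SAMPLE_FILES = {
    "etc/hostname": b"backuphost\n",
    "etc/motd": b"welcome\n",
}
EXPECTED_MEMBERS = sorted(SAMPLE_FILES)

# Constructed diagnostic, modelled on the message the patch moves off stdout.
LOG_LINE = b"log ERROR: opendir (/missing/dir) failed\n"


def write_archive(out, err, *, log_to_stdout, fail_before_member=1):
    """Stream SAMPLE_FILES as a tar archive into `out`, hitting one error on the way.

    `out` and `err` stand in for the archive writer's STDOUT and STDERR.  The
    simulated directory-scan failure happens just before member number
    `fail_before_member` (0 = before any archive data has been written).
    With log_to_stdout=True the diagnostic lands inside the archive stream,
    which is the bug; with False it goes to `err`, which is the fix.
    """
    with tarfile.open(fileobj=out, mode="w") as tar:
        for i, name in enumerate(EXPECTED_MEMBERS):
            if i == fail_before_member:
                (out if log_to_stdout else err).write(LOG_LINE)
            data = SAMPLE_FILES[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def read_member_names(stream):
    """Parse `stream` as an uncompressed tar; return member names, or None if unreadable."""
    try:
        with tarfile.open(fileobj=io.BytesIO(stream), mode="r:") as tar:
            return [m.name for m in tar.getmembers()]
    except tarfile.TarError:
        return None


def run_demo(fail_before_member=1):
    """Produce the archive both ways and report what a consumer recovers from each."""
    results = {}
    for label, to_stdout in (("stdout", True), ("stderr", False)):
        out, err = io.BytesIO(), io.BytesIO()
        write_archive(out, err, log_to_stdout=to_stdout,
                      fail_before_member=fail_before_member)
        members = read_member_names(out.getvalue())
        results[label] = {
            "members": members,                 # what the reader could list
            "intact": members == EXPECTED_MEMBERS,
            "stderr": err.getvalue().decode(),  # where the diagnostic ended up
        }
    return results


if __name__ == "__main__":
    for where in (0, 1):
        for label, r in run_demo(where).items():
            print(f"error before member {where}, diagnostic on {label}: "
                  f"intact={r['intact']} members={r['members']}")
```

A diagnostic written before any archive data makes the stream unparseable from the first header, while one written between members shifts every later header off its 512-byte boundary, so the reader stops early and the remaining files are silently missing. Either way the archive has been corrupted by text that was never meant to be part of it, which is why a process whose stdout carries binary data must send all diagnostics elsewhere. A cheap check on the receiving side is to list the archive (`tar -tf`) and compare the member count against what the backup should contain.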

Replies

#1 Adam D. Barratt
January 11th, 2012 - 03:50 pm ET
On Wed, 2012-01-11 at 20:39 +0100, Thijs Kinkhorst wrote:
> I propose the attached NMU for backuppc for squeeze. This is meant to address
> #654692, a bug where backuppc produces corrupted tarballs. For me this
> data corruption is important enough to want to fix it in squeeze.
>
> The bug was introduced in a Debian-specific patch, and
> oldstable/testing/unstable are not affected.
>
> I've taken the opportunity to include a "no-DSA" XSS fix.

Given that the affected logging code was apparently removed in the
upload immediately following that in Squeeze and the other issues are
fixed in unstable, I'd be happy for you to go ahead with this upload;
thanks.

However, the version information for the logging-related bugs, to be
candid, sucks. Firstly, please add a fixed version to #654692 (I assume
"3.1.0-10" judging from the log). #558431's status is also rather
confused. It appears that -10 was never uploaded directly to the
archive and the upload including the fix didn't use -v, so the bug was
never marked as fixed. I'm also somewhat confused as to why it's tagged
"lenny" given that you indicated that oldstable doesn't include the
affected code.

(As a side note, the "squeeze" tag on #654692 is also redundant. The
affected version is only in stable, so BTS version tracking will do the
right thing anyway, without the addition of any suite tags.)

Regards,

Adam
