[SRM] proposed update backuppc for squeeze

To: 654692@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: [SRM] proposed update backuppc for squeeze
From: "Thijs Kinkhorst" <thijs@debian.org>
Date: Wed, 11 Jan 2012 20:39:39 +0100
Message-id: <[🔎] e39ac90b69d2afdc8a15f9b3601a7b8e.squirrel@wm.kinkhorst.nl>

Hi,

I propose attached NMU for backuppc for squeeze. This is meant to address
#654692, a bug where backuppc produces corrupted tarballs. For me this
data corruption is important enough to want to fix it in squeeze.

The bug was introduced in a Debian-specific patch, and
oldstable/testing/unstable are not affected.

I've taken the opportunity to include a "no-DSA" XSS fix.

Ludovic, NMU is not intended as criticism of any kind - I just think the
issue is important enough to push forward with an update for squeeze and
hope to help get this done.

SRM's: let me know if it is acceptable.


cheers,
Thijs

diff -u backuppc-3.1.0/lib/BackupPC/Lib.pm backuppc-3.1.0/lib/BackupPC/Lib.pm
--- backuppc-3.1.0/lib/BackupPC/Lib.pm
+++ backuppc-3.1.0/lib/BackupPC/Lib.pm
@@ -488,7 +488,8 @@
 #    return if ( !opendir(my $fh, $path) );
     my ($fh);
     if ( !opendir($fh, $path) ) {
-       print "log ERROR: opendir ($path) failed\n";
+       print STDERR "ERROR: opendir ($path) failed: $!\n"
+           unless $!{ENOENT};
        return;
     }
 
diff -u backuppc-3.1.0/lib/BackupPC/CGI/View.pm backuppc-3.1.0/lib/BackupPC/CGI/View.pm
--- backuppc-3.1.0/lib/BackupPC/CGI/View.pm
+++ backuppc-3.1.0/lib/BackupPC/CGI/View.pm
@@ -46,7 +46,7 @@
     my $compress = 0;
     my $fh;
     my $host = $In{host};
-    my $num  = $In{num};
+    my $num  = ${EscHTML($In{num})};
     my $type = $In{type};
     my $linkHosts = 0;
     my($file, $comment);
diff -u backuppc-3.1.0/debian/changelog backuppc-3.1.0/debian/changelog
--- backuppc-3.1.0/debian/changelog
+++ backuppc-3.1.0/debian/changelog
@@ -1,3 +1,13 @@
+backuppc (3.1.0-9.1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix data corruption in tarballs due to logging to stdout
+    (closes: #654692, #558431)
+  * Fix XSS issue (CVE-2011-3361 CVE-2011-4923,
+    closes: #641450, #646865)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Wed, 11 Jan 2012 20:17:35 +0100
+
 backuppc (3.1.0-9) unstable; urgency=low
 
   * chown/chmod only the needed dirs. Closes: #531948
only in patch2:
unchanged:
--- backuppc-3.1.0.orig/lib/BackupPC/CGI/Browse.pm
+++ backuppc-3.1.0/lib/BackupPC/CGI/Browse.pm
@@ -73,8 +73,8 @@
     for ( $i = 0 ; $i < @Backups ; $i++ ) {
         last if ( $Backups[$i]{num} == $num );
     }
-    if ( $i >= @Backups ) {
-        ErrorExit("Backup number $num for host ${EscHTML($host)} does"
+    if ( $i >= @Backups || $num !~ /^\d+$/ ) {
+        ErrorExit("Backup number ${EscHTML($num)} for host ${EscHTML($host)} does"
 	        . " not exist.");
     }
     my $backupTime = timeStamp2($Backups[$i]{startTime});

Reply to:

Follow-Ups:
- Re: [SRM] proposed update backuppc for squeeze
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Upcoming stable point release
Next by Date: Re: [SRM] proposed update backuppc for squeeze
Previous by thread: Re: Upcoming stable point release
Next by thread: Re: [SRM] proposed update backuppc for squeeze
Index(es):
- Date
- Thread