diff --git a/BackupPC-3.2.1-fix-XSS-vulnerability.patch b/BackupPC-3.2.1-fix-XSS-vulnerability.patch
new file mode 100644
index 0000000..96ae9b1
--- /dev/null
+++ b/BackupPC-3.2.1-fix-XSS-vulnerability.patch
@@ -0,0 +1,41 @@
+Date: Thu, 27 Oct 2011 16:00:48 -0500
+From: Jamie Strandboge
+To: Craig Barratt , coley@...us.mitre.org,
+ oss-security
+Cc: security@...ntu.com
+Subject: CVE Request: Security issue in backuppc
+
+Hi Craig,
+
+While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
+another XSS vulnerability in View.pm when accessing the following URLs
+in backuppc:
+index.cgi?action=view&type=XferLOG&num=&host=
+index.cgi?action=view&type=XferErr&num=&host=
+
+You are being emailed as the upstream contact. Please keep
+oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
+
+To oss-security, can I have a CVE for this? It is essentially the same
+vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
+of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
+3.0.0, 3.1.0, 3.2.0 and 3.2.1.
+
+--
+Jamie Strandboge | http://www.canonical.com
+
+diff -u backuppc-3.2.0/lib/BackupPC/CGI/View.pm backuppc-3.2.0/lib/BackupPC/CGI/View.pm
+--- backuppc-3.2.0/lib/BackupPC/CGI/View.pm
++++ backuppc-3.2.0/lib/BackupPC/CGI/View.pm
+@@ -46,7 +46,7 @@
+ my $compress = 0;
+ my $fh;
+ my $host = $In{host};
+- my $num = $In{num};
++ my $num = ${EscHTML($In{num})};
+ my $type = $In{type};
+ my $linkHosts = 0;
+ my($file, $comment);
+
+[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
+
diff --git a/BackupPC-README.fedora b/BackupPC-README.fedora
index 2eb08a0..448c279 100644
--- a/BackupPC-README.fedora
+++ b/BackupPC-README.fedora
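Review bot: The embedded View.pm hunk escapes only `$In{num}`, while `$In{host}` and `$In{type}` on the neighbouring lines come from the same query string and the reporter's own trigger URLs name `host=` alongside `num=`; unless those two are validated further down (the enclosing sub starts and ends outside this hunk), the same reflected-XSS path presumably stays open through them. Escaping at assignment also means the entity-encoded value is what `$num` carries into every later use, not just HTML output, whereas a whitelist serves both purposes if `num` is only ever a backup number: `my $num = $In{num};` followed by `$num = "" unless defined($num) && $num =~ /^\d+$/;` — confirm first that an empty `num` is a legitimate value on this page. The mail itself says this is a separate issue from CVE-2011-3361 and asks for a new identifier, so the patch header should cite the CVE that oss-security assigns for it rather than be filed under 3361.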
@@ -1,10 +1,12 @@
 BackupPC's README file for Fedora
 ## BackupPC's user
-For security reasons, backuppc user cannot log in. If you want to start manual backup (ie for debugging), you'll need to set it a shell :
+For security reasons, backuppc user cannot log in. If you want to start manual
+backup (ie for debugging), you'll need to set it a shell :
 usermod -s /bin/bash
-Do not forget to create an SSH key (ssk-keygen) and copy it to remote computers if you plan to use tar/rsynv over SSH backup method.
+Do not forget to create an SSH key (ssk-keygen) and copy it to remote computers
+if you plan to use tar/rsync over SSH backup method.
 ## BackupPC's web interface
 The CGI web interface is located at :
diff --git a/BackupPC.spec b/BackupPC.spec
index 1bcfb59..4e60b3d 100644
--- a/BackupPC.spec
+++ b/BackupPC.spec
@@ -16,7 +16,7 @@ Name: BackupPC
 Version: 3.2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: High-performance backup system
 Group: Applications/System
@@ -26,6 +26,7 @@ Source0: http://downloads.sourceforge.net/backuppc/%{name}-%{version}.tar
 Patch0: BackupPC-3.2.1-locatedb.patch
 Patch1: BackupPC-3.2.1-rundir.patch
 Patch2: BackupPC-3.2.1-piddir.patch
+Patch3: BackupPC-3.2.1-fix-XSS-vulnerability.patch
 Source1: BackupPC.htaccess
 Source2: BackupPC.logrotate
 Source3: BackupPC-README.fedora
@@ -33,6 +34,7 @@ Source3: BackupPC-README.fedora
 Source4: BackupPC_Admin.c
 Source5: backuppc.service
 Source6: BackupPC.tmpfiles
+Source7: README.RHEL
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -42,7 +44,7 @@ BuildRequires: %{_bindir}/rsync
 BuildRequires: %{_sbindir}/sendmail
 BuildRequires: %{_bindir}/split
 BuildRequires: %{_bindir}/ssh
-BuildRequires: perl(Compress::Zlib)
+BuildRequires: perl(Compress::Zlib), perl(Digest::MD5)
 %if 0%{?_with_systemd}
 BuildRequires: systemd-units
 %endif
@@ -52,7 +54,7 @@ Requires: perl(Net::FTP::AutoReconnect), perl(Net::FTP::RetrHandle)
 Requires: httpd
 Requires: perl(File::RsyncP), perl(Compress::Zlib), perl(Archive::Zip)
-Requires: perl-Time-modules, perl(XML::RSS)
+Requires: perl-Time-modules, perl(XML::RSS), perl(Digest::MD5)
 Requires: rsync
 # This is a file dependency so EL5 can use samba or samba-client or
 # samba3x-client
@@ -87,6 +89,7 @@ configurable and easy to install and maintain.
 %patch0 -p1 -b .locatedb
 %patch1 -p1 -b .rundir
 %patch2 -p1 -b .piddir
+%patch3 -p1 -b .fix-XSS-vulnerability
 sed -i "s|\"backuppc\"|\"$LOGNAME\"|g" configure.pl
 for f in ChangeLog doc/BackupPC.pod doc/BackupPC.html; do
@@ -96,6 +99,7 @@ done
 chmod a-x LICENSE README
 cp %{SOURCE3} README.fedora
+cp %{SOURCE7} README.RHEL
 cp %{SOURCE4} BackupPC_Admin.c
 %if ! 0%{?_without_selinux}
@@ -183,13 +187,13 @@ sed -i s,$LOGNAME,backuppc,g init.d/linux-backuppc
 install -d $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d
 install -p -m 0644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/%{name}.conf
 %endif
+install -d $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}
 %if 0%{?_with_systemd}
 install -d $RPM_BUILD_ROOT/%{_unitdir}
 install -p -m 0644 %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/
 %else
 install -d $RPM_BUILD_ROOT/%{_initrddir}
-install -d $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}
 install -p -m 0755 init.d/linux-backuppc $RPM_BUILD_ROOT%{_initrddir}/backuppc
 %endif
@@ -263,9 +267,9 @@ fi
 # add BackupPC backup directories to PRUNEPATHS in locate database
 if [ -w %{_updatedb_conf} ]; then
- grep ^PRUNEPATHS %{_updatedb_conf} | grep %{_sharedstatedir}/%{name} > /dev/null
+ grep ^PRUNEPATHS %{_updatedb_conf} | grep %{_localstatedir}/lib/%{name} > /dev/null
 if [ $? -eq 1 ]; then
- sed -i '\@PRUNEPATHS@s@"$@ '%{_sharedstatedir}/%{name}'"@' %{_updatedb_conf}
+ sed -i '\@PRUNEPATHS@s@"$@ '%{_localstatedir}/lib/%{name}'"@' %{_updatedb_conf}
 fi
 fi
 :
@@ -283,7 +287,7 @@ if [ $1 -eq 0 ]; then
 # remove BackupPC backup directories from PRUNEPATHS in locate database
 if [ -w %{_updatedb_conf} ]; then
- sed -i '\@PRUNEPATHS@s@[ ]*'%{_sharedstatedir}/%{name}'@@' %{_updatedb_conf} || :
+ sed -i '\@PRUNEPATHS@s@[ ]*'%{_localstatedir}/lib/%{name}'@@' %{_updatedb_conf} || :
 fi
 fi
@@ -298,7 +302,7 @@ fi
 %files
 %defattr(-,root,root,-)
-%doc README README.fedora ChangeLog LICENSE doc/
+%doc README README.fedora README.RHEL ChangeLog LICENSE doc/
 %dir %attr(-,backuppc,backuppc) %{_localstatedir}/log/%{name}
 %dir %attr(-,backuppc,backuppc) %{_sysconfdir}/%{name}/
@@ -313,9 +317,8 @@ fi
 %if 0%{?_with_tmpfilesd}
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/%{name}.conf
-%else
-%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}
 %endif
+%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}
 %if 0%{?_with_systemd}
 %{_unitdir}/backuppc.service
@@ -332,6 +335,15 @@ fi
 %endif
 %changelog
+* Sun Jan 22 2012 Bernard Johnson - 3.2.1-7
+- change %%{_sharedstatedir} to %%{_localstatedir}/lib as these expand
+ differently on EL (bz #767719)
+- fix XSS vulnerability (bz #749846, bz #749847, bz #749848) CVE-2011-3361
+- additional documentation about enabling correct channels in RHEL to resolve
+ all dependencies (bz #749627)
+- fix bug with missing tmpfiles.d directory
+- add perl(Digest::MD5) to list of build and install dependencies
+
 * Wed Sep 21 2011 Bernard Johnson - 3.2.1-6
 - fix postun scriptlet error (bz #736946)
 - make postun scriptlet more coherent
diff --git a/README.RHEL b/README.RHEL
new file mode 100644
index 0000000..78c5abe
--- /dev/null
+++ b/README.RHEL
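Review bot: In the `%files` hunk, `%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}` is now packaged unconditionally, which includes the `_with_tmpfilesd` build where that directory lives on a tmpfs and is recreated at boot from `%{_sysconfdir}/tmpfiles.d/%{name}.conf`; the mode and owner written in that conf (Source6, not visible here) must match the 0775 backuppc:backuppc declared in this entry, or the directory's permissions silently change after the first reboot. A one-line reminder above the entry would keep the two from drifting, e.g. `# mode/owner must agree with the d line in BackupPC.tmpfiles`.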
@@ -0,0 +1,22 @@
+If you are installing this software on a Red Hat Enterprise Linux (RHEL)
+server, you will have to subscribe to the "RHEL Server Optional" before
+attempting to install this component. If you do no enable this channel, you
+will receive an error that looks similar to this:
+
+ --> Finished Dependency Resolution
+ Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+ Requires: perl(Archive::Zip)
+ Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+ Requires: perl(XML::RSS)
+ Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+ Requires: perl-Time-modules
+ Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+ Requires: perl(Time::ParseDate)
+ You could try using --skip-broken to work around the problem
+ You could try running: rpm -Va --nofiles --nodigest
+
+
+References:
+http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F
+https://access.redhat.com/kb/docs/DOC-11313
+https://bugzilla.redhat.com/show_bug.cgi?id=749627