diff --git a/BackupPC-3.2.1-fix-XSS-vulnerability.patch b/BackupPC-3.2.1-fix-XSS-vulnerability.patch deleted file mode 100644 index 96ae9b1..0000000 --- a/BackupPC-3.2.1-fix-XSS-vulnerability.patch +++ /dev/null @@ -1,41 +0,0 @@ -Date: Thu, 27 Oct 2011 16:00:48 -0500 -From: Jamie Strandboge -To: Craig Barratt , coley@...us.mitre.org, - oss-security -Cc: security@...ntu.com -Subject: CVE Request: Security issue in backuppc - -Hi Craig, - -While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered -another XSS vulnerability in View.pm when accessing the following URLs -in backuppc: -index.cgi?action=view&type=XferLOG&num=&host= -index.cgi?action=view&type=XferErr&num=&host= - -You are being emailed as the upstream contact. Please keep -oss-security@...ts.openwall.com[1] CC'd for any updates on this issue. - -To oss-security, can I have a CVE for this? It is essentially the same -vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead -of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on -3.0.0, 3.1.0, 3.2.0 and 3.2.1. - --- -Jamie Strandboge | http://www.canonical.com - -diff -u backuppc-3.2.0/lib/BackupPC/CGI/View.pm backuppc-3.2.0/lib/BackupPC/CGI/View.pm ---- backuppc-3.2.0/lib/BackupPC/CGI/View.pm -+++ backuppc-3.2.0/lib/BackupPC/CGI/View.pm -@@ -46,7 +46,7 @@ - my $compress = 0; - my $fh; - my $host = $In{host}; -- my $num = $In{num}; -+ my $num = ${EscHTML($In{num})}; - my $type = $In{type}; - my $linkHosts = 0; - my($file, $comment); - -[ CONTENT OF TYPE application/pgp-signature SKIPPED ] - diff --git a/BackupPC-3.2.1-fix-XSS-vulnerability2.patch b/BackupPC-3.2.1-fix-XSS-vulnerability2.patch deleted file mode 100644 index 32e28bb..0000000 --- a/BackupPC-3.2.1-fix-XSS-vulnerability2.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -CVE-2011-5081 BackupPC: XSS flaw in RestoreFile.pm ---- backuppc-3.2.1.orig/lib/BackupPC/CGI/RestoreFile.pm -+++ backuppc-3.2.1/lib/BackupPC/CGI/RestoreFile.pm -@@ -154,12 +154,12 @@ - my $a = $view->fileAttrib($num, $share, $dir); - if ( $dir =~ m{(^|/)\.\.(/|$)} || !defined($a) ) { - $dir = decode_utf8($dir); -- ErrorExit("Can't restore bad file ${EscHTML($dir)} ($num, $share)"); -+ ErrorExit("Can't restore bad file ${EscHTML($dir)} (${EscHTML($num)}, ${EscHTML($share)})"); - } - my $f = BackupPC::FileZIO->open($a->{fullPath}, 0, $a->{compress}); - if ( !defined($f) ) { - my $fullPath = decode_utf8($a->{fullPath}); -- ErrorExit("Unable to open file ${EscHTML($fullPath)} ($num, $share)"); -+ ErrorExit("Unable to open file ${EscHTML($fullPath)} (${EscHTML($num)}, ${EscHTML($share)})"); - } - my $data; - if ( !$skipHardLink && $a->{type} == BPC_FTYPE_HARDLINK ) { diff --git a/BackupPC-3.2.1-qw.patch b/BackupPC-3.2.1-qw.patch deleted file mode 100644 index 859ed09..0000000 --- a/BackupPC-3.2.1-qw.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -Remove these messages: -Text.pm: Use of qw(...) as parentheses is deprecated at /usr/share/BackupPC/lib/BackupPC/Storage/Text.pm line 301. -Lib.pm: Use of qw(...) as parentheses is deprecated at /usr/share/BackupPC/lib/BackupPC/Lib.pm line 1412. - -diff -Naur BackupPC-3.2.1-pristine/lib/BackupPC/Lib.pm BackupPC-3.2.1/lib/BackupPC/Lib.pm ---- BackupPC-3.2.1-pristine/lib/BackupPC/Lib.pm 2012-12-24 15:01:44.518877629 -0700 -+++ BackupPC-3.2.1/lib/BackupPC/Lib.pm 2011-04-24 21:31:55.000000000 -0600 -@@ -1409,7 +1409,7 @@ - - $conf->{$shareName} = [ $conf->{$shareName} ] - if ( ref($conf->{$shareName}) ne "ARRAY" ); -- foreach my $param qw(BackupFilesOnly BackupFilesExclude) { -+ foreach my $param (qw(BackupFilesOnly BackupFilesExclude)) { - next if ( !defined($conf->{$param}) ); - if ( ref($conf->{$param}) eq "HASH" ) { - # -diff -Naur BackupPC-3.2.1-pristine/lib/BackupPC/Storage/Text.pm BackupPC-3.2.1/lib/BackupPC/Storage/Text.pm ---- BackupPC-3.2.1-pristine/lib/BackupPC/Storage/Text.pm 2012-12-24 15:03:16.017830715 -0700 -+++ BackupPC-3.2.1/lib/BackupPC/Storage/Text.pm 2011-04-24 21:31:55.000000000 -0600 -@@ -298,7 +298,7 @@ - # - # Promote BackupFilesOnly and BackupFilesExclude to hashes - # -- foreach my $param qw(BackupFilesOnly BackupFilesExclude) { -+ foreach my $param (qw(BackupFilesOnly BackupFilesExclude)) { - next if ( !defined($conf->{$param}) || ref($conf->{$param}) eq "HASH" ); - $conf->{$param} = [ $conf->{$param} ] - if ( ref($conf->{$param}) ne "ARRAY" ); diff --git a/BackupPC.spec b/BackupPC.spec index d446a24..5a17d3c 100644 --- a/BackupPC.spec +++ b/BackupPC.spec @@ -11,8 +11,8 @@ %global _updatedb_conf /etc/updatedb.conf Name: BackupPC -Version: 3.2.1 -Release: 15%{?dist} +Version: 3.3.0 +Release: 1%{?dist} Summary: High-performance backup system Group: Applications/System License: GPLv2+ 
@@ -22,9 +22,6 @@ Source0: http://downloads.sourceforge.net/backuppc/%{name}-%{version}.tar Patch0: BackupPC-3.2.1-locatedb.patch Patch1: BackupPC-3.2.1-rundir.patch Patch2: BackupPC-3.2.1-piddir.patch -Patch3: BackupPC-3.2.1-fix-XSS-vulnerability.patch -Patch4: BackupPC-3.2.1-fix-XSS-vulnerability2.patch -Patch5: BackupPC-3.2.1-qw.patch Source1: BackupPC.htaccess Source2: BackupPC.logrotate Source3: BackupPC-README.fedora @@ -90,15 +87,43 @@ configurable and easy to install and maintain. %patch0 -p1 -b .locatedb %patch1 -p1 -b .rundir %patch2 -p1 -b .piddir -%patch3 -p1 -b .fix-XSS-vulnerability -%patch4 -p1 -b .fix-XSS-vulnerability2 -%patch5 -p1 -b .qw sed -i "s|\"backuppc\"|\"$LOGNAME\"|g" configure.pl for f in ChangeLog doc/BackupPC.pod doc/BackupPC.html; do iconv -f ISO-8859-1 -t UTF-8 $f > $f.utf && mv $f.utf $f done +#incorrect FSF address +sed -i 's|59 Temple Place, Suite 330, Boston, MA *02111-1307 USA|51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA|' \ + lib/BackupPC/CGI/Queue.pm \ + bin/BackupPC_archive \ + lib/BackupPC/CGI/StartServer.pm \ + lib/BackupPC/CGI/HostInfo.pm \ + lib/BackupPC/CGI/Archive.pm \ + lib/BackupPC/CGI/LOGlist.pm \ + lib/BackupPC/FileZIO.pm \ + lib/BackupPC/CGI/GeneralInfo.pm \ + lib/BackupPC/CGI/Browse.pm \ + lib/BackupPC/CGI/RSS.pm \ + lib/BackupPC/CGI/Restore.pm \ + lib/BackupPC/CGI/RestoreFile.pm \ + bin/BackupPC_restore \ + lib/BackupPC/CGI/DirHistory.pm \ + lib/BackupPC/Xfer/Archive.pm \ + lib/BackupPC/Config/Meta.pm \ + lib/BackupPC/CGI/ArchiveInfo.pm \ + lib/BackupPC/CGI/ReloadServer.pm \ + lib/BackupPC/CGI/View.pm \ + bin/BackupPC_tarExtract \ + lib/BackupPC/CGI/EmailSummary.pm \ + lib/BackupPC/Xfer/RsyncFileIO.pm \ + lib/BackupPC/CGI/RestoreInfo.pm \ + lib/BackupPC/CGI/StartStopBackup.pm \ + lib/BackupPC/CGI/StopServer.pm \ + lib/BackupPC/CGI/AdminOptions.pm \ + lib/BackupPC/CGI/Summary.pm \ + lib/BackupPC/CGI/EditConfig.pm + chmod a-x LICENSE README cp %{SOURCE3} README.fedora 
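Review bot: Dropping `%patch3` and `%patch4` from %prep removes the only place this package applied the HTML escaping for `CGI/View.pm` and `CGI/RestoreFile.pm` (CVE-2011-5081), and nothing in the spec records that the 3.3.0 tarball carries equivalent fixes. The changelog entry says only "Remove no longer needed patches". I would name the fixes there, e.g. `- Drop XSS patches for CGI/View.pm and CGI/RestoreFile.pm (CVE-2011-5081), included upstream in 3.3.0`, once it is confirmed that upstream escapes `$In{num}` in View.pm and the `$num`/`$share` values in the RestoreFile.pm `ErrorExit` messages. Separately, the new `sed -i` for the FSF address exits successfully on any listed file where the old address no longer matches, so the file list (presumably taken from rpmlint output) can go stale unnoticed. A one-line comment above it stating which release the list was generated against would help the next rebase.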
@@ -338,6 +363,11 @@ fi %endif %changelog +* Sun Apr 28 2013 Johan Cwiklinski 3.3.0-1 +- Last upstream release +- Remove no longer needeed patches +- Fix incorrect-fsf-address to reduce rpmlint output + * Fri Feb 21 2014 Bernard Johnson - 3.3.0-1 - v 3.3.0 - fixed typos