[BackupPC] - change %%{_sharedstatedir} to %%{_localstatedir}/lib as these expand differently on EL (bz #7677

Bernard Johnson bjohnson at fedoraproject.org
Mon Jan 23 01:53:13 UTC 2012


commit 1acf8427cc936af63a4df03646037b7663a3752b
Author: Bernard Johnson <bjohnson at symetrix.com>
Date:   Sun Jan 22 18:52:42 2012 -0700

    - change %%{_sharedstatedir} to %%{_localstatedir}/lib as these expand
      differently on EL (bz #767719)
    - fix XSS vulnerability (bz #749846, bz #749847, bz #749848) CVE-2011-3361
    - additional documentation about enabling correct channels in RHEL to resolve
      all dependencies (bz #749627)
    - fix bug with missing tmpfiles.d directory

 BackupPC-3.2.1-fix-XSS-vulnerability.patch |   41 ++++++++++++++++++++++++++++
 BackupPC-README.fedora                     |    6 +++-
 BackupPC.spec                              |   26 +++++++++++------
 README.RHEL                                |   22 +++++++++++++++
 4 files changed, 84 insertions(+), 11 deletions(-)
---
diff --git a/BackupPC-3.2.1-fix-XSS-vulnerability.patch b/BackupPC-3.2.1-fix-XSS-vulnerability.patch
new file mode 100644
index 0000000..96ae9b1
--- /dev/null
+++ b/BackupPC-3.2.1-fix-XSS-vulnerability.patch
@@ -0,0 +1,41 @@
+Date: Thu, 27 Oct 2011 16:00:48 -0500
+From: Jamie Strandboge <jamie at ...onical.com>
+To: Craig Barratt <cbarratt at ...rs.sourceforge.net>, coley at ...us.mitre.org, 
+	oss-security <oss-security at ...ts.openwall.com>
+Cc: security at ...ntu.com
+Subject: CVE Request: Security issue in backuppc
+
+Hi Craig,
+
+While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
+another XSS vulnerability in View.pm when accessing the following URLs
+in backuppc:
+index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
+index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
+
+You are being emailed as the upstream contact. Please keep
+oss-security at ...ts.openwall.com[1] CC'd for any updates on this issue.
+
+To oss-security, can I have a CVE for this? It is essentially the same
+vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
+of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
+3.0.0, 3.1.0, 3.2.0 and 3.2.1.
+
+-- 
+Jamie Strandboge             | http://www.canonical.com
+
+diff -u backuppc-3.2.0/lib/BackupPC/CGI/View.pm backuppc-3.2.0/lib/BackupPC/CGI/View.pm
+--- backuppc-3.2.0/lib/BackupPC/CGI/View.pm
++++ backuppc-3.2.0/lib/BackupPC/CGI/View.pm
+@@ -46,7 +46,7 @@
+     my $compress = 0;
+     my $fh;
+     my $host = $In{host};
+-    my $num  = $In{num};
++    my $num  = ${EscHTML($In{num})};
+     my $type = $In{type};
+     my $linkHosts = 0;
+     my($file, $comment);
+
+[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
+
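Review bot: The changelog line for this commit credits the patch to CVE-2011-3361, but the mail embedded here describes a different issue (the `num` parameter in CGI/View.pm, reached via the `action=view&type=XferLOG` and `type=XferErr` URLs) and explicitly asks oss-security for a separate CVE, noting that CVE-2011-3361 is the CGI/Browse.pm variant; since this patch file touches only View.pm and no Browse.pm change is included, check that the CVE and bug references in the changelog match what is actually fixed. The patch file also carries the entire mail (headers, body, signature and the `[ CONTENT OF TYPE application/pgp-signature SKIPPED ]` marker) rather than just the `diff -u` section; `patch` ignores the leading text, but trimming the file to the diff makes the `backuppc-3.2.0/` prefix that `%patch3 -p1` strips obvious and avoids surprises with stricter tooling. The fix itself, `my $num = ${EscHTML($In{num})};`, escapes at assignment so every later interpolation of `$num` in View.pm gets the escaped value; the `${...}` dereference implies EscHTML returns a reference, which is consistent with the Browse.pm fix the mail refers to.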
diff --git a/BackupPC-README.fedora b/BackupPC-README.fedora
index 2eb08a0..448c279 100644
--- a/BackupPC-README.fedora
+++ b/BackupPC-README.fedora
@@ -1,10 +1,12 @@
 BackupPC's README file for Fedora
 
 ## BackupPC's user
-For security reasons, backuppc user cannot log in. If you want to start manual backup (ie for debugging), you'll need to set it a shell :
+For security reasons, backuppc user cannot log in. If you want to start manual
+backup (ie for debugging), you'll need to set it a shell :
 usermod -s /bin/bash
 
-Do not forget to create an SSH key (ssk-keygen) and copy it to remote computers if you plan to use tar/rsynv over SSH backup method.
+Do not forget to create an SSH key (ssk-keygen) and copy it to remote computers
+if you plan to use tar/rsync over SSH backup method.
 
 ## BackupPC's web interface
 The CGI web interface is located at :
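Review bot: Two errors survive the rewrap of these lines: `usermod -s /bin/bash` is missing the account name (it should be `usermod -s /bin/bash backuppc`, otherwise usermod only prints its usage), and `ssk-keygen` should be `ssh-keygen`. The `rsynv` typo on the second paragraph was corrected, so fix the other two while these lines are being touched.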
diff --git a/BackupPC.spec b/BackupPC.spec
index cbca9b9..e2c5293 100644
--- a/BackupPC.spec
+++ b/BackupPC.spec
@@ -26,6 +26,7 @@ Source0:        http://downloads.sourceforge.net/backuppc/%{name}-%{version}.tar
 Patch0:         BackupPC-3.2.1-locatedb.patch
 Patch1:         BackupPC-3.2.1-rundir.patch
 Patch2:         BackupPC-3.2.1-piddir.patch
+Patch3:         BackupPC-3.2.1-fix-XSS-vulnerability.patch
 Source1:        BackupPC.htaccess
 Source2:        BackupPC.logrotate
 Source3:        BackupPC-README.fedora
@@ -33,6 +34,7 @@ Source3:        BackupPC-README.fedora
 Source4:        BackupPC_Admin.c
 Source5:        backuppc.service
 Source6:        BackupPC.tmpfiles
+Source7:        README.RHEL
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -87,6 +89,7 @@ configurable and easy to install and maintain.
 %patch0 -p1 -b .locatedb
 %patch1 -p1 -b .rundir
 %patch2 -p1 -b .piddir
+%patch3 -p1 -b .fix-XSS-vulnerability
 
 sed -i "s|\"backuppc\"|\"$LOGNAME\"|g" configure.pl
 for f in ChangeLog doc/BackupPC.pod doc/BackupPC.html; do
@@ -96,6 +99,7 @@ done
 chmod a-x LICENSE README
 
 cp %{SOURCE3} README.fedora
+cp %{SOURCE7} README.RHEL
 cp %{SOURCE4} BackupPC_Admin.c
 
 %if ! 0%{?_without_selinux}
@@ -183,13 +187,13 @@ sed -i s,$LOGNAME,backuppc,g init.d/linux-backuppc
 install -d $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d
 install -p -m 0644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/%{name}.conf
 %endif
+install -d $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}
 
 %if 0%{?_with_systemd}
 install -d $RPM_BUILD_ROOT/%{_unitdir}
 install -p -m 0644 %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/
 %else
 install -d $RPM_BUILD_ROOT/%{_initrddir}
-install -d $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}
 install -p -m 0755 init.d/linux-backuppc $RPM_BUILD_ROOT%{_initrddir}/backuppc
 %endif
 
@@ -263,9 +267,9 @@ fi
 
 # add BackupPC backup directories to PRUNEPATHS in locate database
 if [ -w %{_updatedb_conf} ]; then
-  grep ^PRUNEPATHS %{_updatedb_conf} | grep %{_sharedstatedir}/%{name} > /dev/null
+  grep ^PRUNEPATHS %{_updatedb_conf} | grep %{_localstatedir}/lib/%{name} > /dev/null
   if [ $? -eq 1 ]; then
-    sed -i '\@PRUNEPATHS at s@"$@ '%{_sharedstatedir}/%{name}'"@' %{_updatedb_conf}
+    sed -i '\@PRUNEPATHS at s@"$@ '%{_localstatedir}/lib/%{name}'"@' %{_updatedb_conf}
   fi
 fi
 :
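Review bot: `if [ $? -eq 1 ]` adds the entry only when grep exits 1 (no match); a pipeline failure (exit 2, e.g. an unreadable `%{_updatedb_conf}`) silently skips the add, which is the safe direction, but `if ! grep ^PRUNEPATHS %{_updatedb_conf} | grep -q %{_localstatedir}/lib/%{name}; then` expresses the same intent without the `> /dev/null` and the exit-code test. As rendered in this archive, `\@PRUNEPATHS at s@"$@` is the list's address munging of `\@PRUNEPATHS@s@"$@` (the same `x at y` rewriting applied to the e-mail addresses above), so the actual spec line reads `sed -i '\@PRUNEPATHS@s@"$@ '%{_localstatedir}/lib/%{name}'"@' %{_updatedb_conf}`; the swap from `%{_sharedstatedir}` to `%{_localstatedir}/lib` is otherwise a straight path change in both the grep and the sed.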
@@ -283,7 +287,7 @@ if [ $1 -eq 0 ]; then
 
   # remove BackupPC backup directories from PRUNEPATHS in locate database
   if [ -w %{_updatedb_conf} ]; then
-    sed -i '\@PRUNEPATHS at s@[ ]*'%{_sharedstatedir}/%{name}'@@' %{_updatedb_conf} || :
+    sed -i '\@PRUNEPATHS at s@[ ]*'%{_localstatedir}/lib/%{name}'@@' %{_updatedb_conf} || :
   fi
 fi
 
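Review bot: The removal only knows the new `%{_localstatedir}/lib/%{name}` spelling. On an EL host where an earlier build's %post appended the `%{_sharedstatedir}/%{name}` expansion (the reason for this change, per the commit message), the old package's %postun runs on upgrade with `$1 -eq 1` and therefore does nothing, so the stale path stays in PRUNEPATHS and is never cleaned up. Consider stripping the old expansion as well, e.g. a second `sed` in %post (or here) with `%{_sharedstatedir}/%{name}`, so hosts that upgrade end up with a single correct entry.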
@@ -298,7 +302,7 @@ fi
 
 %files
 %defattr(-,root,root,-)
-%doc README README.fedora ChangeLog LICENSE doc/
+%doc README README.fedora README.RHEL ChangeLog LICENSE doc/
 
 %dir %attr(-,backuppc,backuppc) %{_localstatedir}/log/%{name} 
 %dir %attr(-,backuppc,backuppc) %{_sysconfdir}/%{name}/
@@ -313,9 +317,8 @@ fi
 
 %if 0%{?_with_tmpfilesd}
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/%{name}.conf
-%else
-%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name} 
 %endif
+%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name} 
 
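Review bot: `%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}` is now packaged regardless of `_with_tmpfilesd`, matching the `install -d $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}` that was moved out of the `%else` branch in the install section. On hosts where `/var/run` is a tmpfs the packaged directory disappears at reboot and only `BackupPC.tmpfiles` (Source6, installed as `tmpfiles.d/%{name}.conf`) recreates it, so check that the tmpfiles entry specifies the same mode and owner (0775 backuppc:backuppc) as this %attr, otherwise the daemon's run directory has different permissions after the first reboot than at install time. The added line also keeps the trailing space of the line it replaces; harmless, but worth trimming.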
 %if 0%{?_with_systemd}
 %{_unitdir}/backuppc.service
@@ -332,8 +335,13 @@ fi
 %endif
 
 %changelog
-* Thu Jan 12 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.2.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+* Sun Jan 22 2012 Bernard Johnson <bjohnson at symetrix.com> - 3.2.1-7
+- change %%{_sharedstatedir} to %%{_localstatedir}/lib as these expand
+  differently on EL (bz #767719)
+- fix XSS vulnerability (bz #749846, bz #749847, bz #749848) CVE-2011-3361
+- additional documentation about enabling correct channels in RHEL to resolve
+  all dependencies (bz #749627)
+- fix bug with missing tmpfiles.d directory
 
 * Wed Sep 21 2011 Bernard Johnson <bjohnson at symetrix.com> - 3.2.1-6
 - fix postun scriptlet error (bz #736946)
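Review bot: The new entry replaces the `Thu Jan 12 2012 Fedora Release Engineering ... - 3.2.1-7` mass-rebuild entry instead of being added above it, and reuses the same `3.2.1-7` version-release. Changelog entries should not be dropped, and a build that adds a security patch needs a bumped Release (3.2.1-8 here, with a matching `Release:` tag change, which this diff does not contain) so that it sorts above and supersedes the mass-rebuild build; with the same EVR, rpm and yum treat the two builds as the same package. Restore the Jan 12 entry and add this one above it with the new release.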
diff --git a/README.RHEL b/README.RHEL
new file mode 100644
index 0000000..78c5abe
--- /dev/null
+++ b/README.RHEL
@@ -0,0 +1,22 @@
+If you are installing this software on a Red Hat Enterprise Linux (RHEL)
+server, you will have to subscribe to the "RHEL Server Optional" before
+attempting to install this component.  If you do no enable this channel, you
+will receive an error that looks similar to this:
+
+   --> Finished Dependency Resolution
+  Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+             Requires: perl(Archive::Zip)
+  Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+             Requires: perl(XML::RSS)
+  Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+             Requires: perl-Time-modules
+  Error: Package: BackupPC-3.2.1-1.el6.x86_64 (epel)
+             Requires: perl(Time::ParseDate)
+   You could try using --skip-broken to work around the problem
+   You could try running: rpm -Va --nofiles --nodigest
+
+
+References:
+http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F
+https://access.redhat.com/kb/docs/DOC-11313
+https://bugzilla.redhat.com/show_bug.cgi?id=749627
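Review bot: `If you do no enable this channel` should read `do not`, and `subscribe to the "RHEL Server Optional" before attempting` is missing its noun (`the "RHEL Server Optional" channel`). The sample yum output is a useful illustration, but the text could state that all four listed requirements (perl(Archive::Zip), perl(XML::RSS), perl-Time-modules, perl(Time::ParseDate)) come from that channel, so the reader knows that enabling it is the whole fix rather than one of several steps. The two blank lines before `References:` can be one.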

