Several distros (e.g. Ubuntu) have recently dealt with the problem mentioned in the subject line by adding a patch in the module lib/BackupPC/CGI/RestoreFile.pm.
A bug requesting this security issue to be fixed has now also been filed in Mageia. Trying to follow up on this bug, I realised that

- according to the references quoted for CVE-2011-5081, the bug is "fixed by vendor" (the CVE notice dates from April 2011)
- trying the commands proposed as PoC on my (un-patched) backuppc 3.2.1 installation, there was no apparent problem.

Am I right in assuming that the patch in RestoreFile.pm is not needed (and that backuppc developers have solved the problem by a modification different from that proposed in the RestoreFile.pm patch)? I would very much appreciate receiving confirmation in order to be able to close the bug as resolved by "upstream".

(PS: I also tried applying the patch proposed for RestoreFile.pm and did not see any difference in the response to the PoC commands.)

Juergen

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/