| Summary: | BackupPC 3.2.1 fixes cross site scripting | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Vigier <boklm> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, derekjenn, juergen.harms, olivier, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | backuppc | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 600 | | |
| Attachments: | Spec file for building backuppc-3.2.1; Debian security patch adapted to new source of EditConfig.pm; notes on items to verify/adapt in the 3.2.1 spec-file; Corrected spec file for backuppc-3.2.1 | | |
Description

Nicolas Vigier 2011-09-13 16:29:45 CEST

Package with upstream patch submitted in updates_testing.

Nicolas Vigier 2011-09-13 17:21:22 CEST

Assignee: bugsquad => qa-bugs

Package was rejected on build system because of new rpmlint rule, with the error malformed-line-in-lsb-comment-block. init script was fixed and package submitted again to updates_testing.

Tested backuppc-3.2.0-3.1.mga1.x86_64.rpm on x86_64

Web interface is not functional. See comment 9 on Bug 600 https://bugs.mageia.org/show_bug.cgi?id=600#c19

If I do
chmod 04755 /var/www/backuppc/BackupPC_Admin
chmod 0755 /var/www/backuppc/BackupPC_Admin.cgi
Web interface works OK

Otherwise backuppc seems to be functioning OK. It is busy at the moment backing up my server.

CC: (none) => derekjenn

Still requires testing i586

CC: (none) => eeeemail

I don't have a packager account anymore, so cannot fix that. But Juergen Harms seemed to be interested in becoming maintainer of this package, so assigning this to him.

Assignee: boklm => juergen.harms

Rather than fixing 2.3.0.mga, I suggest to fetch 2.3.1 from upstream: 2.3.1 is a stability update and has the patch mentioned by Nicolas already incorporated (but, evidently, 2.3.1 is not yet tested in Mageia - which should not present problems since the new version only announces a couple of bug fixes).

I have done what I can to prepare a corresponding version that is packaged for Mageia (also fixing the problems mentioned in #600; in addition, there is a security fix for prohibiting ClientNameAlias, that is not correctly handled in 2.3.0.mga: the diff file needs to be adapted to the new source of EditConfig.pm). But I am now stuck until I have got some packaging training and there is a channel for properly pushing a corrected package.

In case somebody wants to pick up the spec file I tried to adapt - and I suggest also the corrected patch file for the security fix - just tell me.
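The permission fix reported earlier in this thread (04755 on the BackupPC_Admin wrapper, 0755 on BackupPC_Admin.cgi) is the kind of thing a package update can silently regress, so it is worth checking on an installed system rather than assuming it. The script below is an added example, not code from the bug report or from BackupPC or Mageia; it assumes the /var/www/backuppc layout quoted in the thread (override with BACKUPPC_CGI_DIR), and it needs GNU stat from coreutils.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the BackupPC CGI files for
# exactly the permissions the thread reports as working, so a packaged or
# hand-fixed install can be verified instead of guessed at.
# Directory and file names are the ones quoted in the thread; for any other
# layout they are an assumption. Requires GNU stat (coreutils).

# mode_of FILE: print the octal permission bits of FILE, including the
# setuid/setgid/sticky bits (e.g. "4755" for a setuid executable).
mode_of() {
    stat -c '%a' "$1"
}

# check_mode FILE EXPECTED: succeed only if FILE exists and its mode is
# exactly EXPECTED; report the mismatch on stderr otherwise.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "missing: $1" >&2
        return 1
    fi
    actual=$(mode_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "$1: mode $actual, expected $2" >&2
        return 1
    fi
    return 0
}

# check_backuppc_cgi DIR: audit both files under DIR. Succeeds only if the
# wrapper is setuid (4755) and the Perl script is plain 755; an unexpected
# setuid bit on the .cgi is reported as a failure as well.
check_backuppc_cgi() {
    dir="$1"
    rc=0
    check_mode "$dir/BackupPC_Admin" 4755 || rc=1
    check_mode "$dir/BackupPC_Admin.cgi" 755 || rc=1
    return "$rc"
}

# Usage: sh check_backuppc_perms.sh --run
# Audits the default install location quoted in the thread.
if [ "${1:-}" = "--run" ]; then
    check_backuppc_cgi "${BACKUPPC_CGI_DIR:-/var/www/backuppc}" && echo "permissions OK"
fi
```

Run it with `--run` after installing or upgrading the package; a non-zero exit with a message on stderr means the web interface will most likely fail in the way described above, and the two chmod commands from the thread are the fix.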
Juergen Harms 2011-10-11 10:11:22 CEST

CC: (none) => juergen.harms

Juergen, if you do not have SVN access yet, attach the spec file here and I can test it out. Have you been assigned a mentor to show you the procedures yet?

Created attachment 936 [details]
Spec file for building backuppc-3.2.1

Created attachment 937 [details]
Debian security patch adapted to new source of EditConfig.pm

Created attachment 938 [details]
notes on items to verify/adapt in the 3.2.1 spec-file

Thanks if you can pick this up, that would help to rapidly get #600 and #2736 resolved.

Yes, I have a mentor assigned, but he looks overloaded. I will prompt him again; I urgently need some starting help and training - as you see from the things I had to leave open in the spec file. I added an additional attachment "notes" to point out things which need to be fixed in the spec file / where I do not feel safe.

Hello, I'm the mentor :) I suggested not to start with this package for mentoring, as it is quite difficult. I just read today's e-mail, and Juergen doesn't seem to be fluent with rpmbuild, SVN and mgarepo, so it will take some time to have the package updated correctly by him.

CC: (none) => olivier

Created attachment 946 [details]
Corrected spec file for backuppc-3.2.1

Attachment 946 [details] is a spec file for backuppc-3.2.1 that builds (locally on my system) correctly. I have installed backuppc from this package on an i586 system: works without problems.

rpmlint displays a lot of warnings - most of them concerning the source code, some of them packaging problems (should be solved before the package is made available).

@Juergen Harms: do you get my e-mails? I receive no replies....

The following summary should be helpful.

Present situation
-----------------
There are 3 known problems:
A. the "permission bug" (bugzilla #600, description)
B. the "apache server bug" (bugzilla #600, comment 19)
C. the "XSS problem" (bugzilla #2736, description)

(A) and (B) are "show-stoppers" - (B) only for systems that use an apache server: backuppc will not work correctly as long as these bugs are not fixed.

Given this discussion, and looking at the Mageia SVN, there are 3 activities with respect to backuppc:
1. Mageia 1 updates (backuppc-3.2.0-3.1)
   - incorporates a patch against (C)
   - fixes the init script
2. Cauldron (backuppc-3.2.0-4)
   - incorporates a patch against (C)
   - fixes the init script
3. The present bugzilla discussion, i.e. attachment 946 [details] (backuppc-3.2.1)
   - imports 3.2.1 from upstream - no need any more to fix (C)
   - incorporates patches against (A) and (B)
   - to be clarified: the correction of the init script might still be necessary (the updates applied in 3.2.1 and the fix of (C) both create the same source text)

Derek pointed out that in all three the "Source:" statement is incorrect (but without negative consequences on functionality) - it should not be
http://sourceforge.net/projects/backuppc/%{Name}-%{version}.tar.gz
but rather
http://downloads.sourceforge.net/backuppc/%{Name}-%{version}.tar.gz
(sorry, Derek, I missed out on that - I was somewhat hectic reacting on Olivier's gentle note and documenting what I have done).

Conclusion
----------
Both (1) and (2) do not include fixes for (A) and (B) - they will not work without manual fixes after installation of the backuppc package. (3) provides a correctly working backuppc, but still needs correcting the "Source:" statement and - possibly - the init script (plus the evident corrections for a correct build procedure respecting Mageia conventions).

But (C) is a "free-lance" activity - it may be useful as a quick fix to rapidly obtain an operational package, but it should not be pursued outside the orderly procedures of Mageia.

Suggestions
-----------
Merge/coordinate the 3 concurrent activities on backuppc (Mageia 1 update, Cauldron development, Bugzilla proposed fixes). IMHO, the best would be to suspend the development of 3.2.0-3.1 in cauldron - 3.2.0 is obsoleted by the availability of backuppc-3.2.1 at sourceforge - and create a 3.2.1 as an update package for Mageia 1 - which then can go to cauldron as a starting point for what will be released in Mageia 2.

A decision must be made who will pursue this activity. I am willing to continue, but that is not possible unless I manage to establish a 2-way dialog with my mentor, and he adjusts his defensive view of my competence and productivity. Given what has now been done, producing a properly built update package with 3.2.1 should not be "la mer a boire" and be possible within a reasonable time (with sufficient margin to go to Cauldron as a base for Mageia 2).

There was a mid-air collision between comment 17 and 18. In the meantime, I went to our pop server to verify whether messages have been locally lost. I have received 3 messages (your initial "I am your mentor" message - 3.10. -, your "what do you know" message - 4.10. - and your message in reply to my prompt - yesterday noon). Unfortunately Thunderbird had decided that this last message had to go to my junk folder (thunderbird says it can be educated) - as you can see, I was quite busy yesterday and did not yet scavenge for bad junk hits. Let us resume this in direct mail - seeing your last message, I regret my comment on 2-way communication and think that we will work smoothly together.

Our discussion should have 2 issues (more if you want) - (1) how I develop the necessary skills - I agree, step by step and not jumping the gun, and (2) how that reflects on winding down the backuppc issue - we will feed the outcome back to this list.

I don't really understand what I screwed up, but with no answers to my e-mail, I can't change anything. Never mind.

The general policy for packages is:
- to put the last one in Cauldron
- the minimal modifications for a safe and working package in 1/updates
- a new version with useful new features for 1 in 1/backports (which is not open for the moment)

This means that backuppc-3.2.1 can go to Cauldron, with any patch needed. This means that the current version in Mageia 1 should be patched for security problems only. If the current version is no more supported by upstream, you can provide a newer version (this is a difference in policy with mandriva). You can provide backuppc-3.2.1 built on Mageia 1 in 1/backports, for people who want to take the risk of a new version on their system.

If you can provide a SRPM containing all the patches and your last spec, I can put it in the svn and submit it to cauldron. After that, you can ask for a maintainer account and handle the thing yourself.

Again, new collision... So ok, all things are in order.
claire robinson 2011-10-13 11:25:23 CEST

CC: eeeemail => (none)

backuppc-2.3.0-4 with all open issues fixed (bugzilla #600, #2736) is now in updates_testing

Juergen Harms 2011-11-12 14:40:32 CET

Assignee: juergen.harms => qa-bugs

Manuel Hiebel 2011-11-12 17:26:47 CET

Blocks: (none) => 600

Validated OK on x86_64 and i586

Test Procedure
--------------
Upgraded my working production backuppc with test candidate x86_64. All functions work OK: Web interface, Backup, and Restore. Verified default configuration files are sane.
Repeated tests using i586 version.

Could someone from sysadmin please push backuppc-3.2.0-4.mga1.src.rpm from Core_Updates_Testing to Core_Updates

Advisory
--------
This update fixes a cross site scripting flaw on backuppc CVE-2011-3361 and also allows backuppc to operate on Apache web servers without perl-suid which is no longer included in Mageia.

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED