Bug 6530 - Path to ssh missing in backuppc config file (also CVE-2011-5081 and CVE-2011-4923) [mga1]
: Path to ssh missing in backuppc config file (also CVE-2011-5081 and CVE-2011-...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
: 1
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: MGA1-32-OK MGA1-64-OK
: validated_update
: 6005
:
  Show dependency treegraph
 
Reported: 2012-06-21 11:10 CEST by Derek Jennings
Modified: 2012-07-14 00:57 CEST (History)
6 users (show)

See Also:
Source RPM: backuppc-3.2.1-6.mga2
CVE:


Attachments

Description Derek Jennings 2012-06-21 11:10:00 CEST
Description of problem:
The backuppc config file config.pl ships with sane default settings apart from the path to ssh $Conf{SshPath} = '';  which defaults to NULL


With $Conf{SshPath} left as default backuppc all backups fail.
It would be a help to newcomers to backuppc os the ssh path was predefined just like all the other programme paths in the configuration.
(Actually $Conf{ParPath} is not defined either, but that parameter is not commonly needed.)
Comment 1 Derek Jennings 2012-06-21 11:23:48 CEST
cc'ing Juergen
This is only a minor problem, but it managed to confuse me for half an hour when installing backuppc on a clients server recently.
Comment 2 Juergen Harms 2012-06-22 07:58:33 CEST
Thank you for signalling this, I share your opinion on what the default configuration should offer.

I am presently on vacation with limited bandwidth and away from my server - will have a closer look in two weeks.

Juergen
Comment 3 Derek Jennings 2012-06-22 10:51:18 CEST
The path to smbclient is also missing, as I found out yesterday when I tried to set up a new client.
Comment 4 Juergen Harms 2012-06-22 22:18:05 CEST
Before doing these 2 corrections, I will have a serious look at the standard default file and check whether I find other issues that should be corrected (my private config file had its own life, and I had never gone back to the standard default file - time to do that).
Comment 5 Juergen Harms 2012-06-26 12:02:02 CEST
In fact, the spec file of the backuppc package contains a list of path-name hashes that are modifyed for Mageia customisation:

- the line that redefines SmbClientPath contained a typo (redefined it to TarClientPath rather than SmbClientPath),
- a line for defining SshPath was missing,
- there was yet another path (NmbLookupPath) for which the Mageia-specific definition was not defined.

I have prepared a new version with a corrected spec file. I will test and push the new version next week when I am back home.

These issues also concern Mageia 1 and Cauldron (probably imported from Mandriva): flagging this in the whiteboard.
Comment 6 Juergen Harms 2012-07-04 10:45:27 CEST
The update is now tested and - in principle - ready. There is one issue where I would like to get a second opinion:

As I have it now, the update corrects / adds definitions for distro-dependant path variables for Linux utilities (SmbClientPath, SshPath, NmbLookupPath) - as required in the bug report.

Shall I also add the definition of the variable TopDir (its value must be /var/lib/backuppc to make backuppc work properly)? that goes beyond a strict interpretation of the bug report - and each user can edit config.pl locally. But if this bug aims at facilitating the installation of backuppc by new users, that would make much sense (documentation on this is issue is not easy to find / interpret and may be a stumbling block for a new user).

An alternative to include the definition of TopDir in this update would be to do it in Cauldron -> Mageia3.
Comment 7 Juergen Harms 2012-07-04 20:38:21 CEST
Updated packages have been pushed to updates_testing on Mageia 1 and 2 (including the definition of the TopDir variable).

The Mageia 1 update package also fixes a bug relative to the ownership of files in /etc/backuppc (the Configuration Editor could not write the results of editing to the configuration file) - already corrected in Mageia 2 during its pre-release phase.


Suggested Advisory: (Mageia 2)
===================
This update package corrects/improves the definition of variables in config.pl, the configuration file of backuppc: the variables SshPath, SmbClientPath, NmbLookupPath, TarClientPath, TopDir. As a result, backuppc should now run with the default values installed by the Mageia package, modifications of config.pl should only be required for defining site-specific settings.


Suggested Advisory: (Mageia 1)
===================
This update package corrects/improves the definition of variables in config.pl, the configuration file of backuppc: the variables SshPath, SmbClientPath, NmbLookupPath, TarClientPath, TopDir. As a result, backuppc should now run with the default values installed by the Mageia package, modifications of config.pl should only be required for defining site-specific settings.

This update also fixes a bug which blocked correct use of the Configuration Editor in the Web-interface to backuppc.


Updated packages in core/updates-testing
========================================
backuppc-3.2.0-6.mga1
backuppc-3.2.1-7.mga2

from SRPMS:
backuppc-3.2.0-6.mga1.src.rpm
backuppc-3.2.1-7.mga2.src.rpm
Comment 8 David Walser 2012-07-04 23:04:16 CEST
Thanks Juergen.  Due to the different advisories and already existing two bugs, we'll use this bug for the Mageia 1 and update and Bug 6005 for the Mageia 2 update.
Comment 9 David Walser 2012-07-04 23:08:58 CEST
Advisory:
========================

Updated backuppc packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in RestoreFile.pm in
BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows
remote attackers to inject arbitrary web script or HTML via the
share parameter in a RestoreFile action to index.cgi (CVE-2011-5081).

Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0,
3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to
inject arbitrary web script or HTML via the num parameter in a view
action to index.cgi, related to the log file viewer (CVE-2011-4923).

Also, This update package corrects/improves the definition of variables
in config.pl, the configuration file of backuppc: the variables SshPath,
SmbClientPath, NmbLookupPath, TarClientPath, TopDir. As a result,
backuppc should now run with the default values installed by the Mageia
package, modifications of config.pl should only be required for defining
site-specific settings.

Finally, This update also fixes a bug which blocked correct use of the
Configuration Editor in the Web-interface to backuppc.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4923
http://www.ubuntu.com/usn/usn-1444-1/
========================

Updated packages in core/updates_testing:
========================
backuppc-3.2.0-6.mga1

from backuppc-3.2.0-6.mga1.src.rpm
Comment 10 Dave Hodgins 2012-07-12 01:26:53 CEST
Testing complete on Mageia 1 i586.

Set up a smb share in an xp VirtualBox guest, and used backuppc to
backup the share.
Comment 11 Derek Jennings 2012-07-13 11:02:38 CEST
Tested on x86_64 and already pushed as backuppc-3.2.1-7.mga2.src.rpm see Bug 6005
Comment 12 David Walser 2012-07-13 13:19:24 CEST
This bug is for the Mageia 1 package.  See Comment 9.
Comment 13 Derek Jennings 2012-07-13 13:24:11 CEST
whoops.. sorry
Comment 14 Derek Jennings 2012-07-13 17:17:06 CEST
validated on x86_64

Update validated

Could sysadmin please push backuppc-3.2.0-6.mga1.src.rpm  from core/updates/testing to core/updates

depcheck says no packages to link


Advisory:
========================

Updated backuppc packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in RestoreFile.pm in
BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows
remote attackers to inject arbitrary web script or HTML via the
share parameter in a RestoreFile action to index.cgi (CVE-2011-5081).

Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0,
3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to
inject arbitrary web script or HTML via the num parameter in a view
action to index.cgi, related to the log file viewer (CVE-2011-4923).

Also, This update package corrects/improves the definition of variables
in config.pl, the configuration file of backuppc: the variables SshPath,
SmbClientPath, NmbLookupPath, TarClientPath, TopDir. As a result,
backuppc should now run with the default values installed by the Mageia
package, modifications of config.pl should only be required for defining
site-specific settings.

Finally, This update also fixes a bug which blocked correct use of the
Configuration Editor in the Web-interface to backuppc.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4923
http://www.ubuntu.com/usn/usn-1444-1/
Comment 15 Juergen Harms 2012-07-13 18:01:52 CEST
The mixup (Comment #13) between the Mageia 1 and Mageia 2 updates goes back to a fault I had made:

6530 was originally a common report for the same bug on both systems, but while correcting this bug, I dicovered that a fix done on Mageia 2 during pre-release was missing on Mageia 1.  At that moment I should have created a new bug for Mageia 1 - which I did not. Always learning, and thank you, David, for arranging this by using bugzilla #6005 for Mageia 2 and #6530 for Mageia 1.
Comment 16 Thomas Backlund 2012-07-14 00:57:14 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0165

Note You need to log in before you can comment on or make changes to this bug.