Several distros (e.g. Ubuntu) have recently dealt with the problem
mentioned in the subject line by adding a patch in the module
A bug requesting this security issue to be fixed has now also been filed
in Mageia. Trying to follow up this bug, I realised that
- according to the references quoted for CVE-2011-5081, the bug is
"fixed by vendor" (the CVE notice dates from April 2011)
- trying the commands proposed as PoC on my (un-patched) backuppc 3.2.1
installation, there was no apparent problem.
Am I right in assuming that the patch in RestoreFile.pm is not needed (and
that backuppc developers have solved the problem by a modification
different from that proposed in the RestoreFile.pm patch)?
I would very much appreciate receiving confirmation in order to be able
to close the bug as resolved by "upstream".
(PS: I also tried applying the patch proposed for RestoreFile.pm and did
not see any difference in the response to the PoC commands)