From: Juergen H. <Jue...@un...> - 2012-05-28 19:23:13
|
Several distros (e.g. Ubuntu) have recently dealt with the problem mentioned in the subject line by adding a patch in the module lib/BackupPC/CGI/RestoreFile.pm. A bug requesting this security issue to be fixed has now also been filed in Mageia. Trying to follow up this bug, I realised that - according to the references quoted for CVE-2011-5081, the bug is "fixed by vendor" (the cve notice dates from april 2011) - trying the commands proposed as PoC on my (un-patched) backuppc 3.2.1 installation, there was no apparent problem. Am I right assuming that the patch in RestoreFile.pm is not needed (and that backuppc developpers have solved the problem by a modification different from that proposed in the RestoreFile.pm patch)? I would very much appreciate to receive confirmation in order to be able to close the bug as resolved by "upstream" (PS: I also tried applying the patch proposed for RestoreFile.pm and did not see any difference in the response to the PoC commands) Juergen |