BackupPC-users

[BackupPC-users] Status of CVE-2011-5081 (Cross-site scripting vulnerability)

2012-05-28 15:25:40
Subject: [BackupPC-users] Status of CVE-2011-5081 (Cross-site scripting vulnerability)
From: Juergen Harms <Juergen.Harms AT unige DOT ch>
To: "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Mon, 28 May 2012 21:23:03 +0200
Several distros (e.g. Ubuntu) have recently dealt with the problem 
mentioned in the subject line by adding a patch in the module 
lib/BackupPC/CGI/RestoreFile.pm.

A bug requesting this security issue to be fixed has now also been filed 
in Mageia. Trying to follow up this bug, I realised that

- according to the references quoted for CVE-2011-5081, the bug is 
"fixed by vendor" (the CVE notice dates from April 2011)

- trying the commands proposed as PoC on my (un-patched) backuppc 3.2.1 
installation, there was no apparent problem.

Am I right in assuming that the patch in RestoreFile.pm is not needed (and 
that the BackupPC developers have solved the problem by a modification 
different from that proposed in the RestoreFile.pm patch)?

I would very much appreciate receiving confirmation in order to be able 
to close the bug as resolved by "upstream".

(PS: I also tried applying the patch proposed for RestoreFile.pm and did 
not see any difference in the response to the PoC commands)

Juergen
