*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: backuppc

The 5.12 release of Perl removes the suidperl binary, and therefore the
perl_5.12.3-6ubuntu4 package no longer includes the perl-suid package.
Oneiric will be migrating to Perl 5.12, and so all packages that depend
on perl-suid must be updated to remove the dependency.

The Perl 5 Porters (upstream core developers of Perl) recommend two
alternative solutions to suidperl: sudo or a small C wrapper. BackupPC
uses suidperl for a CGI script, which means it's not possible to
substitute sudo. Fedora has applied a patch to use a C wrapper around
the CGI script (https://bugzilla.redhat.com/show_bug.cgi?id=611009), and
a similar patch has been submitted for Debian but not yet applied
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581950). I'll submit a
branch of lp:ubuntu/backuppc applying this patch to the Ubuntu package.
I'm requesting review of this solution by the Security Team, since it
involves escalating privileges through a CGI script.

** Affects: backuppc (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: backuppc (Debian)
     Importance: Unknown
         Status: Unknown

** Affects: backuppc (Fedora)
     Importance: Unknown
         Status: Unknown


** Tags: oneiric perl-5.12-transition

** Bug watch added: Debian Bug tracker #581950
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581950

** Also affects: backuppc (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581950
   Importance: Unknown
       Status: Unknown

** Bug watch added: Red Hat Bugzilla #611009
   https://bugzilla.redhat.com/show_bug.cgi?id=611009

** Also affects: backuppc (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=611009
   Importance: Unknown
       Status: Unknown

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to backuppc in Ubuntu.
https://bugs.launchpad.net/bugs/786250

Title:
  Remove dependency on perl-suid for Perl 5.12
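
The "small C wrapper" alternative named in the report, shown as an added example for reviewers; it is not the Fedora or Debian patch and not BackupPC code. It illustrates two things a privileged CGI wrapper should do: exec one fixed absolute path, and pass only an allowlisted environment. Assumptions: CGI_PATH is a placeholder, the allowlist and PATH value are illustrative, and the wrapper binary (not the Perl script) is what gets installed setuid.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CGI_PATH "/usr/share/example/real-cgi.pl" /* placeholder target (assumption) */
#define MAX_ENV 32

/* CGI variables assumed to be needed by the script; everything else
 * (PERL5LIB, PERL5OPT, LD_PRELOAD, IFS, caller's PATH, ...) is dropped. */
static const char *const allowed[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH", "CONTENT_TYPE",
    "REMOTE_USER", "REMOTE_ADDR", "SCRIPT_NAME", "SERVER_NAME",
    "SERVER_PORT", "HTTP_COOKIE", "HTTP_HOST", NULL
};

/* Return 1 if "NAME=value" has an allowlisted NAME (exact match only). */
int keep_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t n = (size_t)(eq - entry);
    for (int i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == n && strncmp(allowed[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a clean environment in out[]: a fixed PATH first, then the
 * allowlisted entries of in[], NULL-terminated. Returns entries written. */
size_t scrub_env(char *const in[], char *out[], size_t cap)
{
    size_t k = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[k++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in != NULL && in[i] != NULL && k + 1 < cap; i++)
        if (keep_var(in[i]))
            out[k++] = in[i];
    out[k] = NULL;
    return k;
}

int main(void)
{
    extern char **environ;
    char *clean[MAX_ENV];
    char *const args[] = { CGI_PATH, NULL }; /* caller's argv is ignored */
    scrub_env(environ, clean, MAX_ENV);
    execve(CGI_PATH, args, clean);           /* no shell, no PATH lookup */
    perror("execve");
    return 1;
}
```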
