Re: CVE Request: Security issue in backuppc

[Kurt Seifried <kseifrie () redhat com>]

On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote:
> On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
> > Hi Craig,
> >
> > While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
> > another XSS vulnerability in View.pm when accessing the following URLs
> > in backuppc:
> > index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
> > index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
> >
> > You are being emailed as the upstream contact. Please keep
> > oss-security () lists openwall com[1] CC'd for any updates on this issue.
> >
> > To oss-security, can I have a CVE for this? It is essentially the same
> > vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
> > of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
> > 3.0.0, 3.1.0, 3.2.0 and 3.2.1.
> *ping*
>
> This hasn't ended up in a CVE assignment.
>
> Cheers,
>         Moritz
I believe as per ADT4 these issues should be merged into the existing
CVE-2011-3361:

ADT4:

At this stage, X and Y are the same bug type, affect the same versions,
and affect the same products.

Do X and Y have any of the following characteristics?

    X appears in a different DLL, library, or program than Y (e.g. X
affects LIB1.DLL and Y affects LIB2.DLL)
    X has more serious impact than Y (e.g. code execution as root versus
leak of system pathname)
    X takes a different input parameter/argument than Y (e.g. SQL
injection in both the "user" and "password" parameters)
    X is exploitable locally, but Y is not.
    X requires stronger authentication than Y.
    X can be exploited by a certain user that Y can not (e.g. a guest
user vs. an admin)

   

    Yes: MERGE them. These characteristics are irrelevant for CVE.

-- 

-- Kurt Seifried / Red Hat Security Response Team