Bug 855536 (CVE-2022-22474, CVE-2022-22478) - <app-backup/tsm-8.1.17.2 : multiple vulnerabilities
Summary: <app-backup/tsm-8.1.17.2 : multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-22474, CVE-2022-22478
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PATCH
Depends on: 905294
Blocks:
Reported: 2022-07-01 12:49 UTC by Horst Prote
Modified: 2023-06-09 14:17 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Ebuild (tsm-8.1.15.0.ebuild,7.43 KB, text/plain)
2022-07-01 12:50 UTC, Horst Prote

Description Horst Prote 2022-07-01 12:49:31 UTC
IBM published two Security Bulletins:
-  Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)
- Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2021-35550, CVE-2021-35603)


Reproducible: Always




The vulnerabilities are fixed in version 8.1.15
Comment 1 Horst Prote 2022-07-01 12:50:43 UTC
Created attachment 789176
Ebuild

I created this ebuild in my local overlay and installed it on my servers.
Comment 2 Horst Prote 2022-07-01 12:56:06 UTC
Note:
- The new USE flag "tdpvmware" (off by default, as I don't use this part of the package) and its RDEPEND line should solve bug 834431.
- I didn't get the "Unsupported type of integrity check" warning from bug 837503 on installing my ebuild.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 22:49:59 UTC
Thanks for reporting! Feel free to open a PR for the update. Do you have a link for the upstream documentation on how TSM itself is vulnerable?
Comment 4 Horst Prote 2022-07-04 10:56:00 UTC
(In reply to John Helmert III from comment #3)
> Do you have a link for the upstream documentation on how TSM itself is vulnerable?
https://www.ibm.com/support/pages/node/6596741
https://www.ibm.com/support/pages/node/6596379
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 04:55:39 UTC
(In reply to Horst Prote from comment #4)
> (In reply to John Helmert III from comment #3)
> > Do you have a link for the upstream documentation on how TSM itself is vulnerable?
> https://www.ibm.com/support/pages/node/6596741
> https://www.ibm.com/support/pages/node/6596379

Sorry for my lack of familiarity with this stuff, but TSM doesn't seem to be mentioned here?
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 04:57:20 UTC
(In reply to John Helmert III from comment #5)
> (In reply to Horst Prote from comment #4)
> > (In reply to John Helmert III from comment #3)
> > > Do you have a link for the upstream documentation on how TSM itself is vulnerable?
> > https://www.ibm.com/support/pages/node/6596741
> > https://www.ibm.com/support/pages/node/6596379
> 
> Sorry for my lack of familiarity with this stuff, but TSM doesn't seem to be
> mentioned here?

Oh, sorry, TSM = IBM Spectrum Protect. Nice acronym :P

Anyway, are we affected by the Java vulnerabilities? The ebuild seems to have functionality for pulling in a JRE, so I think it's not bundled here?
Comment 7 Horst Prote 2022-07-07 07:43:35 UTC
(In reply to John Helmert III from comment #6)
> Oh, sorry, TSM = IBM Spectrum Protect. Nice acronym :P
Not really an acronym. Whoever was the maintainer of the tsm package when IBM switched the name from "Tivoli Storage Manager" to "IBM Spectrum Protect" years ago just didn't change the package name.

> Anyway, are we affected by the Java vulnerabilities? The ebuild seems to
> have functionality for pulling in a JRE, so I think it's not bundled here?
I think you are right for https://www.ibm.com/support/pages/node/6596379 with its vulnerabilities CVE-2021-35550 and CVE-2021-35603 but the CVE-2022-22478 and CVE-2022-22474 of https://www.ibm.com/support/pages/node/6596741 both clearly state that the bugs are in the IBM Spectrum Protect Clients code.
Comment 8 Larry the Git Cow gentoo-dev 2023-04-06 22:50:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f071a94b49db3e421a4ee6189c391d1b39a1eba

commit 7f071a94b49db3e421a4ee6189c391d1b39a1eba
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-04-06 22:49:41 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-04-06 22:50:08 +0000

    app-backup/tsm: add 8.1.15.0, 8.1.17.2
    
    Bug: https://bugs.gentoo.org/855536
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/Manifest            |   2 +
 app-backup/tsm/metadata.xml        |   1 +
 app-backup/tsm/tsm-8.1.15.0.ebuild | 249 +++++++++++++++++++++++++++++++++++++
 app-backup/tsm/tsm-8.1.17.2.ebuild | 249 +++++++++++++++++++++++++++++++++++++
 4 files changed, 501 insertions(+)
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2023-04-06 22:51:55 UTC
Thanks. Finally catching up here. I didn't have the https URL when I last checked...

Let's wait a bit and then immediately stabilize 8.1.17.2
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-20 04:08:54 UTC
("stable?" is usually how we denote that in security bug whiteboard)
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2023-05-06 20:37:20 UTC
Cleanup done