CVE-2022-37703: In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path. Asked the researcher about an upstream report: https://github.com/MaherAzzouzi/CVE-2022-37703/issues/1
And after trying to help them report this upstream, they eventually just deleted my issue after saying they'll drop 2 Amanda LPEs today.
Reproduced their side of the conversation in: https://gist.github.com/ajakk/f5aece4564079513f09f6066238ed6aa
Reported upstream: https://github.com/zmanda/amanda/issues/192
Pointed out these two CVEs in the upstream issue as well.
Apparently, that might not be the real upstream, but fortunately someone from that repo reported to the mailing lists: https://github.com/zmanda/amanda/issues/192#issuecomment-1399650313 https://marc.info/?l=amanda-hackers&m=167437716918603&w=2 https://marc.info/?l=amanda-users&m=167437611218333&w=2
Looks like some fixes made it into Git upstream. CVE-2022-37703 was fixed with: https://github.com/zmanda/amanda/commit/cf01041d34b830fc8bfe87346a9a1aa092d76820 CVE-2022-37704 was partially fixed with: https://github.com/zmanda/amanda/commit/ee766efdd77acd2e08f646bf2f9028944cdb9d06 Then had further fixes: https://github.com/zmanda/amanda/commit/e06005c01c4e008705083d053adefab0be5b2c4f https://github.com/zmanda/amanda/commit/f069e2c190146c5ed4d5ef8df390ee5024d4a3c8
