Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 870037 (CVE-2022-37703, CVE-2022-37704, CVE-2022-37705)

Summary: app-backup/amanda: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: dustin, lists, proxy-maint, robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/MaherAzzouzi/CVE-2022-37703
Whiteboard: B4 [upstream/ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 904350    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-14 00:40:23 UTC 
CVE-2022-37703:

In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

Asked the researcher about an upstream report: https://github.com/MaherAzzouzi/CVE-2022-37703/issues/1
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 20:52:06 UTC 
And after trying to help them report this upstream, they eventually just deleted my issue after saying they'll drop 2 Amanda LPEs today.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 15:41:12 UTC 
Reproduced their side of the conversation in:

https://gist.github.com/ajakk/f5aece4564079513f09f6066238ed6aa
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 15:47:47 UTC 
Reported upstream: https://github.com/zmanda/amanda/issues/192
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-01 20:39:44 UTC 
Pointed out these two CVEs in the upstream issue as well.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-23 00:11:06 UTC 
Apparently, that might not be the real upstream, but fortunately someone from that repo reported to the mailing lists:

https://github.com/zmanda/amanda/issues/192#issuecomment-1399650313

https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
https://marc.info/?l=amanda-users&m=167437611218333&w=2