CVE-2022-24755 (https://github.com/bareos/bareos/security/advisories/GHSA-4979-8ffj-4q26): Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still log in. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.

CVE-2022-24756 (https://github.com/bareos/bareos/security/advisories/GHSA-jh55-4wgw-xc9j): Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, a failed PAM authentication will leak a small amount of memory. An attacker that is able to use the PAM Console (i.e. by knowing the shared secret or via the WebUI) can flood the Director with failing login attempts which will eventually lead to an out-of-memory condition in which the Director will not work anymore. Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 contain a Bugfix for this problem. Users who are unable to upgrade may disable PAM authentication as a workaround.

Please bump to 19.2.12, 20.0.6, 21.1.0.
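Added illustration, not Bareos code and not taken from either advisory: the two advisories describe a PAM client that checks the credential but never asks PAM whether the account may be used, and that does not clean up after a failed attempt. In PAM terms the credential check is pam_authenticate(3) and the account checks (expired account, locked account, expired password) live in the account stack, reached through pam_acct_mgmt(3); which exact calls Bareos added in its fix is not stated on this page. The snippet drives Linux-PAM (libpam.so.0) through ctypes; the service name "example-dir", the user name and the password are placeholders, so on a host without /etc/pam.d/example-dir Linux-PAM falls back to the "other" stack and both variants are expected to be refused.

```python
"""Authentication vs. authorization against Linux-PAM, with pam_end on every
path. Added example; assumes Linux-PAM (libpam.so.0) and glibc via ctypes."""
import ctypes
import ctypes.util

# Linux-PAM constants (values from <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_NEW_AUTHTOK_REQD = 12   # password expired but still changeable
PAM_CONV_ERR = 19
PAM_PROMPT_ECHO_OFF = 1     # password prompt
PAM_PROMPT_ECHO_ON = 2      # login-name prompt


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # libpam free()s resp, so it must come from libc's allocator: keep it a void*.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


libc = ctypes.CDLL(ctypes.util.find_library("c"))
libc.calloc.argtypes, libc.calloc.restype = [ctypes.c_size_t, ctypes.c_size_t], ctypes.c_void_p
libc.strdup.argtypes, libc.strdup.restype = [ctypes.c_char_p], ctypes.c_void_p

libpam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                             ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
for _name in ("pam_authenticate", "pam_acct_mgmt", "pam_end"):
    getattr(libpam, _name).argtypes = [ctypes.c_void_p, ctypes.c_int]
libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
libpam.pam_strerror.restype = ctypes.c_char_p


def make_conv(user: bytes, password: bytes):
    """Non-interactive conversation: a daemon answers PAM's prompts from the
    credentials it already received over the wire. Returns the struct and
    the callback object, which the caller must keep alive with the handle."""
    def conv(num_msg, msgs, resp_out, _appdata):
        try:
            block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
            if not block:
                return PAM_CONV_ERR
            replies = ctypes.cast(block, ctypes.POINTER(PamResponse))
            for i in range(num_msg):
                style = msgs[i].contents.msg_style
                if style == PAM_PROMPT_ECHO_OFF:
                    replies[i].resp = libc.strdup(password)
                elif style == PAM_PROMPT_ECHO_ON:
                    replies[i].resp = libc.strdup(user)
            resp_out[0] = replies
            return PAM_SUCCESS
        except Exception:
            return PAM_CONV_ERR   # a Python error must never read as success
    cb = CONV_FUNC(conv)
    return PamConv(cb, None), cb


def strerror(handle, rc: int) -> str:
    return libpam.pam_strerror(handle, rc).decode(errors="replace")


def pam_login(service: str, user: str, password: str, check_account: bool = True):
    """Returns (ok, stage, rc, text). check_account=False reproduces the flawed
    pattern from the advisory: stop after pam_authenticate, so the account
    stack (expiry, lock status, password age) is never consulted."""
    conv, _keep_alive = make_conv(user.encode(), password.encode())
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:          # no valid handle yet, nothing to pam_end
        return False, "pam_start", rc, strerror(None, rc)
    try:
        rc = libpam.pam_authenticate(handle, 0)      # authentication only
        if rc != PAM_SUCCESS:
            return False, "pam_authenticate", rc, strerror(handle, rc)
        if not check_account:
            return True, "pam_authenticate", rc, "authenticated; authorization skipped"
        rc = libpam.pam_acct_mgmt(handle, 0)         # authorization
        if rc != PAM_SUCCESS:
            # Includes PAM_NEW_AUTHTOK_REQD: a non-interactive daemon cannot
            # run pam_chauthtok, so an expired password is a denial.
            return False, "pam_acct_mgmt", rc, strerror(handle, rc)
        return True, "pam_acct_mgmt", rc, "authenticated and authorized"
    finally:
        # Release the handle on success and failure alike; skipping pam_end on
        # the failure path keeps every rejected attempt's allocations alive.
        libpam.pam_end(handle, rc)


if __name__ == "__main__":
    # Placeholder service and credentials; both calls are expected to be refused.
    for check in (False, True):
        print(check, pam_login("example-dir", "example-user", "example-secret", check))
```

The conversation structure and callback must outlive the PAM handle, which is why make_conv hands both back and pam_login keeps them in scope until pam_end. Only Linux-PAM's message layout is assumed; OpenPAM and Solaris PAM pass the message array differently.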
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=047dc13847ad4716c300068d0368658268c6f50a

commit 047dc13847ad4716c300068d0368658268c6f50a
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2022-03-21 09:58:07 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2022-03-21 09:59:19 +0000

    app-backup/bareos: add 19.2.12, drop 19.2.11-r1

    Bug: https://bugs.gentoo.org/835342
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 app-backup/bareos/Manifest                                            | 2 +-
 app-backup/bareos/{bareos-19.2.11-r1.ebuild => bareos-19.2.12.ebuild} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850461b19c0077abc8669c9cfc2d4728d27c2d5b

commit 850461b19c0077abc8669c9cfc2d4728d27c2d5b
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2022-03-21 09:53:53 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2022-03-21 09:59:19 +0000

    app-backup/bareos: add 20.0.6, drop 20.0.5

    Bug: https://bugs.gentoo.org/835342
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 app-backup/bareos/Manifest                                       | 2 +-
 app-backup/bareos/{bareos-20.0.5.ebuild => bareos-20.0.6.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ba92c7f30696ca85c33e7c62c1ba567d0c0a809

commit 2ba92c7f30696ca85c33e7c62c1ba567d0c0a809
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2022-03-21 09:49:11 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2022-03-21 09:59:19 +0000

    app-backup/bareos: add 21.1.2, drop 21.0.0-r2

    Bug: https://bugs.gentoo.org/835342
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 app-backup/bareos/Manifest                                          | 2 +-
 app-backup/bareos/{bareos-21.0.0-r2.ebuild => bareos-21.1.2.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Thanks! Please clean up the 18.x branch.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7459f97b5e1463374c04948225c705a7d00bfd75

commit 7459f97b5e1463374c04948225c705a7d00bfd75
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2022-03-25 07:16:35 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2022-03-25 07:16:54 +0000

    app-backup/bareos: drop 18.2.12-r1

    Bug: https://bugs.gentoo.org/835342
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 app-backup/bareos/Manifest                 |   1 -
 app-backup/bareos/bareos-18.2.12-r1.ebuild | 389 -----------------------------
 2 files changed, 390 deletions(-)
Thanks, all done!