Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 870037 (CVE-2022-37703, CVE-2022-37704, CVE-2022-37705) - <app-backup/amanda-3.5.4: multiple vulnerabilities
Summary: <app-backup/amanda-3.5.4: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-37703, CVE-2022-37704, CVE-2022-37705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/MaherAzzouzi/CVE-2...
Whiteboard: B4 [stable]
Keywords:
Depends on: 940020 904350
Blocks:
  Show dependency tree
 
Reported: 2022-09-14 00:40 UTC by John Helmert III
Modified: 2024-12-26 15:15 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-14 00:40:23 UTC
CVE-2022-37703:

In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

Asked the researcher about an upstream report: https://github.com/MaherAzzouzi/CVE-2022-37703/issues/1
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 20:52:06 UTC
And after trying to help them report this upstream, they eventually just deleted my issue after saying they'll drop 2 Amanda LPEs today.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 15:41:12 UTC
Reproduced their side of the conversation in:

https://gist.github.com/ajakk/f5aece4564079513f09f6066238ed6aa
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 15:47:47 UTC
Reported upstream: https://github.com/zmanda/amanda/issues/192
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-01 20:39:44 UTC
Pointed out these two CVEs in the upstream issue as well.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-23 00:11:06 UTC
Apparently, that might not be the real upstream, but fortunately someone from that repo reported to the mailing lists:

https://github.com/zmanda/amanda/issues/192#issuecomment-1399650313

https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
https://marc.info/?l=amanda-users&m=167437611218333&w=2
Comment 7 Thomas Hayden 2024-07-23 03:57:25 UTC
(In reply to John Helmert III from comment #6)
> Looks like some fixes made it into Git upstream.
> 
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/
> cf01041d34b830fc8bfe87346a9a1aa092d76820 https://slice-master.io
> 
> CVE-2022-37704 was partially fixed with:
> https://github.com/zmanda/amanda/commit/
> ee766efdd77acd2e08f646bf2f9028944cdb9d06
> 
> Then had further fixes:
> 
> https://github.com/zmanda/amanda/commit/
> e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/
> f069e2c190146c5ed4d5ef8df390ee5024d4a3c8

all done! This is the simple fix to ensure automake is run for stable users.
Comment 8 Felix Andrea 2024-09-23 01:31:21 UTC
(In reply to John Helmert III from comment #6)
> Looks like some fixes made it into Git upstream.
> 
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/
> cf01041d34b830fc8bfe87346a9a1aa092d76820
> 
> CVE-2022-37704 was partially fixed with:
> https://github.com/zmanda/amanda/commit/
> ee766efdd77acd2e08f646bf2f9028944cdb9d06
> 
> Then had further fixes:
> 
> https://github.com/zmanda/amanda/commit/
> e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/
> f069e2c190146c5ed4d5ef8df390ee5024d4a3c8 https://ricepurity-test.io/

Thank you for the update regarding the fixes for CVE-2022-37703 and CVE-2022-37704. Hopefully these fixes will help improve security for Amanda users.
Comment 9 Paul 2024-10-03 08:07:44 UTC
(In reply to John Helmert III from comment #6)
> Looks like some fixes made it into Git upstream.
> 
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/
> cf01041d34b830fc8bfe87346a9a1aa092d76820
> 
> CVE-2022-37704 was partially fixed with:
> https://github.com/zmanda/amanda/commit/
> ee766efdd77acd2e08f646bf2f9028944cdb9d06
> 
> Then had further fixes:
> 
> https://github.com/zmanda/amanda/commit/ https://retrobowl-college.io/
> e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/
> f069e2c190146c5ed4d5ef8df390ee5024d4a3c8

A vulnerability for information leakage in the calcsize SUID binary was discovered in Amanda 3.5.1. This vulnerability can be used by an attacker to determine if a directory exists in the file system or not. Without verifying the path, the binary will call `opendir()` as root immediately, allowing the attacker to supply any path.
Comment 10 Leonell Pitts 2024-11-21 02:22:58 UTC
This issue involves a command injection vulnerability. Improper neutralization of input in commands allows attackers to execute arbitrary commands, which could potentially lead to privilege escalation or system compromise.
Comment 11 BrendaElliot 2024-12-26 15:15:16 UTC
(In reply to John Helmert III from comment #6)
> Looks like some fixes made it into Git upstream.
> 
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/
> cf01041d34b830fc8bfe87346a9a1aa092d76820
> 
> CVE-2022-37704 was partially fixed with:
> https://github.com/zmanda/amanda/commit/
> ee766efdd77acd2e08f646bf2f9028944cdb9d06
> 
> Then had further fixes:
> https://tabattlesimulator.com
> https://github.com/zmanda/amanda/commit/
> e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/
> f069e2c190146c5ed4d5ef8df390ee5024d4a3c8

Thanks a lot