Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 870037 (CVE-2022-37703, CVE-2022-37704, CVE-2022-37705) - <app-backup/amanda-3.5.4: multiple vulnerabilities
Summary: <app-backup/amanda-3.5.4: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-37703, CVE-2022-37704, CVE-2022-37705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/MaherAzzouzi/CVE-2...
Whiteboard: B4 [stable?]
Keywords:
Depends on: 904350
Blocks:
  Show dependency tree
 
Reported: 2022-09-14 00:40 UTC by John Helmert III
Modified: 2024-07-23 05:42 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-14 00:40:23 UTC 
CVE-2022-37703:

In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

Asked the researcher about an upstream report: https://github.com/MaherAzzouzi/CVE-2022-37703/issues/1
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 20:52:06 UTC 
And after trying to help them report this upstream, they eventually just deleted my issue after saying they'll drop 2 Amanda LPEs today.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 15:41:12 UTC 
Reproduced their side of the conversation in:

https://gist.github.com/ajakk/f5aece4564079513f09f6066238ed6aa
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 15:47:47 UTC 
Reported upstream: https://github.com/zmanda/amanda/issues/192
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-01 20:39:44 UTC 
Pointed out these two CVEs in the upstream issue as well.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-23 00:11:06 UTC 
Apparently, that might not be the real upstream, but fortunately someone from that repo reported to the mailing lists:

https://github.com/zmanda/amanda/issues/192#issuecomment-1399650313

https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
https://marc.info/?l=amanda-users&m=167437611218333&w=2
Comment 7 Thomas Hayden 2024-07-23 03:57:25 UTC 
(In reply to John Helmert III from comment #6)
> Looks like some fixes made it into Git upstream.
> 
> CVE-2022-37703 was fixed with:
> https://github.com/zmanda/amanda/commit/
> cf01041d34b830fc8bfe87346a9a1aa092d76820 https://slice-master.io
> 
> CVE-2022-37704 was partially fixed with:
> https://github.com/zmanda/amanda/commit/
> ee766efdd77acd2e08f646bf2f9028944cdb9d06
> 
> Then had further fixes:
> 
> https://github.com/zmanda/amanda/commit/
> e06005c01c4e008705083d053adefab0be5b2c4f
> https://github.com/zmanda/amanda/commit/
> f069e2c190146c5ed4d5ef8df390ee5024d4a3c8

all done! This is the simple fix to ensure automake is run for stable users.