Control: tags 1055253 + patch Control: tags 1055253 + pending Dear maintainer,
I've prepared an NMU for amanda (versioned as 1:3.5.1-11.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards.
diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog --- amanda-3.5.1/debian/changelog 2023-03-21 18:35:47.000000000 +0100 +++ amanda-3.5.1/debian/changelog 2023-12-03 14:09:23.000000000 +0100 @@ -1,3 +1,10 @@ +amanda (1:3.5.1-11.1) unstable; urgency=medium + + * Non-maintainer upload. + * Apply upstream fix for CVE-2023-30577 (Closes: #1055253) + + -- Tobias Frost <t...@debian.org> Sun, 03 Dec 2023 14:09:23 +0100 + amanda (1:3.5.1-11) unstable; urgency=medium * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use diff -Nru amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch --- amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch 1970-01-01 01:00:00.000000000 +0100 +++ amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch 2023-12-03 13:55:48.000000000 +0100 @@ -0,0 +1,83 @@ +Description: CVE-2023-30577 - Local privilege escalation. +Origin: https://github.com/zmanda/amanda/pull/228 +Bug: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055253 +--- a/client-src/runtar.c ++++ b/client-src/runtar.c +@@ -39,6 +39,11 @@ + #include "amutil.h" + #include "conffile.h" + #include "client_util.h" ++#include <stdbool.h> ++ ++static const char *whitelisted_args[] = {"--blocking-factor", "--file", "--directory", "--exclude", "--transform", "--listed-incremental", "--newer", "--exclude-from", "--files-from", NULL}; ++ ++bool check_whitelist(char* option); + + int main(int argc, char **argv); + +@@ -49,6 +54,7 @@ + { + #ifdef GNUTAR + int i; ++ char **j; + char *e; + char *dbf; + char *cmdline; +@@ -182,20 +188,23 @@ + g_str_has_prefix(argv[i],"--verbose")) { + /* Accept theses options */ + good_option++; +- } else if (g_str_has_prefix(argv[i],"--blocking-factor") || +- g_str_has_prefix(argv[i],"--file") || +- g_str_has_prefix(argv[i],"--directory") || +- g_str_has_prefix(argv[i],"--exclude") || +- g_str_has_prefix(argv[i],"--transform") || +- g_str_has_prefix(argv[i],"--listed-incremental") || +- g_str_has_prefix(argv[i],"--newer") || +- g_str_has_prefix(argv[i],"--exclude-from") || +- g_str_has_prefix(argv[i],"--files-from")) { ++ } else if (check_whitelist(argv[i])) { + if (strchr(argv[i], '=')) { + good_option++; + } else { + /* Accept theses options with the following argument */ + good_option += 2; ++ ++ /* Whitelisting only the allowed arguments*/ ++ for(j=whitelisted_args; *j; j++) { ++ if (strcmp(argv[i], *j) == 0) { ++ break; ++ } ++ } ++ ++ if (!*j) { ++ good_option = 0; // not allowing arguments absent in the whitelist ++ } + } + } else if (argv[i][0] != '-') { + good_option++; +@@ -239,3 +248,23 @@ + return 1; + #endif + } ++ ++bool ++check_whitelist( ++ gchar* option) ++{ ++ bool result = TRUE; ++ char** i; ++ ++ for(i=whitelisted_args; *i; i++) { ++ if (g_str_has_prefix(option, *i)) { ++ break; ++ } ++ } ++ ++ if (!*i) { ++ result = FALSE; // not allowing arguments absent in the whitelist ++ } ++ ++ return result; ++} diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series --- amanda-3.5.1/debian/patches/series 2023-03-21 18:35:47.000000000 +0100 +++ amanda-3.5.1/debian/patches/series 2023-12-03 14:09:19.000000000 +0100 @@ -49,3 +49,4 @@ 50-fix-CVE-2022-37704 52-fix-CVE-2022-37704_part_2 56-fix-CVE-2022-37703 +57-CVE-2023-30577.patch
signature.asc
Description: PGP signature
