Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, calha...@debian.org, ns-l...@dsi.ist.utl.pt
Control: affects -1 + src:amanda
Please unblock package amanda

[ Reason ]
The previous version, with the fix for CVE-2022-37705, introduced a regression that is fixed by this version.

[ Impact ]
Breaks the use of tar for backups in some setups on the affected clients, i.e., the use of package amanda-client. The server cannot back up itself, but can back up clients with good amanda client software.

[ Tests ]
I manually tested the affected version and the fixed version, using a VM running testing (bookworm) with an amanda compiled for sid. The test is to do a backup of the server. The detail that breaks or not is two options in a dumptype that specify what program to use for backup. When using the traditional, old interface for gnutar, it breaks. When using the new interface, it is not affected. I do not have experience in the C language to do a proper review of the patch, which is very simple but broken in 3.5.1-10.

[ Risks ]
The fix in 3.5.1-10 for the three CVEs is a low-risk one because user backup is a restricted user. Only people who already have privileges can log in as user backup and try to run the setgid binaries. People affected by the regression in 3.5.1-10 can work around it by using an older version on the affected clients. This bug does not affect other packages, as amanda-client is a leaf package.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
for name in amanda-client amanda-common amanda-server ; do debdiff "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" "/root/${name}_3.5.1-11_amd64.deb" ; done

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0)
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= [-1:3.5.1-10)-] {+1:3.5.1-11)+}
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 2.31.8)
Installed-Size: [-1076-] {+1077+}
Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, gnuplot
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

unblock amanda/1:3.5.1-11