Control: tags -1 moreinfo

On 2023-03-21 19:08:09 +0000, Jose M Calhariz wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt,
> calha...@debian.org, ns-l...@dsi.ist.utl.pt
> Control: affects -1 + src:amanda
>
> Please unblock package amanda
>
>
> [ Reason ]
>
> The previous version of the fix for CVE-2022-37705 introduced a
> regression that is fixed by this version.
>
>
> [ Impact ]
>
> Breaks the use of tar for backups in some setups on the affected
> clients, i.e., the use of package amanda-client. The server cannot
> back up itself, but can back up clients with good amanda client
> software.
>
>
> [ Tests ]
>
> I manually tested the affected version and the fixed version, using a
> VM running testing (bookworm) with an amanda compiled for sid. The
> test is to do a backup of the server. The detail that breaks or not is
> two options in a dumptype that specify what program to use for
> backup. When using the traditional and old interface for gnutar it
> breaks. When using the new interface it is not affected.
>
> I do not have experience in the C language to do a proper review of the
> patch, which is very simple, but broken in 3.5.1-10.
>
>
> [ Risks ]
>
> The fix in 3.5.1-10 for the three CVEs is a low-risk one because
> user backup is a restricted user. Only people with privileges already
> can log in as user backup and try to run the setgid binaries. The
> people affected by the regression in 3.5.1-10 can work around it by
> using an older version on the affected clients. This bug does not
> affect other packages, as amanda-client is a leaf package.
>
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other info ]
>
> for name in amanda-client amanda-common amanda-server ; do debdiff
> "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb"
> "/root/${name}_3.5.1-11_amd64.deb" ; done

Please provide the debdiff of the source package.

Cheers

> File lists identical (after any substitutions)
>
> Control files: lines which differ (wdiff format)
> ------------------------------------------------
> Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+}
> libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8),
> libreadline8 (>= 6.0)
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
>
> File lists identical (after any substitutions)
>
> Control files: lines which differ (wdiff format)
> ------------------------------------------------
> Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (=
> [-1:3.5.1-10)-] {+1:3.5.1-11)+}
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
>
> File lists identical (after any substitutions)
>
> Control files: lines which differ (wdiff format)
> ------------------------------------------------
> Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx |
> mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2),
> libglib2.0-0 (>= 2.31.8)
> Installed-Size: [-1076-] {+1077+}
> Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st,
> gnuplot
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
>
>
> unblock amanda/1:3.5.1-11

-- 
Sebastian Ramacher