Bug#1033292: Re: Bug#1033292: unblock: amanda/1:3.5.1-11

2023-03-25 Thread Jose M Calhariz
Hi,

I have updated the git repository on salsa about amanda and created a
signed tag: g...@salsa.debian.org:debian/amanda.git

As the debdiff of amanda_3.5.1-10_source.changes and
amanda_3.5.1-11_source.changes did not work as I expected, I am
doing a git diff:

diff --git a/debian/changelog b/debian/changelog
index d4e1821..498f6f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+amanda (1:3.5.1-11) unstable; urgency=medium
+
+  * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use
+case at least, this patch fix it, fixing the following two bugs.
+  * Bug fix: "backups fail with the following summary FAILED [no
+backup size line]", thanks to Norman Lyon (Closes: #1032330).
+  * Bug fix: "Amanda is unusable", thanks to Kamil Jonca (Closes:
+#1032884).
+
+ -- Jose M Calhariz   Tue, 21 Mar 2023 17:35:47 +
+
 amanda (1:3.5.1-10) unstable; urgency=medium
 
   * d/p/48-fix-CVE-2022-37705: Fix CVE-2022-37705.
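Review bot: the first changelog bullet of the new entry does not say what broke, and its grammar is off ("broken one use case", "this patch fix it"); suggest `48-fix-CVE-2022-37705 broke at least one use case (long options whose value is passed as a separate argument); this patch fixes it`, which is what patch 49 below actually changes. The two `Closes:` bullets can stay as they are.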
diff --git a/debian/patches/49-fix-CVE-2022-37705_part_2 
b/debian/patches/49-fix-CVE-2022-37705_part_2
new file mode 100644
index 000..74341a6
--- /dev/null
+++ b/debian/patches/49-fix-CVE-2022-37705_part_2
@@ -0,0 +1,24 @@
+Description: Fix the fix for CVE-2022-37705
+Author: pcahyna https://github.com/pcahyna
+
+Index: amanda.git/client-src/runtar.c
+===
+--- amanda.git.orig/client-src/runtar.c2023-03-05 00:10:46.916884175 
+
 amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 +
+@@ -191,9 +191,13 @@ main(
+   g_str_has_prefix(argv[i],"--newer") ||
+   g_str_has_prefix(argv[i],"--exclude-from") ||
+   g_str_has_prefix(argv[i],"--files-from")) {
+-  good_option++;
+-  } else if (argv[i][0] != '-') {
+-  /* argument values are accounted for here */
++  if (strchr(argv[i], '=')) {
++  good_option++;
++  } else {
++  /* Accept theses options with the following argument */
++  good_option += 2;
++  }
++} else if (argv[i][0] != '-') {
+   good_option++;
+   }
+   }
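Review bot: the new patch file carries only `Description:` and `Author:` headers; as a DEP-3 header it should also name the bugs it fixes (`Bug-Debian: https://bugs.debian.org/1032330` and `https://bugs.debian.org/1032884`) and say whether the change was forwarded upstream, since the author line points at a GitHub account rather than the Debian package. In the hunk itself, `strchr()` needs `<string.h>`, which the hunk does not show being included (check that runtar.c already has it), and the restored comment keeps the `theses` typo.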
diff --git a/debian/patches/series b/debian/patches/series
index 92dde9d..2be2df4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,6 +45,7 @@ reproducible-build
 ##
 # Patches to fix CVEs from 2022
 48-fix-CVE-2022-37705
+49-fix-CVE-2022-37705_part_2
 50-fix-CVE-2022-37704
 52-fix-CVE-2022-37704_part_2
 56-fix-CVE-2022-37703
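Review bot: placing `49-fix-CVE-2022-37705_part_2` directly after `48-fix-CVE-2022-37705` is required, not just tidy: its `-` lines are the `+` lines of patch 48, so it only applies on top of 48. A one-line comment in the series file (the `# Patches to fix CVEs from 2022` block already uses comments) would record that dependency so it survives any later reordering or dropping of 48.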






I have attached the two patches for CVE-2022-37705 that I use in the
package, the one with the regression and the fix.

Kind regards
Jose M Calhariz

-- 
There is something in the closets that makes the skeletons
restless.
-- John Barrymore
Description: Fix CVE-2022-37705
Author: Prajwal T R https://github.com/prajwaltr93

Index: amanda.git/client-src/runtar.c
===
--- amanda.git.orig/client-src/runtar.c 2021-06-20 21:02:56.627301251 +0100
+++ amanda.git/client-src/runtar.c  2023-02-24 12:40:05.041286442 +
@@ -191,9 +191,9 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
-   /* Accept theses options with the following argument */
-   good_option += 2;
+   good_option++;
} else if (argv[i][0] != '-') {
+   /* argument values are accounted for here */
good_option++;
}
}
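Review bot: this hunk stops crediting the argument that follows `--newer`, `--exclude-from` or `--files-from` (`good_option += 2` becomes `good_option++`) and the new comment says values are now counted by the `argv[i][0] != '-'` branch instead. That branch only counts a value that is a separate argv element not beginning with `-`, so the count drops by one for every such option regardless of whether the value is given as `--opt=VALUE` or `--opt VALUE`; the hunk does not show what `good_option` is later compared against, so the effect on each shape cannot be judged from the hunk alone, and the changelog in this thread records that at least one use case then failed. A fuller `Description:` stating which argument shapes are meant to be rejected, plus a `Bug:` or `Origin:` header pointing at the upstream change, would make the intent reviewable without reading the CVE.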
Description: Fix the fix for CVE-2022-37705
Author: pcahyna https://github.com/pcahyna

Index: amanda.git/client-src/runtar.c
===
--- amanda.git.orig/client-src/runtar.c 2023-03-05 00:10:46.916884175 +
+++ amanda.git/client-src/runtar.c  2023-03-05 00:15:52.189417756 +
@@ -191,9 +191,13 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
-   good_option++;
-   } else if (argv[i][0] != '-') {
-   /* argument values are accounted for here */
+   if (strchr(argv[i], '=')) {
+   good_option++;
+   } else {
+   /* Accept theses options with the following argument */
+   good_option += 2;
+   }
+} else if (argv[i][0] != '-') {
good_option++;
}
}
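Review bot: the new `else` branch credits two argv elements as soon as it sees one of these options without `=`, but the hunk shows no check that `argv[i + 1]` exists or what it contains, so the element after `--files-from` is accepted without being inspected, which is the behaviour patch 48 removed. If the intent is to accept exactly one value, consider advancing `i` and verifying that `argv[i + 1]` is non-NULL and does not start with `-` before counting it; as written, a plain value is also counted a second time by the `argv[i][0] != '-'` branch on the next iteration, and a trailing `--files-from` with nothing after it is still counted as two good options.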




Bug#1033292: unblock: amanda/1:3.5.1-11

2023-03-22 Thread Sebastian Ramacher
Control: tags -1 moreinfo

On 2023-03-21 19:08:09 +, Jose M Calhariz wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, 
> calha...@debian.org, ns-l...@dsi.ist.utl.pt
> Control: affects -1 + src:amanda
> 
> Please unblock package amanda
> 
> 
> [ Reason ]
> 
> The previous version of the fix for CVE-2022-37705 introduced a
> regression that is fixed by this version.
> 
> 
> [ Impact ]
> 
> Breaks the use of tar, for backups in some setups, on the affected
> clients, i.e., the use of package amanda-client.  The server cannot
> back up itself, but can back up clients with a good amanda client
> software.
> 
> 
> 
> [ Tests ]
> 
> I manually tested the affected version and the fixed version, using a
> VM running testing (bookworm) with an amanda compiled for sid.  The
> test is to do a backup of the server.  What decides whether it breaks
> or not is two options in a dumptype that specify which program to use
> for backup.  When using the traditional, old interface for gnutar it
> breaks.  When using the new interface it is not affected.
> 
> I do not have experience in the C language to do a proper review of
> the patch, which is very simple, but broken in 3.5.1-10.
> 
> 
> [ Risks ]
> 
> The fixes in 3.5.1-10 for the three CVEs are low-risk ones because
> user backup is a restricted user.  Only people with privileges already
> can log in as user backup and try to run the setgid binaries.  The
> people affected by the regression in 3.5.1-10 can work around it using
> an older version on the affected clients.  These bugs do not affect
> other packages, as amanda-client is a leaf package.
> 
> 
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> [ Other info ]
> 
> for name in amanda-client amanda-common amanda-server ; do debdiff 
> "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" 
> "/root/${name}_3.5.1-11_amd64.deb" ; done

Please provide the debdiff of the source package.

Cheers

> 
> File lists identical (after any substitutions)
> 
> Control files: lines which differ (wdiff format)
> 
> Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} 
> libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), 
> libreadline8 (>= 6.0)
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
> File lists identical (after any substitutions)
> 
> Control files: lines which differ (wdiff format)
> 
> Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= 
> [-1:3.5.1-10)-] {+1:3.5.1-11)+}
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
> File lists identical (after any substitutions)
> 
> Control files: lines which differ (wdiff format)
> 
> Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | 
> mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), 
> libglib2.0-0 (>= 2.31.8)
> Installed-Size: [-1076-] {+1077+}
> Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, 
> gnuplot
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
> 
> 
> 
> 
> unblock amanda/1:3.5.1-11
> 

-- 
Sebastian Ramacher



Bug#1033292: unblock: amanda/1:3.5.1-11

2023-03-21 Thread Jose M Calhariz
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, 
calha...@debian.org, ns-l...@dsi.ist.utl.pt
Control: affects -1 + src:amanda

Please unblock package amanda


[ Reason ]

The previous version of the fix for CVE-2022-37705 introduced a
regression that is fixed by this version.


[ Impact ]

Breaks the use of tar, for backups in some setups, on the affected
clients, i.e., the use of package amanda-client.  The server cannot
back up itself, but can back up clients with a good amanda client
software.



[ Tests ]

I manually tested the affected version and the fixed version, using a
VM running testing (bookworm) with an amanda compiled for sid.  The
test is to do a backup of the server.  What decides whether it breaks
or not is two options in a dumptype that specify which program to use
for backup.  When using the traditional, old interface for gnutar it
breaks.  When using the new interface it is not affected.

I do not have experience in the C language to do a proper review of
the patch, which is very simple, but broken in 3.5.1-10.


[ Risks ]

The fixes in 3.5.1-10 for the three CVEs are low-risk ones because
user backup is a restricted user.  Only people with privileges already
can log in as user backup and try to run the setgid binaries.  The
people affected by the regression in 3.5.1-10 can work around it using
an older version on the affected clients.  These bugs do not affect
other packages, as amanda-client is a leaf package.



[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]

for name in amanda-client amanda-common amanda-server ; do debdiff 
"/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" 
"/root/${name}_3.5.1-11_amd64.deb" ; done

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, 
perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0)
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= 
[-1:3.5.1-10)-] {+1:3.5.1-11)+}
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, 
libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 
2.31.8)
Installed-Size: [-1076-] {+1077+}
Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, 
gnuplot
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}




unblock amanda/1:3.5.1-11