Bug#1033292: Re: Bug#1033292: unblock: amanda/1:3.5.1-11
Hi,

I have updated the git repository on salsa about amanda and created a signed tag.

g...@salsa.debian.org:debian/amanda.git

As the debdiff amanda_3.5.1-10_source.changes amanda_3.5.1-11_source.changes did not work as I expected, I am doing a git diff:

diff --git a/debian/changelog b/debian/changelog index d4e1821..498f6f9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +amanda (1:3.5.1-11) unstable; urgency=medium + + * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use +case at least, this patch fix it, fixing the following two bugs. + * Bug fix: "backups fail with the following summary FAILED [no +backup size line]", thanks to Norman Lyon (Closes: #1032330). + * Bug fix: "Amanda is unusable", thanks to Kamil Jonca (Closes: +#1032884). + + -- Jose M Calhariz Tue, 21 Mar 2023 17:35:47 + + amanda (1:3.5.1-10) unstable; urgency=medium * d/p/48-fix-CVE-2022-37705: Fix CVE-2022-37705.

diff --git a/debian/patches/49-fix-CVE-2022-37705_part_2 b/debian/patches/49-fix-CVE-2022-37705_part_2 new file mode 100644 index 000..74341a6 --- /dev/null +++ b/debian/patches/49-fix-CVE-2022-37705_part_2 @@ -0,0 +1,24 @@ +Description: Fix the fix for CVE-2022-37705 +Author: pcahyna https://github.com/pcahyna + +Index: amanda.git/client-src/runtar.c +=== +--- amanda.git.orig/client-src/runtar.c2023-03-05 00:10:46.916884175 + amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 + +@@ -191,9 +191,13 @@ main( + g_str_has_prefix(argv[i],"--newer") || + g_str_has_prefix(argv[i],"--exclude-from") || + g_str_has_prefix(argv[i],"--files-from")) { +- good_option++; +- } else if (argv[i][0] != '-') { +- /* argument values are accounted for here */ ++ if (strchr(argv[i], '=')) { ++ good_option++; ++ } else { ++ /* Accept theses options with the following argument */ ++ good_option += 2; ++ } ++} else if (argv[i][0] != '-') { + good_option++; + } + }

diff --git a/debian/patches/series b/debian/patches/series index 92dde9d..2be2df4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -45,6 +45,7 @@ reproducible-build ## # Patches to fix CVEs from 2022 48-fix-CVE-2022-37705 +49-fix-CVE-2022-37705_part_2 50-fix-CVE-2022-37704 52-fix-CVE-2022-37704_part_2 56-fix-CVE-2022-37703

I have attached the two patches for CVE-2022-37705 that I use in the package, the one with the regression and the fix.

Kind regards
Jose M Calhariz

--
There is something in the closets that makes the skeletons restless. -- John Barrymore

Description: Fix CVE-2022-37705
Author: Prajwal T R https://github.com/prajwaltr93
Index: amanda.git/client-src/runtar.c === --- amanda.git.orig/client-src/runtar.c 2021-06-20 21:02:56.627301251 +0100 +++ amanda.git/client-src/runtar.c 2023-02-24 12:40:05.041286442 + @@ -191,9 +191,9 @@ main( g_str_has_prefix(argv[i],"--newer") || g_str_has_prefix(argv[i],"--exclude-from") || g_str_has_prefix(argv[i],"--files-from")) { - /* Accept theses options with the following argument */ - good_option += 2; + good_option++; } else if (argv[i][0] != '-') { + /* argument values are accounted for here */ good_option++; } }

Description: Fix the fix for CVE-2022-37705
Author: pcahyna https://github.com/pcahyna
Index: amanda.git/client-src/runtar.c === --- amanda.git.orig/client-src/runtar.c 2023-03-05 00:10:46.916884175 + +++ amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 + @@ -191,9 +191,13 @@ main( g_str_has_prefix(argv[i],"--newer") || g_str_has_prefix(argv[i],"--exclude-from") || g_str_has_prefix(argv[i],"--files-from")) { - good_option++; - } else if (argv[i][0] != '-') { - /* argument values are accounted for here */ + if (strchr(argv[i], '=')) { + good_option++; + } else { + /* Accept theses options with the following argument */ + good_option += 2; + } +} else if (argv[i][0] != '-') { good_option++; } }
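Review bot: the first bullet of the new `debian/changelog` entry is hard to parse as written ("48-fix-CVE-2022-37705 broken one use case at least, this patch fix it, fixing the following two bugs"); suggest "48-fix-CVE-2022-37705 broke at least one use case; this patch fixes it and closes the following two bugs". It would also help the release team and the reporters of #1032330 and #1032884 if the entry named the affected configuration, which according to the unblock request is the traditional gnutar program interface selected through the dumptype options, since the newer interface is not affected.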
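Review bot: in the hunk adding `debian/patches/49-fix-CVE-2022-37705_part_2` (the same patch is attached again at the end of the mail), the `good_option += 2` branch assumes the next argv element is the option's value, but nothing in the hunk skips that element; if the enclosing loop does not advance `i` past it, a value that does not start with `-` is counted a second time by the `else if (argv[i][0] != '-')` branch on the following iteration, so the loop body outside this hunk should be checked before accepting the count. Two smaller points: `theses` in the restored comment should be `these`, and the new `+}` closing-brace line sits at column 0, breaking the indentation of the `else if` chain. The DEP-3 header carries only `Description` and `Author`; add `Bug-Debian: https://bugs.debian.org/1032330` and `Bug-Debian: https://bugs.debian.org/1032884` lines and an `Origin:` line pointing at the upstream commit or pull request (its URL is not given in this mail) so the provenance of the fix is recorded.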
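Review bot: the attached `48-fix-CVE-2022-37705` patch is the one that introduced the regression: its `good_option++` gives `--files-from LIST` and `--files-from=LIST` the same count, which part 2 now separates with `strchr(argv[i], '=')`. Since part 2 only makes sense on top of it, its DEP-3 header (currently only `Description` and `Author`) should state that `49-fix-CVE-2022-37705_part_2` must be applied with it, or the two should be squashed into a single entry in `debian/patches/series` so the broken intermediate state of 3.5.1-10 cannot be recreated by applying 48 alone.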
Bug#1033292: unblock: amanda/1:3.5.1-11
Control: tags -1 moreinfo

On 2023-03-21 19:08:09 +, Jose M Calhariz wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, calha...@debian.org, ns-l...@dsi.ist.utl.pt
> Control: affects -1 + src:amanda
>
> Please unblock package amanda
>
> [ Reason ]
>
> The previous version of the fix for CVE-2022-37705 introduced a regression that is fixed by this version.
>
> [ Impact ]
>
> Breaks the use of tar for backups in some setups on the affected clients, i.e., the use of package amanda-client. The server cannot back up itself, but can back up clients with good amanda client software.
>
> [ Tests ]
>
> I manually tested the affected version and the fixed version, using a VM running testing (bookworm) with an amanda compiled for sid. The test is to do a backup of the server. The detail that breaks or not is two options in a dumptype that specify what program to use for backup. When using the traditional and old interface for gnutar it breaks. When using the new interface it is not affected.
>
> I do not have experience in the C language to do a proper review of the patch, which is very simple, but broken in 3.5.1-10.
>
> [ Risks ]
>
> The fixes in 3.5.1-10 for the three CVEs are low risk ones because user backup is a restricted user. Only people with privileges already can log in as user backup and try to run the setgid binaries. The people affected by the regression in 3.5.1-10 can work around it using an older version on the affected clients. This bug does not affect other packages as amanda-client is a leaf package.
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other info ]
>
> for name in amanda-client amanda-common amanda-server ; do debdiff "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" "/root/${name}_3.5.1-11_amd64.deb" ; done

Please provide the debdiff of the source package.

Cheers

> File lists identical (after any substitutions)
>
> Control files: lines which differ (wdiff format)
>
> Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0)
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
>
> File lists identical (after any substitutions)
>
> Control files: lines which differ (wdiff format)
>
> Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= [-1:3.5.1-10)-] {+1:3.5.1-11)+}
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
>
> File lists identical (after any substitutions)
>
> Control files: lines which differ (wdiff format)
>
> Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 2.31.8)
> Installed-Size: [-1076-] {+1077+}
> Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, gnuplot
> Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
>
> unblock amanda/1:3.5.1-11

--
Sebastian Ramacher
Bug#1033292: unblock: amanda/1:3.5.1-11
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, calha...@debian.org, ns-l...@dsi.ist.utl.pt
Control: affects -1 + src:amanda

Please unblock package amanda

[ Reason ]

The previous version of the fix for CVE-2022-37705 introduced a regression that is fixed by this version.

[ Impact ]

Breaks the use of tar for backups in some setups on the affected clients, i.e., the use of package amanda-client. The server cannot back up itself, but can back up clients with good amanda client software.

[ Tests ]

I manually tested the affected version and the fixed version, using a VM running testing (bookworm) with an amanda compiled for sid. The test is to do a backup of the server. The detail that breaks or not is two options in a dumptype that specify what program to use for backup. When using the traditional and old interface for gnutar it breaks. When using the new interface it is not affected.

I do not have experience in the C language to do a proper review of the patch, which is very simple, but broken in 3.5.1-10.

[ Risks ]

The fixes in 3.5.1-10 for the three CVEs are low risk ones because user backup is a restricted user. Only people with privileges already can log in as user backup and try to run the setgid binaries. The people affected by the regression in 3.5.1-10 can work around it using an older version on the affected clients. This bug does not affect other packages as amanda-client is a leaf package.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]

for name in amanda-client amanda-common amanda-server ; do debdiff "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" "/root/${name}_3.5.1-11_amd64.deb" ; done

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0)
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= [-1:3.5.1-10)-] {+1:3.5.1-11)+}
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 2.31.8)
Installed-Size: [-1076-] {+1077+}
Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, gnuplot
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

unblock amanda/1:3.5.1-11