Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Jose M Calhariz
On 22/06/2021 18:08, Jose M Calhariz wrote:
> On 22/06/2021 17:53, Michael Biebl wrote:
>> On 22.06.21 at 18:39, Jose M Calhariz wrote:
>>> On 22/06/2021 17:13, Michael Biebl wrote:
>>>> On 22.06.21 at 16:55, Jose M Calhariz wrote:
>>>>> +override_dh_auto_build:
>>>>> +    # MAILER: Fix for #296022, #475771 and #990080
>>>>> +    MAILER="/usr/bin/mail" dh_auto_build
>>>> Are you sure this bit is necessary?
>>>> Once MAILER has been set by ./configure, the generated Makefiles
>>>> should have MAILER set up properly.
>>>>
>>>> Can you grep over the generated Makefiles if MAILER is set correctly?
>>>>
>>>> Michael
>>>>
>>> I have included that diff, because of #475771.  So in the past it was
>>> necessary.
>>>
>>> Doing grep in all Makefiles I am seeing this:
>>>
>>> DEFAULT_MAILER = /usr/bin/mail
>>> MAILER = /usr/bin/mail
>>>
>>>
>>> I can upload a new package with your request, but because of #475771 I
>>> prefer amanda/3.5.1-6 as is.  It is your call.
>> Well, if you drop the override_dh_auto_build bit, does the resulting
>> deb work or not? I assume you have tested the patch?
>>
>>
> It works with both diffs.  Can you follow #990080 and the thread in
> there?  Do you want me to push my git repo with the commits for both
> tries?
>
> My first build was with MAILER only on config and tested on a bullseye
> server.
>
> Then I was pointed to #475771 and that my change was not complete enough,
> so I have done another build and I tested with the extended diff under
> the same server.
>
>
> Kind regards
>
> Jose M Calhariz
>
>
>



Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Jose M Calhariz
On 22/06/2021 17:13, Michael Biebl wrote:
> On 22.06.21 at 16:55, Jose M Calhariz wrote:
>> +override_dh_auto_build:
>> +    # MAILER: Fix for #296022, #475771 and #990080
>> +    MAILER="/usr/bin/mail" dh_auto_build
>
> Are you sure this bit is necessary?
> Once MAILER has been set by ./configure, the generated Makefiles
> should have MAILER set up properly.
>
> Can you grep over the generated Makefiles if MAILER is set correctly?
>
> Michael
>
I have included that diff, because of #475771.  So in the past it was
necessary.

Doing grep in all Makefiles I am seeing this:

DEFAULT_MAILER = /usr/bin/mail
MAILER = /usr/bin/mail


I can upload a new package with your request, but because of #475771 I
prefer amanda/3.5.1-6 as is.  It is your call.


Kind regards

Jose M Calhariz



Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Jose M Calhariz
On 22/06/2021 22:15, Michael Biebl wrote:
> On 22.06.21 at 21:49, Jose M Calhariz wrote:
>
>>> My first build was with MAILER only on config and tested on a bullseye
>>> server.
>
> This appears to be correct/sufficient
>
>>> Then I was pointed to #475771 and that my change was not complete enough
>>> so I
>
> I don't think you need to set it for MAKE. I think it was done so
> mistakenly in the past.
>
>
> If it helps, there is packaging/deb/rules which also sets MAILER only
> during ./configure.
>

So you prefer the following patch and that I upload a 3.5.1-7 with only
that change, right?

I am learning to do my first unblock request.


git show d8821280299fe30c64d98635b546c87318ee47a5
commit d8821280299fe30c64d98635b546c87318ee47a5
Author: Jose M Calhariz 
Date:   Sun Jun 20 21:34:41 2021 +0100

    Use command mail instead of Mail.

diff --git a/debian/rules b/debian/rules
index 6f7e9c7..ad6a1a3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -41,7 +41,8 @@ confflags = --prefix=/usr \
    dh $@ --with autoreconf --parallel
 
 override_dh_auto_configure:
-   LIBS="-lssl" dh_auto_configure -- $(confflags)
+   # MAILER: Fix for #296022, #475771 and #990080
+   MAILER="/usr/bin/mail" LIBS="-lssl" dh_auto_configure --
$(confflags)
 
 override_dh_install:
    sed -i "/dependency_libs/ s/'.*'/''/" `find debian/tmp -name '*.la'`
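Review bot: The comment on the new `MAILER="/usr/bin/mail"` line in override_dh_auto_configure lists three bug numbers but does not say what the setting does. One line stating that it fixes the mail command path at configure time, as the commit subject says, would spare readers a lookup of #296022, #475771 and #990080. As pasted, the added line is also wrapped so that `$(confflags)` sits on a line of its own, so the change should be applied from the git commit rather than from this mail.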



Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Jose M Calhariz
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package amanda

On a recent minimal install of bullseye I found that amanda software
was not able to send emails.  With amanda most of the information is
communicated by email to the sysadmin and backup operators, so I think
this is a bug of level important.

(include/attach the debdiff against the package in testing)

diff -Nru amanda-3.5.1/debian/rules amanda-3.5.1/debian/rules
--- amanda-3.5.1/debian/rules   2020-08-02 21:57:24.0 +0100
+++ amanda-3.5.1/debian/rules   2021-06-22 13:10:01.0 +0100
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 # Copyright 1998-2011 by Bdale Garbee.  License GPL v2
-#   2016-2017 by Jose M Calhariz. License GPL v2
+#   2016-2021 by Jose M Calhariz. License GPL v2
 
 export DH_VERBOSE=1
 
@@ -41,7 +41,12 @@
dh $@ --with autoreconf --parallel
 
 override_dh_auto_configure:
-   LIBS="-lssl" dh_auto_configure -- $(confflags)
+   # MAILER: Fix for #296022, #475771 and #990080
+   MAILER="/usr/bin/mail" LIBS="-lssl" dh_auto_configure -- $(confflags)
+
+override_dh_auto_build:
+   # MAILER: Fix for #296022, #475771 and #990080
+   MAILER="/usr/bin/mail" dh_auto_build
 
 override_dh_install:
sed -i "/dependency_libs/ s/'.*'/''/" `find debian/tmp -name '*.la'`
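Review bot: The added override_dh_auto_build target looks redundant: MAILER is already passed to dh_auto_configure in the same hunk, and the grep reported in this thread shows `MAILER = /usr/bin/mail` in the generated Makefiles. A variable placed in the environment of dh_auto_build would not override an assignment made inside a Makefile anyway, since make only lets the environment win when it is run with -e. Suggest dropping this target and keeping the configure-time setting, so the value is defined in one place.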


unblock amanda/3.5.1-6

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to 
en_GB.UTF-8), LANGUAGE=C (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1033292: Subject:Re: Bug#1033292: unblock: amanda/1:3.5.1-11

2023-03-25 Thread Jose M Calhariz
Hi,

I have updated the git repository on salsa about amanda and created a
signed tag.  g...@salsa.debian.org:debian/amanda.git

As the debdiff amanda_3.5.1-10_source.changes
amanda_3.5.1-11_source.changes did not work as I expected I am 
doing a git diff:

diff --git a/debian/changelog b/debian/changelog
index d4e1821..498f6f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+amanda (1:3.5.1-11) unstable; urgency=medium
+
+  * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use
+case at least, this patch fix it, fixing the following two bugs.
+  * Bug fix: "backups fail with the following summary FAILED [no
+backup size line]", thanks to Norman Lyon (Closes: #1032330).
+  * Bug fix: "Amanda is unusable", thanks to Kamil Jonca (Closes:
+    #1032884).
+
+ -- Jose M Calhariz   Tue, 21 Mar 2023 17:35:47 +
+
 amanda (1:3.5.1-10) unstable; urgency=medium
 
   * d/p/48-fix-CVE-2022-37705: Fix CVE-2022-37705.
diff --git a/debian/patches/49-fix-CVE-2022-37705_part_2 
b/debian/patches/49-fix-CVE-2022-37705_part_2
new file mode 100644
index 000..74341a6
--- /dev/null
+++ b/debian/patches/49-fix-CVE-2022-37705_part_2
@@ -0,0 +1,24 @@
+Description: Fix the fix for CVE-2022-37705
+Author: pcahyna https://github.com/pcahyna
+
+Index: amanda.git/client-src/runtar.c
+===
+--- amanda.git.orig/client-src/runtar.c2023-03-05 00:10:46.916884175 
+
 amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 +
+@@ -191,9 +191,13 @@ main(
+   g_str_has_prefix(argv[i],"--newer") ||
+   g_str_has_prefix(argv[i],"--exclude-from") ||
+   g_str_has_prefix(argv[i],"--files-from")) {
+-  good_option++;
+-  } else if (argv[i][0] != '-') {
+-  /* argument values are accounted for here */
++  if (strchr(argv[i], '=')) {
++  good_option++;
++  } else {
++  /* Accept theses options with the following argument */
++  good_option += 2;
++  }
++} else if (argv[i][0] != '-') {
+   good_option++;
+   }
+   }
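Review bot: In the new `else` branch, `good_option += 2` accepts the argument that follows `--newer`, `--exclude-from` or `--files-from` without looking at it, and nothing in the hunk shows a check that a following argument exists. Since this code is the CVE-2022-37705 check, the comment should say why counting the next argument unseen is safe here. Note also that `g_str_has_prefix` followed by `strchr(argv[i], '=')` matches any argument that merely starts with one of these names, so comparing the exact option name up to the `=` would be tighter.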
diff --git a/debian/patches/series b/debian/patches/series
index 92dde9d..2be2df4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,6 +45,7 @@ reproducible-build
 ##
 # Patches to fix CVEs from 2022
 48-fix-CVE-2022-37705
+49-fix-CVE-2022-37705_part_2
 50-fix-CVE-2022-37704
 52-fix-CVE-2022-37704_part_2
 56-fix-CVE-2022-37703






I have attached the two patches for CVE-2022-37705 that I use in the
package, the one with the regression and the fix.

Kind regards
Jose M Calhariz





-- 
--
There is something in the closets that makes the skeletons
restless.
-- John Barrymore
Description: Fix CVE-2022-37705
Author: Prajwal T R https://github.com/prajwaltr93

Index: amanda.git/client-src/runtar.c
===
--- amanda.git.orig/client-src/runtar.c 2021-06-20 21:02:56.627301251 +0100
+++ amanda.git/client-src/runtar.c  2023-02-24 12:40:05.041286442 +
@@ -191,9 +191,9 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
-   /* Accept theses options with the following argument */
-   good_option += 2;
+   good_option++;
} else if (argv[i][0] != '-') {
+   /* argument values are accounted for here */
good_option++;
}
}
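Review bot: After this change the listed options count only themselves, so a value passed as a separate argument is accepted only through the `argv[i][0] != '-'` branch. The removed comment said these options take "the following argument"; the new comment should state which spellings are expected (`--exclude-from=FILE`, `--exclude-from FILE`, or both), and the patch would benefit from a test covering each, since the 1:3.5.1-11 changelog on this page records that this patch broke at least one use case.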
Description: Fix the fix for CVE-2022-37705
Author: pcahyna https://github.com/pcahyna

Index: amanda.git/client-src/runtar.c
===
--- amanda.git.orig/client-src/runtar.c 2023-03-05 00:10:46.916884175 +
+++ amanda.git/client-src/runtar.c  2023-03-05 00:15:52.189417756 +
@@ -191,9 +191,13 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
-   good_option++;
-   } else if (argv[i][0] != '-') {
-   /* argument values are accounted for here */
+   if (strchr(argv[i], '=')) {
+   good_option++;
+   } else {
+   /* Accept theses options with the following argument */
+   good_option += 2;
+   }
+} else if (argv[i][0] != '-') {
good_option++;
}
}
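Review bot: The patch header carries only Description and Author. The changelog entry for 1:3.5.1-11 ties this fix to #1032330 and #1032884, so adding Bug-Debian lines for those two bugs and an Origin line for where the change was taken from would let the patch be traced without the changelog. The Description could also say which case the first patch broke, which the hunk shows to be the listed options given without `=`.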




Bug#1033292: unblock: amanda/1:3.5.1-11

2023-03-21 Thread Jose M Calhariz
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, 
calha...@debian.org, ns-l...@dsi.ist.utl.pt
Control: affects -1 + src:amanda

Please unblock package amanda


[ Reason ]

The previous version of the fix for CVE-2022-37705 introduced a
regression that is fixed by this version.


[ Impact ]

Breaks the use of tar for backups in some setups on the affected
clients, i.e., the use of package amanda-client.  The server cannot
back up itself, but can back up clients with good amanda client
software.



[ Tests ]

I manually tested the affected version and the fixed version, using a
VM running testing (bookworm) with an amanda compiled for sid.  The
test is to do a backup of the server.  The detail that breaks or not is
two options in a dumptype that specifies what program to use for
backup.  When using the traditional and old interface for gnutar it
breaks.  When using the new interface it is not affected.

I do not have experience in C language to do a proper review of the
patch that is very simple, but broken in 3.5.1-10.


[ Risks ]

The fixes in 3.5.1-10 for the three CVEs are low-risk ones because
user backup is a restricted user.  Only people who already have privileges
can log in as user backup and try to run the setgid binaries.  People
affected by the regression in 3.5.1-10 can work around it by using an older
version on the affected clients.  This bug does not affect other
packages, as amanda-client is a leaf package.



[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]

for name in amanda-client amanda-common amanda-server ; do debdiff "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" "/root/${name}_3.5.1-11_amd64.deb" ; done

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, 
perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0)
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= 
[-1:3.5.1-10)-] {+1:3.5.1-11)+}
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, 
libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 
2.31.8)
Installed-Size: [-1076-] {+1077+}
Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, 
gnuplot
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}




unblock amanda/1:3.5.1-11