Bug#990197: unblock: amanda/3.5.1-6
On 22/06/2021 18:08, Jose M Calhariz wrote:
> On 22/06/2021 17:53, Michael Biebl wrote:
>> On 22.06.21 at 18:39, Jose M Calhariz wrote:
>>> On 22/06/2021 17:13, Michael Biebl wrote:
>>>> On 22.06.21 at 16:55, Jose M Calhariz wrote:
>>>>> +override_dh_auto_build:
>>>>> + # MAILER: Fix for #296022, #475771 and #990080
>>>>> + MAILER="/usr/bin/mail" dh_auto_build
>>>> Are you sure this bit is necessary?
>>>> Once MAILER has been set by ./configure, the generated Makefiles
>>>> should have MAILER set up properly.
>>>>
>>>> Can you grep over the generated Makefiles if MAILER is set correctly?
>>>>
>>>> Michael
>>>>
>>> I have included that diff, because of #475771. So in the past it was
>>> necessary.
>>>
>>> Doing grep in all Makefiles I am seeing this:
>>>
>>> DEFAULT_MAILER = /usr/bin/mail
>>> MAILER = /usr/bin/mail
>>>
>>> I can upload a new package with your request, but because of #475771 I
>>> prefer amanda/3.5.1-6 as is. It is your call.
>> Well, if you drop the override_dh_auto_build bit, does the resulting
>> deb work or not? I assume you have tested the patch?
>>
> It works with both diffs. Can you follow #990080 and the thread in
> there? Do you want me to push my git repo with the commits for both tries?
>
> My first build was with MAILER only on config and tested on a bullseye
> server.
>
> Then I was pointed to #475771 and that my change was not complete enough,
> so I have done another build and I tested with the extended diff under the
> same server.
>
> Kind regards
>
> Jose M Calhariz
Bug#990197: unblock: amanda/3.5.1-6
On 22/06/2021 17:13, Michael Biebl wrote:
> On 22.06.21 at 16:55, Jose M Calhariz wrote:
>> +override_dh_auto_build:
>> + # MAILER: Fix for #296022, #475771 and #990080
>> + MAILER="/usr/bin/mail" dh_auto_build
>
> Are you sure this bit is necessary?
> Once MAILER has been set by ./configure, the generated Makefiles
> should have MAILER set up properly.
>
> Can you grep over the generated Makefiles if MAILER is set correctly?
>
> Michael
>
I have included that diff, because of #475771. So in the past it was necessary.

Doing grep in all Makefiles I am seeing this:

DEFAULT_MAILER = /usr/bin/mail
MAILER = /usr/bin/mail

I can upload a new package with your request, but because of #475771 I prefer amanda/3.5.1-6 as is. It is your call.

Kind regards

Jose M Calhariz
Bug#990197: unblock: amanda/3.5.1-6
On 22/06/2021 22:15, Michael Biebl wrote:
> On 22.06.21 at 21:49, Jose M Calhariz wrote:
>
>>> My first build was with MAILER only on config and tested on a
>>> bullseye
>>> server.
>
> This appears to be correct/sufficient
>
>>> Then I was pointed to #475771 and that my change was not complete
>>> enough
>>> so I
>
> I don't think you need to set it for MAKE. I think it was done so
> mistakenly in the past.
>
> If it helps, there is packaging/deb/rules which also sets MAILER only
> during ./configure.
>
So you prefer the following patch and that I upload a 3.5.1-7 with only that change, right? I am learning to do my first unblock request.

git show d8821280299fe30c64d98635b546c87318ee47a5

commit d8821280299fe30c64d98635b546c87318ee47a5
Author: Jose M Calhariz
Date: Sun Jun 20 21:34:41 2021 +0100

Use command mail instead of Mail.

diff --git a/debian/rules b/debian/rules index 6f7e9c7..ad6a1a3 100755 --- a/debian/rules +++ b/debian/rules @@ -41,7 +41,8 @@ confflags = --prefix=/usr \ dh $@ --with autoreconf --parallel override_dh_auto_configure: - LIBS="-lssl" dh_auto_configure -- $(confflags) + # MAILER: Fix for #296022, #475771 and #990080 + MAILER="/usr/bin/mail" LIBS="-lssl" dh_auto_configure -- $(confflags) override_dh_install: sed -i "/dependency_libs/ s/'.*'/''/" `find debian/tmp -name '*.la'`
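Review bot: the override_dh_auto_configure hunk pins MAILER="/usr/bin/mail" into the build, so what has to guarantee that path on an installed system is the package dependency, not the build host; the amanda-server control file shown later in this page (1:3.5.1-11) carries `Depends: ... bsd-mailx | mailx`, and the same dependency must be in place for 3.5.1-6, otherwise a minimal install (the scenario this bug reports) can still lack /usr/bin/mail even though configure was told to use it. Consider mentioning the dependency in the comment next to the bug numbers. Minor: a `# MAILER: ...` line inside a make recipe is a recipe line, so make echoes it into the build log before the shell ignores it; placing the comment above the `override_dh_auto_configure:` target avoids that.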
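The check Michael asks for above (grep the generated Makefiles for MAILER after ./configure) as a small script, added for this page and not part of the amanda packaging. It walks a build tree, reports every Makefile whose MAILER assignment is missing or differs from the value passed to configure, and separately warns when the mailer binary is absent on the machine running the check, which is the situation the bug report describes on a minimal install. The sample Makefiles it builds under mktemp are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not part of the amanda packaging): after
# `MAILER=/usr/bin/mail ./configure ...`, confirm that every generated
# Makefile carries that value. If all agree, exporting MAILER again at
# dh_auto_build time is redundant.

# check_mailer BUILDDIR EXPECTED
# Prints one line per Makefile whose MAILER assignment is missing or differs
# from EXPECTED; returns 0 when every Makefile agrees, 1 otherwise.
check_mailer() {
    builddir=$1
    expected=$2
    rc=0
    for mk in $(find "$builddir" -name Makefile); do
        got=$(sed -n 's/^MAILER[[:space:]]*=[[:space:]]*//p' "$mk" | head -n 1)
        if [ "$got" != "$expected" ]; then
            echo "$mk: MAILER='${got:-<unset>}' expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# The built package, not the build host, has to guarantee the path: a
# minimal install only has /usr/bin/mail if a provider (bsd-mailx | mailx)
# is pulled in by Depends, so this only warns and never fails the build.
warn_if_mailer_missing() {
    [ -x "$1" ] || echo "note: $1 is not present here; the package must depend on a provider of it"
}

# Constructed sample tree (not a real amanda build): one Makefile that took
# the configure value and one that still carries the old Mail name.
demo=$(mktemp -d)
mkdir -p "$demo/server-src" "$demo/client-src"
printf 'DEFAULT_MAILER = /usr/bin/mail\nMAILER = /usr/bin/mail\n' > "$demo/server-src/Makefile"
printf 'MAILER = /usr/bin/Mail\n' > "$demo/client-src/Makefile"

if check_mailer "$demo" /usr/bin/mail; then
    echo "all generated Makefiles use /usr/bin/mail"
else
    echo "MAILER mismatch: fix the ./configure invocation in debian/rules"
fi
warn_if_mailer_missing /usr/bin/mail
rm -rf "$demo"
```

Run it from the top of an unpacked, configured source tree with the real path in place of the demo directory; a clean result is the evidence that the extra override_dh_auto_build export changes nothing.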
Bug#990197: unblock: amanda/3.5.1-6
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package amanda

On a recent minimal install of bullseye I found that the amanda software was not able to send emails. With amanda most of the information is communicated by email to the sysadmin and backup operators, so I think this is a bug of level important.

(include/attach the debdiff against the package in testing)

diff -Nru amanda-3.5.1/debian/rules amanda-3.5.1/debian/rules --- amanda-3.5.1/debian/rules 2020-08-02 21:57:24.0 +0100 +++ amanda-3.5.1/debian/rules 2021-06-22 13:10:01.0 +0100 @@ -1,6 +1,6 @@ #!/usr/bin/make -f # Copyright 1998-2011 by Bdale Garbee. License GPL v2 -# 2016-2017 by Jose M Calhariz. License GPL v2 +# 2016-2021 by Jose M Calhariz. License GPL v2 export DH_VERBOSE=1 @@ -41,7 +41,12 @@ dh $@ --with autoreconf --parallel override_dh_auto_configure: - LIBS="-lssl" dh_auto_configure -- $(confflags) + # MAILER: Fix for #296022, #475771 and #990080 + MAILER="/usr/bin/mail" LIBS="-lssl" dh_auto_configure -- $(confflags) + +override_dh_auto_build: + # MAILER: Fix for #296022, #475771 and #990080 + MAILER="/usr/bin/mail" dh_auto_build override_dh_install: sed -i "/dependency_libs/ s/'.*'/''/" `find debian/tmp -name '*.la'`

unblock amanda/3.5.1-6

-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=C (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
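Review bot: the override_dh_auto_build addition in the second hunk is redundant with the override_dh_auto_configure change just above it. MAILER given to ./configure is substituted into the generated Makefiles (the grep quoted in this bug shows `DEFAULT_MAILER = /usr/bin/mail` and `MAILER = /usr/bin/mail`), so exporting `MAILER="/usr/bin/mail"` again around dh_auto_build changes nothing and leaves two places to keep in sync. Drop it and keep only the configure-time setting, as commit d8821280 shown in this thread does; a build without it whose Makefiles still show /usr/bin/mail is the evidence that the #475771-era workaround is no longer needed.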
Bug#1033292: Re: unblock: amanda/1:3.5.1-11
Hi,

I have updated the git repository on salsa about amanda and created a signed tag.

g...@salsa.debian.org:debian/amanda.git

As the debdiff amanda_3.5.1-10_source.changes amanda_3.5.1-11_source.changes did not work as I expected I am doing a git diff:

diff --git a/debian/changelog b/debian/changelog index d4e1821..498f6f9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +amanda (1:3.5.1-11) unstable; urgency=medium + + * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use +case at least, this patch fix it, fixing the following two bugs. + * Bug fix: "backups fail with the following summary FAILED [no +backup size line]", thanks to Norman Lyon (Closes: #1032330). + * Bug fix: "Amanda is unusable", thanks to Kamil Jonca (Closes: + #1032884). + + -- Jose M Calhariz Tue, 21 Mar 2023 17:35:47 + + amanda (1:3.5.1-10) unstable; urgency=medium * d/p/48-fix-CVE-2022-37705: Fix CVE-2022-37705. diff --git a/debian/patches/49-fix-CVE-2022-37705_part_2 b/debian/patches/49-fix-CVE-2022-37705_part_2 new file mode 100644 index 000..74341a6 --- /dev/null +++ b/debian/patches/49-fix-CVE-2022-37705_part_2 @@ -0,0 +1,24 @@ +Description: Fix the fix for CVE-2022-37705 +Author: pcahyna https://github.com/pcahyna + +Index: amanda.git/client-src/runtar.c +=== +--- amanda.git.orig/client-src/runtar.c2023-03-05 00:10:46.916884175 + amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 + +@@ -191,9 +191,13 @@ main( + g_str_has_prefix(argv[i],"--newer") || + g_str_has_prefix(argv[i],"--exclude-from") || + g_str_has_prefix(argv[i],"--files-from")) { +- good_option++; +- } else if (argv[i][0] != '-') { +- /* argument values are accounted for here */ ++ if (strchr(argv[i], '=')) { ++ good_option++; ++ } else { ++ /* Accept theses options with the following argument */ ++ good_option += 2; ++ } ++} else if (argv[i][0] != '-') { + good_option++; + } + } diff --git a/debian/patches/series b/debian/patches/series index 92dde9d..2be2df4 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -45,6 +45,7 @@ reproducible-build ## # Patches to fix CVEs from 2022 48-fix-CVE-2022-37705 +49-fix-CVE-2022-37705_part_2 50-fix-CVE-2022-37704 52-fix-CVE-2022-37704_part_2 56-fix-CVE-2022-37703

I have attached the two patches for CVE-2022-37705 that I use in the package, the one with the regression and the fix.

Kind regards

Jose M Calhariz

-- 
-- There is something in the closets that keeps the skeletons restless. -- John Barrymore

Description: Fix CVE-2022-37705 Author: Prajwal T R https://github.com/prajwaltr93 Index: amanda.git/client-src/runtar.c === --- amanda.git.orig/client-src/runtar.c 2021-06-20 21:02:56.627301251 +0100 +++ amanda.git/client-src/runtar.c 2023-02-24 12:40:05.041286442 + @@ -191,9 +191,9 @@ main( g_str_has_prefix(argv[i],"--newer") || g_str_has_prefix(argv[i],"--exclude-from") || g_str_has_prefix(argv[i],"--files-from")) { - /* Accept theses options with the following argument */ - good_option += 2; + good_option++; } else if (argv[i][0] != '-') { + /* argument values are accounted for here */ good_option++; } }

Description: Fix the fix for CVE-2022-37705 Author: pcahyna https://github.com/pcahyna Index: amanda.git/client-src/runtar.c === --- amanda.git.orig/client-src/runtar.c 2023-03-05 00:10:46.916884175 + +++ amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 + @@ -191,9 +191,13 @@ main( g_str_has_prefix(argv[i],"--newer") || g_str_has_prefix(argv[i],"--exclude-from") || g_str_has_prefix(argv[i],"--files-from")) { - good_option++; - } else if (argv[i][0] != '-') { - /* argument values are accounted for here */ + if (strchr(argv[i], '=')) { + good_option++; + } else { + /* Accept theses options with the following argument */ + good_option += 2; + } +} else if (argv[i][0] != '-') { good_option++; } }
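Review bot: the debian/changelog hunk says 48-fix-CVE-2022-37705 "broken one use case at least" without naming it; the unblock request identifies the broken case as the traditional GNUTAR dumptype interface (the new application interface is unaffected), and stating that in the changelog entry lets the release team and users tell whether #1032330 and #1032884 apply to their setup. Also "broken one use case ... this patch fix it" reads better as "broke one use case at least; this patch fixes it".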
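Review bot: in the 48-fix-CVE-2022-37705 hunk, changing `good_option += 2` to `good_option++` makes `--files-from FILE` and `--files-from=FILE` contribute the same count and relies on the separated value being counted by the `argv[i][0] != '-'` branch (the added comment "argument values are accounted for here"); the regression fixed by part 2 (#1032330, #1032884) shows that assumption did not hold for the legacy invocation, so a patch touching this counter should come with a test that runs both spellings of each value-taking option (`--newer`, `--exclude-from`, `--files-from`) through runtar and checks accept/reject. The removed comment "Accept theses options with the following argument" (sic) is the only statement of intent for the `+= 2`, and that intent should survive in the patch description rather than disappear.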
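Review bot: in the 49-fix-CVE-2022-37705_part_2 hunk, the `else` branch does `good_option += 2` on the assumption that argv[i+1] exists and is the option's value, but nothing in the hunk checks `i + 1 < argc` or that argv[i+1] does not itself start with `-`, and the loop is not advanced past the value. Unless code outside the hunk skips it, the separated value then reaches the `argv[i][0] != '-'` branch and is counted a second time, and an over-count by one is exactly what lets one unlisted option (an injected `--to-command=...`, say) make the total come out right. Consume the value explicitly instead: check `i + 1 < argc && argv[i + 1][0] != '-'`, then `i++` so the count tracks what tar will actually receive. Separately, `g_str_has_prefix(argv[i], "--files-from")` also accepts `--files-fromXYZ`; comparing the option name up to the `=` exactly is safer. Typo in the reinstated comment: "theses" should be "these".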
Bug#1033292: unblock: amanda/1:3.5.1-11
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ama...@packages.debian.org, jose.calha...@tecnico.ulisboa.pt, calha...@debian.org, ns-l...@dsi.ist.utl.pt
Control: affects -1 + src:amanda

Please unblock package amanda

[ Reason ]
The previous version of the fix for CVE-2022-37705 introduced a regression that is fixed by this version.

[ Impact ]
Breaks the use of tar for backups in some setups on the affected clients, i.e., the use of package amanda-client. The server can not back up itself, but can back up clients with good amanda client software.

[ Tests ]
I manually tested the affected version and the fixed version, using a VM running testing (bookworm) with an amanda compiled for sid. The test is to do a backup of the server. The detail that breaks or not is two options in a dumptype that specify what program to use for backup. When using the traditional and old interface for gnutar it breaks. When using the new interface it is not affected.

I do not have experience in the C language to do a proper review of the patch, which is very simple but broken in 3.5.1-10.

[ Risks ]
The fix in 3.5.1-10 for the three CVEs is a low-risk one because user backup is a restricted user. Only people who already have privileges can log in as user backup and try to run the setgid binaries. People affected by the regression in 3.5.1-10 can work around it by using an older version on the affected clients. This bug does not affect other packages as amanda-client is a leaf package.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
for name in amanda-client amanda-common amanda-server ; do debdiff "/var/cache/apt/archives/${name}_1%3a3.5.1-10_amd64.deb" "/root/${name}_3.5.1-11_amd64.deb" ; done

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} libxml-simple-perl, perl:any, libc6 (>= 2.34), libglib2.0-0 (>= 2.31.8), libreadline8 (>= 6.0)
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Suggests: amanda-server (= [-1:3.5.1-10)-] {+1:3.5.1-11)+} | amanda-client (= [-1:3.5.1-10)-] {+1:3.5.1-11)+}
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Depends: amanda-common (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} bsd-mailx | mailx, libjson-perl, perl:any, libc6 (>= 2.34), libcurl4 (>= 7.16.2), libglib2.0-0 (>= 2.31.8)
Installed-Size: [-1076-] {+1077+}
Suggests: amanda-client (= [-1:3.5.1-10),-] {+1:3.5.1-11),+} cpio | mt-st, gnuplot
Version: [-1:3.5.1-10-] {+1:3.5.1-11+}

unblock amanda/1:3.5.1-11
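The regression and its fix discussed in this bug come down to how a setgid/setuid tar wrapper counts the arguments it is about to hand to tar. What follows is an added example written for this page; it is not code from amanda's runtar.c or from either of the patches above. It models the allow-list counting approach with both spellings of a value-taking option (`--files-from=FILE` in one argv element, `--files-from FILE` in two), requires that a separated value actually exists and is not itself an option, matches option names exactly rather than by prefix, and refuses anything not on the list. The option lists and the sample command lines are assumptions constructed for the example, not amanda's real allow-list or a captured invocation.

```c
#include <stdio.h>
#include <string.h>

/*
 * Allow-list validation for a privileged tar wrapper, in the style
 * discussed in the thread: every argv element must be accounted for by
 * the list, and the command line is refused if anything is left over.
 * The option lists below are assumptions for this example.
 */

/* Options that take a value, as "--opt=VALUE" or as "--opt VALUE". */
static const char *const value_opts[] = {
    "--newer", "--exclude-from", "--files-from", "--exclude", NULL
};

/* Boolean options that never take a value. */
static const char *const flag_opts[] = {
    "--create", "--verbose", "--sparse", "--one-file-system", "--totals", NULL
};

/* Exact match of the option name (the text before any '=').  A prefix
 * match would let "--files-fromXYZ" or "--newer-mtime" pass as the listed
 * option, so compare the whole name. */
static int in_list(const char *const *list, const char *arg)
{
    const char *eq = strchr(arg, '=');
    size_t n = eq ? (size_t)(eq - arg) : strlen(arg);
    for (; *list; list++)
        if (strlen(*list) == n && strncmp(*list, arg, n) == 0)
            return 1;
    return 0;
}

/*
 * Walk argv[1..argc-1], consuming each element exactly once.
 * Returns 1 if the whole command line is allowed, 0 if any element is not.
 */
int args_allowed(int argc, char *const argv[])
{
    int i = 1;
    while (i < argc) {
        const char *a = argv[i];
        if (in_list(value_opts, a)) {
            if (strchr(a, '=')) {
                i += 1;                 /* --opt=VALUE occupies one element */
            } else {
                /* --opt VALUE: the value must exist and must not itself look
                 * like an option; otherwise an injected "--to-command=..."
                 * could sit in the value slot and still satisfy the count. */
                if (i + 1 >= argc || argv[i + 1][0] == '-')
                    return 0;
                i += 2;
            }
        } else if (in_list(flag_opts, a)) {
            if (strchr(a, '='))
                return 0;               /* a flag with "=..." is not a flag */
            i += 1;
        } else if (a[0] != '-') {
            i += 1;                     /* operand, e.g. the path to dump */
        } else {
            return 0;                   /* unknown option: refuse to exec */
        }
    }
    return 1;
}

/* Convenience wrapper for NULL-terminated vectors (argc derived). */
int check_cmdline(char *const argv[])
{
    int argc = 0;
    while (argv[argc]) argc++;
    return args_allowed(argc, argv);
}

/* Constructed sample command lines (not captured from a real amanda run). */
static char *const legit_eq[]   = { "runtar", "--create", "--files-from=/var/lib/amanda/list", "--newer=2023-03-05", "/srv/data", NULL };
static char *const legit_sep[]  = { "runtar", "--create", "--files-from", "/var/lib/amanda/list", "--newer", "2023-03-05", "/srv/data", NULL };
static char *const injected[]   = { "runtar", "--create", "--files-from=/var/lib/amanda/list", "--to-command=/tmp/x", "/srv/data", NULL };
static char *const truncated[]  = { "runtar", "--create", "--files-from", NULL };
static char *const opt_as_val[] = { "runtar", "--create", "--files-from", "--to-command=/tmp/x", NULL };

int main(void)
{
    printf("legit (=)      : %d\n", check_cmdline(legit_eq));    /* 1 */
    printf("legit (sep)    : %d\n", check_cmdline(legit_sep));   /* 1 */
    printf("injected       : %d\n", check_cmdline(injected));    /* 0 */
    printf("missing value  : %d\n", check_cmdline(truncated));   /* 0 */
    printf("option as value: %d\n", check_cmdline(opt_as_val));  /* 0 */
    return 0;
}
```

The separated-value branch is where the two patches differ: consuming the next element only after verifying that it exists and does not start with `-`, and then advancing past it, keeps the count equal to what tar will actually see, so an unlisted option can neither occupy the value slot nor ride on an over-count. Build with `cc -Wall` and run; each line prints 1 for accepted and 0 for refused.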