Hi,
I have updated the git repository on salsa about amanda and created a
signed tag. git@salsa.debian.org:debian/amanda.git
As the debdiff amanda_3.5.1-10_source.changes
amanda_3.5.1-11_source.changes did not work as I expected, I am
doing a git diff:
diff --git a/debian/changelog b/debian/changelog
index d4e1821..498f6f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+amanda (1:3.5.1-11) unstable; urgency=medium
+
+ * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use
+ case at least, this patch fix it, fixing the following two bugs.
+ * Bug fix: "backups fail with the following summary "FAILED [no
+ backup size line]"", thanks to Norman Lyon (Closes: #1032330).
+ * Bug fix: "Amanda is unusable", thanks to Kamil Jonca (Closes:
+ #1032884).
+
+ -- Jose M Calhariz <calhariz@debian.org> Tue, 21 Mar 2023 17:35:47 +0000
+
amanda (1:3.5.1-10) unstable; urgency=medium
* d/p/48-fix-CVE-2022-37705: Fix CVE-2022-37705.
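Review bot: The new changelog entry says 48-fix-CVE-2022-37705 "broken one use case at least" without naming the case. The patch it introduces shows that the affected form is `--newer`, `--exclude-from` or `--files-from` given without '=' and with the value as the following argument; stating that in the entry would let users match the regression to their setup without reading both bug reports.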
diff --git a/debian/patches/49-fix-CVE-2022-37705_part_2 b/debian/patches/49-fix-CVE-2022-37705_part_2
new file mode 100644
index 0000000..74341a6
--- /dev/null
+++ b/debian/patches/49-fix-CVE-2022-37705_part_2
@@ -0,0 +1,24 @@
+Description: Fix the fix for CVE-2022-37705
+Author: pcahyna https://github.com/pcahyna
+
+Index: amanda.git/client-src/runtar.c
+===================================================================
+--- amanda.git.orig/client-src/runtar.c 2023-03-05 00:10:46.916884175 +0000
++++ amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 +0000
+@@ -191,9 +191,13 @@ main(
+ g_str_has_prefix(argv[i],"--newer") ||
+ g_str_has_prefix(argv[i],"--exclude-from") ||
+ g_str_has_prefix(argv[i],"--files-from")) {
+- good_option++;
+- } else if (argv[i][0] != '-') {
+- /* argument values are accounted for here */
++ if (strchr(argv[i], '=')) {
++ good_option++;
++ } else {
++ /* Accept theses options with the following argument */
++ good_option += 2;
++ }
++ } else if (argv[i][0] != '-') {
+ good_option++;
+ }
+ }
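Review bot: In the new `else` branch, `good_option += 2` accepts the argument that follows `--newer`, `--exclude-from` or `--files-from` without looking at it, and nothing in the hunk checks that a following argument exists. Since this counter is the option allow-list for a CVE fix, consider testing `argv[i+1] != NULL` before counting the value, and extend the comment to say why the value is accepted unchecked while any other argument has to match a listed option or not start with '-'. The comment typo "theses" could be fixed in the same change.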
diff --git a/debian/patches/series b/debian/patches/series
index 92dde9d..2be2df4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,6 +45,7 @@ reproducible-build
######################################################################
# Patches to fix CVEs from 2022
48-fix-CVE-2022-37705
+49-fix-CVE-2022-37705_part_2
50-fix-CVE-2022-37704
52-fix-CVE-2022-37704_part_2
56-fix-CVE-2022-37703
I have attached the two patches for CVE-2022-37705 that I use in the
package, the one with the regression and the fix.
Kind regards
Jose M Calhariz
--
There is something in the closets that makes the skeletons
restless.
-- John Barrymore
Description: Fix CVE-2022-37705
Author: Prajwal T R https://github.com/prajwaltr93
Index: amanda.git/client-src/runtar.c
===================================================================
--- amanda.git.orig/client-src/runtar.c 2021-06-20 21:02:56.627301251 +0100
+++ amanda.git/client-src/runtar.c 2023-02-24 12:40:05.041286442 +0000
@@ -191,9 +191,9 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
- /* Accept theses options with the following argument */
- good_option += 2;
+ good_option++;
} else if (argv[i][0] != '-') {
+ /* argument values are accounted for here */
good_option++;
}
}
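Review bot: The `good_option++` in the `--newer` / `--exclude-from` / `--files-from` branch no longer covers the option's value when it is passed as a separate argument. That value is now counted only by the `argv[i][0] != '-'` branch, as the added comment says, so a value that itself begins with '-' is not counted at all. The two spellings need different handling: count one when the argument contains '=' and count the following argument only when it does not, which is the distinction 49-fix-CVE-2022-37705_part_2 adds with `strchr(argv[i], '=')`.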
Description: Fix the fix for CVE-2022-37705
Author: pcahyna https://github.com/pcahyna
Index: amanda.git/client-src/runtar.c
===================================================================
--- amanda.git.orig/client-src/runtar.c 2023-03-05 00:10:46.916884175 +0000
+++ amanda.git/client-src/runtar.c 2023-03-05 00:15:52.189417756 +0000
@@ -191,9 +191,13 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
- good_option++;
- } else if (argv[i][0] != '-') {
- /* argument values are accounted for here */
+ if (strchr(argv[i], '=')) {
+ good_option++;
+ } else {
+ /* Accept theses options with the following argument */
+ good_option += 2;
+ }
+ } else if (argv[i][0] != '-') {
good_option++;
}
}