Bug#1082155: bookworm-pu: package amanda/1:3.5.1-11+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Jose M Calhariz <calhariz@debian.org>
* The fix for CVE-2022-37704 was incomplete and also broke some
xfsdump use cases. (Closes: #1081049)
diffstat for amanda-3.5.1 amanda-3.5.1
changelog | 8 +++++
patches/53-fix-CVE-2022-37704_part_3 | 48 +++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 57 insertions(+)
diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog
--- amanda-3.5.1/debian/changelog 2023-12-03 15:17:07.000000000 +0200
+++ amanda-3.5.1/debian/changelog 2024-09-18 23:05:35.000000000 +0300
@@ -1,3 +1,11 @@
+amanda (1:3.5.1-11+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * The fix for CVE-2022-37704 was incomplete and also broke some
+ xfsdump usecases. (Closes: #1081049)
+
+ -- Adrian Bunk <bunk@debian.org> Wed, 18 Sep 2024 23:05:35 +0300
+
amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3
--- amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 1970-01-01 02:00:00.000000000 +0200
+++ amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 2024-09-18 23:05:35.000000000 +0300
@@ -0,0 +1,48 @@
+From b930189c06290a23aba177687b2f123590323be1 Mon Sep 17 00:00:00 2001
+From: Pavel Cahyna <pcahyna@redhat.com>
+Date: Sun, 26 Feb 2023 22:34:23 +0100
+Subject: Update the fix for CVE-2022-37704
+
+In the case of xfsdump(8), the check for dump(8) options was invoked
+instead of the check for the xfsdump(8). This broke legitimate use of
+xfsdump, while leaving the vulnerability open.
+---
+ client-src/rundump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 2d4dd8fba..295b09951 100644
+--- a/client-src/rundump.c
++++ b/client-src/rundump.c
+@@ -138,9 +138,10 @@ main(
+
+ #ifdef XFSDUMP
+
+- if (g_str_equal(argv[0], "xfsdump"))
++ if (g_str_equal(argv[0], "xfsdump")) {
+ dump_program = XFSDUMP;
+- else /* strcmp(argv[0], "xfsdump") != 0 */
++ validate_xfsdump_options(argc, argv);
++ } else /* strcmp(argv[0], "xfsdump") != 0 */
+
+ #endif
+
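Review bot: the `} else /* strcmp(argv[0], "xfsdump") != 0 */` at the end of this hunk still has no body of its own; it reaches across the `#endif` to whatever statement comes next in a later hunk, which is the very construct that let `validate_dump_option` escape the `else` and run for xfsdump in the first place. Since the `if` branch is now brace-wrapped, add a one-line comment at the `else` saying that its body is the braced block opened after the dump-program `#ifdef` chain, so the next editor does not drop a second statement in there again.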
+@@ -160,6 +161,7 @@ main(
+
+ #endif
+
++ {
+ #if defined(DUMP)
+ dump_program = DUMP;
+ validate_dump_option(argc, argv);
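Review bot: the bare `{` added in front of `#if defined(DUMP)` is the statement the dangling `else` from the XFSDUMP block finally attaches to, and that is the whole fix for `validate_dump_option(argc, argv);` having been an unconditional second statement, yet nothing here says so: the brace sits at column zero between preprocessor lines and its partner `}` lands in another hunk. Suggest `{ /* else-body of the dump-program selection above */` or indenting the brace with the code it encloses, so the intent survives the next refactor.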
+@@ -176,6 +178,7 @@ main(
+ # endif
+ # endif
+ #endif
++ }
+
+
+ /*
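Review bot: the `}` after the `#endif` closes a brace opened in a different hunk, so this hunk cannot be reviewed on its own; when none of the dump programs in the preceding chain is compiled in, the pair degenerates to an empty block, which is legal but deserves a comment at the brace. It is also worth compiling rundump.c with -Wmisleading-indentation once to confirm no other unbraced `else` of this shape remains in the file.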
+--
+2.30.2
+
diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series
--- amanda-3.5.1/debian/patches/series 2023-12-03 15:09:19.000000000 +0200
+++ amanda-3.5.1/debian/patches/series 2024-09-18 23:05:35.000000000 +0300
@@ -48,5 +48,6 @@
49-fix-CVE-2022-37705_part_2
50-fix-CVE-2022-37704
52-fix-CVE-2022-37704_part_2
+53-fix-CVE-2022-37704_part_3
56-fix-CVE-2022-37703
57-CVE-2023-30577.patch
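The control-flow defect the commit message describes, reduced to a stand-alone C program so the two shapes can be compared directly. This is an added illustration, not code from amanda or from the patch above: the DUMP/XFSDUMP macros, the enum names and the two validate_* functions are assumptions, and the stand-in validators only record which check was reached instead of inspecting real options.

```c
#include <stdio.h>
#include <string.h>

/* Assumed build configuration: both dump(8) and xfsdump(8) support compiled in. */
#define DUMP    1
#define XFSDUMP 1

enum program   { PROG_NONE, PROG_DUMP, PROG_XFSDUMP };
enum validator { CHECK_NONE, CHECK_DUMP, CHECK_XFSDUMP };

/* Hypothetical stand-ins for rundump.c's validate_dump_option() and
 * validate_xfsdump_options(): instead of checking argv they only record
 * which check was reached, so the dispatch shapes can be compared. */
static enum validator g_check;
static void validate_dump_option(void)     { g_check = CHECK_DUMP; }
static void validate_xfsdump_options(void) { g_check = CHECK_XFSDUMP; }

/* Shape of the code before the patch: the unbraced `else` owns exactly one
 * statement, `dump_program = PROG_DUMP;`. validate_dump_option() is a second
 * statement and therefore runs for every argv[0]; validate_xfsdump_options()
 * is never called. For argv[0] == "xfsdump" this applies the dump(8) option
 * rules to xfsdump arguments and skips the xfsdump check entirely. */
enum validator check_run_buggy(const char *argv0)
{
    enum program dump_program = PROG_NONE;
    g_check = CHECK_NONE;

#ifdef XFSDUMP
    if (strcmp(argv0, "xfsdump") == 0)
        dump_program = PROG_XFSDUMP;
    else /* strcmp(argv0, "xfsdump") != 0 */
#endif

#if defined(DUMP)
    dump_program = PROG_DUMP;
    validate_dump_option();     /* indented like part of the else; it is not */
#endif
    (void)dump_program;
    return g_check;
}

/* Shape after the patch: the xfsdump branch runs its own check, and braces
 * make both statements of the default branch the body of the `else`. */
enum validator check_run_fixed(const char *argv0)
{
    enum program dump_program = PROG_NONE;
    g_check = CHECK_NONE;

#ifdef XFSDUMP
    if (strcmp(argv0, "xfsdump") == 0) {
        dump_program = PROG_XFSDUMP;
        validate_xfsdump_options();   /* the check the old code never reached */
    } else /* strcmp(argv0, "xfsdump") != 0 */
#endif
    {   /* else-body: selection and check for the default dump program */
#if defined(DUMP)
        dump_program = PROG_DUMP;
        validate_dump_option();
#endif
    }
    (void)dump_program;
    return g_check;
}

int main(void)
{
    const char *names[] = { "xfsdump", "dump" };
    for (int i = 0; i < 2; i++)
        printf("%-8s buggy=%d fixed=%d  (1=dump check, 2=xfsdump check)\n",
               names[i], (int)check_run_buggy(names[i]),
               (int)check_run_fixed(names[i]));
    return 0;
}
```

Running it shows `xfsdump` reaching the dump(8) check in the buggy shape and the xfsdump(8) check only in the fixed one; the `dump` path is unchanged by the patch, which is why the regression was only visible to xfsdump users.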