From ff65fb4ebf8e6a9785cdff85a72f3ae238657e95 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 28 2023 18:10:39 +0000 Subject: import amanda-3.5.1-14.el8_7 --- diff --git a/SOURCES/amanda-3.5.2-CVE-2022-37704-fixup.patch b/SOURCES/amanda-3.5.2-CVE-2022-37704-fixup.patch new file mode 100644 index 0000000..c1ded31 --- /dev/null +++ b/SOURCES/amanda-3.5.2-CVE-2022-37704-fixup.patch @@ -0,0 +1,102 @@ +diff --git a/client-src/rundump.c b/client-src/rundump.c +index bba569984..85962d11c 100644 +--- a/client-src/rundump.c ++++ b/client-src/rundump.c +@@ -43,6 +43,16 @@ int main(int argc, char **argv); + static void validate_dump_option(int argc, char ** argv); + static void validate_xfsdump_options(int argc, char ** argv); + ++/* ++ * Has USE_RUNDUMP been explicitly requsted? ++ * If not, we will not use rundump for DUMP, ++ * although we sill may need to use it for ++ * VDUMP or XFSDUMP ++ */ ++#if defined(USE_RUNDUMP) ++# define USE_RUNDUMP_FOR_DUMP ++#endif ++ + #if defined(VDUMP) || defined(XFSDUMP) + # undef USE_RUNDUMP + # define USE_RUNDUMP +@@ -138,9 +148,10 @@ main( + + #ifdef XFSDUMP + +- if (g_str_equal(argv[0], "xfsdump")) ++ if (g_str_equal(argv[0], "xfsdump")) { + dump_program = XFSDUMP; +- else /* strcmp(argv[0], "xfsdump") != 0 */ ++ validate_xfsdump_options(argc, argv); ++ } else /* strcmp(argv[0], "xfsdump") != 0 */ + + #endif + +@@ -160,9 +171,14 @@ main( + + #endif + ++ { + #if defined(DUMP) ++# if defined(USE_RUNDUMP_FOR_DUMP) + dump_program = DUMP; + validate_dump_option(argc, argv); ++# else ++ error("error [%s not running %s : run it directly]\n", get_pname(), DUMP); ++# endif + #else + # if defined(XFSDUMP) + dump_program = XFSDUMP; +@@ -176,6 +192,7 @@ main( + # endif + # endif + #endif ++ } + + + /* +@@ -197,6 +214,24 @@ main( + amfree(cmdline); + + env = safe_env(); ++ //Filter or Discard RSH Environmental variable ++ int env_count = 0; ++ for (int i = 0; env[i] != NULL; i++){ ++ env_count++; ++ } ++ for (int i = 0; i < env_count; i++){ ++ if (strncmp(env[i], "RSH=", 4) == 0){ ++ // Remove RSH ++ g_free(env[i]); ++ // move array elements one step left - which are after "RSH" ++ for (int j = i; j < env_count; j++){ ++ env[j] = env[j + 1]; ++ } ++ //decrease the variable count ++ env[env_count-1] = NULL; ++ break; ++ } ++ } + execve(dump_program, argv, env); + free_env(env); + +diff --git a/client-src/runtar.c b/client-src/runtar.c +index 499c7dfec..880068bc4 100644 +--- a/client-src/runtar.c ++++ b/client-src/runtar.c +@@ -191,9 +191,13 @@ main( + g_str_has_prefix(argv[i],"--newer") || + g_str_has_prefix(argv[i],"--exclude-from") || + g_str_has_prefix(argv[i],"--files-from")) { +- good_option++; ++ if (strchr(argv[i], '=')) { ++ good_option++; ++ } else { ++ /* Accept theses options with the following argument */ ++ good_option += 2; ++ } + } else if (argv[i][0] != '-') { +- /* argument values are accounted for here */ + good_option++; + } + } diff --git a/SOURCES/amanda-3.5.2-CVE-2022-37704.patch b/SOURCES/amanda-3.5.2-CVE-2022-37704.patch new file mode 100644 index 0000000..2a42500 --- /dev/null +++ b/SOURCES/amanda-3.5.2-CVE-2022-37704.patch @@ -0,0 +1,175 @@ +From e890d08e16ea0621966a7ae35cce53ccb44a472e Mon Sep 17 00:00:00 2001 +From: seetharaman-rajagopal +Date: Mon, 13 Feb 2023 08:14:04 +0000 +Subject: [PATCH] CVE-2022-37704 - privilege escaltion form amandabackup user + to root -fix + +--- + client-src/rundump.c | 135 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 135 insertions(+) + +diff --git a/client-src/rundump.c b/client-src/rundump.c +index 0b354d70bf..bba5699847 100644 +--- a/client-src/rundump.c ++++ b/client-src/rundump.c +@@ -40,6 +40,8 @@ + #include "conffile.h" + + int main(int argc, char **argv); ++static void validate_dump_option(int argc, char ** argv); ++static void validate_xfsdump_options(int argc, char ** argv); + + #if defined(VDUMP) || defined(XFSDUMP) + # undef USE_RUNDUMP +@@ -160,14 +162,17 @@ main( + + #if defined(DUMP) + dump_program = DUMP; ++ validate_dump_option(argc, argv); + #else + # if defined(XFSDUMP) + dump_program = XFSDUMP; ++ validate_xfsdump_options(argc, argv); + # else + # if defined(VXDUMP) + dump_program = VXDUMP; + # else + dump_program = "dump"; ++ validate_dump_option(argc, argv); + # endif + # endif + #endif +@@ -203,3 +208,133 @@ main( + return 1; + #endif /* } */ + } ++ ++void validate_dump_option(int argc, char ** argv) ++{ ++ int c; ++ int numargs = argc; ++ while (numargs > 0) ++ { ++ c = getopt(argc, argv, "0123456789ab:cd:e:f:h:j:kmnqs:uvwyz:A:B:D:I:L:MQ:ST:W"); ++ switch (c) { ++ case -1: ++ optind++; ++ break; ++ case '?': ++ //option is not valid ++ error("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]); ++ break; ++ // All this options takes another argument ++ case 'b': ++ case 'd': ++ case 'e': ++ case 'f': ++ case 'h': ++ case 'j': ++ case 's': ++ case 'z': ++ case 'A': ++ case 'B': ++ case 'D': ++ case 'I': ++ case 'L': ++ case 'Q': ++ case 'T': ++ { ++ // get optarg and check it against NULL. If it is null, then return error. ++ if (optarg == NULL) { ++ error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c); ++ } ++ break; ++ } ++ case '0': ++ case '1': ++ case '2': ++ case '3': ++ case '4': ++ case '5': ++ case '6': ++ case '7': ++ case '8': ++ case '9': ++ case 'a': ++ case 'c': ++ case 'k': ++ case 'm': ++ case 'n': ++ case 'q': ++ case 'u': ++ case 'v': ++ case 'w': ++ case 'y': ++ case 'M': ++ case 'S': ++ case 'W': ++ { ++ break; ++ } ++ default: ++ error ("error [%s invalid option: %c]\n", get_pname(), c); ++ break; ++ } ++ numargs--; ++ } ++} ++ ++void validate_xfsdump_options(int argc, char ** argv) ++{ ++ int c; ++ int numargs = argc; ++ while (numargs > 0) ++ { ++ c = getopt(argc, argv, "ab:d:ef:l:mop:qs:t:v:z:AB:DFI:JL:M:RT"); ++ switch (c) { ++ case -1: ++ optind++; ++ break; ++ case '?': ++ //option is not valid ++ error ("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]); ++ break; ++ // All this options takes another argument ++ case 'b': ++ case 'd': ++ case 'f': ++ case 'l': ++ case 'p': ++ case 's': ++ case 't': ++ case 'v': ++ case 'z': ++ case 'B': ++ case 'I': ++ case 'L': ++ case 'M': ++ { ++ // get optarg and check it against NULL. If it is null, then return error. ++ if (optarg == NULL) { ++ error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c); ++ } ++ break; ++ } ++ case 'a': ++ case 'e': ++ case 'm': ++ case 'o': ++ case 'q': ++ case 'A': ++ case 'D': ++ case 'F': ++ case 'J': ++ case 'R': ++ case 'T': ++ { ++ break; ++ } ++ default: ++ error ("error [%s invalid option: %c]\n", get_pname(), c); ++ break; ++ } ++ numargs--; ++ } ++} diff --git a/SOURCES/amanda-3.5.2-CVE-2022-37705.patch b/SOURCES/amanda-3.5.2-CVE-2022-37705.patch new file mode 100644 index 0000000..dce8ecb --- /dev/null +++ b/SOURCES/amanda-3.5.2-CVE-2022-37705.patch @@ -0,0 +1,26 @@ +From ed37ddf8421e34a255eaedfc1e9c3a3f9d454b95 Mon Sep 17 00:00:00 2001 +From: Prajwal T R +Date: Thu, 22 Dec 2022 10:37:30 -0700 +Subject: [PATCH] fix : fix increment logic for good_option + +- for arguements of type --file=x or --file x, fixed logic while incrementing value. +--- + client-src/runtar.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/client-src/runtar.c b/client-src/runtar.c +index d04a1385f6..499c7dfecb 100644 +--- a/client-src/runtar.c ++++ b/client-src/runtar.c +@@ -191,9 +191,9 @@ main( + g_str_has_prefix(argv[i],"--newer") || + g_str_has_prefix(argv[i],"--exclude-from") || + g_str_has_prefix(argv[i],"--files-from")) { +- /* Accept theses options with the following argument */ +- good_option += 2; ++ good_option++; + } else if (argv[i][0] != '-') { ++ /* argument values are accounted for here */ + good_option++; + } + } diff --git a/SPECS/amanda.spec b/SPECS/amanda.spec index 259e8ba..7b942ed 100644 --- a/SPECS/amanda.spec +++ b/SPECS/amanda.spec @@ -10,7 +10,7 @@ Summary: A network-capable tape backup solution Name: amanda Version: 3.5.1 -Release: 13%{?dist} +Release: 14%{?dist} Source: http://downloads.sourceforge.net/amanda/amanda-%{version}.tar.gz Source1: amanda.crontab Source4: disklist @@ -30,6 +30,9 @@ Patch3: amanda-3.2.0-config-dir.patch Patch4: amanda-3.4.5-no-xinetd.patch # Support tirpc Patch5: patch-tirpc +Patch20: amanda-3.5.2-CVE-2022-37705.patch +Patch21: amanda-3.5.2-CVE-2022-37704.patch +Patch22: amanda-3.5.2-CVE-2022-37704-fixup.patch License: BSD and GPLv3+ and GPLv2+ and GPLv2 URL: http://www.amanda.org @@ -432,6 +435,13 @@ make check %changelog +* Mon Feb 27 2023 Pavel Cahyna - 3.5.1-14 +- Apply upstream patch for CVE-2022-37705 +- Apply upstream patch for CVE-2022-37704 +- Add my fixups for CVE-2022-37704 and CVE-2022-37705, the upstream changes broke + legitimate usage of xfsdump and tar, while leaving xfsdump and dump vulnerable. + One of the fixups submitted as PR205. + * Thu Aug 02 2018 Vaclav Dolezal - 3.5.1-13 - fix permissions for log directory (#1572696)