During our security testing of the fixes, we found another attack vector for the issue similar to the one mentioned in CVE-2022-37704 (https://github.com/MaherAzzouzi/CVE-2022-37704). Dump can be manipulated by an attacker through the RSH environment variable, which is used to specify the shell binary to be used for remote backups. By manipulating this variable and invoking Dump via rundump, an attacker can execute arbitrary code with root privileges. We now filter out the RSH environment variable to prevent this exploit. The fix for this issue is available at https://github.com/zmanda/amanda/pull/202.

Is there anything else we can help you with to avert the March 2nd auto removal?

We also recommend pointing to the GitHub repository (https://github.com/zmanda/amanda.git) instead of pointing to svn, as future development will continue on GitHub and we would like to phase out svn.

Best Regards,
AmandaTrusted

From: Amanda Trusted <amanda.trus...@zmanda.com>
Date: Wednesday, February 15, 2023 at 5:10 PM
To: 1029...@bugs.debian.org <1029...@bugs.debian.org>
Cc: j...@calhariz.com <j...@calhariz.com>
Subject: Re: Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705

Hi Jose,

Here are the relevant bug fixes:

[0] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37704
    https://www.cve.org/CVERecord?id=CVE-2022-37704
    Fix - https://github.com/zmanda/amanda/pull/197

[1] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37705
    https://www.cve.org/CVERecord?id=CVE-2022-37705
    Fix - https://github.com/zmanda/amanda/pull/196

[2] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37703
    https://www.cve.org/CVERecord?id=CVE-2022-37703
    Fix - https://github.com/zmanda/amanda/pull/198

These 3 fixes are due for release as part of Amanda 3.5.3 within a week. Let us know if there are any other action items for us.

Regards,
AmandaTrusted

Confidentiality Notice | The information transmitted by this email is intended only for the person or entity to which it is addressed. This email may contain proprietary, business-confidential and/or privileged material. If you are not the intended recipient of this message, be aware that any use, review, re-transmission, distribution, reproduction or any action taken in reliance upon this message is strictly prohibited. If you received this in error, please contact the sender and delete the material from all computers.
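The mitigation the thread describes, a privileged wrapper refusing to pass the caller's RSH variable through to dump, as an added illustration that is not Amanda's own code: `filter_env` and the sample environment below are hypothetical, and the denylist holds only the variable named in the thread (a production wrapper would normally build an allowlist instead).

```c
/* Added example: sanitize the environment a setuid helper hands to a
 * child such as dump, so a caller-controlled RSH cannot choose which
 * binary runs with root privileges. Hypothetical code, not Amanda's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables the helper must not inherit from an unprivileged caller. */
static const char *const denied[] = { "RSH", NULL };

/* Returns 1 if an "NAME=value" entry names a denied variable. */
static int is_denied(const char *entry) {
    for (int i = 0; denied[i] != NULL; i++) {
        size_t n = strlen(denied[i]);
        if (strncmp(entry, denied[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy envp into a new NULL-terminated array without denied entries.
 * Returns the number of entries kept (or -1 on allocation failure);
 * *out receives the array, which the caller frees. Strings are shared. */
int filter_env(char *const envp[], char ***out) {
    size_t count = 0;
    while (envp[count] != NULL) count++;
    char **clean = calloc(count + 1, sizeof *clean);
    if (clean == NULL) { *out = NULL; return -1; }
    int kept = 0;
    for (size_t i = 0; i < count; i++)
        if (!is_denied(envp[i]))
            clean[kept++] = envp[i];
    clean[kept] = NULL;
    *out = clean;
    return kept;
}

int main(void) {
    /* Constructed sample environment containing a caller-supplied RSH. */
    char *sample[] = { "PATH=/usr/bin:/bin", "RSH=/tmp/not-a-shell",
                       "HOME=/root", NULL };
    char **clean;
    int n = filter_env(sample, &clean);
    for (int i = 0; i < n; i++) printf("%s\n", clean[i]);
    /* A real wrapper would now execve() the backup binary with `clean`. */
    free(clean);
    return 0;
}
```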