Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Jose M Calhariz <calha...@debian.org>

  * The fix for CVE-2022-37704 was incomplete and also broke some
    xfsdump use cases. (Closes: #1081049)
diffstat for amanda-3.5.1 amanda-3.5.1

 changelog                            |    8 +++++
 patches/53-fix-CVE-2022-37704_part_3 |   48 +++++++++++++++++++++++++++++++++++
 patches/series                       |    1 
 3 files changed, 57 insertions(+)

diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog
--- amanda-3.5.1/debian/changelog       2023-12-03 15:17:07.000000000 +0200
+++ amanda-3.5.1/debian/changelog       2024-09-18 23:05:35.000000000 +0300
@@ -1,3 +1,11 @@
+amanda (1:3.5.1-11+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * The fix for CVE-2022-37704 was incomplete and also broke some
+    xfsdump usecases. (Closes: #1081049)
+
+ -- Adrian Bunk <b...@debian.org>  Wed, 18 Sep 2024 23:05:35 +0300
+
 amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload by the Security Team.
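Review bot: the changelog entry names the symptom ("incomplete", "broke some xfsdump usecases") but neither the defect nor where the fix comes from, and this text is what the security tracker and the point-release notes will quote. Consider stating what was wrong (xfsdump invocations were checked with the dump(8) option validator instead of the xfsdump one) and that the new patch is a backport of upstream commit b930189c06290a23aba177687b2f123590323be1 (the From: line of 53-fix-CVE-2022-37704_part_3), e.g. "Backport upstream commit b930189c to complete the fix for CVE-2022-37704; the previous patch validated xfsdump arguments with the dump(8) check (Closes: #1081049)".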
diff -Nru amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3
--- amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3    1970-01-01 02:00:00.000000000 +0200
+++ amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3    2024-09-18 23:05:35.000000000 +0300
@@ -0,0 +1,48 @@
+From b930189c06290a23aba177687b2f123590323be1 Mon Sep 17 00:00:00 2001
+From: Pavel Cahyna <pcah...@redhat.com>
+Date: Sun, 26 Feb 2023 22:34:23 +0100
+Subject: Update the fix for CVE-2022-37704
+
+In the case of xfsdump(8), the check for dump(8) options was invoked
+instead of the check for the xfsdump(8). This broke legitimate use of
+xfsdump, while leaving the vulnerability open.
+---
+ client-src/rundump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 2d4dd8fba..295b09951 100644
+--- a/client-src/rundump.c
++++ b/client-src/rundump.c
+@@ -138,9 +138,10 @@ main(
+ 
+ #ifdef XFSDUMP
+ 
+-    if (g_str_equal(argv[0], "xfsdump"))
++    if (g_str_equal(argv[0], "xfsdump")) {
+         dump_program = XFSDUMP;
+-    else /* strcmp(argv[0], "xfsdump") != 0 */
++        validate_xfsdump_options(argc, argv);
++    } else /* strcmp(argv[0], "xfsdump") != 0 */
+ 
+ #endif
+ 
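Review bot: `validate_xfsdump_options(argc, argv);` is only called here; this patch neither declares nor defines it, so the build depends on an earlier patch in the series providing it. Confirm that 52-fix-CVE-2022-37704_part_2, which precedes this one in debian/patches/series, is the patch that adds that function to the bookworm tree. Separately, the trailing `} else /* strcmp(argv[0], "xfsdump") != 0 */` is still followed by `#endif` rather than by a brace, so its body is whatever statement comes next in the preprocessor-selected chain; the braces that turn that body into a block are added further down in this patch, after the `#endif` lines, rather than here, which is the same cross-`#endif` construct that produced the original bug.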
+@@ -160,6 +161,7 @@ main(
+ 
+ #endif
+ 
++      {
+ #if defined(DUMP)
+         dump_program = DUMP;
+         validate_dump_option(argc, argv);
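Review bot: the opening brace `+      {` is indented six spaces where the surrounding statements use four and eight, and nothing at this point says what it pairs with; its matching `}` arrives in the next hunk after another run of `#endif`. Placing it before `#if defined(DUMP)` rather than inside is right (the block must exist whichever dumper is compiled in, so that `validate_dump_option(argc, argv);` is reachable only through the `else`), but a one-line comment such as `/* else-branch of the program dispatch above */` would make the pairing survive the next edit. This brace is the actual fix for the reported bug: before it, the `else` covered only `dump_program = DUMP;` and the validator call on the following line ran unconditionally, including for xfsdump.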
+@@ -176,6 +178,7 @@ main(
+ #  endif
+ # endif
+ #endif
++      }
+ 
+ 
+     /*
+-- 
+2.30.2
+
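Review bot: the closing `+      }` matches the six-space indentation of its partner and sits after the outermost `#endif`, so the brace pair balances for every combination of the `#ifdef`/`# ifdef` blocks it spans; acceptable as is, though the pair now covers three preprocessor blocks and about twenty lines with no marker at either end. The patch file itself carries only the upstream commit header and no DEP-3 fields; adding `Origin:` (upstream commit b930189c) and `Bug-Debian:` (#1081049) headers at the top of 53-fix-CVE-2022-37704_part_3 would let the release team and the security tracker trace provenance without reading the hunks.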
diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series
--- amanda-3.5.1/debian/patches/series  2023-12-03 15:09:19.000000000 +0200
+++ amanda-3.5.1/debian/patches/series  2024-09-18 23:05:35.000000000 +0300
@@ -48,5 +48,6 @@
 49-fix-CVE-2022-37705_part_2
 50-fix-CVE-2022-37704
 52-fix-CVE-2022-37704_part_2
+53-fix-CVE-2022-37704_part_3
 56-fix-CVE-2022-37703
 57-CVE-2023-30577.patch

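The commit message above describes a control-flow defect that is easy to miss when `#endif` lines sit between an `else` and the statements that follow it: the `else` binds to a single statement, and the validator call after it runs for every program. The C program below is an added illustration, not code from amanda, from this upload or from its author: it models the rundump argv dispatcher in its pre-patch and post-patch shapes and records which option checker actually ran. The checkers, their allowlists (`-l` for xfsdump, `-u` for dump) and the sample argv vectors are constructed for this demonstration and are not amanda's real option rules.

```c
/* Added illustration, not amanda's or Debian's code: a model of the rundump
 * argv dispatcher before and after the part_3 patch. Program names follow
 * rundump; the option checkers, allowlists and sample argv vectors are
 * hypothetical and exist only to make the two checkers disagree.
 * Build: cc -std=c99 -Wall dispatch.c && ./a.out */
#include <stdio.h>
#include <string.h>

#define XFSDUMP 1   /* stand-ins for amanda's configure-time defines */
#define DUMP    1

typedef enum { PROG_NONE, PROG_XFSDUMP, PROG_DUMP } program_t;
typedef enum { CHECK_NONE, CHECK_XFSDUMP, CHECK_DUMP } checker_t;

/* program: dump_program selected; checker: which check ran; ok: its verdict */
struct result { program_t program; checker_t checker; int ok; };

/* Hypothetical per-program allowlists; paths (leading '/') are always accepted. */
static const char *const xfsdump_allowed[] = { "-l", "0", "1", NULL };
static const char *const dump_allowed[]    = { "-u", "0", "1", NULL };

static int all_allowed(const char *const *list, int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '/')
            continue;
        int hit = 0;
        for (const char *const *p = list; *p != NULL; p++)
            if (strcmp(argv[i], *p) == 0) { hit = 1; break; }
        if (!hit)
            return 0;
    }
    return 1;
}
static int check_xfsdump_options(int argc, char **argv)
{ return all_allowed(xfsdump_allowed, argc, argv); }
static int check_dump_options(int argc, char **argv)
{ return all_allowed(dump_allowed, argc, argv); }

/* Pre-patch shape: `else` binds to the one statement after the preprocessor
 * lines, so the checker call below it runs unconditionally and an xfsdump
 * invocation is judged by the dump(8) rules. */
struct result dispatch_before(int argc, char **argv)
{
    struct result r = { PROG_NONE, CHECK_NONE, 0 };
#ifdef XFSDUMP
    if (strcmp(argv[0], "xfsdump") == 0)
        r.program = PROG_XFSDUMP;
    else
#endif
#if defined(DUMP)
        r.program = PROG_DUMP;
    r.checker = CHECK_DUMP;                 /* not part of the else: runs for xfsdump too */
    r.ok = check_dump_options(argc, argv);
#endif
    return r;
}

/* Post-patch shape: each branch is braced and runs its own checker; the brace
 * pair around the fallthrough sits outside the #if, as in the patch. */
struct result dispatch_after(int argc, char **argv)
{
    struct result r = { PROG_NONE, CHECK_NONE, 0 };
#ifdef XFSDUMP
    if (strcmp(argv[0], "xfsdump") == 0) {
        r.program = PROG_XFSDUMP;
        r.checker = CHECK_XFSDUMP;
        r.ok = check_xfsdump_options(argc, argv);
    } else
#endif
    {
#if defined(DUMP)
        r.program = PROG_DUMP;
        r.checker = CHECK_DUMP;
        r.ok = check_dump_options(argc, argv);
#endif
    }
    return r;
}

/* Constructed invocations, as rundump would see them in argv. */
static char *legit_xfsdump[] = { "xfsdump", "-l", "0", "/home", NULL }; /* valid xfsdump */
static char *odd_xfsdump[]   = { "xfsdump", "-u", "/home", NULL };      /* dump-only flag */
static char *plain_dump[]    = { "dump", "-u", "0", "/home", NULL };

int main(void)
{
    char **cases[] = { legit_xfsdump, odd_xfsdump, plain_dump };
    for (int i = 0; i < 3; i++) {
        int argc = 0;
        while (cases[i][argc] != NULL)
            argc++;
        struct result b = dispatch_before(argc, cases[i]);
        struct result a = dispatch_after(argc, cases[i]);
        printf("%-8s %-3s before: checker=%d ok=%d   after: checker=%d ok=%d\n",
               cases[i][0], cases[i][1], b.checker, b.ok, a.checker, a.ok);
    }
    return 0;
}
```

Running it shows both halves of the commit message with the constructed rules: the legitimate xfsdump command is rejected by `dispatch_before` (checker 2 = dump, ok=0) and accepted by `dispatch_after`, while the xfsdump command carrying a dump-only flag passes the pre-patch dispatcher and is refused once the xfsdump checker actually runs. Plain `dump` behaves the same either way.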