Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id 
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1082155,
regarding bookworm-pu: package amanda/1:3.5.1-11+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1082155: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082155
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Jose M Calhariz <calha...@debian.org>

  * The fix for CVE-2022-37704 was incomplete and also broke some
    xfsdump usecases. (Closes: #1081049)
diffstat for amanda-3.5.1 amanda-3.5.1

 changelog                            |    8 +++++
 patches/53-fix-CVE-2022-37704_part_3 |   48 +++++++++++++++++++++++++++++++++++
 patches/series                       |    1 
 3 files changed, 57 insertions(+)

diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog
--- amanda-3.5.1/debian/changelog       2023-12-03 15:17:07.000000000 +0200
+++ amanda-3.5.1/debian/changelog       2024-09-18 23:05:35.000000000 +0300
@@ -1,3 +1,11 @@
+amanda (1:3.5.1-11+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * The fix for CVE-2022-37704 was incomplete and also broke some
+    xfsdump usecases. (Closes: #1081049)
+
+ -- Adrian Bunk <b...@debian.org>  Wed, 18 Sep 2024 23:05:35 +0300
+
 amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload by the Security Team.
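Review bot: The new 1:3.5.1-11+deb12u2 entry does not name the patch it adds or say what changes in the code. Mentioning debian/patches/53-fix-CVE-2022-37704_part_3, and that it makes the xfsdump path run the xfsdump option check, would let a reader of the changelog alone tell this upload apart from the earlier +deb12u1 security upload. "usecases" should read "use cases".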
diff -Nru amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 
amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3
--- amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3    1970-01-01 
02:00:00.000000000 +0200
+++ amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3    2024-09-18 
23:05:35.000000000 +0300
@@ -0,0 +1,48 @@
+From b930189c06290a23aba177687b2f123590323be1 Mon Sep 17 00:00:00 2001
+From: Pavel Cahyna <pcah...@redhat.com>
+Date: Sun, 26 Feb 2023 22:34:23 +0100
+Subject: Update the fix for CVE-2022-37704
+
+In the case of xfsdump(8), the check for dump(8) options was invoked
+instead of the check for the xfsdump(8). This broke legitimate use of
+xfsdump, while leaving the vulnerability open.
+---
+ client-src/rundump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 2d4dd8fba..295b09951 100644
+--- a/client-src/rundump.c
++++ b/client-src/rundump.c
+@@ -138,9 +138,10 @@ main(
+ 
+ #ifdef XFSDUMP
+ 
+-    if (g_str_equal(argv[0], "xfsdump"))
++    if (g_str_equal(argv[0], "xfsdump")) {
+         dump_program = XFSDUMP;
+-    else /* strcmp(argv[0], "xfsdump") != 0 */
++        validate_xfsdump_options(argc, argv);
++    } else /* strcmp(argv[0], "xfsdump") != 0 */
+ 
+ #endif
+ 
+@@ -160,6 +161,7 @@ main(
+ 
+ #endif
+ 
++      {
+ #if defined(DUMP)
+         dump_program = DUMP;
+         validate_dump_option(argc, argv);
+@@ -176,6 +178,7 @@ main(
+ #  endif
+ # endif
+ #endif
++      }
+ 
+ 
+     /*
+-- 
+2.30.2
+
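Review bot: In the second and third rundump.c hunks, the added braces mean validate_dump_option(argc, argv) is now reached only through the final else. Any branch that sits between the xfsdump test and that block (those lines fall outside the patch context) no longer passes through it, so it is worth confirming that each such branch calls its own validator, as the xfsdump branch now does with validate_xfsdump_options(argc, argv). The else in the first hunk still dangles across the #endif and gets its body from a brace opened in a later hunk, and its comment refers to strcmp while the test uses g_str_equal. A short comment at the opening brace saying which else it belongs to would make the preprocessor combinations easier to audit. The patch header would also benefit from a Bug-Debian reference to #1081049.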
diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series
--- amanda-3.5.1/debian/patches/series  2023-12-03 15:09:19.000000000 +0200
+++ amanda-3.5.1/debian/patches/series  2024-09-18 23:05:35.000000000 +0300
@@ -48,5 +48,6 @@
 49-fix-CVE-2022-37705_part_2
 50-fix-CVE-2022-37704
 52-fix-CVE-2022-37704_part_2
+53-fix-CVE-2022-37704_part_3
 56-fix-CVE-2022-37703
 57-CVE-2023-30577.patch

--- End Message ---
--- Begin Message ---
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.

Regards,

Adam

--- End Message ---
