Auto sync2gitlab import of amanda-3.5.1-14.el8_7.src.rpm

2023-02-28 18:10:55 +00:00 · 2023-02-28 18:10:55 +00:00 · 27d5dd81c2
commit 27d5dd81c2
parent 55930a729d
4 changed files with 314 additions and 1 deletions
--- a/amanda-3.5.2-CVE-2022-37704-fixup.patch
+++ b/amanda-3.5.2-CVE-2022-37704-fixup.patch
@ -0,0 +1,102 @@
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index bba569984..85962d11c 100644
+--- a/client-src/rundump.c
+++ b/client-src/rundump.c
+@@ -43,6 +43,16 @@ int main(int argc, char **argv);
+ static void validate_dump_option(int argc, char ** argv);
+ static void validate_xfsdump_options(int argc, char ** argv);
+ 
+/*
+ * Has USE_RUNDUMP been explicitly requsted?
+ * If not, we will not use rundump for DUMP,
+ * although we sill may need to use it for
+ * VDUMP or XFSDUMP
+ */
+#if defined(USE_RUNDUMP)
+#  define USE_RUNDUMP_FOR_DUMP
+#endif
+
+ #if defined(VDUMP) || defined(XFSDUMP)
+ #  undef USE_RUNDUMP
+ #  define USE_RUNDUMP
+@@ -138,9 +148,10 @@ main(
+ 
+ #ifdef XFSDUMP
+ 
+-    if (g_str_equal(argv[0], "xfsdump"))
+    if (g_str_equal(argv[0], "xfsdump")) {
+         dump_program = XFSDUMP;
+-    else /* strcmp(argv[0], "xfsdump") != 0 */
+        validate_xfsdump_options(argc, argv);
+    } else /* strcmp(argv[0], "xfsdump") != 0 */
+ 
+ #endif
+ 
+@@ -160,9 +171,14 @@ main(
+ 
+ #endif
+ 
+      {
+ #if defined(DUMP)
+# if defined(USE_RUNDUMP_FOR_DUMP)
+         dump_program = DUMP;
+         validate_dump_option(argc, argv);
+# else
+        error("error [%s not running %s : run it directly]\n", get_pname(), DUMP);
+# endif
+ #else
+ # if defined(XFSDUMP)
+         dump_program = XFSDUMP;
+@@ -176,6 +192,7 @@ main(
+ #  endif
+ # endif
+ #endif
+      }
+ 
+ 
+     /*
+@@ -197,6 +214,24 @@ main(
+     amfree(cmdline);
+ 
+     env = safe_env();
+    //Filter or Discard RSH Environmental variable
+    int env_count = 0;
+    for (int i = 0; env[i] != NULL; i++){
+        env_count++;
+    }
+    for (int i = 0; i < env_count; i++){
+        if (strncmp(env[i], "RSH=", 4) == 0){
+            // Remove RSH
+            g_free(env[i]);
+            // move array elements one step left - which are after "RSH"
+            for (int j = i; j < env_count; j++){
+                env[j] = env[j + 1];
+            }
+            //decrease the variable count
+            env[env_count-1] = NULL;
+            break;
+        }
+    }
+     execve(dump_program, argv, env);
+     free_env(env);
+ 
+diff --git a/client-src/runtar.c b/client-src/runtar.c
+index 499c7dfec..880068bc4 100644
+--- a/client-src/runtar.c
+++ b/client-src/runtar.c
+@@ -191,9 +191,13 @@ main(
+ 		g_str_has_prefix(argv[i],"--newer") ||
+ 		g_str_has_prefix(argv[i],"--exclude-from") ||
+ 		g_str_has_prefix(argv[i],"--files-from")) {
+-		good_option++;
+		if (strchr(argv[i], '=')) {
+		    good_option++;
+		} else {
+		    /* Accept theses options with the following argument */
+		    good_option += 2;
+		}
+ 	    } else if (argv[i][0] != '-') {
+-		/* argument values are accounted for here */
+ 		good_option++;
+ 	    }
+ 	}
--- a/amanda-3.5.2-CVE-2022-37704.patch
+++ b/amanda-3.5.2-CVE-2022-37704.patch
@ -0,0 +1,175 @@
+From e890d08e16ea0621966a7ae35cce53ccb44a472e Mon Sep 17 00:00:00 2001
+From: seetharaman-rajagopal <seetharaman.chn@gmail.com>
+Date: Mon, 13 Feb 2023 08:14:04 +0000
+Subject: [PATCH] CVE-2022-37704 - privilege escaltion form amandabackup user
+ to root -fix
+
+---
+ client-src/rundump.c | 135 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 135 insertions(+)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 0b354d70bf..bba5699847 100644
+--- a/client-src/rundump.c
+++ b/client-src/rundump.c
+@@ -40,6 +40,8 @@
+ #include "conffile.h"
+ 
+ int main(int argc, char **argv);
+static void validate_dump_option(int argc, char ** argv);
+static void validate_xfsdump_options(int argc, char ** argv);
+ 
+ #if defined(VDUMP) || defined(XFSDUMP)
+ #  undef USE_RUNDUMP
+@@ -160,14 +162,17 @@ main(
+ 
+ #if defined(DUMP)
+         dump_program = DUMP;
+        validate_dump_option(argc, argv);
+ #else
+ # if defined(XFSDUMP)
+         dump_program = XFSDUMP;
+        validate_xfsdump_options(argc, argv);
+ # else
+ #  if defined(VXDUMP)
+ 	dump_program = VXDUMP;
+ #  else
+         dump_program = "dump";
+        validate_dump_option(argc, argv);
+ #  endif
+ # endif
+ #endif
+@@ -203,3 +208,133 @@ main(
+     return 1;
+ #endif								/* } */
+ }
+
+void validate_dump_option(int argc, char ** argv)
+{
+	int c;
+	int numargs = argc;
+	while (numargs > 0)
+	{
+		c = getopt(argc, argv, "0123456789ab:cd:e:f:h:j:kmnqs:uvwyz:A:B:D:I:L:MQ:ST:W");
+		switch (c) {
+			case -1:
+				optind++;
+			break;
+			case '?':
+				//option is not valid
+				error("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
+			break;
+			// All this options takes another argument
+			case 'b':
+			case 'd':
+			case 'e':
+			case 'f':
+			case 'h':
+			case 'j':
+			case 's':
+			case 'z':
+			case 'A':
+			case 'B':
+			case 'D':
+			case 'I':
+			case 'L':
+			case 'Q':
+			case 'T':
+			{
+				// get optarg and check it against NULL. If it is null, then return error.
+				if (optarg == NULL) {
+					error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
+				}
+				break;
+			}
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+			case 'a':
+			case 'c':
+			case 'k':
+			case 'm':
+			case 'n':
+			case 'q':
+			case 'u':
+			case 'v':
+			case 'w':
+			case 'y':
+			case 'M':
+			case 'S':
+			case 'W':
+			{
+				break;
+			}
+			default:
+				error ("error [%s invalid option: %c]\n", get_pname(), c);
+			break;
+		}
+		numargs--;
+	}
+}
+
+void validate_xfsdump_options(int argc, char ** argv)
+{
+	int c;
+	int numargs = argc;
+	while (numargs > 0)
+	{
+		c = getopt(argc, argv, "ab:d:ef:l:mop:qs:t:v:z:AB:DFI:JL:M:RT");
+		switch (c) {
+			case -1:
+				optind++;
+			break;
+			case '?':
+				//option is not valid
+				error ("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
+			break;
+			// All this options takes another argument
+			case 'b':
+			case 'd':
+			case 'f':
+			case 'l':
+			case 'p':
+			case 's':
+			case 't':
+			case 'v':
+			case 'z':
+			case 'B':
+			case 'I':
+			case 'L':
+			case 'M':
+			{
+				// get optarg and check it against NULL. If it is null, then return error.
+				if (optarg == NULL) {
+					error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
+				}
+				break;
+			}
+			case 'a':
+			case 'e':
+			case 'm':
+			case 'o':
+			case 'q':
+			case 'A':
+			case 'D':
+			case 'F':
+			case 'J':
+			case 'R':
+			case 'T':
+			{
+				break;
+			}
+			default:
+				error ("error [%s invalid option: %c]\n", get_pname(), c);
+			break;
+		}
+		numargs--;
+	}
+}
--- a/amanda-3.5.2-CVE-2022-37705.patch
+++ b/amanda-3.5.2-CVE-2022-37705.patch
@ -0,0 +1,26 @@
+From ed37ddf8421e34a255eaedfc1e9c3a3f9d454b95 Mon Sep 17 00:00:00 2001
+From: Prajwal T R <prajwaltr93@gmail.com>
+Date: Thu, 22 Dec 2022 10:37:30 -0700
+Subject: [PATCH] fix : fix increment logic for good_option
+
+- for arguements of type --file=x or --file x, fixed logic while incrementing value.
+---
+ client-src/runtar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/runtar.c b/client-src/runtar.c
+index d04a1385f6..499c7dfecb 100644
+--- a/client-src/runtar.c
+++ b/client-src/runtar.c
+@@ -191,9 +191,9 @@ main(
+ 		g_str_has_prefix(argv[i],"--newer") ||
+ 		g_str_has_prefix(argv[i],"--exclude-from") ||
+ 		g_str_has_prefix(argv[i],"--files-from")) {
+-		/* Accept theses options with the following argument */
+-		good_option += 2;
+		good_option++;
+ 	    } else if (argv[i][0] != '-') {
+		/* argument values are accounted for here */
+ 		good_option++;
+ 	    }
+ 	}
--- a/amanda.spec
+++ b/amanda.spec
@ -10,7 +10,7 @@
 Summary:       A network-capable tape backup solution
 Name:          amanda
 Version:       3.5.1
-Release:       13%{?dist}
+Release:       14%{?dist}
 Source:        http://downloads.sourceforge.net/amanda/amanda-%{version}.tar.gz
 Source1:       amanda.crontab
 Source4:       disklist
@ -30,6 +30,9 @@ Patch3:        amanda-3.2.0-config-dir.patch
 Patch4:        amanda-3.4.5-no-xinetd.patch
 # Support tirpc
 Patch5:        patch-tirpc
+Patch20:       amanda-3.5.2-CVE-2022-37705.patch
+Patch21:       amanda-3.5.2-CVE-2022-37704.patch
+Patch22:       amanda-3.5.2-CVE-2022-37704-fixup.patch

 License:       BSD and GPLv3+ and GPLv2+ and GPLv2
 URL:           http://www.amanda.org
@ -432,6 +435,13 @@ make check


 %changelog
+* Mon Feb 27 2023 Pavel Cahyna <pcahyna@redhat.com> - 3.5.1-14
+- Apply upstream patch for CVE-2022-37705
+- Apply upstream patch for CVE-2022-37704
+- Add my fixups for CVE-2022-37704 and CVE-2022-37705, the upstream changes broke
+  legitimate usage of xfsdump and tar, while leaving xfsdump and dump vulnerable.
+  One of the fixups submitted as PR205.
+
 * Thu Aug 02 2018 Vaclav Dolezal <vdolezal@redhat.com> - 3.5.1-13
 - fix permissions for log directory (#1572696)