CVE-2022-37703 - directory existence disclosure via SUID calcsize binary #192
Comments
|
These two local privilege escalation vulnerabilities appear to be CVE-2022-37704 and CVE-2022-37705: https://github.com/MaherAzzouzi/CVE-2022-37704 |
|
Do I understand correctly that this has not yet been reported to Betsol, the current owner of the amanda code? |
|
I just posted it to the 2 main amanda mailing-lists for a start. Unfortunately the project is poorly maintained in the last years. Thanks for your reporting. |
The original "researcher" didn't originally attempt to report to upstream, no. They deleted my issue asking them to after they weren't able to figure out how to send to the mailing lists. I haven't done anything but report them here, though I wasn't aware that this might not be the best place to report them.
Thank you! For any other observers, those mails seem to be the following: https://marc.info/?l=amanda-hackers&m=167437716918603&w=2 |
|
I have reported the same to the Zmanda product team.
We will prioritize these fixes.
Meanwhile if any of you can share the possible solutions from your end that
would be great.
…On Sun, Jan 22, 2023 at 7:10 PM ajakk ***@***.***> wrote:
Do I understand correctly that this has not yet been reported to Betsol,
the current owner of the amanda code?
The original "researcher" didn't originally attempt to report to upstream,
no. They deleted my issue asking them to after they weren't able to figure
out how to send to the mailing lists. I haven't done anything but report
them here, though I wasn't aware that this might not be the best place to
report them.
I just posted it to the 2 main amanda mailing-lists for a start.
Unfortunately the project is poorly maintained in the last years. Thanks
for your reporting.
Thank you! For any other observers, those mails seem to be the following:
https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
https://marc.info/?l=amanda-users&m=167437611218333&w=2
—
Reply to this email directly, view it on GitHub
<#192 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AS2DQM5CBE6OFASJTHOF7V3WTXD6RANCNFSM6AAAAAAQV5YFNQ>
.
You are receiving this because you were assigned.Message ID:
***@***.***>
|
Will there be a new release of amanda with the fixes then? |
|
The fixes have been merged with community code base. Right now, looking at
the new release with the fixes. Post that we will look at the distro
specific packages.
…On Tue, Feb 7, 2023 at 5:44 AM Stefan G. Weichinger < ***@***.***> wrote:
I have reported the same to the Zmanda product team. We will prioritize
these fixes. Meanwhile if any of you can share the possible solutions from
your end that would be great.
Will there be a new release of amanda with the fixes then?
It would be great to see that soon, along some new packages for the
distros as well.
—
Reply to this email directly, view it on GitHub
<#192 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AS2DQMZKC2LAAXS3RFPO7ULWWIRQ3ANCNFSM6AAAAAAQV5YFNQ>
.
You are receiving this because you were assigned.Message ID:
***@***.***>
|
|
According to https://marc.info/?l=amanda-users&m=167628405416862&w=2, there's PRs for fixes: CVE-2022-37703: #198 And those have linked commits: |
|
looks like this was fixed as part of PR raise on #198 |
The researcher that requested this CVE hasn't seemed to actually report to Amanda upstream, so I'm reproducing the report here to hopefully get it fixed. The CVE's description:
"In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use
opendir()as root directly without checking the path, letting the attacker provide an arbitrary path."There's also a tiny bit more information in: https://github.com/MaherAzzouzi/CVE-2022-37703
Probably most notably,
[Affected Component] Component: calcsize SUID binary. C file: calcsize.c Line: 435 if((d = opendir(dirname)) == NULL) {.I tried to convince the researcher to be a bit more responsible and report to upstream, but they eventually deleted the issue where I requested this and told me they'd release 2 local privilege escalation vulnerabilities, but that fortunately doesn't seem to have happened yet. More information on that in this gist.
The text was updated successfully, but these errors were encountered: