
CVE-2022-37703 - directory existence disclosure via SUID calcsize binary #192

Closed
ajakk opened this issue Sep 26, 2022 · 9 comments

Comments

@ajakk

ajakk commented Sep 26, 2022

The researcher that requested this CVE hasn't seemed to actually report to Amanda upstream, so I'm reproducing the report here to hopefully get it fixed. The CVE's description:

"In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use opendir() as root directly without checking the path, letting the attacker provide an arbitrary path."

There's also a tiny bit more information in: https://github.com/MaherAzzouzi/CVE-2022-37703
Probably most notably, [Affected Component] Component: calcsize SUID binary. C file: calcsize.c, line 435: `if((d = opendir(dirname)) == NULL) {`.

I tried to convince the researcher to be a bit more responsible and report to upstream, but they eventually deleted the issue where I requested this and told me they'd release 2 local privilege escalation vulnerabilities, but that fortunately doesn't seem to have happened yet. More information on that in this gist.
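
An added example, not Amanda's code and not the fix from the linked PRs, contrasting the pattern the CVE describes with one defender-side repair: making the opendir() call with the caller's real uid, so a SUID binary discloses nothing the invoking user could not see anyway. Function names are mine; the sample paths are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stddef.h>
#include <unistd.h>

/* Shape of the reported defect (hypothetical reconstruction, not calcsize.c):
 * opendir() runs with the binary's effective uid (root for a SUID tool), so the
 * success/failure outcome reveals whether any directory exists, even one the
 * invoking user could not reach. Returns 1 if opendir() succeeded, else 0. */
int dir_exists_as_effective_user(const char *dirname)
{
    DIR *d = opendir(dirname);
    if (d == NULL)
        return 0;
    closedir(d);
    return 1;
}

/* Hardened variant: perform the opendir() with the caller's *real* uid, so the
 * kernel applies the caller's own permissions and the tool cannot serve as a
 * probe. Privileges are restored afterwards; a failure to restore is treated
 * as fatal because a SUID tool must not continue in an undefined state.
 * Returns 0 and sets *out on success, -1 (errno preserved) otherwise. */
int opendir_as_real_user(const char *dirname, DIR **out)
{
    uid_t real_uid = getuid();
    uid_t saved_euid = geteuid();
    DIR *d;
    int saved_errno;

    *out = NULL;
    if (seteuid(real_uid) != 0)          /* drop to the invoking user */
        return -1;
    d = opendir(dirname);
    saved_errno = errno;
    if (seteuid(saved_euid) != 0) {      /* regain privileges for the rest of the run */
        if (d != NULL)
            closedir(d);
        return -1;
    }
    if (d == NULL) {
        errno = saved_errno;
        return -1;
    }
    *out = d;
    return 0;
}
```

When run without the SUID bit, real and effective uid coincide and seteuid() is a no-op, so both functions behave identically; the difference only appears under a privileged deployment. If the tool never needs root back after the path handling, permanently dropping with setuid() is the stronger choice than the restore step shown here.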

@ajakk
Author

ajakk commented Jan 1, 2023

These two local privilege escalation vulnerabilities appear to be CVE-2022-37704 and CVE-2022-37705:

https://github.com/MaherAzzouzi/CVE-2022-37704
https://github.com/MaherAzzouzi/CVE-2022-37705

@stefangweichinger
Contributor

Do I understand correctly that this has not yet been reported to Betsol, the current owner of the amanda code?

@stefangweichinger
Contributor

I just posted it to the 2 main amanda mailing-lists for a start. Unfortunately the project has been poorly maintained in the last few years. Thanks for your reporting.

@ajakk
Author

ajakk commented Jan 23, 2023

> Do I understand correctly that this has not yet been reported to Betsol, the current owner of the amanda code?

The original "researcher" didn't originally attempt to report to upstream, no. They deleted my issue asking them to after they weren't able to figure out how to send to the mailing lists. I haven't done anything but report them here, though I wasn't aware that this might not be the best place to report them.

> I just posted it to the 2 main amanda mailing-lists for a start. Unfortunately the project has been poorly maintained in the last few years. Thanks for your reporting.

Thank you! For any other observers, those mails seem to be the following:

https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
https://marc.info/?l=amanda-users&m=167437611218333&w=2

@vjnpavanraj

vjnpavanraj commented Jan 23, 2023 via email

@stefangweichinger
Contributor

> I have reported the same to the Zmanda product team. We will prioritize these fixes. Meanwhile, if any of you can share the possible solutions from your end, that would be great.

Will there be a new release of amanda with the fixes then?
It would be great to see that soon, along with some new packages for the distros as well.

@vjnpavanraj

vjnpavanraj commented Feb 12, 2023 via email

@ajakk
Author

ajakk commented Feb 18, 2023

According to https://marc.info/?l=amanda-users&m=167628405416862&w=2, there are PRs for fixes:

CVE-2022-37703: #198
CVE-2022-37704: #197

And those have linked commits:

cf01041
ee766ef

@prajwaltr93
Contributor

Looks like this was fixed as part of the PR raised in #198.
