Version in base suite: 3.5.1-11+deb12u1
Base version: amanda_3.5.1-11+deb12u1
Target version: amanda_3.5.1-11+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/amanda/amanda_3.5.1-11+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/a/amanda/amanda_3.5.1-11+deb12u2.dsc
changelog | 8 +++++
patches/53-fix-CVE-2022-37704_part_3 | 48 +++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 57 insertions(+)
diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog
--- amanda-3.5.1/debian/changelog 2023-12-03 13:17:07.000000000 +0000
+++ amanda-3.5.1/debian/changelog 2024-09-18 20:05:35.000000000 +0000
@@ -1,3 +1,11 @@
+amanda (1:3.5.1-11+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * The fix for CVE-2022-37704 was incomplete and also broke some
+ xfsdump usecases. (Closes: #1081049)
+
+ -- Adrian Bunk Wed, 18 Sep 2024 23:05:35 +0300
+
 amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3
--- amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 1970-01-01 00:00:00.000000000 +0000
+++ amanda-3.5.1/debian/patches/53-fix-CVE-2022-37704_part_3 2024-09-18 20:05:35.000000000 +0000
@@ -0,0 +1,48 @@
+From b930189c06290a23aba177687b2f123590323be1 Mon Sep 17 00:00:00 2001
+From: Pavel Cahyna
+Date: Sun, 26 Feb 2023 22:34:23 +0100
+Subject: Update the fix for CVE-2022-37704
+
+In the case of xfsdump(8), the check for dump(8) options was invoked
+instead of the check for the xfsdump(8). This broke legitimate use of
+xfsdump, while leaving the vulnerability open.
+---
+ client-src/rundump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 2d4dd8fba..295b09951 100644
+--- a/client-src/rundump.c
++++ b/client-src/rundump.c
+@@ -138,9 +138,10 @@ main(
+
+ #ifdef XFSDUMP
+
+- if (g_str_equal(argv[0], "xfsdump"))
++ if (g_str_equal(argv[0], "xfsdump")) {
+ dump_program = XFSDUMP;
+- else /* strcmp(argv[0], "xfsdump") != 0 */
++ validate_xfsdump_options(argc, argv);
++ } else /* strcmp(argv[0], "xfsdump") != 0 */
+
+ #endif
+
+@@ -160,6 +161,7 @@ main(
+
+ #endif
+
++ {
+ #if defined(DUMP)
+ dump_program = DUMP;
+ validate_dump_option(argc, argv);
+@@ -176,6 +178,7 @@ main(
+ # endif
+ # endif
+ #endif
++ }
+
+
+ /*
+--
+2.30.2
+
diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series
--- amanda-3.5.1/debian/patches/series 2023-12-03 13:09:19.000000000 +0000
+++ amanda-3.5.1/debian/patches/series 2024-09-18 20:05:35.000000000 +0000
@@ -48,5 +48,6 @@
 49-fix-CVE-2022-37705_part_2
 50-fix-CVE-2022-37704
 52-fix-CVE-2022-37704_part_2
+53-fix-CVE-2022-37704_part_3
 56-fix-CVE-2022-37703
 57-CVE-2023-30577.patch
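Review bot: The `{` added before `#if defined(DUMP)` (inner hunk at line 161) and the `}` added after `#endif` (inner hunk at line 178) only do their job because the `} else` in the XFSDUMP arm — and, presumably, matching `else`s in whatever `#ifdef` arms sit between the first two inner hunks, which are not shown — bind to this block; that coupling across preprocessor conditionals is invisible at the `{` itself, and an unbraced `else` binding only to `dump_program = DUMP;` is exactly how the earlier fix left `validate_dump_option` running for xfsdump. A one-line comment on the opening brace would record the contract, e.g. `{ /* default arm of the #ifdef'd if/else chain above: reached only when argv[0] names no special dumper; every arm must end in an else */`. When no dumper macro is defined the braces degrade to a bare compound statement, which compiles but reads as a stray block and deserves the same note. `validate_xfsdump_options` is not defined in this patch and presumably comes from an earlier part of the CVE-2022-37704 series; confirm it is declared in every configuration that defines XFSDUMP. `main(` begins before and continues after these hunks.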