packages/amanda
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!10 fix cve-2022-37704 and cve-2022-37705

Browse Source 
From: @phluo 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2023-03-02 11:25:59 +00:00 committed by Gitee
commit bc53faf724
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 241 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

175
CVE-2022-37704.patch Normal file
View File

@ -0,0 +1,175 @@
From e890d08e16ea0621966a7ae35cce53ccb44a472e Mon Sep 17 00:00:00 2001
From: seetharaman-rajagopal <seetharaman.chn@gmail.com>
Date: Mon, 13 Feb 2023 08:14:04 +0000
Subject: [PATCH] CVE-2022-37704 - privilege escaltion form amandabackup user
to root -fix
---
client-src/rundump.c | 135 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 135 insertions(+)
diff --git a/client-src/rundump.c b/client-src/rundump.c
index 0b354d70bf..bba5699847 100644
--- a/client-src/rundump.c
+++ b/client-src/rundump.c
@@ -40,6 +40,8 @@
#include "conffile.h"
int main(int argc, char **argv);
+static void validate_dump_option(int argc, char ** argv);
+static void validate_xfsdump_options(int argc, char ** argv);
#if defined(VDUMP) || defined(XFSDUMP)
# undef USE_RUNDUMP
@@ -160,14 +162,17 @@ main(
#if defined(DUMP)
dump_program = DUMP;
+ validate_dump_option(argc, argv);
#else
# if defined(XFSDUMP)
dump_program = XFSDUMP;
+ validate_xfsdump_options(argc, argv);
# else
# if defined(VXDUMP)
dump_program = VXDUMP;
# else
dump_program = "dump";
+ validate_dump_option(argc, argv);
# endif
# endif
#endif
@@ -203,3 +208,133 @@ main(
return 1;
#endif /* } */
}
+
+void validate_dump_option(int argc, char ** argv)
+{
+ int c;
+ int numargs = argc;
+ while (numargs > 0)
+ {
+ c = getopt(argc, argv, "0123456789ab:cd:e:f:h:j:kmnqs:uvwyz:A:B:D:I:L:MQ:ST:W");
+ switch (c) {
+ case -1:
+ optind++;
+ break;
+ case '?':
+ //option is not valid
+ error("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
+ break;
+ // All this options takes another argument
+ case 'b':
+ case 'd':
+ case 'e':
+ case 'f':
+ case 'h':
+ case 'j':
+ case 's':
+ case 'z':
+ case 'A':
+ case 'B':
+ case 'D':
+ case 'I':
+ case 'L':
+ case 'Q':
+ case 'T':
+ {
+ // get optarg and check it against NULL. If it is null, then return error.
+ if (optarg == NULL) {
+ error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
+ }
+ break;
+ }
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+ case 'a':
+ case 'c':
+ case 'k':
+ case 'm':
+ case 'n':
+ case 'q':
+ case 'u':
+ case 'v':
+ case 'w':
+ case 'y':
+ case 'M':
+ case 'S':
+ case 'W':
+ {
+ break;
+ }
+ default:
+ error ("error [%s invalid option: %c]\n", get_pname(), c);
+ break;
+ }
+ numargs--;
+ }
+}
+
+void validate_xfsdump_options(int argc, char ** argv)
+{
+ int c;
+ int numargs = argc;
+ while (numargs > 0)
+ {
+ c = getopt(argc, argv, "ab:d:ef:l:mop:qs:t:v:z:AB:DFI:JL:M:RT");
+ switch (c) {
+ case -1:
+ optind++;
+ break;
+ case '?':
+ //option is not valid
+ error ("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
+ break;
+ // All this options takes another argument
+ case 'b':
+ case 'd':
+ case 'f':
+ case 'l':
+ case 'p':
+ case 's':
+ case 't':
+ case 'v':
+ case 'z':
+ case 'B':
+ case 'I':
+ case 'L':
+ case 'M':
+ {
+ // get optarg and check it against NULL. If it is null, then return error.
+ if (optarg == NULL) {
+ error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
+ }
+ break;
+ }
+ case 'a':
+ case 'e':
+ case 'm':
+ case 'o':
+ case 'q':
+ case 'A':
+ case 'D':
+ case 'F':
+ case 'J':
+ case 'R':
+ case 'T':
+ {
+ break;
+ }
+ default:
+ error ("error [%s invalid option: %c]\n", get_pname(), c);
+ break;
+ }
+ numargs--;
+ }
+}

32
CVE-2022-37704_part_2.patch Normal file
View File

@ -0,0 +1,32 @@
Description: Fix CVE-2022-37704, second vector (RSH)
Author: seetharaman-rajagopal https://github.com/seetharaman-rajagopal
Index: amanda.git/client-src/rundump.c
===================================================================
--- amanda.git.orig/client-src/rundump.c 2023-02-24 21:12:21.457531656 +0000
+++ amanda.git/client-src/rundump.c 2023-02-24 21:14:42.113754385 +0000
@@ -197,6 +197,24 @@ main(
amfree(cmdline);
env = safe_env();
+ //Filter or Discard RSH Environmental variable
+ int env_count = 0;
+ for (int i = 0; env[i] != NULL; i++){
+ env_count++;
+ }
+ for (int i = 0; i < env_count; i++){
+ if (strncmp(env[i], "RSH=", 4) == 0){
+ // Remove RSH
+ g_free(env[i]);
+ // move array elements one step left - which are after "RSH"
+ for (int j = i; j < env_count; j++){
+ env[j] = env[j + 1];
+ }
+ //decrease the variable count
+ env[env_count-1] = NULL;
+ break;
+ }
+ }
execve(dump_program, argv, env);
free_env(env);

26
CVE-2022-37705.patch Normal file
View File

@ -0,0 +1,26 @@
From 43c5b32f46186f3ed78fe6c7503096fa9ad1236c Mon Sep 17 00:00:00 2001
From: Prajwal T R <prajwaltr93@gmail.com>
Date: Thu, 22 Dec 2022 10:37:30 -0700
Subject: [PATCH] fix : fix increment logic for good_option
- for arguements of type --file=x or --file x, fixed logic while incrementing value.
---
client-src/runtar.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/client-src/runtar.c b/client-src/runtar.c
index d04a1385f6..499c7dfecb 100644
--- a/client-src/runtar.c
+++ b/client-src/runtar.c
@@ -191,9 +191,9 @@ main(
g_str_has_prefix(argv[i],"--newer") ||
g_str_has_prefix(argv[i],"--exclude-from") ||
g_str_has_prefix(argv[i],"--files-from")) {
- /* Accept theses options with the following argument */
- good_option += 2;
+ good_option++;
} else if (argv[i][0] != '-') {
+ /* argument values are accounted for here */
good_option++;
}
}

10
amanda.spec
View File

@ -9,7 +9,7 @@
Name: amanda Name: amanda
Version: 3.5.1 Version: 3.5.1
Release: 21 Release: 22
Summary: A backup solution over network to disk Summary: A backup solution over network to disk
License: BSD and GPLv3+ and GPLv2+ and GPLv2 License: BSD and GPLv3+ and GPLv2+ and GPLv2
URL: http://www.amanda.org URL: http://www.amanda.org
@ -23,10 +23,13 @@ Source14: amanda-udp.service
Source15: kamanda.socket Source15: kamanda.socket
Source16: kamanda@.service Source16: kamanda@.service
Patch5: patch-tirpc Patch5: patch-tirpc.patch
Patch6: fix-multiple-definition.patch Patch6: fix-multiple-definition.patch
#Refer: https://github.com/zmanda/amanda/pull/176/ #Refer: https://github.com/zmanda/amanda/pull/176/
Patch7: fix-hexencode-test.patch Patch7: fix-hexencode-test.patch
Patch8: CVE-2022-37704.patch
Patch9: CVE-2022-37704_part_2.patch
Patch10: CVE-2022-37705.patch
BuildRequires: automake autoconf libtool dump xfsdump cups BuildRequires: automake autoconf libtool dump xfsdump cups
BuildRequires: samba-client tar grep gcc-c++ readline-devel libtirpc-devel BuildRequires: samba-client tar grep gcc-c++ readline-devel libtirpc-devel
@ -196,6 +199,9 @@ make check
%{_mandir}/man* %{_mandir}/man*
%changelog %changelog
* Tue Feb 28 2023 luopihui <luopihui@ncti-gba.cn> - 3.5.1-22
- Fix CVE-2022-37704 CVE-2022-37705
* Fri Nov 11 2022 caodongxia <caodongxia@h-partners.com> - 3.5.1-21 * Fri Nov 11 2022 caodongxia <caodongxia@h-partners.com> - 3.5.1-21
- fix hexencode test failed - fix hexencode test failed

0
patch-tirpc → patch-tirpc.patch
View File