Fix CVE-2022-37704 CVE-2022-37705

2023-02-28 10:16:31 +08:00 · 2023-02-28 10:16:31 +08:00 · e17c6285c9
commit e17c6285c9
parent cb1d9489a7
5 changed files with 241 additions and 2 deletions
--- a/CVE-2022-37704.patch
+++ b/CVE-2022-37704.patch
@ -0,0 +1,175 @@
+From e890d08e16ea0621966a7ae35cce53ccb44a472e Mon Sep 17 00:00:00 2001
+From: seetharaman-rajagopal <seetharaman.chn@gmail.com>
+Date: Mon, 13 Feb 2023 08:14:04 +0000
+Subject: [PATCH] CVE-2022-37704 - privilege escaltion form amandabackup user
+ to root -fix
+
+---
+ client-src/rundump.c | 135 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 135 insertions(+)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 0b354d70bf..bba5699847 100644
+--- a/client-src/rundump.c
+++ b/client-src/rundump.c
+@@ -40,6 +40,8 @@
+ #include "conffile.h"
+ 
+ int main(int argc, char **argv);
+static void validate_dump_option(int argc, char ** argv);
+static void validate_xfsdump_options(int argc, char ** argv);
+ 
+ #if defined(VDUMP) || defined(XFSDUMP)
+ #  undef USE_RUNDUMP
+@@ -160,14 +162,17 @@ main(
+ 
+ #if defined(DUMP)
+         dump_program = DUMP;
+        validate_dump_option(argc, argv);
+ #else
+ # if defined(XFSDUMP)
+         dump_program = XFSDUMP;
+        validate_xfsdump_options(argc, argv);
+ # else
+ #  if defined(VXDUMP)
+ 	dump_program = VXDUMP;
+ #  else
+         dump_program = "dump";
+        validate_dump_option(argc, argv);
+ #  endif
+ # endif
+ #endif
+@@ -203,3 +208,133 @@ main(
+     return 1;
+ #endif								/* } */
+ }
+
+void validate_dump_option(int argc, char ** argv)
+{
+	int c;
+	int numargs = argc;
+	while (numargs > 0)
+	{
+		c = getopt(argc, argv, "0123456789ab:cd:e:f:h:j:kmnqs:uvwyz:A:B:D:I:L:MQ:ST:W");
+		switch (c) {
+			case -1:
+				optind++;
+			break;
+			case '?':
+				//option is not valid
+				error("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
+			break;
+			// All this options takes another argument
+			case 'b':
+			case 'd':
+			case 'e':
+			case 'f':
+			case 'h':
+			case 'j':
+			case 's':
+			case 'z':
+			case 'A':
+			case 'B':
+			case 'D':
+			case 'I':
+			case 'L':
+			case 'Q':
+			case 'T':
+			{
+				// get optarg and check it against NULL. If it is null, then return error.
+				if (optarg == NULL) {
+					error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
+				}
+				break;
+			}
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+			case 'a':
+			case 'c':
+			case 'k':
+			case 'm':
+			case 'n':
+			case 'q':
+			case 'u':
+			case 'v':
+			case 'w':
+			case 'y':
+			case 'M':
+			case 'S':
+			case 'W':
+			{
+				break;
+			}
+			default:
+				error ("error [%s invalid option: %c]\n", get_pname(), c);
+			break;
+		}
+		numargs--;
+	}
+}
+
+void validate_xfsdump_options(int argc, char ** argv)
+{
+	int c;
+	int numargs = argc;
+	while (numargs > 0)
+	{
+		c = getopt(argc, argv, "ab:d:ef:l:mop:qs:t:v:z:AB:DFI:JL:M:RT");
+		switch (c) {
+			case -1:
+				optind++;
+			break;
+			case '?':
+				//option is not valid
+				error ("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
+			break;
+			// All this options takes another argument
+			case 'b':
+			case 'd':
+			case 'f':
+			case 'l':
+			case 'p':
+			case 's':
+			case 't':
+			case 'v':
+			case 'z':
+			case 'B':
+			case 'I':
+			case 'L':
+			case 'M':
+			{
+				// get optarg and check it against NULL. If it is null, then return error.
+				if (optarg == NULL) {
+					error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
+				}
+				break;
+			}
+			case 'a':
+			case 'e':
+			case 'm':
+			case 'o':
+			case 'q':
+			case 'A':
+			case 'D':
+			case 'F':
+			case 'J':
+			case 'R':
+			case 'T':
+			{
+				break;
+			}
+			default:
+				error ("error [%s invalid option: %c]\n", get_pname(), c);
+			break;
+		}
+		numargs--;
+	}
+}
--- a/CVE-2022-37704_part_2.patch
+++ b/CVE-2022-37704_part_2.patch
@ -0,0 +1,32 @@
+Description: Fix CVE-2022-37704, second vector (RSH)
+Author: seetharaman-rajagopal https://github.com/seetharaman-rajagopal
+
+Index: amanda.git/client-src/rundump.c
+===================================================================
+--- amanda.git.orig/client-src/rundump.c	2023-02-24 21:12:21.457531656 +0000
+++ amanda.git/client-src/rundump.c	2023-02-24 21:14:42.113754385 +0000
+@@ -197,6 +197,24 @@ main(
+     amfree(cmdline);
+ 
+     env = safe_env();
+    //Filter or Discard RSH Environmental variable
+    int env_count = 0;
+    for (int i = 0; env[i] != NULL; i++){
+        env_count++;
+    }
+    for (int i = 0; i < env_count; i++){
+        if (strncmp(env[i], "RSH=", 4) == 0){
+            // Remove RSH
+            g_free(env[i]);
+            // move array elements one step left - which are after "RSH"
+            for (int j = i; j < env_count; j++){
+                env[j] = env[j + 1];
+            }
+            //decrease the variable count
+            env[env_count-1] = NULL;
+            break;
+        }
+    }
+     execve(dump_program, argv, env);
+     free_env(env);
+ 
--- a/CVE-2022-37705.patch
+++ b/CVE-2022-37705.patch
@ -0,0 +1,26 @@
+From 43c5b32f46186f3ed78fe6c7503096fa9ad1236c Mon Sep 17 00:00:00 2001
+From: Prajwal T R <prajwaltr93@gmail.com>
+Date: Thu, 22 Dec 2022 10:37:30 -0700
+Subject: [PATCH] fix : fix increment logic for good_option
+
+- for arguements of type --file=x or --file x, fixed logic while incrementing value.
+---
+ client-src/runtar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/runtar.c b/client-src/runtar.c
+index d04a1385f6..499c7dfecb 100644
+--- a/client-src/runtar.c
+++ b/client-src/runtar.c
+@@ -191,9 +191,9 @@ main(
+ 		g_str_has_prefix(argv[i],"--newer") ||
+ 		g_str_has_prefix(argv[i],"--exclude-from") ||
+ 		g_str_has_prefix(argv[i],"--files-from")) {
+-		/* Accept theses options with the following argument */
+-		good_option += 2;
+		good_option++;
+ 	    } else if (argv[i][0] != '-') {
+		/* argument values are accounted for here */
+ 		good_option++;
+ 	    }
+ 	}
--- a/amanda.spec
+++ b/amanda.spec
@ -9,7 +9,7 @@

 Name:          amanda
 Version:       3.5.1
-Release:       21
+Release:       22
 Summary:       A backup solution over network to disk
 License:       BSD and GPLv3+ and GPLv2+ and GPLv2
 URL:           http://www.amanda.org
@ -23,10 +23,13 @@ Source14:      amanda-udp.service
 Source15:      kamanda.socket
 Source16:      kamanda@.service

-Patch5:        patch-tirpc
+Patch5:        patch-tirpc.patch
 Patch6:        fix-multiple-definition.patch
 #Refer:        https://github.com/zmanda/amanda/pull/176/
 Patch7:        fix-hexencode-test.patch
+Patch8:        CVE-2022-37704.patch
+Patch9:        CVE-2022-37704_part_2.patch
+Patch10:        CVE-2022-37705.patch

 BuildRequires: automake autoconf libtool dump xfsdump cups
 BuildRequires: samba-client tar grep gcc-c++ readline-devel libtirpc-devel
@ -196,6 +199,9 @@ make check
 %{_mandir}/man*

 %changelog
+* Tue Feb 28 2023 luopihui <luopihui@ncti-gba.cn> - 3.5.1-22
+- Fix CVE-2022-37704 CVE-2022-37705
+
 * Fri Nov 11 2022 caodongxia <caodongxia@h-partners.com> - 3.5.1-21
 - fix hexencode test failed

--- a/patch-tirpc.patch
+++ b/patch-tirpc.patch