Accepting request 1066165 from home:dgarcia:branches:Archiving

- Add CVE-2022-37705.patch to fix privilege scalation (boo#1208032, gh#zmanda/amanda#194) OBS-URL: https://build.opensuse.org/request/show/1066165 OBS-URL: https://build.opensuse.org/package/show/Archiving/amanda?expand=0&rev=86
2023-02-17 08:52:31 +00:00 · 2023-02-17 08:52:31 +00:00 · 0ac83544ed
commit 0ac83544ed
parent 542a96e5f9
3 changed files with 26 additions and 1 deletions
--- a/CVE-2022-37705.patch
+++ b/CVE-2022-37705.patch
@ -0,0 +1,16 @@
+Index: amanda-tag-community-3.5.2/client-src/runtar.c
+===================================================================
+--- amanda-tag-community-3.5.2.orig/client-src/runtar.c
+++ amanda-tag-community-3.5.2/client-src/runtar.c
+@@ -191,9 +191,9 @@ main(
+ 		g_str_has_prefix(argv[i],"--newer") ||
+ 		g_str_has_prefix(argv[i],"--exclude-from") ||
+ 		g_str_has_prefix(argv[i],"--files-from")) {
+-		/* Accept theses options with the following argument */
+-		good_option += 2;
+		good_option++;
+ 	    } else if (argv[i][0] != '-') {
+		/* argument values are accounted for here */
+ 		good_option++;
+ 	    }
+ 	}
--- a/amanda.changes
+++ b/amanda.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Feb 16 11:03:29 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2022-37705.patch to fix privilege scalation
+  (boo#1208032, gh#zmanda/amanda#194)
+
 -------------------------------------------------------------------
 Fri Oct  7 12:43:58 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>

--- a/amanda.spec
+++ b/amanda.spec
@ -1,7 +1,7 @@
 #
 # spec file for package amanda
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -37,6 +37,8 @@ Patch7:         amanda-libnsl.patch
 Patch8:         amanda-3.5.1-GCC10_extern.patch
 # PATCH-FIX-UPSTREAM amanda-3.5.2-fix-tests.patch -- gh#zmanda/amanda#167
 Patch9:         amanda-3.5.2-fix-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2022-37705.patch -- boo#1208032, gh#zmanda/amanda#194
+Patch10:        CVE-2022-37705.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@ -95,6 +97,7 @@ running multiple versions of Linux or Unix.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1

 %build
 ./autogen