From 0ac83544ed3ceaf814338fe9c4067a55e62eedc36c4e4435d674008b02ffa802 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Fri, 17 Feb 2023 08:52:31 +0000
Subject: [PATCH] Accepting request 1066165 from home:dgarcia:branches:Archiving - Add CVE-2022-37705.patch to fix privilege scalation (boo#1208032, gh#zmanda/amanda#194)
OBS-URL: https://build.opensuse.org/request/show/1066165
OBS-URL: https://build.opensuse.org/package/show/Archiving/amanda?expand=0&rev=86
---
CVE-2022-37705.patch | 16 ++++++++++++++++
amanda.changes | 6 ++++++
amanda.spec | 5 ++++-
3 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 CVE-2022-37705.patch
diff --git a/CVE-2022-37705.patch b/CVE-2022-37705.patch
new file mode 100644
index 0000000..02fec8e
--- /dev/null
+++ b/CVE-2022-37705.patch
@@ -0,0 +1,16 @@
+Index: amanda-tag-community-3.5.2/client-src/runtar.c
+===================================================================
+--- amanda-tag-community-3.5.2.orig/client-src/runtar.c
++++ amanda-tag-community-3.5.2/client-src/runtar.c
+@@ -191,9 +191,9 @@ main(
+ g_str_has_prefix(argv[i],"--newer") ||
+ g_str_has_prefix(argv[i],"--exclude-from") ||
+ g_str_has_prefix(argv[i],"--files-from")) {
+- /* Accept theses options with the following argument */
+- good_option += 2;
++ good_option++;
+ } else if (argv[i][0] != '-') {
++ /* argument values are accounted for here */
+ good_option++;
+ }
+ }
diff --git a/amanda.changes b/amanda.changes
index 3e38579..147acde 100644
--- a/amanda.changes
+++ b/amanda.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Feb 16 11:03:29 UTC 2023 - Daniel Garcia
+
+- Add CVE-2022-37705.patch to fix privilege scalation
+ (boo#1208032, gh#zmanda/amanda#194)
+
 -------------------------------------------------------------------
 Fri Oct 7 12:43:58 UTC 2022 - Thorsten Kukuk
 
diff --git a/amanda.spec b/amanda.spec
index 023b05a..7591fae 100644
--- a/amanda.spec
+++ b/amanda.spec
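Review bot: In the runtar.c hunk carried by CVE-2022-37705.patch, the branch for `--newer`, `--exclude-from` and `--files-from` loses its only comment, so nothing at the changed `good_option++` records why an option that takes a value must now count only itself. I would add `/* count the option only; a separate value must pass the checks on its own iteration */` on that line, because the new comment in the `argv[i][0] != '-'` branch explains only the other half of the accounting and a later edit could quietly restore the `+= 2` pre-approval. Since the match is `g_str_has_prefix`, this branch also accepts the `--option=value` spelling, where the value sits in the same argv element and is not examined separately in the lines shown. The rest of the loop in `main` and the place where `good_option` is consumed are outside the hunk, so it is worth confirming that those values are constrained elsewhere. A regression test for the argument filter covering both spellings would pin the intended behaviour.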
@@ -1,7 +1,7 @@
 #
 # spec file for package amanda
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,8 @@ Patch7: amanda-libnsl.patch
 Patch8: amanda-3.5.1-GCC10_extern.patch
 # PATCH-FIX-UPSTREAM amanda-3.5.2-fix-tests.patch -- gh#zmanda/amanda#167
 Patch9: amanda-3.5.2-fix-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2022-37705.patch -- boo#1208032, gh#zmanda/amanda#194
+Patch10: CVE-2022-37705.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
@@ -95,6 +97,7 @@ running multiple versions of Linux or Unix. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build ./autogen