From c54a62dd0ba78ec692fa79ae00f53134f9a7decc2c8372780545c9c4b5ca2883 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Tue, 21 Mar 2023 17:54:53 +0000
Subject: [PATCH] Accepting request 1073593 from home:dspinella:branches:Archiving

- Update to version 3.5.3:
 * Fixed: removed vulnerable jQuery dependency
 * Fixed: fix suppressed 1st char of error message in common-src/bsdtcp-security.c
 * docs: improved README with Markdown
 * docs: updated README file name for docs in Debian builds
 * Fixed: post_inst_functions.sh to create amkey
 * Fixed: added extern keyword for tu_debugging_enabled declaration in testutils.h
 * Fixed: https://sogis.eu complaint symmetric encryption key derivation algorithm
 * Fixed: removed perror to fix information leak vulnerability found in the calcsize SUID binary. (CVE-2022-37703, bsc#1203390)
 * Fixed: added filter for RSH environment settings in rundump to fix privilege escalation vulnerability (CVE-2022-37704, bsc#1208033)
 * Fixed: arg checking for runtar.c (CVE-2022-37705, bsc#1208032)
- Remove upstreamed patches:
 * CVE-2022-37705.patch
 * amanda-3.5.1-GCC10_extern.patch
 * amanda-3.5.2-fix-tests.patch

OBS-URL: https://build.opensuse.org/request/show/1073593
OBS-URL: https://build.opensuse.org/package/show/Archiving/amanda?expand=0&rev=88
---
 CVE-2022-37705.patch | 16 ----------------
 amanda-3.5.1-GCC10_extern.patch | 13 -------------
 amanda-3.5.2-fix-tests.patch | 26 --------------------------
 amanda-3.5.2.tar.gz | 3 ---
 amanda-3.5.3.tar.gz | 3 +++
 amanda.changes | 23 +++++++++++++++++++++++
 amanda.spec | 14 +++----------
 7 files changed, 29 insertions(+), 69 deletions(-)
 delete mode 100644 CVE-2022-37705.patch
 delete mode 100644 amanda-3.5.1-GCC10_extern.patch
 delete mode 100644 amanda-3.5.2-fix-tests.patch
 delete mode 100644 amanda-3.5.2.tar.gz
 create mode 100644 amanda-3.5.3.tar.gz
diff --git a/CVE-2022-37705.patch b/CVE-2022-37705.patch
deleted file mode 100644
index 02fec8e..0000000
--- a/CVE-2022-37705.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: amanda-tag-community-3.5.2/client-src/runtar.c
-===================================================================
---- amanda-tag-community-3.5.2.orig/client-src/runtar.c
-+++ amanda-tag-community-3.5.2/client-src/runtar.c
-@@ -191,9 +191,9 @@ main(
- g_str_has_prefix(argv[i],"--newer") ||
- g_str_has_prefix(argv[i],"--exclude-from") ||
- g_str_has_prefix(argv[i],"--files-from")) {
-- /* Accept theses options with the following argument */
-- good_option += 2;
-+ good_option++;
- } else if (argv[i][0] != '-') {
-+ /* argument values are accounted for here */
- good_option++;
- }
- }
diff --git a/amanda-3.5.1-GCC10_extern.patch b/amanda-3.5.1-GCC10_extern.patch
deleted file mode 100644
index ed11d45..0000000
--- a/amanda-3.5.1-GCC10_extern.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/common-src/testutils.h b/common-src/testutils.h
-index 31f89737..2e9bb0b3 100644
---- a/common-src/testutils.h
-+++ b/common-src/testutils.h
-@@ -75,7 +75,7 @@ typedef struct TestUtilsTest {
- #define tu_dbg(...) if (tu_debugging_enabled) { g_fprintf(stderr, __VA_ARGS__); }
- 
- /* Is debugging enabled for this test run? (set internally) */
--int tu_debugging_enabled;
-+extern gboolean tu_debugging_enabled;
- 
- /*
- * Main loop
diff --git a/amanda-3.5.2-fix-tests.patch b/amanda-3.5.2-fix-tests.patch
deleted file mode 100644
index de710e4..0000000
--- a/amanda-3.5.2-fix-tests.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 262c05b20c7de243542e7502e00152cdafb573d4 Mon Sep 17 00:00:00 2001
-From: Peter Bieringer
-Date: Wed, 6 Jul 2022 22:53:12 +0200
-Subject: [PATCH] fix for https://github.com/zmanda/amanda/issues/167
-
----
- common-src/amutil.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/common-src/amutil.c b/common-src/amutil.c
-index 20454ab73c..371d38e433 100644
---- a/common-src/amutil.c
-+++ b/common-src/amutil.c
-@@ -1132,6 +1132,12 @@ char *hexdecode_string(const char *str, GError **err)
- new_len = orig_len = strlen(str);
- for (i = 0; i < orig_len; i++) {
- if (str[i] == '%') {
-+ if (new_len < 2) {
-+ g_set_error(err, am_util_error_quark(), AM_UTIL_ERROR_HEXDECODEINVAL,
-+ "Invalid hexcode string: %s", str);
-+ s = g_string_sized_new(0);
-+ goto cleanup;
-+ }
- new_len -= 2;
- }
- }
diff --git a/amanda-3.5.2.tar.gz b/amanda-3.5.2.tar.gz
deleted file mode 100644
index 0ebdadc..0000000
--- a/amanda-3.5.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:812aea37d5e5ae852ab4147e989f090fb60ef66e7b7fe49ef58e2d139fe3e99f
-size 3949431
diff --git a/amanda-3.5.3.tar.gz b/amanda-3.5.3.tar.gz
new file mode 100644
index 0000000..060d0ef
--- /dev/null
+++ b/amanda-3.5.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7821d7420e12bfc96c8db385c29f79afe7d6f35e80faa81da0b87a47ee5b2476
+size 3926198
diff --git a/amanda.changes b/amanda.changes
index 147acde..8319f6d 100644
--- a/amanda.changes
+++ b/amanda.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Mar 21 16:16:06 UTC 2023 - Danilo Spinella
+
+- Update to version 3.5.3:
+ * Fixed: removed vulnerable jQuery dependency
+ * Fixed: fix suppressed 1st char of error message in
+ common-src/bsdtcp-security.c
+ * docs: improved README with Markdown
+ * docs: updated README file name for docs in Debian builds
+ * Fixed: post_inst_functions.sh to create amkey
+ * Fixed: added extern keyword for tu_debugging_enabled declaration in
+ testutils.h
+ * Fixed: https://sogis.eu complaint symmetric encryption key derivation algorithm
+ * Fixed: removed perror to fix information leak vulnerability found in the
+ calcsize SUID binary. (CVE-2022-37703, bsc#1203390)
+ * Fixed: added filter for RSH environment settings in rundump to fix
+ privilege escalation vulnerability (CVE-2022-37704, bsc#1208033)
+ * Fixed: arg checking for runtar.c (CVE-2022-37705, bsc#1208032)
+- Remove upstreamed patches:
+ * CVE-2022-37705.patch
+ * amanda-3.5.1-GCC10_extern.patch
+ * amanda-3.5.2-fix-tests.patch
+
 -------------------------------------------------------------------
 Thu Feb 16 11:03:29 UTC 2023 - Daniel Garcia
 
diff --git a/amanda.spec b/amanda.spec
index 7591fae..110a4bd 100644
--- a/amanda.spec
+++ b/amanda.spec
@@ -19,7 +19,7 @@
 %define amanda_group amanda
 %define upstreamver tag-community-%{version}
 Name: amanda
-Version: 3.5.2
+Version: 3.5.3
 Release: 0
 Summary: Network Disk Archiver
 License: GPL-3.0-or-later
@@ -34,11 +34,6 @@ Patch3: amanda-2.6.1p1-avoid-perl-provides.patch
 Patch4: amanda-3.3.2-returnvalues.patch
 Patch6: amanda-3.5-no_return_in_nonvoid_fnc.patch
 Patch7: amanda-libnsl.patch
-Patch8: amanda-3.5.1-GCC10_extern.patch
-# PATCH-FIX-UPSTREAM amanda-3.5.2-fix-tests.patch -- gh#zmanda/amanda#167
-Patch9: amanda-3.5.2-fix-tests.patch
-# PATCH-FIX-UPSTREAM CVE-2022-37705.patch -- boo#1208032, gh#zmanda/amanda#194
-Patch10: CVE-2022-37705.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
@@ -95,9 +90,6 @@ running multiple versions of Linux or Unix.
 %patch4 -p1
 %patch6 -p1
 %patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
 
 %build
 ./autogen
@@ -132,7 +124,7 @@ install -d %{buildroot}/%{_sysconfdir}/amanda \
 %{buildroot}%{_localstatedir}/lib/amanda/lbl-templ \
 %{buildroot}/%{_docdir}/%{name} \
 %{buildroot}/%{_sysconfdir}/xinetd.d
-install NEWS README README.SUSE example/{amanda.conf,chg-multi.conf,disklist} %{buildroot}/%{_docdir}/%{name}
+install NEWS README.md README.SUSE example/{amanda.conf,chg-multi.conf,disklist} %{buildroot}/%{_docdir}/%{name}
 install -m 644 %{buildroot}%{_sysconfdir}/amanda/amanda-security.conf %{buildroot}%{_sysconfdir}/amanda-security.conf
 chmod 644 %{buildroot}/%{_docdir}/%{name}/* %{buildroot}/%{_mandir}/*/*
 cp -a SUSE/* %{buildroot}
@@ -194,7 +186,7 @@ ln -s amrecover.8.gz %{buildroot}%{_mandir}/man8/amoldrecover.8
 %verify_permissions -f %{_libexecdir}/amanda/suidlist
 
 %files
-%doc amanda-howto-collection.pdf ChangeLog NEWS AUTHORS COPYRIGHT README ReleaseNotes README.SUSE
+%doc amanda-howto-collection.pdf ChangeLog NEWS AUTHORS COPYRIGHT README.md ReleaseNotes README.SUSE
 %doc %attr(755,root,root) %dir %{_docdir}/%{name}
 %{_docdir}/%{name}/*
 %{_mandir}/man*/*