
#192 CVE-2022-37703 - directory existence disclosure via SUID calcsize binary

open
nobody
None
2023-02-12
2022-09-26
Anonymous
No

Originally created by: ajakk

The researcher that requested this CVE hasn't seemed to actually report to Amanda upstream, so I'm reproducing the report here to hopefully get it fixed. The CVE's description:

"In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use opendir() as root directly without checking the path, letting the attacker provide an arbitrary path."

There's also a tiny bit more information in: https://github.com/MaherAzzouzi/CVE-2022-37703
Probably most notably, [Affected Component] Component: calcsize SUID binary. C file: calcsize.c Line: 435 if((d = opendir(dirname)) == NULL) {.

I tried to convince the researcher to be a bit more responsible and report to upstream, but they eventually deleted the issue where I requested this and told me they'd release 2 local privilege escalation vulnerabilities, but that fortunately doesn't seem to have happened yet. More information on that in this gist.
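As an added example (not code from Amanda, the reporter, or the CVE requester), the following C program shows the fix a maintainer would apply to the opendir() call quoted above: a SUID helper should open a caller-supplied directory with the invoking user's real uid/gid rather than root's, so the call can tell the caller nothing they could not already learn by running opendir() themselves. The function names opendir_as_real_user and check_dir_as_real_user are hypothetical, and the non-existent path used in the usage comment is constructed for illustration.

```c
/* Added example, not Amanda code: open a directory with the invoking (real)
 * user's privileges instead of the SUID binary's effective root privileges. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporarily drop the effective uid/gid to the real ids around opendir().
 * Returns the DIR* on success; on failure returns NULL with errno set to
 * whatever opendir() reported when run as the real user. */
DIR *opendir_as_real_user(const char *dirname)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    DIR *d;
    int saved_errno;

    /* Drop the group id first: once the effective uid is no longer 0,
     * setegid() to an arbitrary group would fail. Skip the calls entirely
     * when nothing is elevated (e.g. when run as a plain user). */
    if (egid != rgid && setegid(rgid) != 0)
        return NULL;
    if (euid != ruid && seteuid(ruid) != 0) {
        saved_errno = errno;
        (void)setegid(egid);
        errno = saved_errno;
        return NULL;
    }

    d = opendir(dirname);
    saved_errno = errno;

    /* Regain privileges for the rest of the program. A SUID helper that
     * cannot get them back is in an undefined state, so treat it as fatal. */
    if (euid != ruid && seteuid(euid) != 0)
        abort();
    if (egid != rgid && setegid(egid) != 0)
        abort();

    errno = saved_errno;
    return d;
}

/* Convenience wrapper: 0 if the real user can open the directory, otherwise
 * the negated errno (-ENOENT, -EACCES, ...). For a path below a directory
 * the real user cannot traverse, opendir() as that user reports EACCES
 * whether or not the leaf exists, which is the property a root-privileged
 * opendir() on an unchecked path lacks. */
int check_dir_as_real_user(const char *dirname)
{
    DIR *d = opendir_as_real_user(dirname);
    if (d == NULL)
        return -errno;
    closedir(d);
    return 0;
}

/* Usage: ./a.out /some/directory
 * e.g. "/" reports readable; "/no-such-dir-constructed-example" reports
 * "No such file or directory" only if the real user could see that anyway. */
int main(int argc, char **argv)
{
    int rc;
    if (argc != 2) {
        fprintf(stderr, "usage: %s DIRECTORY\n", argv[0]);
        return 2;
    }
    rc = check_dir_as_real_user(argv[1]);
    if (rc != 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(-rc));
        return 1;
    }
    printf("%s: readable by uid %u\n", argv[1], (unsigned)getuid());
    return 0;
}
```

The design point is that the privilege drop happens before the path is touched at all: validating the string with realpath() or stat() while still root would reintroduce the same existence oracle through a different system call.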

Related

Tickets: #194

Discussion

  • Anonymous

    Anonymous - 2022-10-14
     
  • Anonymous

    Anonymous - 2023-01-22

    Originally posted by: stefangweichinger

    Do I understand correctly that this has not yet been reported to Betsol, the current owner of the amanda code?

     
  • Anonymous

    Anonymous - 2023-01-22

    Originally posted by: stefangweichinger

    I just posted it to the 2 main amanda mailing-lists for a start. Unfortunately the project is poorly maintained in the last years. Thanks for your reporting.

     
  • Anonymous

    Anonymous - 2023-01-23

    Originally posted by: ajakk

    Do I understand correctly that this has not yet been reported to Betsol, the current owner of the amanda code?

    The original "researcher" didn't originally attempt to report to upstream, no. They deleted my issue asking them to after they weren't able to figure out how to send to the mailing lists. I haven't done anything but report them here, though I wasn't aware that this might not be the best place to report them.

    I just posted it to the 2 main amanda mailing-lists for a start. Unfortunately the project is poorly maintained in the last years. Thanks for your reporting.

    Thank you! For any other observers, those mails seem to be the following:

    https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
    https://marc.info/?l=amanda-users&m=167437611218333&w=2

     
  • Anonymous

    Anonymous - 2023-01-23

    Originally posted by: vjnpavanraj

    I have reported the same to the Zmanda product team. We will prioritize these fixes. Meanwhile if any of you can share the possible solutions from your end that would be great.

    On Sun, Jan 22, 2023 at 7:10 PM ajakk @.***> wrote:

    Do I understand correctly that this has not yet been reported to Betsol, the current owner of the amanda code?

    The original "researcher" didn't originally attempt to report to upstream, no. They deleted my issue asking them to after they weren't able to figure out how to send to the mailing lists. I haven't done anything but report them here, though I wasn't aware that this might not be the best place to report them.

    I just posted it to the 2 main amanda mailing-lists for a start. Unfortunately the project is poorly maintained in the last years. Thanks for your reporting.

    Thank you! For any other observers, those mails seem to be the following:

    https://marc.info/?l=amanda-hackers&m=167437716918603&w=2
    https://marc.info/?l=amanda-users&m=167437611218333&w=2


     
  • Anonymous

    Anonymous - 2023-02-07

    Originally posted by: stefangweichinger

    I have reported the same to the Zmanda product team. We will prioritize these fixes. Meanwhile if any of you can share the possible solutions from your end that would be great.

    Will there be a new release of amanda with the fixes then?
    It would be great to see that soon, along some new packages for the distros as well.

     
  • Anonymous

    Anonymous - 2023-02-12

    Originally posted by: vjnpavanraj

    The fixes have been merged with community code base. Right now, looking at the new release with the fixes. Post that we will look at the distro specific packages.

    On Tue, Feb 7, 2023 at 5:44 AM Stefan G. Weichinger ***@***.*** wrote:

    I have reported the same to the Zmanda product team. We will prioritize these fixes. Meanwhile if any of you can share the possible solutions from your end that would be great.

    Will there be a new release of amanda with the fixes then?
    It would be great to see that soon, along some new packages for the distros as well.


     
