From 2f3977cfe28497a2367ea7b0cc37290096deb1b8 Mon Sep 17 00:00:00 2001
From: phluo
Date: Tue, 28 Feb 2023 10:31:37 +0800
Subject: [PATCH] Fix CVE-2022-37704 CVE-2022-37705
(cherry picked from commit 4bef9f0762766c32fb38ac7684db6bb383dc3c1f)
---
CVE-2022-37704.patch | 175 +++++++++++++++++++++++++++++++
CVE-2022-37704_part_2.patch | 32 ++++++
CVE-2022-37705.patch | 26 +++++
amanda.spec | 10 +-
patch-tirpc => patch-tirpc.patch | 0
5 files changed, 241 insertions(+), 2 deletions(-)
create mode 100644 CVE-2022-37704.patch
create mode 100644 CVE-2022-37704_part_2.patch
create mode 100644 CVE-2022-37705.patch
rename patch-tirpc => patch-tirpc.patch (100%)
diff --git a/CVE-2022-37704.patch b/CVE-2022-37704.patch
new file mode 100644
index 0000000..2a42500
--- /dev/null
+++ b/CVE-2022-37704.patch
@@ -0,0 +1,175 @@
+From e890d08e16ea0621966a7ae35cce53ccb44a472e Mon Sep 17 00:00:00 2001
+From: seetharaman-rajagopal
+Date: Mon, 13 Feb 2023 08:14:04 +0000
+Subject: [PATCH] CVE-2022-37704 - privilege escaltion form amandabackup user
+ to root -fix
+
+---
+ client-src/rundump.c | 135 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 135 insertions(+)
+
+diff --git a/client-src/rundump.c b/client-src/rundump.c
+index 0b354d70bf..bba5699847 100644
+--- a/client-src/rundump.c
++++ b/client-src/rundump.c
+@@ -40,6 +40,8 @@
+ #include "conffile.h"
+
+ int main(int argc, char **argv);
++static void validate_dump_option(int argc, char ** argv);
++static void validate_xfsdump_options(int argc, char ** argv);
+
+ #if defined(VDUMP) || defined(XFSDUMP)
+ # undef USE_RUNDUMP
+@@ -160,14 +162,17 @@ main(
+
+ #if defined(DUMP)
+ dump_program = DUMP;
++ validate_dump_option(argc, argv);
+ #else
+ # if defined(XFSDUMP)
+ dump_program = XFSDUMP;
++ validate_xfsdump_options(argc, argv);
+ # else
+ # if defined(VXDUMP)
+ dump_program = VXDUMP;
+ # else
+ dump_program = "dump";
++ validate_dump_option(argc, argv);
+ # endif
+ # endif
+ #endif
+@@ -203,3 +208,133 @@ main(
+ return 1;
+ #endif /* } */
+ }
++
++void validate_dump_option(int argc, char ** argv)
++{
++ int c;
++ int numargs = argc;
++ while (numargs > 0)
++ {
++ c = getopt(argc, argv, "0123456789ab:cd:e:f:h:j:kmnqs:uvwyz:A:B:D:I:L:MQ:ST:W");
++ switch (c) {
++ case -1:
++ optind++;
++ break;
++ case '?':
++ //option is not valid
++ error("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
++ break;
++ // All this options takes another argument
++ case 'b':
++ case 'd':
++ case 'e':
++ case 'f':
++ case 'h':
++ case 'j':
++ case 's':
++ case 'z':
++ case 'A':
++ case 'B':
++ case 'D':
++ case 'I':
++ case 'L':
++ case 'Q':
++ case 'T':
++ {
++ // get optarg and check it against NULL. If it is null, then return error.
++ if (optarg == NULL) {
++ error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
++ }
++ break;
++ }
++ case '0':
++ case '1':
++ case '2':
++ case '3':
++ case '4':
++ case '5':
++ case '6':
++ case '7':
++ case '8':
++ case '9':
++ case 'a':
++ case 'c':
++ case 'k':
++ case 'm':
++ case 'n':
++ case 'q':
++ case 'u':
++ case 'v':
++ case 'w':
++ case 'y':
++ case 'M':
++ case 'S':
++ case 'W':
++ {
++ break;
++ }
++ default:
++ error ("error [%s invalid option: %c]\n", get_pname(), c);
++ break;
++ }
++ numargs--;
++ }
++}
++
++void validate_xfsdump_options(int argc, char ** argv)
++{
++ int c;
++ int numargs = argc;
++ while (numargs > 0)
++ {
++ c = getopt(argc, argv, "ab:d:ef:l:mop:qs:t:v:z:AB:DFI:JL:M:RT");
++ switch (c) {
++ case -1:
++ optind++;
++ break;
++ case '?':
++ //option is not valid
++ error ("error [%s invalid option: %s]\n", get_pname(), argv[optind-1]);
++ break;
++ // All this options takes another argument
++ case 'b':
++ case 'd':
++ case 'f':
++ case 'l':
++ case 'p':
++ case 's':
++ case 't':
++ case 'v':
++ case 'z':
++ case 'B':
++ case 'I':
++ case 'L':
++ case 'M':
++ {
++ // get optarg and check it against NULL. If it is null, then return error.
++ if (optarg == NULL) {
++ error ("error [%s additional parameter is missing for option: %c]\n", get_pname(), c);
++ }
++ break;
++ }
++ case 'a':
++ case 'e':
++ case 'm':
++ case 'o':
++ case 'q':
++ case 'A':
++ case 'D':
++ case 'F':
++ case 'J':
++ case 'R':
++ case 'T':
++ {
++ break;
++ }
++ default:
++ error ("error [%s invalid option: %c]\n", get_pname(), c);
++ break;
++ }
++ numargs--;
++ }
++}
diff --git a/CVE-2022-37704_part_2.patch b/CVE-2022-37704_part_2.patch
new file mode 100644
index 0000000..65af772
--- /dev/null
+++ b/CVE-2022-37704_part_2.patch
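Review bot: In validate_dump_option and validate_xfsdump_options (CVE-2022-37704.patch) the `case -1:` branch does `optind++` and keeps looping, so any argv element that getopt does not parse as an option is skipped unchecked; the allowlist therefore only holds if the dump program splits argv into options and operands exactly as getopt does here, which is worth confirming. The `optarg == NULL` test looks unreachable, because getopt reports a missing argument for a `:` option by returning `'?'`, and the values of the argument-taking options are not inspected at all. With glibc, getopt also permutes argv in place unless the optstring starts with `+`, and that same argv is what the second patch shows going to execve. I would state the contract on each function, e.g. `/* Allowlists option letters only; option values and non-option arguments are not checked. Relies on error() not returning. */`, since the `break` after each error() call would otherwise let an invalid argv continue.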
@@ -0,0 +1,32 @@
+Description: Fix CVE-2022-37704, second vector (RSH)
+Author: seetharaman-rajagopal https://github.com/seetharaman-rajagopal
+
+Index: amanda.git/client-src/rundump.c
+===================================================================
+--- amanda.git.orig/client-src/rundump.c 2023-02-24 21:12:21.457531656 +0000
++++ amanda.git/client-src/rundump.c 2023-02-24 21:14:42.113754385 +0000
+@@ -197,6 +197,24 @@ main(
+ amfree(cmdline);
+
+ env = safe_env();
++ //Filter or Discard RSH Environmental variable
++ int env_count = 0;
++ for (int i = 0; env[i] != NULL; i++){
++ env_count++;
++ }
++ for (int i = 0; i < env_count; i++){
++ if (strncmp(env[i], "RSH=", 4) == 0){
++ // Remove RSH
++ g_free(env[i]);
++ // move array elements one step left - which are after "RSH"
++ for (int j = i; j < env_count; j++){
++ env[j] = env[j + 1];
++ }
++ //decrease the variable count
++ env[env_count-1] = NULL;
++ break;
++ }
++ }
+ execve(dump_program, argv, env);
+ free_env(env);
+
diff --git a/CVE-2022-37705.patch b/CVE-2022-37705.patch
new file mode 100644
index 0000000..abbae46
--- /dev/null
+++ b/CVE-2022-37705.patch
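Review bot: The `break` inside the `strncmp(env[i], "RSH=", 4)` branch (CVE-2022-37704_part_2.patch) stops at the first match, so if the array from safe_env() can carry the name more than once, a later `RSH=` entry still reaches execve. Replacing `break;` with `env_count--; i--;` keeps scanning and re-tests the slot the shift just filled. The filter is also a denylist of one name applied after safe_env(); whether other variables the dump program reads can get through depends on safe_env(), which is outside this hunk, and dropping the name there would keep the policy in one place.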
@@ -0,0 +1,26 @@
+From 43c5b32f46186f3ed78fe6c7503096fa9ad1236c Mon Sep 17 00:00:00 2001
+From: Prajwal T R
+Date: Thu, 22 Dec 2022 10:37:30 -0700
+Subject: [PATCH] fix : fix increment logic for good_option
+
+- for arguements of type --file=x or --file x, fixed logic while incrementing value.
+---
+ client-src/runtar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/client-src/runtar.c b/client-src/runtar.c
+index d04a1385f6..499c7dfecb 100644
+--- a/client-src/runtar.c
++++ b/client-src/runtar.c
+@@ -191,9 +191,9 @@ main(
+ g_str_has_prefix(argv[i],"--newer") ||
+ g_str_has_prefix(argv[i],"--exclude-from") ||
+ g_str_has_prefix(argv[i],"--files-from")) {
+- /* Accept theses options with the following argument */
+- good_option += 2;
++ good_option++;
+ } else if (argv[i][0] != '-') {
++ /* argument values are accounted for here */
+ good_option++;
+ }
+ }
diff --git a/amanda.spec b/amanda.spec
index 1c6ec0d..4d12286 100644
--- a/amanda.spec
+++ b/amanda.spec
@@ -9,7 +9,7 @@ Name: amanda Version: 3.5.1 -Release: 18 +Release: 19 Summary: A backup solution over network to disk License: BSD and GPLv3+ and GPLv2+ and GPLv2 URL: http://www.amanda.org
@@ -23,7 +23,10 @@ Source14: amanda-udp.service Source15: kamanda.socket Source16: kamanda@.service -Patch5: patch-tirpc +Patch5: patch-tirpc.patch +Patch6: CVE-2022-37704.patch +Patch7: CVE-2022-37704_part_2.patch +Patch8: CVE-2022-37705.patch BuildRequires: automake autoconf libtool dump xfsdump cups BuildRequires: samba-client tar grep gcc-c++ readline-devel libtirpc-devel
@@ -193,6 +196,9 @@ make check %{_mandir}/man* %changelog +* Tue Feb 28 2023 luopihui - 3.5.1-19 +- Fix CVE-2022-37704 CVE-2022-37705 + * Sat Feb 29 2020 Ling Yang - 3.5.1-18 - Fixed build error
diff --git a/patch-tirpc b/patch-tirpc.patch
similarity index 100%
rename from patch-tirpc
rename to patch-tirpc.patch
-- Gitee
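Review bot: In the runtar.c change (CVE-2022-37705.patch) the test above the new `good_option++` is `g_str_has_prefix(argv[i],"--newer")` and its siblings, which also accept any longer option name that merely starts with the same characters; an exact match or an explicit `=` form, such as `strcmp(argv[i], "--newer") == 0 || g_str_has_prefix(argv[i], "--newer=")`, would be tighter. The `else if (argv[i][0] != '-')` branch counts every bare word as good wherever it appears, so it is not tied to a preceding option that takes a value. The comment that explained the first branch was removed; I would add `/* counts the option only; a separate value is counted by the branch below */` there. The loop and the comparison that uses good_option start outside this hunk.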