amanda regression

2023-03-2300:00:00

ubuntu.com

ubuntu

amanda

regression

vulnerabilities

information disclosure

privilege escalation

fix

gnutar

backups

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.2

Confidence

Low

EPSS

0.001

Percentile

18.5%

JSON

Releases

Ubuntu 22.10
Ubuntu 22.04 LTS
Ubuntu 20.04 LTS
Ubuntu 18.04 ESM
Ubuntu 16.04 ESM
Ubuntu 14.04 ESM

Packages

amanda - Advanced Maryland Automatic Network Disk Archiver (Client)

Details

USN-5966-1 fixed vulnerabilities in amanda. Unfortunately it introduced
a regression in GNUTAR-based backups. This update reverts all of the
changes in amanda until a better fix is provided.

We apologize for the inconvenience.

Original advisory details:

Maher Azzouzi discovered an information disclosure vulnerability in the
calcsize binary within amanda. calcsize is a suid binary owned by root that
could possibly be used by a malicious local attacker to expose sensitive
file system information. (CVE-2022-37703)

Maher Azzouzi discovered a privilege escalation vulnerability in the
rundump binary within amanda. rundump is a suid binary owned by root that
did not perform adequate sanitization of environment variables or
commandline options and could possibly be used by a malicious local
attacker to escalate privileges. (CVE-2022-37704)

Maher Azzouzi discovered a privilege escalation vulnerability in the runtar
binary within amanda. runtar is a suid binary owned by root that did not
perform adequate sanitization of commandline options and could possibly be
used by a malicious local attacker to escalate privileges. (CVE-2022-37705)

OSVersionArchitecturePackageVersionFilename
Ubuntu22.10noarchamanda-client< 1:3.5.1-9ubuntu0.2UNKNOWN
Ubuntu22.10noarchamanda-client-dbgsym< 1:3.5.1-9ubuntu0.2UNKNOWN
Ubuntu22.10noarchamanda-common< 1:3.5.1-9ubuntu0.2UNKNOWN
Ubuntu22.10noarchamanda-common-dbgsym< 1:3.5.1-9ubuntu0.2UNKNOWN
Ubuntu22.10noarchamanda-server< 1:3.5.1-9ubuntu0.2UNKNOWN
Ubuntu22.10noarchamanda-server-dbgsym< 1:3.5.1-9ubuntu0.2UNKNOWN
Ubuntu22.04noarchamanda-client< 1:3.5.1-8ubuntu1.2UNKNOWN
Ubuntu22.04noarchamanda-client-dbgsym< 1:3.5.1-8ubuntu1.2UNKNOWN
Ubuntu22.04noarchamanda-common< 1:3.5.1-8ubuntu1.2UNKNOWN
Ubuntu22.04noarchamanda-common-dbgsym< 1:3.5.1-8ubuntu1.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	22.10	noarch	amanda-client	< 1:3.5.1-9ubuntu0.2	UNKNOWN
Ubuntu	22.10	noarch	amanda-client-dbgsym	< 1:3.5.1-9ubuntu0.2	UNKNOWN
Ubuntu	22.10	noarch	amanda-common	< 1:3.5.1-9ubuntu0.2	UNKNOWN
Ubuntu	22.10	noarch	amanda-common-dbgsym	< 1:3.5.1-9ubuntu0.2	UNKNOWN
Ubuntu	22.10	noarch	amanda-server	< 1:3.5.1-9ubuntu0.2	UNKNOWN
Ubuntu	22.10	noarch	amanda-server-dbgsym	< 1:3.5.1-9ubuntu0.2	UNKNOWN
Ubuntu	22.04	noarch	amanda-client	< 1:3.5.1-8ubuntu1.2	UNKNOWN
Ubuntu	22.04	noarch	amanda-client-dbgsym	< 1:3.5.1-8ubuntu1.2	UNKNOWN
Ubuntu	22.04	noarch	amanda-common	< 1:3.5.1-8ubuntu1.2	UNKNOWN
Ubuntu	22.04	noarch	amanda-common-dbgsym	< 1:3.5.1-8ubuntu1.2	UNKNOWN