Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package amanda for openSUSE:Factory checked in at 2023-07-31 15:24:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/amanda (Old) and /work/SRC/openSUSE:Factory/.amanda.new.32662 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "amanda" Mon Jul 31 15:24:39 2023 rev:9 rq:1101484 version:3.5.4 Changes: -------- --- /work/SRC/openSUSE:Factory/amanda/amanda.changes 2023-07-03 17:44:24.569292272 +0200 +++ /work/SRC/openSUSE:Factory/.amanda.new.32662/amanda.changes 2023-07-31 15:24:44.575453607 +0200 @@ -1,0 +2,8 @@ +Fri Jul 28 08:53:07 UTC 2023 - pgajdos@suse.com + +- version update to 3.5.4 + * Fixed: arg checking for runtar.c (CVE-2023-30577) [bsc#1213701] +- modified patches + % amanda-2.6.1p1-avoid-perl-provides.patch (refreshed) + +------------------------------------------------------------------- Old: ---- amanda-3.5.3.tar.gz New: ---- amanda-3.5.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ amanda.spec ++++++ --- /var/tmp/diff_new_pack.RKoBhK/_old 2023-07-31 15:24:46.327463721 +0200 +++ /var/tmp/diff_new_pack.RKoBhK/_new 2023-07-31 15:24:46.367463953 +0200 @@ -19,7 +19,7 @@ %define amanda_group amanda %define upstreamver tag-community-%{version} Name: amanda -Version: 3.5.3 +Version: 3.5.4 Release: 0 Summary: Network Disk Archiver License: GPL-3.0-or-later ++++++ amanda-2.6.1p1-avoid-perl-provides.patch ++++++ --- /var/tmp/diff_new_pack.RKoBhK/_old 2023-07-31 15:24:46.647465569 +0200 +++ /var/tmp/diff_new_pack.RKoBhK/_new 2023-07-31 15:24:46.687465800 +0200 @@ -1,8 +1,8 @@ -Index: amanda-2.6.1p1/perl/Amanda/BigIntCompat.pm +Index: amanda-tag-community-3.5.4/perl/Amanda/BigIntCompat.pm =================================================================== ---- amanda-2.6.1p1.orig/perl/Amanda/BigIntCompat.pm 2008-12-16 01:03:38.000000000 +0100 -+++ amanda-2.6.1p1/perl/Amanda/BigIntCompat.pm 2011-04-30 17:21:41.515787668 +0200 -@@ -60,7 +60,8 @@ our $stringify = overload::Method($test_ +--- amanda-tag-community-3.5.4.orig/perl/Amanda/BigIntCompat.pm ++++ amanda-tag-community-3.5.4/perl/Amanda/BigIntCompat.pm +@@ -61,7 +61,8 @@ $stringify = $stringify; if ($test_num =~ /^\+/) { eval <<'EVAL'; @@ -12,7 +12,7 @@ use overload 'eq' => sub { my ($self, $other) = @_; return "$self" eq "$other"; -@@ -82,7 +83,8 @@ EVAL +@@ -83,7 +84,8 @@ EVAL # by bigint2uint64(). if (!$test_num->can("sign")) { eval <<'EVAL'; @@ -22,7 +22,7 @@ sub sign { ($_[0] =~ /^-/)? "-" : "+"; } EVAL die $@ if $@; -@@ -91,7 +93,8 @@ EVAL +@@ -92,7 +94,8 @@ EVAL # similarly for bstr if (!$test_num->can("bstr")) { eval <<'EVAL'; ++++++ amanda-3.5.3.tar.gz -> amanda-3.5.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/amanda-tag-community-3.5.3/ChangeLog new/amanda-tag-community-3.5.4/ChangeLog --- old/amanda-tag-community-3.5.3/ChangeLog 2023-03-16 06:33:16.000000000 +0100 +++ new/amanda-tag-community-3.5.4/ChangeLog 2023-07-26 12:27:30.000000000 +0200 @@ -1,3 +1,6 @@ +2023-07-26 amandaTrusted <amandaTrusted@Zmanda.com> + * Fixed: arg checking for runtar.c (CVE-2023-30577) + 2023-02-25 amandaTrusted <amandaTrusted@Zmanda.com> * Fixed: removed vulnerable jQuery dependency * Fixed: fix suppressed 1st char of error message in common-src/bsdtcp-security.c diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/amanda-tag-community-3.5.3/VERSION new/amanda-tag-community-3.5.4/VERSION --- old/amanda-tag-community-3.5.3/VERSION 2023-03-16 06:33:16.000000000 +0100 +++ new/amanda-tag-community-3.5.4/VERSION 2023-07-26 12:27:30.000000000 +0200 @@ -1 +1 @@ -3.5.2 +3.5.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/amanda-tag-community-3.5.3/client-src/runtar.c new/amanda-tag-community-3.5.4/client-src/runtar.c --- old/amanda-tag-community-3.5.3/client-src/runtar.c 2023-03-16 06:33:16.000000000 +0100 +++ new/amanda-tag-community-3.5.4/client-src/runtar.c 2023-07-26 12:27:30.000000000 +0200 @@ -39,6 +39,11 @@ #include "amutil.h" #include "conffile.h" #include "client_util.h" +#include <stdbool.h> + +static const char *whitelisted_args[] = {"--blocking-factor", "--file", "--directory", "--exclude", "--transform", "--listed-incremental", "--newer", "--exclude-from", "--files-from", NULL}; + +bool check_whitelist(char* option); int main(int argc, char **argv); @@ -49,6 +54,7 @@ { #ifdef GNUTAR int i; + char **j; char *e; char *dbf; char *cmdline; @@ -182,20 +188,23 @@ g_str_has_prefix(argv[i],"--verbose")) { /* Accept theses options */ good_option++; - } else if (g_str_has_prefix(argv[i],"--blocking-factor") || - g_str_has_prefix(argv[i],"--file") || - g_str_has_prefix(argv[i],"--directory") || - g_str_has_prefix(argv[i],"--exclude") || - g_str_has_prefix(argv[i],"--transform") || - g_str_has_prefix(argv[i],"--listed-incremental") || - g_str_has_prefix(argv[i],"--newer") || - g_str_has_prefix(argv[i],"--exclude-from") || - g_str_has_prefix(argv[i],"--files-from")) { + } else if (check_whitelist(argv[i])) { if (strchr(argv[i], '=')) { good_option++; } else { /* Accept theses options with the following argument */ good_option += 2; + + /* Whitelisting only the allowed arguments*/ + for(j=whitelisted_args; *j; j++) { + if (strcmp(argv[i], *j) == 0) { + break; + } + } + + if (!*j) { + good_option = 0; // not allowing arguments absent in the whitelist + } } } else if (argv[i][0] != '-') { good_option++; @@ -227,6 +236,7 @@ env = safe_env(); execve(my_realpath, new_argv, env); free_env(env); + free_env(new_argv); e = strerror(errno); dbreopen(dbf, "more"); @@ -239,3 +249,23 @@ return 1; #endif } + +bool +check_whitelist( + gchar* option) +{ + bool result = TRUE; + char** i; + + for(i=whitelisted_args; *i; i++) { + if (g_str_has_prefix(option, *i)) { + break; + } + } + + if (!*i) { + result = FALSE; // not allowing arguments absent in the whitelist + } + + return result; +}