Bugzilla – Bug 1208033
VUL-0: CVE-2022-37704: amanda: rundump: local privilege escalation
Last modified: 2024-05-03 13:57:08 UTC
CVE-2022-37704 Amanda 3.5.1 has a flaw that allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of privileges, denial of service, and information disclosure. Upstream PR (not merged yet): https://github.com/zmanda/amanda/pull/195 https://github.com/MaherAzzouzi/CVE-2022-37704 https://github.com/zmanda/amanda/issues/192 https://marc.info/?l=amanda-hackers&m=167437716918603&w=2 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37704 https://bugzilla.redhat.com/show_bug.cgi?id=2167743
Affected: - SUSE:SLE-11:Update - openSUSE:Factory - openSUSE:Backports:SLE-15-SP3 - openSUSE:Backports:SLE-15-SP4
I've been checking the devel project version [1] and it looks like the fix for this CVE is now in the 3.5.2 release from June. I'm not sure how it's possible that a commit from Feb 13th is in the release from June, but the code is there, so maybe this fix in master was added during the release process and never added to the git repo. [1] https://github.com/zmanda/amanda/archive/refs/tags/tag-community-3.5.2.tar.gz [2] https://github.com/zmanda/amanda/commit/e890d08e16ea0621966a7ae35cce53ccb44a472e
Backporst for 15.3 is no longer supported.
This is an autogenerated message for OBS integration: This bug (1208033) was mentioned in https://build.opensuse.org/request/show/1066928 Backports:SLE-15-SP4 / amanda
openSUSE-SU-2023:0069-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1208032,1208033 CVE References: CVE-2022-37704,CVE-2022-37705 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): amanda-3.5.1-bp154.3.3.1
done, closing