Hello community,

here is the log from the commit of package amanda for openSUSE:Factory checked 
in at 2023-07-31 15:24:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/amanda (Old)
 and      /work/SRC/openSUSE:Factory/.amanda.new.32662 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "amanda"

Mon Jul 31 15:24:39 2023 rev:9 rq:1101484 version:3.5.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/amanda/amanda.changes    2023-07-03 
17:44:24.569292272 +0200
+++ /work/SRC/openSUSE:Factory/.amanda.new.32662/amanda.changes 2023-07-31 
15:24:44.575453607 +0200
@@ -1,0 +2,8 @@
+Fri Jul 28 08:53:07 UTC 2023 - pgaj...@suse.com
+
+- version update to 3.5.4
+  * Fixed: arg checking for runtar.c (CVE-2023-30577) [bsc#1213701]
+- modified patches
+  % amanda-2.6.1p1-avoid-perl-provides.patch (refreshed)
+
+-------------------------------------------------------------------

Old:
----
  amanda-3.5.3.tar.gz

New:
----
  amanda-3.5.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ amanda.spec ++++++
--- /var/tmp/diff_new_pack.RKoBhK/_old  2023-07-31 15:24:46.327463721 +0200
+++ /var/tmp/diff_new_pack.RKoBhK/_new  2023-07-31 15:24:46.367463953 +0200
@@ -19,7 +19,7 @@
 %define amanda_group amanda
 %define upstreamver tag-community-%{version}
 Name:           amanda
-Version:        3.5.3
+Version:        3.5.4
 Release:        0
 Summary:        Network Disk Archiver
 License:        GPL-3.0-or-later

++++++ amanda-2.6.1p1-avoid-perl-provides.patch ++++++
--- /var/tmp/diff_new_pack.RKoBhK/_old  2023-07-31 15:24:46.647465569 +0200
+++ /var/tmp/diff_new_pack.RKoBhK/_new  2023-07-31 15:24:46.687465800 +0200
@@ -1,8 +1,8 @@
-Index: amanda-2.6.1p1/perl/Amanda/BigIntCompat.pm
+Index: amanda-tag-community-3.5.4/perl/Amanda/BigIntCompat.pm
 ===================================================================
---- amanda-2.6.1p1.orig/perl/Amanda/BigIntCompat.pm    2008-12-16 
01:03:38.000000000 +0100
-+++ amanda-2.6.1p1/perl/Amanda/BigIntCompat.pm 2011-04-30 17:21:41.515787668 
+0200
-@@ -60,7 +60,8 @@ our $stringify = overload::Method($test_
+--- amanda-tag-community-3.5.4.orig/perl/Amanda/BigIntCompat.pm
++++ amanda-tag-community-3.5.4/perl/Amanda/BigIntCompat.pm
+@@ -61,7 +61,8 @@ $stringify = $stringify;
  
  if ($test_num =~ /^\+/) {
      eval <<'EVAL';
@@ -12,7 +12,7 @@
          use overload 'eq' => sub {
            my ($self, $other) = @_;
            return "$self" eq "$other";
-@@ -82,7 +83,8 @@ EVAL
+@@ -83,7 +84,8 @@ EVAL
  # by bigint2uint64().
  if (!$test_num->can("sign")) {
      eval <<'EVAL';
@@ -22,7 +22,7 @@
        sub sign { ($_[0] =~ /^-/)? "-" : "+"; }
  EVAL
      die $@ if $@;
-@@ -91,7 +93,8 @@ EVAL
+@@ -92,7 +94,8 @@ EVAL
  # similarly for bstr
  if (!$test_num->can("bstr")) {
      eval <<'EVAL';

++++++ amanda-3.5.3.tar.gz -> amanda-3.5.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/amanda-tag-community-3.5.3/ChangeLog 
new/amanda-tag-community-3.5.4/ChangeLog
--- old/amanda-tag-community-3.5.3/ChangeLog    2023-03-16 06:33:16.000000000 
+0100
+++ new/amanda-tag-community-3.5.4/ChangeLog    2023-07-26 12:27:30.000000000 
+0200
@@ -1,3 +1,6 @@
+2023-07-26 amandaTrusted <amandatrus...@zmanda.com>
+    * Fixed: arg checking for runtar.c (CVE-2023-30577)
+
 2023-02-25 amandaTrusted <amandatrus...@zmanda.com>
     * Fixed: removed vulnerable jQuery dependency
     * Fixed: fix suppressed 1st char of error message in 
common-src/bsdtcp-security.c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/amanda-tag-community-3.5.3/VERSION 
new/amanda-tag-community-3.5.4/VERSION
--- old/amanda-tag-community-3.5.3/VERSION      2023-03-16 06:33:16.000000000 
+0100
+++ new/amanda-tag-community-3.5.4/VERSION      2023-07-26 12:27:30.000000000 
+0200
@@ -1 +1 @@
-3.5.2
+3.5.4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/amanda-tag-community-3.5.3/client-src/runtar.c 
new/amanda-tag-community-3.5.4/client-src/runtar.c
--- old/amanda-tag-community-3.5.3/client-src/runtar.c  2023-03-16 
06:33:16.000000000 +0100
+++ new/amanda-tag-community-3.5.4/client-src/runtar.c  2023-07-26 
12:27:30.000000000 +0200
@@ -39,6 +39,11 @@
 #include "amutil.h"
 #include "conffile.h"
 #include "client_util.h"
+#include <stdbool.h>
+
+static const char *whitelisted_args[] = {"--blocking-factor", "--file", 
"--directory", "--exclude", "--transform", "--listed-incremental", "--newer", 
"--exclude-from", "--files-from", NULL};
+
+bool check_whitelist(char* option);
 
 int main(int argc, char **argv);
 
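Review bot: The table is declared `static const char *whitelisted_args[]` but every iterator over it is non-const — `char **j` in the next hunk (assigned with `j=whitelisted_args`) and `char** i` in the `check_whitelist` definition — so each assignment discards a qualifier, draws a diagnostic, and leaves the table writable through those pointers. Declare it `static const char *const whitelisted_args[] = { ... };` and walk it with `const char *const *j` (and `*i`). The prototype here takes `char* option` while the definition takes `gchar* option`; the two agree only through GLib's `gchar` typedef, so use one spelling, preferably `const char *option`, since the function only reads the string. Nothing shown uses `check_whitelist` outside this file, so `static` on the prototype and definition would keep the symbol file-local.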
@@ -49,6 +54,7 @@
 {
 #ifdef GNUTAR
     int i;
+    char **j;
     char *e;
     char *dbf;
     char *cmdline;
@@ -182,20 +188,23 @@
                g_str_has_prefix(argv[i],"--verbose")) {
                /* Accept theses options */
                good_option++;
-           } else if (g_str_has_prefix(argv[i],"--blocking-factor") ||
-               g_str_has_prefix(argv[i],"--file") ||
-               g_str_has_prefix(argv[i],"--directory") ||
-               g_str_has_prefix(argv[i],"--exclude") ||
-               g_str_has_prefix(argv[i],"--transform") ||
-               g_str_has_prefix(argv[i],"--listed-incremental") ||
-               g_str_has_prefix(argv[i],"--newer") ||
-               g_str_has_prefix(argv[i],"--exclude-from") ||
-               g_str_has_prefix(argv[i],"--files-from")) {
+           } else if (check_whitelist(argv[i])) {
                if (strchr(argv[i], '=')) {
                    good_option++;
                } else {
                    /* Accept theses options with the following argument */
                    good_option += 2;
+
+            /* Whitelisting only the allowed arguments*/
+            for(j=whitelisted_args; *j; j++) {
+                if (strcmp(argv[i], *j) == 0) {
+                    break;
+                }
+            }
+
+            if (!*j) {
+                good_option = 0; // not allowing arguments absent in the 
whitelist
+            }
                }
            } else if (argv[i][0] != '-') {
                good_option++;
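Review bot: The exact-name comparison is only reached in the `else` branch, so an argument that merely begins with a whitelisted name but carries an `=value` suffix is still accepted on the prefix match from `check_whitelist` alone; the two spellings of the same option are therefore screened differently. Compare the option name up to any `=` against the table first and only then decide which branch applies, as sketched below (`strcspn`/`strncmp` come from `<string.h>`, which the `strchr` call already needs). `good_option = 0` discards the count accumulated so far but the loop keeps running, so whether a zeroed count is rejected or simply re-incremented by later arguments depends on code outside the hunk; confirm that. The new block is also indented at 12 columns inside a body at 19 and duplicates the walk in `check_whitelist`; moving the exact comparison into that helper would remove the copy. The enclosing `main` starts and ends outside this hunk.
```c
           } else if (check_whitelist(argv[i])) {
               /* Accept only an exact whitelist entry, optionally followed by
                * "=value"; a longer name that merely shares the prefix is not
                * enough (check_whitelist() tests the prefix only). */
               size_t name_len = strcspn(argv[i], "=");
               for (j = whitelisted_args; *j; j++) {
                   if (strlen(*j) == name_len &&
                       strncmp(argv[i], *j, name_len) == 0) {
                       break;
                   }
               }
               if (!*j) {
                   good_option = 0; /* not allowing arguments absent in the whitelist */
               } else if (argv[i][name_len] == '=') {
                   good_option++;
               } else {
                   /* Accept theses options with the following argument */
                   good_option += 2;
               }
           } else if (argv[i][0] != '-') {
```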
@@ -227,6 +236,7 @@
     env = safe_env();
     execve(my_realpath, new_argv, env);
     free_env(env);
+    free_env(new_argv);
 
     e = strerror(errno);
     dbreopen(dbf, "more");
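Review bot: `free_env(new_argv)` applies the deallocator written for `safe_env()`'s result to an array built elsewhere in `main`, and it runs only after `execve` has already failed; whether every element of `new_argv` is an owned heap string rather than a pointer into `argv` is not visible in this hunk, so confirm that before releasing it this way, since freeing borrowed pointers on the error path would be worse than the leak being fixed. If `new_argv` does own its strings, a comment such as `/* execve failed: release both the environment and the argv copy before reporting */` would make the pairing with `free_env(env)` explicit. `main` starts and ends outside this hunk.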
@@ -239,3 +249,23 @@
     return 1;
 #endif
 }
+
+bool
+check_whitelist(
+    gchar* option)
+{
+    bool result = TRUE;
+    char** i;
+
+    for(i=whitelisted_args; *i; i++) {
+        if (g_str_has_prefix(option, *i)) {
+            break;
+        }
+    }
+
+    if (!*i) {
+        result = FALSE; // not allowing arguments absent in the whitelist
+    }
+
+    return result;
+}
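Review bot: `check_whitelist` has no header comment and its contract is narrower than the name suggests: it returns true for any option that begins with a whitelisted name, leaving the exact-name decision to the caller; document that with `/* True when option starts with a whitelisted name (prefix test only; the caller must still match the full option name). */`. The function assigns GLib's `TRUE`/`FALSE` to a `bool` although `<stdbool.h>` is now included; `true`/`false` match the declared type, and returning directly from the loop (`return true;` on a match, `return false;` after it) removes `result` and the `!*i` re-test. As with the prototype, `static` would keep the symbol file-local.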
