amanda regression

2023-04-0300:00:00

ubuntu.com

ubuntu 22.10

ubuntu 22.04 lts

ubuntu 20.04 lts

ubuntu 18.04 esm

information disclosure vulnerability

privilege escalation

sensitive file system

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.2 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.1%

JSON

Releases

Ubuntu 22.10
Ubuntu 22.04 LTS
Ubuntu 20.04 LTS
Ubuntu 18.04 ESM

Packages

amanda - Advanced Maryland Automatic Network Disk Archiver (Client)

Details

USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update
caused a regression and was reverted in USN-5966-2. This update provides
security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04
LTS and Ubuntu 18.04 LTS.

We apologize for the inconvenience.

Original advisory details:

Maher Azzouzi discovered an information disclosure vulnerability in the
calcsize binary within amanda. calcsize is a suid binary owned by root that
could possibly be used by a malicious local attacker to expose sensitive
file system information. (CVE-2022-37703)

Maher Azzouzi discovered a privilege escalation vulnerability in the
rundump binary within amanda. rundump is a suid binary owned by root that
did not perform adequate sanitization of environment variables or
commandline options and could possibly be used by a malicious local
attacker to escalate privileges. (CVE-2022-37704)

Maher Azzouzi discovered a privilege escalation vulnerability in the runtar
binary within amanda. runtar is a suid binary owned by root that did not
perform adequate sanitization of commandline options and could possibly be
used by a malicious local attacker to escalate privileges. (CVE-2022-37705)

OSVersionArchitecturePackageVersionFilename
Ubuntu22.10noarchamanda-client< 1:3.5.1-9ubuntu0.3UNKNOWN
Ubuntu22.10noarchamanda-client-dbgsym< 1:3.5.1-9ubuntu0.3UNKNOWN
Ubuntu22.10noarchamanda-common< 1:3.5.1-9ubuntu0.3UNKNOWN
Ubuntu22.10noarchamanda-common-dbgsym< 1:3.5.1-9ubuntu0.3UNKNOWN
Ubuntu22.10noarchamanda-server< 1:3.5.1-9ubuntu0.3UNKNOWN
Ubuntu22.10noarchamanda-server-dbgsym< 1:3.5.1-9ubuntu0.3UNKNOWN
Ubuntu22.04noarchamanda-client< 1:3.5.1-8ubuntu1.3UNKNOWN
Ubuntu22.04noarchamanda-client-dbgsym< 1:3.5.1-8ubuntu1.3UNKNOWN
Ubuntu22.04noarchamanda-common< 1:3.5.1-8ubuntu1.3UNKNOWN
Ubuntu22.04noarchamanda-common-dbgsym< 1:3.5.1-8ubuntu1.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	22.10	noarch	amanda-client	< 1:3.5.1-9ubuntu0.3	UNKNOWN
Ubuntu	22.10	noarch	amanda-client-dbgsym	< 1:3.5.1-9ubuntu0.3	UNKNOWN
Ubuntu	22.10	noarch	amanda-common	< 1:3.5.1-9ubuntu0.3	UNKNOWN
Ubuntu	22.10	noarch	amanda-common-dbgsym	< 1:3.5.1-9ubuntu0.3	UNKNOWN
Ubuntu	22.10	noarch	amanda-server	< 1:3.5.1-9ubuntu0.3	UNKNOWN
Ubuntu	22.10	noarch	amanda-server-dbgsym	< 1:3.5.1-9ubuntu0.3	UNKNOWN
Ubuntu	22.04	noarch	amanda-client	< 1:3.5.1-8ubuntu1.3	UNKNOWN
Ubuntu	22.04	noarch	amanda-client-dbgsym	< 1:3.5.1-8ubuntu1.3	UNKNOWN
Ubuntu	22.04	noarch	amanda-common	< 1:3.5.1-8ubuntu1.3	UNKNOWN
Ubuntu	22.04	noarch	amanda-common-dbgsym	< 1:3.5.1-8ubuntu1.3	UNKNOWN