All GNUTAR-based backups fail after the package update to 1:3.5.1-8ubuntu1.1
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| amanda (Debian) | Fix Released | Unknown | | |
| amanda (Ubuntu) | Fix Released | Undecided | David Lane | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
| Kinetic | Fix Released | Undecided | Unassigned | |
Bug Description
After updating our Ubuntu 22.04 LTS servers yesterday to the Amanda package version 1:3.5.1-8ubuntu1.1, all our server backups configured to use the 'GNUTAR' backup program failed. The failures all have the same messages:
colony.
colony.
colony.
colony.
and a specific report of:
/-- colony.
sendbackup: start [colony.
sendbackup: info BACKUP=/usr/bin/tar
sendbackup: info RECOVER_
sendbackup: info end
? runtar: error [runtar invalid option: -]
sendbackup: error [no backup size line]
\--------
The sendbackup log file in /var/log/amanda/... says:
Tue Mar 21 20:10:16.108110031 2023: pid 2784691: thd-0x5572211f0800: sendbackup: doing level 1 dump as listed-incremental from '/var/lib/
Tue Mar 21 20:10:16.108409938 2023: pid 2784691: thd-0x5572211f0800: sendbackup: Spawning "/usr/lib/
[...]
Tue Mar 21 20:10:16.134876924 2023: pid 2784691: thd-0x5572211f0800: sendbackup: 119: strange(?): runtar: error [runtar invalid option: -]
The dump type used here is configured with:
estimate server
index yes
program "GNUTAR"
record yes
Other backups using amgtar worked, so this is not a total Amanda backup failure; this is a failure specifically in GNUTAR. Given that 1:3.5.1-8ubuntu1.1 specifically says it includes a change to runtar option parsing, I believe this fix may be incorrect:
* SECURITY UPDATE: privilege escalation via runtar SUID binary
- d/p/48-
- CVE-2022-37705
This is a critical bug for anyone using GNUTAR Amanda backups on Ubuntu 22.04 (and possibly other Ubuntu versions).
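As an added example (not code from the bug report, from Ubuntu, or from Amanda itself), the following Python scanner parses sendbackup debug log lines in the layout visible in the excerpt above and flags each dump run in which runtar rejected an option. An operator can run it over a fleet's /var/log/amanda logs to list every affected run after the update instead of reading individual reports. The line layout is assumed from the excerpt; the sample log lines, pids and paths below are constructed for the example.

```python
"""Scan Amanda sendbackup debug logs for the runtar option-rejection signature.

Added example, not part of the bug report or of Amanda. Assumed line layout
(taken from the excerpt in the report):
  <weekday> <mon> <day> <HH:MM:SS.nanos> <year>: pid <n>: thd-0x<hex>: <component>: <message>
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d+ \d{4}): "
    r"pid (?P<pid>\d+): (?P<thd>thd-0x[0-9a-fA-F]+): (?P<comp>[A-Za-z_]+): (?P<msg>.*)$"
)
# The exact error text quoted in the bug report.
RUNTAR_REJECT_RE = re.compile(r"runtar: error \[runtar invalid option: (?P<opt>[^\]]*)\]")
SPAWN_RE = re.compile(r'Spawning "(?P<path>[^"]+)"')


@dataclass
class DumpRun:
    """Everything we collected for one sendbackup process (keyed by pid)."""
    pid: str
    started: str = ""
    spawned: str = ""                      # first program sendbackup spawned
    rejected_option: Optional[str] = None  # set when runtar rejected an option
    messages: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one debug-log line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_sendbackup_log(lines: Iterable[str]) -> Dict[str, DumpRun]:
    """Group sendbackup lines by pid and record spawn target and runtar rejections."""
    runs: Dict[str, DumpRun] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["comp"] != "sendbackup":
            continue
        run = runs.setdefault(rec["pid"], DumpRun(pid=rec["pid"], started=rec["ts"]))
        msg = rec["msg"]
        run.messages.append(msg)
        spawn = SPAWN_RE.search(msg)
        if spawn and not run.spawned:
            run.spawned = spawn.group("path")
        reject = RUNTAR_REJECT_RE.search(msg)
        if reject:
            run.rejected_option = reject.group("opt")
    return runs


def failed_runs(runs: Dict[str, DumpRun]) -> List[str]:
    """Pids whose runtar wrapper rejected an option, i.e. the failure in this bug."""
    return sorted(pid for pid, r in runs.items() if r.rejected_option is not None)


# Constructed sample: one run that fails with the error from the report, one that
# completes. Paths and pids are made up for the example.
SAMPLE_LOG = [
    "Tue Mar 21 20:10:16.108110031 2023: pid 2784691: thd-0x5572211f0800: sendbackup: "
    "doing level 1 dump as listed-incremental from '/var/lib/amanda/gnutar-lists/example'",
    'Tue Mar 21 20:10:16.108409938 2023: pid 2784691: thd-0x5572211f0800: sendbackup: '
    'Spawning "/usr/lib/amanda/runtar" in pipeline',
    "Tue Mar 21 20:10:16.134876924 2023: pid 2784691: thd-0x5572211f0800: sendbackup: "
    "119: strange(?): runtar: error [runtar invalid option: -]",
    "Tue Mar 21 20:12:00.000000001 2023: pid 1111: thd-0x5572211f0800: sendbackup: doing level 0 dump",
    'Tue Mar 21 20:12:00.000000002 2023: pid 1111: thd-0x5572211f0800: sendbackup: '
    'Spawning "/usr/lib/amanda/runtar" in pipeline',
    "Tue Mar 21 20:12:05.000000000 2023: pid 1111: thd-0x5572211f0800: sendbackup: 122: size 40960",
    "not a log line",
]


def main(argv: List[str]) -> int:
    # Usage: scan_sendbackup.py [sendbackup.debug ...]; no args scans the sample.
    lines = SAMPLE_LOG if len(argv) < 2 else [l for p in argv[1:] for l in open(p, errors="replace")]
    runs = scan_sendbackup_log(lines)
    for pid in failed_runs(runs):
        r = runs[pid]
        print(f"pid {pid} started {r.started}: {r.spawned} rejected option {r.rejected_option!r}")
    return 1 if failed_runs(runs) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The scanner keys on the exact "runtar invalid option" text from the report, so a run that merely failed for another reason (disk full, permission denied) is not flagged; that keeps the output useful for confirming whether a fleet-wide failure is this specific regression before rolling the package back or forward.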
CVE References
no longer affects: amanda
Changed in amanda (Ubuntu):
  assignee: nobody → David Lane (dclane)
Changed in amanda (Debian):
  status: Unknown → Fix Released
Changed in amanda (Ubuntu):
  status: Confirmed → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.