All GNUTAR-based backups fail after the package update to 1:3.5.1-8ubuntu1.1

Bug #2012536 reported by Chris Siebenmann
This bug affects 2 people
Affects            Status        Importance  Assigned to  Milestone
amanda (Debian)    Fix Released  Unknown
amanda (Ubuntu)    Fix Released  Undecided   David Lane
  Trusty           Fix Released  Undecided   Unassigned
  Xenial           Fix Released  Undecided   Unassigned
  Bionic           Fix Released  Undecided   Unassigned
  Focal            Fix Released  Undecided   Unassigned
  Jammy            Fix Released  Undecided   Unassigned
  Kinetic          Fix Released  Undecided   Unassigned

Bug Description

After updating our Ubuntu 22.04 LTS servers yesterday to the Amanda package version 1:3.5.1-8ubuntu1.1, all our server backups configured to use the 'GNUTAR' backup program failed. The failures all have the same messages:

  colony.cs.toronto.edu / lev 1 FAILED [no backup size line]
  colony.cs.toronto.edu / lev 1 FAILED [Got empty header]
  colony.cs.toronto.edu / lev 1 FAILED [no backup size line]
  colony.cs.toronto.edu / lev 1 FAILED [Got empty header]

and a specific report of:
  /-- colony.cs.toronto.edu / lev 1 FAILED [no backup size line]
  sendbackup: start [colony.cs.toronto.edu:/ level 1]
  sendbackup: info BACKUP=/usr/bin/tar
  sendbackup: info RECOVER_CMD=/usr/bin/tar -xpGf - ...
  sendbackup: info end
  ? runtar: error [runtar invalid option: -]
  sendbackup: error [no backup size line]
  \--------

The sendbackup log file in /var/log/amanda/... says:
  Tue Mar 21 20:10:16.108110031 2023: pid 2784691: thd-0x5572211f0800: sendbackup: doing level 1 dump as listed-incremental from '/var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__0' to '/var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__1.new'
  Tue Mar 21 20:10:16.108409938 2023: pid 2784691: thd-0x5572211f0800: sendbackup: Spawning "/usr/lib/amanda/runtar runtar n_tape /usr/bin/tar --create --file - --directory / --one-file-system --listed-incremental /var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__1.new --sparse --ignore-failed-read --totals ." in pipeline
  [...]
  Tue Mar 21 20:10:16.134876924 2023: pid 2784691: thd-0x5572211f0800: sendbackup: 119: strange(?): runtar: error [runtar invalid option: -]

The dump type used here is configured with:
    estimate server
    index yes
    program "GNUTAR"
    record yes

Other backups using amgtar worked, so this is not a total Amanda backup failure; it is a failure specifically in GNUTAR. Given that 1:3.5.1-8ubuntu1.1 specifically says it includes a change to runtar option parsing, I believe this fix may be incorrect:

  * SECURITY UPDATE: privilege escalation via runtar SUID binary
    - d/p/48-fix-CVE-2022-37705: fix option parsing
    - CVE-2022-37705

This is a critical bug for anyone using GNUTAR Amanda backups on Ubuntu 22.04 (and possibly other Ubuntu versions).
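The "runtar invalid option: -" line above, read against the spawned command line, is consistent with the hardened option check in the SUID runtar wrapper rejecting the bare "-" that tar's `--file -` uses for stdout. The C sketch below is an added illustration, not Amanda's runtar source: it contrasts a check that treats every argument beginning with '-' as an option with one that knows which allowed options take a value, and the allowlist is an assumption built only from the tar options logged above.

```c
/* Added illustration (not Amanda's runtar source): why a SUID wrapper's option
 * check rejects the legitimate "-" that `--file -` passes, producing the
 * "runtar invalid option: -" failure above, and a form that accepts it.
 * The allowlist is assumed and built from the tar command line logged above. */
#include <stdio.h>
#include <string.h>

struct opt { const char *name; int takes_value; };
static const struct opt allowed[] = {
    { "--create", 0 }, { "--file", 1 }, { "--directory", 1 },
    { "--one-file-system", 0 }, { "--listed-incremental", 1 },
    { "--sparse", 0 }, { "--ignore-failed-read", 0 }, { "--totals", 0 },
};

static const struct opt *lookup(const char *arg) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(arg, allowed[i].name) == 0) return &allowed[i];
    return NULL;
}

/* Regressed form: every argv starting with '-' must be a known option, so the
 * "-" (stdout) given to --file is rejected. Returns 1 if the line is accepted. */
int validate_naive(int argc, char **argv) {
    for (int i = 0; i < argc; i++)
        if (argv[i][0] == '-' && lookup(argv[i]) == NULL) return 0;
    return 1;
}

/* Corrected form: the argv after a value-taking option is consumed as its value
 * and not checked as an option; positional paths ("/", ".") pass through. */
int validate_values(int argc, char **argv) {
    for (int i = 0; i < argc; i++) {
        if (argv[i][0] != '-') continue;             /* positional argument */
        const struct opt *o = lookup(argv[i]);
        if (o == NULL) return 0;                     /* unknown option: reject */
        if (o->takes_value && ++i >= argc) return 0; /* value missing */
    }
    return 1;
}

/* The tar arguments from the logged command line (constructed from that log). */
static char *logged[] = { "--create", "--file", "-", "--directory", "/",
    "--one-file-system", "--listed-incremental",
    "/var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__1.new",
    "--sparse", "--ignore-failed-read", "--totals", "." };
static const int logged_n = sizeof logged / sizeof logged[0];
int naive_accepts_logged(void)  { return validate_naive(logged_n, logged); }
int values_accepts_logged(void) { return validate_values(logged_n, logged); }
int values_rejects_unknown(void) {
    char *a[] = { "--create", "--not-allowed", "." };
    return validate_values(3, a) == 0;
}
```

The naive check fails the logged command line at "-" while the value-aware check accepts it and still rejects an option outside the allowlist.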


Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in amanda (Ubuntu):
status: New → Confirmed
matt organ (matt-organ) wrote (last edit):

I've made a workaround for our environment by moving to the previously mentioned amgtar after finding this article that had some implementation examples:
https://serverfault.com/questions/915726/difference-between-amgtar-and-gnutar

It sounds like a better way moving forward now that I know about it.

These are my exact changes to amanda.conf, as a diff:

+ define application-tool app_amgtar {
+ plugin "amgtar"
+ }
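Review bot: the `plugin "amgtar"` line inside the new `define application-tool app_amgtar { ... }` block is flush-left; indent it one level, as the dumptype body below is, so the block reads the same way as the rest of amanda.conf.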

...cut...

define dumptype server-encrypt {
    global
- program "GNUTAR"
+ program "APPLICATION"
+ application "app_amgtar"
     comment "dump with server symmetric encryption"
     compress none
+ estimate server
     encrypt server
    server_encrypt "/usr/sbin/amcrypt-ossl"
    server_decrypt_option "-d"
}
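Review bot: the removed `program "GNUTAR"` and the added `program "APPLICATION"` and `application "app_amgtar"` lines are flush-left while the surrounding body (`comment`, `compress`, `encrypt server`) is indented; align them so the replacement reads cleanly. This dumptype also only works together with the `amgtar:gnutar_path=/usr/bin/tar` entry in /etc/amanda-security.conf described just below, so it would help to show that line as part of the same change.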

I also had to add this extra line to /etc/amanda-security.conf to allow the appropriate access:
amgtar:gnutar_path=/usr/bin/tar

I haven't completed the backup to confirm its restore-ability yet but I'm no longer receiving the warnings.

no longer affects: amanda
Nathan Stratton Treadway (nathanst) wrote :

Debian just released amanda 1:3.5.1-11 with the following:

Changes:
 amanda (1:3.5.1-11) unstable; urgency=medium
 .
   * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use
     case at least, this patch fix it, fixing the following two bugs.
   * Bug fix: "backups fail with the following summary "FAILED [no
     backup size line]"", thanks to Norman Lyon (Closes: #1032330).
   * Bug fix: "Amanda is unusable", thanks to Kamil Jonca (Closes:
     #1032884).

So it would seem that the fix for the "no backup size line" line regression is found in https://sources.debian.org/src/amanda/1:3.5.1-11/debian/patches/49-fix-CVE-2022-37705_part_2/

David Lane (dclane)
Changed in amanda (Ubuntu):
assignee: nobody → David Lane (dclane)
David Lane (dclane) wrote :

Thank you for reporting this regression, and an extra thank you for also highlighting the fix. I will begin work on updating the affected packages.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amanda - 1:3.5.1-1ubuntu0.2

---------------
amanda (1:3.5.1-1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY REGRESSION: Remove all patches from version 1:3.5.1-1ubuntu0.1
    getting the package back to the state of 1:3.5.1-1build2. Pending further
    investigation. (LP: #2012536)

 -- Eduardo Barretto <email address hidden> Thu, 23 Mar 2023 11:17:18 +0100

Changed in amanda (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amanda - 1:3.5.1-9ubuntu0.2

---------------
amanda (1:3.5.1-9ubuntu0.2) kinetic-security; urgency=medium

  * SECURITY REGRESSION: Remove all patches from version 1:3.5.1-9ubuntu0.1
    getting the package back to the state of 1:3.5.1-9. Pending further
    investigation. (LP: #2012536)

 -- Eduardo Barretto <email address hidden> Thu, 23 Mar 2023 11:03:36 +0100

Changed in amanda (Ubuntu Kinetic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amanda - 1:3.5.1-2ubuntu0.2

---------------
amanda (1:3.5.1-2ubuntu0.2) focal-security; urgency=medium

  * SECURITY REGRESSION: Remove all patches from version 1:3.5.1-2ubuntu0.1
    getting the package back to the state of 1:3.5.1-2build3. Pending further
    investigation. (LP: #2012536)

 -- Eduardo Barretto <email address hidden> Thu, 23 Mar 2023 11:12:27 +0100

Changed in amanda (Ubuntu Focal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amanda - 1:3.5.1-8ubuntu1.2

---------------
amanda (1:3.5.1-8ubuntu1.2) jammy-security; urgency=medium

  * SECURITY REGRESSION: Remove all patches from version 1:3.5.1-8ubuntu1.1
    getting the package back to the state of 1:3.5.1-8ubuntu1.1. Pending further
    investigation. (LP: #2012536)

 -- Eduardo Barretto <email address hidden> Thu, 23 Mar 2023 11:06:24 +0100

Changed in amanda (Ubuntu Jammy):
status: New → Fix Released
Eduardo Barretto (ebarretto) wrote :

We've reverted in the meantime all the patches that were applied in amanda. Dave will continue to investigate and re-patch those CVEs.
In the meantime sorry for the inconvenience.

Changed in amanda (Ubuntu Xenial):
status: New → Fix Released
Changed in amanda (Ubuntu Trusty):
status: New → Fix Released
Geert Uytterhoeven (geert-linux-m68k) wrote :

Yesterday, I saw the same issue had been plaguing one of my backup clients since a few days (shame on me for not checking the backup logs daily).
I can confirm the update to 1:3.5.1-8ubuntu1.2 fixed the issue in Ubuntu 22.04.2 LTS.
Thanks for fixing!

Changed in amanda (Debian):
status: Unknown → Fix Released
David Lane (dclane)
Changed in amanda (Ubuntu):
status: Confirmed → Fix Released