In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path. http://www.amanda.org/ https://github.com/MaherAzzouzi/CVE-2022-37703
Created amanda tracking bugs for this issue: Affects: fedora-all [bug 2126849]
Note that the calcsize binary isn't executable by users in Fedora; the exploit would work only in the exceptional case that the user is in the "disk" group.
Upstream PR & commit: https://github.com/zmanda/amanda/pull/198 https://github.com/zmanda/amanda/commit/b1dd708728fcab5e3a49ba5c0fb754776242efc3