Bug 2126847 (CVE-2022-37703) - CVE-2022-37703 amanda: information leak (discovery of directory existence)
Summary: CVE-2022-37703 amanda: information leak (discovery of directory existence)
Keywords:
Status: NEW
Alias: CVE-2022-37703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2126848 2126849
Blocks: 2126837
TreeView+ depends on / blocked
 
Reported: 2022-09-14 14:30 UTC by Sandipan Roy
Modified: 2023-07-07 08:29 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information leak vulnerability was found in Amanda in the calcsize SUID binary. This flaw allows an attacker to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Sandipan Roy 2022-09-14 14:30:53 UTC
In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

http://www.amanda.org/
https://github.com/MaherAzzouzi/CVE-2022-37703

Comment 1 Sandipan Roy 2022-09-14 14:35:04 UTC
Created amanda tracking bugs for this issue:

Affects: fedora-all [bug 2126849]

Comment 3 Jason Tibbitts 2022-09-14 17:05:13 UTC
Note that the calcsize binary isn't executable by users in Fedora; the exploit would work only in the exceptional case that the user is in the "disk" group.


Note You need to log in before you can comment on or make changes to this bug.