In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.
Created amanda tracking bugs for this issue:
Affects: fedora-all [bug 2126849]
Note that the calcsize binary isn't executable by users in Fedora; the exploit would work only in the exceptional case that the user is in the "disk" group.