group.of.nepali.translators team mailing list archive

[Bug 2012536] Re: All GNUTAR-based backups fail after the package update to 1:3.5.1-8ubuntu1.1

 

We've reverted in the meantime all the patches that were applied in amanda. Dave will continue to investigate and re-patch those CVEs.
In the meantime, sorry for the inconvenience.

** Changed in: amanda (Ubuntu Xenial)
       Status: New => Fix Released

** Changed in: amanda (Ubuntu Trusty)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2012536

Title:
  All GNUTAR-based backups fail after the package update
  to 1:3.5.1-8ubuntu1.1

Status in amanda package in Ubuntu:
  Confirmed
Status in amanda source package in Trusty:
  Fix Released
Status in amanda source package in Xenial:
  Fix Released
Status in amanda source package in Bionic:
  Fix Released
Status in amanda source package in Focal:
  Fix Released
Status in amanda source package in Jammy:
  Fix Released
Status in amanda source package in Kinetic:
  Fix Released
Status in amanda package in Debian:
  Unknown

Bug description:
  After updating our Ubuntu 22.04 LTS servers yesterday to the Amanda
  package version 1:3.5.1-8ubuntu1.1, all our server backups configured
  to use the 'GNUTAR' backup program failed. The failures all have the
  same messages:

    colony.cs.toronto.edu / lev 1  FAILED [no backup size line]
    colony.cs.toronto.edu / lev 1  FAILED [Got empty header]
    colony.cs.toronto.edu / lev 1  FAILED [no backup size line]
    colony.cs.toronto.edu / lev 1  FAILED [Got empty header]

  and a specific report of:
    /-- colony.cs.toronto.edu / lev 1 FAILED [no backup size line]
    sendbackup: start [colony.cs.toronto.edu:/ level 1]
    sendbackup: info BACKUP=/usr/bin/tar
    sendbackup: info RECOVER_CMD=/usr/bin/tar -xpGf - ...
    sendbackup: info end
    ? runtar: error [runtar invalid option: -]
    sendbackup: error [no backup size line]
    \--------

  The sendbackup log file in /var/log/amanda/... says:
  Tue Mar 21 20:10:16.108110031 2023: pid 2784691: thd-0x5572211f0800: sendbackup: doing level 1 dump as listed-incremental from '/var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__0' to '/var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__1.new'
  Tue Mar 21 20:10:16.108409938 2023: pid 2784691: thd-0x5572211f0800: sendbackup: Spawning "/usr/lib/amanda/runtar runtar n_tape /usr/bin/tar --create --file - --directory / --one-file-system --listed-incremental /var/lib/amanda/gnutar-lists/colony.cs.toronto.edu__1.new --sparse --ignore-failed-read --totals ." in pipeline
  [...]
  Tue Mar 21 20:10:16.134876924 2023: pid 2784691: thd-0x5572211f0800: sendbackup: 119: strange(?): runtar: error [runtar invalid option: -]

  The dump type used here is configured with:
      estimate server
      index yes
      program "GNUTAR"
      record yes

  Other backups using amgtar worked so this is not a total Amanda backup
  failure, this is a failure specifically in GNUTAR. Given that
  1:3.5.1-8ubuntu1.1 specifically says it includes a change to runtar
  option parsing, I believe this fix may be incorrect:

    * SECURITY UPDATE: privilege escalation via runtar SUID binary
      - d/p/48-fix-CVE-2022-37705: fix option parsing
      - CVE-2022-37705

  This is a critical bug for anyone using GNUTAR Amanda backups on
  Ubuntu 22.04 (and possibly other Ubuntu versions).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/amanda/+bug/2012536/+subscriptions