Launchpad CVE tracker

CVE 2022-37705

A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. This program mishandles the arguments passed to tar binary (it expects that the argument name and value are separated with a space; however, separating them with an equals sign is also supported),

Related bugs and status

CVE-2022-37705 (Candidate) is related to these bugs:

Bug #2012536: All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1

		In	Importance	Status
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu)	Undecided	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Debian)	Unknown	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu Bionic)	Undecided	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu Jammy)	Undecided	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu Focal)	Undecided	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu Xenial)	Undecided	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu Trusty)	Undecided	Fix Released
2012536	All GNUTAR-based backups fail after the package update to1:3.5.1-8ubuntu1.1	amanda (Ubuntu Kinetic)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2022-37705

References