NetBSD Problem Report #59874
From mlelstv@arnold.1st.de Thu Jan 1 11:20:08 2026
Return-Path: <mlelstv@arnold.1st.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 1E6331A923C
for <gnats-bugs@gnats.NetBSD.org>; Thu, 1 Jan 2026 11:20:08 +0000 (UTC)
Message-Id: <20260101111924.0DCC3BC164@arnold.1st.de>
Date: Thu, 01 Jan 2026 12:19:24 +0100 (CET)
From: mlelstv@serpens.de
Reply-To: mlelstv@serpens.de
To: gnats-bugs@NetBSD.org
Subject: amanda client fails with gtar backups
X-Send-Pr-Version: 3.95
>Number: 59874
>Category: pkg
>Synopsis: amanda client fails with gtar backups
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jan 01 11:25:00 +0000 2026
>Last-Modified: Fri Jan 23 02:55:01 +0000 2026
>Originator: Michael van Elst
>Release: NetBSD 11.99.4
>Organization:
>Environment:
System: NetBSD arnold 11.99.4 NetBSD 11.99.4 (EGGHED64) #7: Tue Dec 23 08:31:47 UTC 2025 mlelstv@slowpoke:/home/netbsd-current/obj.evbarm64-el/scratch/netbsd-current/src/sys/arch/evbarm/compile/EGGHED64 evbarm
Architecture: aarch64
Machine: evbarm
>Description:
Amanda from 2025Q4 fails when trying to run a backup using gtar with
something like:
thd-0x753dbede0040: runtar: critical (fatal): error [runtar invalid option: -]
The reason is patches/patch-client-src_runtar.c which commits a "security fix"
for CVE-2022-37705 that modifies the option checking in the runtar program.
runtar is a setuid wrapper for gtar that should ensure that gtar is only
run with "safe" options. The patch however breaks option parsing so
that the option '--create --file -' is parsed as two options where '-' is invalid.
IMHO, this is completely broken and should affect upstream. The upstream
fix is from 2023.
When looking for the issue, I also detected:
% /usr/pkg/libexec/amanda/runtar foo bar
Segmentation fault
which is completely unacceptable for a setuid program.
>How-To-Repeat:
Run amanda backup with a GNUTAR backup, which is needed to back up
individual directories instead of using a disk dump.
>Fix:
Please.
>Release-Note:
>Audit-Trail:
From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/59874 amanda client fails with gtar backups
Date: Wed, 7 Jan 2026 08:45:38 +0100
Updating runtar.c to the current version, with some small adaptions
to match it to amanda 3.3.9 helps.
As a quick measure, we could just replace the existing runtar.c
"security patch" with such a point upgrade.
The alternative is to upgrade the whole package, e.g. Debian delivers
amanda 3.5.4.
Greetings,
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: "Michael van Elst" <mlelstv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59874 CVS commit: pkgsrc/sysutils
Date: Tue, 13 Jan 2026 21:01:59 +0000
Module Name: pkgsrc
Committed By: mlelstv
Date: Tue Jan 13 21:01:59 UTC 2026
Modified Files:
pkgsrc/sysutils/amanda-client: Makefile
pkgsrc/sysutils/amanda-common: distinfo
pkgsrc/sysutils/amanda-common/patches: patch-client-src_runtar.c
Log Message:
Replace broken security patch for runtar.c with backport from
current amanda version.
Fixes PR 59874.
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 pkgsrc/sysutils/amanda-client/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/sysutils/amanda-common/distinfo
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/sysutils/amanda-common/patches/patch-client-src_runtar.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59874 CVS commit: [pkgsrc-2025Q4] pkgsrc/sysutils
Date: Fri, 23 Jan 2026 02:54:33 +0000
Module Name: pkgsrc
Committed By: maya
Date: Fri Jan 23 02:54:33 UTC 2026
Modified Files:
pkgsrc/sysutils/amanda-client [pkgsrc-2025Q4]: Makefile
pkgsrc/sysutils/amanda-common [pkgsrc-2025Q4]: distinfo
pkgsrc/sysutils/amanda-common/patches [pkgsrc-2025Q4]:
patch-client-src_runtar.c
Log Message:
Pullup ticket #7045 - requested by mlelstv
sysutils/amanda-client: Bug fix
sysutils/amanda-common: Bug fix
Revisions pulled up:
- sysutils/amanda-client/Makefile 1.74
- sysutils/amanda-common/distinfo 1.28
- sysutils/amanda-common/patches/patch-client-src_runtar.c 1.2
---
Module Name: pkgsrc
Committed By: mlelstv
Date: Tue Jan 13 21:01:59 UTC 2026
Modified Files:
pkgsrc/sysutils/amanda-client: Makefile
pkgsrc/sysutils/amanda-common: distinfo
pkgsrc/sysutils/amanda-common/patches: patch-client-src_runtar.c
Log Message:
Replace broken security patch for runtar.c with backport from
current amanda version.
Fixes PR 59874.
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.73.2.1 pkgsrc/sysutils/amanda-client/Makefile
cvs rdiff -u -r1.27 -r1.27.2.1 pkgsrc/sysutils/amanda-common/distinfo
cvs rdiff -u -r1.1 -r1.1.2.1 \
pkgsrc/sysutils/amanda-common/patches/patch-client-src_runtar.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
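The option handling at issue in this report (a value passed as a separate element, as in `--create --file -`, and a bare-word invocation such as `runtar foo bar`) can be sketched as follows. This is an added example, not code from the report, from pkgsrc or from amanda's runtar.c; `check_tar_args`, the `verdict` codes and the allowlist contents are hypothetical.

```c
#include <string.h>
/* Constructed allowlist for illustration; it is not amanda's actual list. */
struct opt { const char *name; int takes_value; };
static const struct opt allowed[] = {
    { "--create", 0 }, { "--totals", 0 }, { "--sparse", 0 },
    { "--file", 1 }, { "--directory", 1 }, { "--listed-incremental", 1 },
};
enum verdict { ARGS_OK, ARGS_EMPTY, ARGS_NOT_OPTION, ARGS_UNKNOWN,
               ARGS_MISSING_VALUE, ARGS_STRAY_VALUE };

/* Match the option name (the part before any '=') exactly, no prefixes. */
static const struct opt *lookup(const char *arg, size_t len)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strlen(allowed[i].name) == len &&
            strncmp(allowed[i].name, arg, len) == 0)
            return &allowed[i];
    return NULL;
}

/* Hypothetical checker: argv holds only the options meant for tar. */
enum verdict check_tar_args(int argc, char *const argv[])
{
    if (argv == NULL || argc < 1)
        return ARGS_EMPTY;                 /* nothing to run: refuse */
    for (int i = 0; i < argc; i++) {
        const char *a = argv[i];
        if (a == NULL || strncmp(a, "--", 2) != 0)
            return ARGS_NOT_OPTION;        /* bare word such as "foo" */
        const char *eq = strchr(a, '=');
        const struct opt *o = lookup(a, eq ? (size_t)(eq - a) : strlen(a));
        if (o == NULL)
            return ARGS_UNKNOWN;           /* fail closed */
        if (!o->takes_value) {
            if (eq != NULL)
                return ARGS_STRAY_VALUE;   /* "--create=x" */
        } else if (eq == NULL) {
            /* Value is the next element: skip it unparsed, stay inside argv. */
            if (++i >= argc || argv[i] == NULL)
                return ARGS_MISSING_VALUE;
        }
    }
    return ARGS_OK;
}

int main(int argc, char **argv)
{
    return check_tar_args(argc - 1, argv + 1) == ARGS_OK ? 0 : 1;
}
```

Every rejection path returns before any element is dereferenced beyond `argc`, so malformed input produces a verdict rather than a crash.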