CVE-2022-37703: 
Linux Debian vulnerability analysis and mitigation

An information leak vulnerability (CVE-2022-37703) was discovered in Amanda 3.5.1's calcsize SUID binary. The vulnerability was found by Maher Azzouzi and disclosed in September 2022. The affected component is the calcsize binary within Amanda, a network backup solution. This vulnerability impacts systems running Amanda version 3.5.1 and earlier versions (NVD, Ubuntu Notice).

The vulnerability exists in the calcsize SUID binary, which is owned by root. The binary uses the opendir() function as root directly without properly validating the provided path. This allows an attacker to supply arbitrary paths to determine if directories exist anywhere in the filesystem. The vulnerability stems from inadequate path validation before calling opendir() with root privileges (GitHub CVE, Debian LTS).

The vulnerability allows an attacker to determine if any directory exists anywhere in the filesystem. Since the binary runs with root privileges, this information disclosure could reveal sensitive information about the system's directory structure that would normally be inaccessible to regular users (Ubuntu Notice, NVD).

The vulnerability has been fixed in Amanda version 3.5.3. System administrators should update to this version or later. The fix includes proper path validation before calling opendir(). Various distributions have released security updates, including Ubuntu, Fedora, and Debian. For Ubuntu systems, the fix is available through standard system updates (Amanda Release, Fedora Update).