CVE-2023-30577: 
Linux Debian vulnerability analysis and mitigation

AMANDA (Advanced Maryland Automatic Network Disk Archiver) versions before tag-community-3.5.4 contain a vulnerability related to improper argument checking in runtar.c. The vulnerability was discovered in July 2023 and affects the SUID binary 'runtar' component of the AMANDA backup system (GitHub Advisory).

The vulnerability stems from improper argument validation in the SUID binary 'runtar'. The binary can accept potentially malicious GNU tar options when provided with non-argument options starting with '--exclude' (e.g., --exclude-vcs). This can lead to the execution of arbitrary options with root permissions. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows a local attacker with access to the unprivileged backup user to perform privilege escalation to root. This could lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been fixed in AMANDA version 3.5.4. System administrators are advised to upgrade to this version or apply the available security patches. Multiple distributions have released security updates, including Ubuntu (versions 23.10, 22.04 LTS, 20.04 LTS, and 18.04 ESM) and Fedora (versions 37 and 38) (Ubuntu Notice, Fedora Update).