pkgsrc-Bugs archive


pkg/59874: amanda client fails with gtar backups



>Number:         59874
>Category:       pkg
>Synopsis:       amanda client fails with gtar backups
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 01 11:25:00 +0000 2026
>Originator:     Michael van Elst
>Release:        NetBSD 11.99.4
>Organization:
	
>Environment:
	
	
System: NetBSD arnold 11.99.4 NetBSD 11.99.4 (EGGHED64) #7: Tue Dec 23 08:31:47 UTC 2025 mlelstv@slowpoke:/home/netbsd-current/obj.evbarm64-el/scratch/netbsd-current/src/sys/arch/evbarm/compile/EGGHED64 evbarm
Architecture: aarch64
Machine: evbarm
>Description:
Amanda from 2025Q4 fails when trying to run a backup using gtar with
something like:

thd-0x753dbede0040: runtar: critical (fatal): error [runtar invalid option: -]

The reason is patches/patch-client-src_runtar.c which commits a "security fix"
for CVE-2022-37705 that modifies the option checking in the runtar program.

runtar is a setuid wrapper for gtar that should ensure that gtar is only
run with "safe" options. The patch however breaks option parsing so
that the option '--create -' is parsed as two options where '-' is invalid.

IMHO, this is completely broken and should affect upstream. The upstream
fix is from 2023.

When looking for the issue, I also detected:

% /usr/pkg/libexec/amanda/runtar foo bar
Segmentation fault

which is completely unacceptable for a setuid program.
>How-To-Repeat:
Run amanda backup with a GNUTAR backup, which is needed to back up
individual directories instead of using a disk dump.
>Fix:
Please.

>Unformatted:
 	
 	

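As an added illustration of the kind of check a setuid tar wrapper like runtar has to get right (example code written for this page, not runtar's or pkgsrc's source; the option allowlist and the "--create comes first" policy are assumptions of the example), a C argument validator that treats a lone "-" as an operand rather than an option, honours "--", and rejects stray arguments instead of crashing:

```c
#include <stdio.h>
#include <string.h>
/* Constructed allowlist of gtar long options the wrapper will pass through. */
static const char *const allowed_opts[] = {
    "--create", "--file", "--directory", "--verbose", "--totals", "--sparse",
    "--one-file-system", "--listed-incremental", "--exclude-from", NULL
};

/* 1 if opt is an allowed long option, bare or in "--opt=value" form. */
static int option_allowed(const char *opt) {
    for (size_t i = 0; allowed_opts[i] != NULL; i++) {
        size_t n = strlen(allowed_opts[i]);
        if (strncmp(opt, allowed_opts[i], n) == 0 && (opt[n] == '\0' || opt[n] == '='))
            return 1;
    }
    return 0;
}

/* Check argv before exec'ing tar: 0 if all arguments are acceptable, else the
 * index of the first rejected one. Policy of this example: argv[1] must be
 * --create; a lone "-" is an operand (tar's name for stdin/stdout), not an
 * option; "--" ends option processing; any other "-..." must be allowlisted.
 * Never indexes past argc, so stray arguments are rejected, not a crash. */
int validate_args(int argc, char *argv[]) {
    int operands_only = 0;
    if (argc < 2 || argv[1] == NULL || strcmp(argv[1], "--create") != 0)
        return 1;
    for (int i = 2; i < argc; i++) {
        const char *a = argv[i];
        if (a == NULL)
            return i;
        if (operands_only || a[0] != '-' || strcmp(a, "-") == 0)
            continue;                      /* operand: path, "-", or after "--" */
        if (strcmp(a, "--") == 0) {
            operands_only = 1;
            continue;
        }
        if (!option_allowed(a))
            return i;                      /* short or unknown option */
    }
    return 0;
}

int main(int argc, char *argv[]) {
    int bad = validate_args(argc, argv);
    if (bad)
        fprintf(stderr, "rejected argument %d: %s\n", bad,
                bad < argc && argv[bad] ? argv[bad] : "(missing)");
    return bad != 0;
}
```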
