Bug 907254 - GLSA 202211-07 misfires on fixed versions of app-admin/sysstat
Summary: GLSA 202211-07 misfires on fixed versions of app-admin/sysstat
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-27 18:44 UTC by Hank Leininger
Modified: 2023-05-29 00:12 UTC
See Also:
Package list:
Runtime testing required: ---
Description Hank Leininger 2023-05-27 18:44:27 UTC
There was some discussion in an existing sysstat bug that GLSA 202211-07 only listed a test version as fixed, and that version has since been removed from ::gentoo, but the latest stable actually included upstream fixes; see https://bugs.gentoo.org/880543#c8 and https://bugs.gentoo.org/880543#c11

Now an addon to fully address CVE-2022-39377 has been merged, see https://bugs.gentoo.org/907121 and https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecf13248bdaba63272a52d2678ce688ffb161a9d

The GLSA can be updated to use the correct/current sysstat version as including the fix. I don't think the GLSA repo lives somewhere I can submit a PR for, so:

diff --git a/glsa-202211-07.xml b/glsa-202211-07.xml
index 045ffe0..1f5479a 100644
--- a/glsa-202211-07.xml
+++ b/glsa-202211-07.xml
@@ -5,13 +5,13 @@
     <synopsis>An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution.</syno>
     <product type="ebuild">sysstat</product>
     <announced>2022-11-22</announced>
-    <revised count="1">2022-11-22</revised>
+    <revised count="2">2023-05-27</revised>
     <bug>880543</bug>
     <access>local</access>
     <affected>
         <package name="app-admin/sysstat" auto="yes" arch="*">
-            <unaffected range="ge">12.7.1</unaffected>
-            <vulnerable range="lt">12.7.1</vulnerable>
+            <unaffected range="ge">12.6.2-r1</unaffected>
+            <vulnerable range="lt">12.6.2-r1</vulnerable>
         </package>
     </affected>
     <background>
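Review bot: the context line for `<synopsis>` closes with `</syno>` rather than `</synopsis>`; if the file really contains that (rather than this page having truncated it), the XML is malformed and should be corrected in the same revision. The `<revised count="2">` bump with a new date is the right way to record the change to `<unaffected>`/`<vulnerable>`; since `range="ge"` now declares every version from 12.6.2-r1 upward unaffected, also confirm that no version between 12.6.2-r1 and the previously listed 12.7.1 remains in tree without the fix.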
@@ -31,7 +31,7 @@
         
         <code>
           # emerge --sync
-          # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"
+          # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.6.2-r1"
         </code>
     </resolution>
     <references>
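Review bot: the atom in the emerge line, `>=app-admin/sysstat-12.6.2-r1`, matches the new `<unaffected range="ge">12.6.2-r1</unaffected>` boundary, which is the consistency check that matters in this hunk; if the `<resolution>` prose before this `<code>` block (outside the hunk) also names the fixed version, it needs the same edit, otherwise the text and the command would disagree.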
@@ -39,4 +39,4 @@
     </references>
     <metadata tag="requester" timestamp="2022-11-22T03:51:28.943709Z">ajak</metadata>
     <metadata tag="submitter" timestamp="2022-11-22T03:51:28.948154Z">ajak</metadata>
-</glsa>
\ No newline at end of file
+</glsa>
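Review bot: this hunk only adds the missing newline after `</glsa>`; that is a harmless cleanup, but it is unrelated to the affected-version fix and is not mentioned in the commit message, so either note it there or drop it to keep the diff to the GLSA content.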
Comment 1 Sam James 2023-05-28 17:24:51 UTC
Ah, life gets much easier now there's a fixed version in both ~arch and stable. I'll handle it shortly
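The misfire described in the report comes down to how a GLSA's `<unaffected>`/`<vulnerable>` ranges are evaluated against an installed version: with the old ranges, the stable 12.6.2-r1 (which already carried the fix) compares below 12.7.1 and is flagged, while the corrected ranges place it on the unaffected side. The following Python script is an added example, not code from the bug or from Gentoo's `glsa-check`; it embeds the two `<affected>` blocks from the diff as constructed input, implements a simplified Gentoo version comparison (numeric components, optional letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revision) and assumes the common "vulnerable matches and no unaffected matches" rule for deciding whether a package is affected. Only the `lt`/`le`/`eq`/`ge`/`gt` range operators are handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the <affected> block before and after the diff above.
GLSA_OLD = """<affected>
    <package name="app-admin/sysstat" auto="yes" arch="*">
        <unaffected range="ge">12.7.1</unaffected>
        <vulnerable range="lt">12.7.1</vulnerable>
    </package>
</affected>"""

GLSA_NEW = """<affected>
    <package name="app-admin/sysstat" auto="yes" arch="*">
        <unaffected range="ge">12.6.2-r1</unaffected>
        <vulnerable range="lt">12.6.2-r1</vulnerable>
    </package>
</affected>"""

# Suffix ordering as in Gentoo's version rules: alpha < beta < pre < rc < (none) < p.
_SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VER_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)


def parse_version(ver):
    """Split a Gentoo-style version into (numbers, letter, suffixes, revision).

    Simplified assumption: every numeric component is compared as an integer
    (PMS has a string-compare special case for leading zeros, ignored here).
    """
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums, letter, suffixes, rev = m.groups()
    num_parts = [int(p) for p in nums.split(".")]
    suffix_parts = [
        (_SUFFIX_ORDER[name], int(digits or 0))
        for name, digits in re.findall(r"_([a-z]+)(\d*)", suffixes)
    ]
    return num_parts, letter or "", suffix_parts, int(rev or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    for x, y in zip(na, nb):
        if x != y:
            return -1 if x < y else 1
    if len(na) != len(nb):            # 12.6 < 12.6.2
        return -1 if len(na) < len(nb) else 1
    if la != lb:                      # 1.0 < 1.0a
        return -1 if la < lb else 1
    # Pad the shorter suffix list with "no suffix" so 1.0_rc1 < 1.0 < 1.0_p1.
    width = max(len(sa), len(sb))
    pad = (_SUFFIX_ORDER[""], 0)
    for x, y in zip(sa + [pad] * (width - len(sa)), sb + [pad] * (width - len(sb))):
        if x != y:
            return -1 if x < y else 1
    if ra != rb:                      # 12.6.2 < 12.6.2-r1
        return -1 if ra < rb else 1
    return 0


_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def range_matches(elem, installed):
    """True if the installed version satisfies one <unaffected>/<vulnerable> element."""
    op = elem.get("range")
    if op not in _OPS:
        raise ValueError(f"unsupported range operator: {op!r}")
    return _OPS[op](compare_versions(installed, elem.text.strip()))


def is_affected(affected_xml, package, installed):
    """Assumed rule: affected if some <vulnerable> matches and no <unaffected> does."""
    root = ET.fromstring(affected_xml)
    for pkg in root.findall("package"):
        if pkg.get("name") != package:
            continue
        vulnerable = any(range_matches(v, installed) for v in pkg.findall("vulnerable"))
        unaffected = any(range_matches(u, installed) for u in pkg.findall("unaffected"))
        return vulnerable and not unaffected
    return False


if __name__ == "__main__":
    for label, xml in (("old GLSA", GLSA_OLD), ("revised GLSA", GLSA_NEW)):
        for ver in ("12.6.2", "12.6.2-r1", "12.7.1"):
            flag = is_affected(xml, "app-admin/sysstat", ver)
            print(f"{label:12} sysstat-{ver:10} affected={flag}")
```

Running it shows the report's point directly: under the old ranges `12.6.2-r1` is reported as affected even though it contains the fix, and under the revised ranges only the plain `12.6.2` (lacking the `-r1` revision that carried the fix) remains flagged.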
Comment 2 Sam James 2023-05-29 00:12:54 UTC
commit a6a400bae6d717caa4806a3987d3810b3c66d0f3 (HEAD -> master, origin/master, origin/HEAD)
Author: Hank Leininger <hlein@korelogic.com>
Date:   Mon May 29 01:11:37 2023 +0100

    [ GLSA 202211-07 ] sysstat: Fix affected versions

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Signed-off-by: Sam James <sam@gentoo.org>


(Sorry, I lost the bug tag for this one.)

Thanks!