There was some discussion in an existing sysstat bug that GLSA 202211-07 only listed a test version as fixed, and that version has since been removed from ::gentoo, but the latest stable actually included upstream fixes; see https://bugs.gentoo.org/880543#c8 and https://bugs.gentoo.org/880543#c11.

Now an addon to fully address CVE-2022-39377 has been merged, see https://bugs.gentoo.org/907121 and https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecf13248bdaba63272a52d2678ce688ffb161a9d

The GLSA can be updated to use the correct/current sysstat version as including the fix. I don't think the GLSA repo lives somewhere I can submit a PR for, so:

diff --git a/glsa-202211-07.xml b/glsa-202211-07.xml index 045ffe0..1f5479a 100644 --- a/glsa-202211-07.xml +++ b/glsa-202211-07.xml @@ -5,13 +5,13 @@ <synopsis>An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution.</syno> <product type="ebuild">sysstat</product> <announced>2022-11-22</announced> - <revised count="1">2022-11-22</revised> + <revised count="2">2023-05-27</revised> <bug>880543</bug> <access>local</access> <affected> <package name="app-admin/sysstat" auto="yes" arch="*"> - <unaffected range="ge">12.7.1</unaffected> - <vulnerable range="lt">12.7.1</vulnerable> + <unaffected range="ge">12.6.2-r1</unaffected> + <vulnerable range="lt">12.6.2-r1</vulnerable> </package> </affected> <background> @@ -31,7 +31,7 @@ <code> # emerge --sync - # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1" + # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.6.2-r1" </code> </resolution> <references> @@ -39,4 +39,4 @@ </references> <metadata tag="requester" timestamp="2022-11-22T03:51:28.943709Z">ajak</metadata> <metadata tag="submitter" timestamp="2022-11-22T03:51:28.948154Z">ajak</metadata> -</glsa> \ No newline at end of file +</glsa>
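Review bot: in the first hunk the `<bug>` list still carries only `<bug>880543</bug>`, although the comment above says the remaining part of CVE-2022-39377 was closed under https://bugs.gentoo.org/907121 and that is the bug which introduced 12.6.2-r1; consider adding a second `<bug>907121</bug>` line next to the existing one so the advisory points at both bugs it now depends on. Bumping `<revised count="2">` together with a new date is the right way to mark a re-issued advisory, and moving the `ge`/`lt` boundary to 12.6.2-r1 matches the stable version named in the discussion, so the rest of the hunk reads correctly.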
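Review bot: the last hunk changes nothing but the missing trailing newline after `</glsa>` (the `\ No newline at end of file` marker on the old side); that cleanup is fine, but it is worth a one-line mention in the commit message so a whitespace-only change is not mistaken for an edit to the advisory's metadata.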
Ah, life gets much easier now there's a fixed version in both ~arch and stable. I'll handle it shortly
commit a6a400bae6d717caa4806a3987d3810b3c66d0f3 (HEAD -> master, origin/master, origin/HEAD)
Author: Hank Leininger <hlein@korelogic.com>
Date:   Mon May 29 01:11:37 2023 +0100

    [ GLSA 202211-07 ] sysstat: Fix affected versions

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Signed-off-by: Sam James <sam@gentoo.org>

(Sorry, I lost the bug tag for this one.) Thanks!