Bug 706206 (CVE-2019-19725)

Summary: <app-admin/sysstat-12.2.1 : double free in check_file_actlst() in sa_common.c may lead to arbitrary code execution (CVE-2019-19725)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: jer
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve]
Package list:
=app-admin/sysstat-12.2.1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:55:47 UTC
CVE-2019-19844 (https://nvd.nist.gov/vuln/detail/CVE-2019-19844):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-01-23 21:57:20 UTC
@maintainer(s): Please call for stabilization when ready!
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-23 22:55:34 UTC
(In reply to Thomas Deutschmann from comment #1)
> @maintainer(s): Please call for stabilization when ready!

The development branch is never ready for stabilisation.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-24 08:53:43 UTC
2019/12/27: Version 12.2.1 - Sebastien Godard (sysstat <at> orange.fr)
        * sadf: Fix double free in check_file_actlst().
Comment 4 Agostino Sarubbo gentoo-dev 2020-01-24 15:57:54 UTC
amd64 stable
Comment 5 Rolf Eike Beer 2020-01-25 17:52:46 UTC
hppa/sparc stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-01-26 20:57:47 UTC
x86 stable
Comment 7 Sergei Trofimovich gentoo-dev 2020-01-27 10:35:02 UTC
ppc/ppc64 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-01-27 12:36:44 UTC
arm stable
Comment 9 Larry the Git Cow gentoo-dev 2020-02-10 11:12:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25edd3619dfe9725db502bad897c2e2fe9edbe64

commit 25edd3619dfe9725db502bad897c2e2fe9edbe64
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-10 11:11:47 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-10 11:12:10 +0000

    app-admin/sysstat: Old
    
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=706206
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 app-admin/sysstat/Manifest                 |  2 -
 app-admin/sysstat/sysstat-12.0.5.ebuild    | 81 ------------------------------
 app-admin/sysstat/sysstat-12.2.0-r1.ebuild | 81 ------------------------------
 3 files changed, 164 deletions(-)
Comment 10 Sam James archtester gentoo-dev Security 2020-03-19 20:43:38 UTC
Tree is clean.
Comment 11 NATTkA bot gentoo-dev 2020-04-06 14:57:14 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:11:46 UTC
This issue was resolved and addressed in
 GLSA 202007-22 at https://security.gentoo.org/glsa/202007-22
by GLSA coordinator Sam James (sam_c).