| Summary: | <app-admin/sysstat-12.7.1: buffer overflow on 32 bit systems | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED | | |
| Severity: | normal | CC: | gyakovlev, marecki |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x | | |
| Whiteboard: | B2 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 880673 | | |
| Bug Blocks: | | | |
Description

John Helmert III

Please clean up.

GLSA request filed.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb9441d9484f3108307d5c1540d077c813eb454d

```
commit bb9441d9484f3108307d5c1540d077c813eb454d
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-11-20 22:12:58 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-11-20 22:13:26 +0000

    app-admin/sysstat: drop 12.6.0

    No versions vulnerable to CVE-2022-39377 left in the tree.

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-admin/sysstat/Manifest              |  1 -
 app-admin/sysstat/sysstat-12.6.0.ebuild | 83 ---------------------------------
 2 files changed, 84 deletions(-)
```

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=49b1a08d3ed497346380ada7225793a6d6665271

```
commit 49b1a08d3ed497346380ada7225793a6d6665271
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:51:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-07 ] sysstat: Arbitrary Code Execution

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
```

GLSA released, all done!

Hank Leininger (comment #6)

Noting here in case others are surprised to discover: this GLSA will fire on systems where this CVE is not applicable.

From the description's "On 32 bit systems, ..." it sounds like CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't appear to support USE=abi_x86_32, so you can't easily build a vulnerable version on amd64 if you tried.

But the GLSA will fire, because it is for arch="*".

Could it be arch="hppa mips ppc x86" or somesuch, instead?
(In reply to Hank Leininger from comment #6)

> Noting here in case others are surprised to discover: this GLSA will fire on
> systems where this CVE is not applicable.
>
> From the description's "On 32 bit systems, ..." it sounds like
> CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't
> appear to support USE=abi_x86_32, so you can't easily build a vulnerable
> version on amd64 if you tried.

Well, note that the multilib USE flags don't necessarily indicate anything useful for a GLSA. Not everything has such flags, anyway.

> But the GLSA will fire, because it is for arch="*".
>
> Could it be arch="hppa mips ppc x86" or somesuch, instead?

While this might be possible, I'm not certain that it'd be the best way to solve the problem. This is a good topic for further discussion though, could you open a bug under "GLSA errors" for this? And I'll reopen this bug so the new one can block it.