|Summary:||<app-admin/sysstat-12.7.1: buffer overflow on 32 bit systems|
|Product:||Gentoo Security||Reporter:||John Helmert III <ajak>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||880673|
Description John Helmert III 2022-11-08 22:21:00 UTC
CVE-2022-39377: sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1. Please bump.
Comment 1 John Helmert III 2022-11-18 19:53:08 UTC
Comment 2 John Helmert III 2022-11-18 21:26:12 UTC
GLSA request filed.
Comment 3 Larry the Git Cow 2022-11-20 22:17:14 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb9441d9484f3108307d5c1540d077c813eb454d commit bb9441d9484f3108307d5c1540d077c813eb454d Author: Marek Szuba <email@example.com> AuthorDate: 2022-11-20 22:12:58 +0000 Commit: Marek Szuba <firstname.lastname@example.org> CommitDate: 2022-11-20 22:13:26 +0000 app-admin/sysstat: drop 12.6.0 No versions vulnerable to CVE-2022-39377 left in the tree. Bug: https://bugs.gentoo.org/880543 Signed-off-by: Marek Szuba <email@example.com> app-admin/sysstat/Manifest | 1 - app-admin/sysstat/sysstat-12.6.0.ebuild | 83 --------------------------------- 2 files changed, 84 deletions(-)
Comment 4 Larry the Git Cow 2022-11-22 04:01:31 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=49b1a08d3ed497346380ada7225793a6d6665271 commit 49b1a08d3ed497346380ada7225793a6d6665271 Author: GLSAMaker <firstname.lastname@example.org> AuthorDate: 2022-11-22 03:51:29 +0000 Commit: John Helmert III <email@example.com> CommitDate: 2022-11-22 03:59:40 +0000 [ GLSA 202211-07 ] sysstat: Arbitrary Code Execution Bug: https://bugs.gentoo.org/880543 Signed-off-by: GLSAMaker <firstname.lastname@example.org> Signed-off-by: John Helmert III <email@example.com> glsa-202211-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
Comment 5 John Helmert III 2022-11-22 04:04:37 UTC
GLSA released, all done!
Comment 6 Hank Leininger 2022-11-24 17:07:28 UTC
Noting here in case others are surprised to discover: this GLSA will fire on systems where this CVE is not applicable. From the description's "On 32 bit systems, ..." it sounds like CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't appear to support USE=abi_x86_32, so you can't easily build a vulnerable version on amd64 if you tried. But the GLSA will fire, because it is for arch="*". Could it be arch="hppa mips ppc x86" or somesuch, instead?
Comment 7 John Helmert III 2022-11-28 03:52:24 UTC
(In reply to Hank Leininger from comment #6) > Noting here in case others are surprised to discover: this GLSA will fire on > systems where this CVE is not applicable. > > From the description's "On 32 bit systems, ..." it sounds like > CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't > appear to support USE=abi_x86_32, so you can't easily build a vulnerable > version on amd64 if you tried. Well, note that the multilib USE flags don't necessarily indicate anything useful for a GLSA. Not everything has such flags, anyway. > But the GLSA will fire, because it is for arch="*". > > Could it be arch="hppa mips ppc x86" or somesuch, instead? While this might be possible, I'm not certain that it'd be the best way to solve the problem. This is a good topic for further discussion though, could you open a bug under "GLSA errors" for this? And I'll reopen this bug so the new one can block it.