
Bug 880543 (CVE-2022-39377)

Summary: <app-admin/sysstat-12.7.1: buffer overflow on 32 bit systems
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: gyakovlev, marecki
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 880673
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-08 22:21:00 UTC
CVE-2022-39377:

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

Please bump.
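An added illustration of the bug class the advisory describes (an unchecked multiplication that wraps a 32-bit size_t before allocation), not sysstat's own allocate_structures code: the record type, its 256-byte size, and the use of uint32_t to model a 32-bit size_t on any host are all constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a per-activity record; 256 bytes, chosen for
 * illustration only. uint32_t models size_t on a 32-bit target so the
 * wraparound is visible even when this is compiled on a 64-bit host. */
typedef struct { uint32_t fields[64]; } activity_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked pattern: the product is formed before any bound is checked,
 * so once nr * elem exceeds 32 bits it silently wraps to a small value. */
static uint32_t unchecked_size32(uint32_t nr, uint32_t elem)
{
    return nr * elem;
}

/* How many whole records the wrapped allocation really holds; the caller
 * believes it has nr of them, which is the out-of-bounds write condition. */
static uint32_t records_really_allocated(uint32_t nr, uint32_t elem)
{
    return unchecked_size32(nr, elem) / elem;
}

/* Hardened form: reject before multiplying. Division keeps this portable;
 * __builtin_mul_overflow(nr, elem, &out) is the GCC/Clang equivalent. */
static bool size_fits32(uint32_t nr, uint32_t elem)
{
    return elem == 0 || nr <= SIZE32_MAX / elem;
}

/* Allocate only when the byte count is representable, NULL otherwise.
 * (Modern calloc checks the product too, but the bound belongs where the
 * count is derived, before any size arithmetic happens.) */
static activity_t *alloc_activities(uint32_t nr)
{
    if (!size_fits32(nr, sizeof(activity_t)))
        return NULL;
    return calloc(nr, sizeof(activity_t));
}

int main(void)
{
    uint32_t nr = 0x01000001u;                 /* 2^24 + 1 records */
    printf("requested %u records, wrapped size %u bytes, holds %u records\n",
           nr, unchecked_size32(nr, sizeof(activity_t)),
           records_really_allocated(nr, sizeof(activity_t)));
    printf("checked alloc: %s\n", alloc_activities(nr) ? "ok" : "refused");
    return 0;
}
```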
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 19:53:08 UTC
Please cleanup
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 21:26:12 UTC
GLSA request filed.
Comment 3 Larry the Git Cow gentoo-dev 2022-11-20 22:17:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb9441d9484f3108307d5c1540d077c813eb454d

commit bb9441d9484f3108307d5c1540d077c813eb454d
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-11-20 22:12:58 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-11-20 22:13:26 +0000

    app-admin/sysstat: drop 12.6.0
    
    No versions vulnerable to CVE-2022-39377 left in the tree.
    
    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-admin/sysstat/Manifest              |  1 -
 app-admin/sysstat/sysstat-12.6.0.ebuild | 83 ---------------------------------
 2 files changed, 84 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2022-11-22 04:01:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=49b1a08d3ed497346380ada7225793a6d6665271

commit 49b1a08d3ed497346380ada7225793a6d6665271
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:51:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-07 ] sysstat: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:04:37 UTC
GLSA released, all done!
Comment 6 Hank Leininger 2022-11-24 17:07:28 UTC
Noting here in case others are surprised to discover: this GLSA will fire on systems where this CVE is not applicable.

From the description's "On 32 bit systems, ..." it sounds like CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't appear to support USE=abi_x86_32, so you can't easily build a vulnerable version on amd64 if you tried.

But the GLSA will fire, because it is for arch="*".

Could it be arch="hppa mips ppc x86" or somesuch, instead?
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-28 03:52:24 UTC
(In reply to Hank Leininger from comment #6)
> Noting here in case others are surprised to discover: this GLSA will fire on
> systems where this CVE is not applicable.
> 
> From the description's "On 32 bit systems, ..." it sounds like
> CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't
> appear to support USE=abi_x86_32, so you can't easily build a vulnerable
> version on amd64 if you tried.

Well, note that the multilib USE flags don't necessarily indicate anything useful for a GLSA. Not everything has such flags, anyway.

> But the GLSA will fire, because it is for arch="*".
> 
> Could it be arch="hppa mips ppc x86" or somesuch, instead?

While this might be possible, I'm not certain that it'd be the best way to solve the problem. This is a good topic for further discussion, though; could you open a bug under "GLSA errors" for this? And I'll reopen this bug so the new one can block it.