Bug 880543 (CVE-2022-39377) - <app-admin/sysstat-12.7.1: buffer overflow on 32-bit systems
Summary: <app-admin/sysstat-12.7.1: buffer overflow on 32-bit systems
Status: CONFIRMED
Alias: CVE-2022-39377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/sysstat/sysstat/se...
Whiteboard: B2 [glsa+]
Depends on: 880673
Reported: 2022-11-08 22:21 UTC by John Helmert III
Modified: 2022-11-28 03:53 UTC (History)
Runtime testing required: ---
Description John Helmert III 2022-11-08 22:21:00 UTC
CVE-2022-39377:

sysstat is a set of system performance tools for the Linux operating system. On 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

Please bump.
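The arithmetic the CVE text describes, as an added example that is not sysstat's code: a constructed 32-bit size type shows how an unchecked count-times-size multiplication wraps before allocation, beside an overflow-checked form that refuses such inputs. The function names, the three-factor shape (nr, nr2, fsize) and the 65537 x 65536 input are constructed for illustration, not taken from sa_common.c.

```c
/* Added example (not sysstat's code). sz32_t stands in for size_t on a
 * 32-bit build so the wrap-around reproduces on any host. */
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t sz32_t;              /* size_t as seen on a 32-bit build */
#define SZ32_MAX UINT32_MAX

/* Vulnerable pattern: multiply first, check nothing. The product silently
 * wraps modulo 2^32, so a huge record count can come out as a tiny size. */
sz32_t unchecked_size(sz32_t nr, sz32_t nr2, sz32_t fsize)
{
    return nr * nr2 * fsize;
}

/* Overflow-safe multiply: returns 0 on success, -1 if a*b would exceed
 * SZ32_MAX. The division test is the portable form of __builtin_mul_overflow. */
static int mul_sz32(sz32_t a, sz32_t b, sz32_t *out)
{
    if (a != 0 && b > SZ32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened pattern: check each multiplication before performing it. */
int checked_size(sz32_t nr, sz32_t nr2, sz32_t fsize, sz32_t *out)
{
    sz32_t tmp;
    if (mul_sz32(nr, nr2, &tmp) != 0 || mul_sz32(tmp, fsize, out) != 0)
        return -1;
    return 0;
}

/* Allocate a buffer for nr*nr2 records of fsize bytes, or return NULL when
 * the size computation would wrap (the caller treats NULL as corrupt input
 * rather than proceeding with an undersized buffer). */
void *alloc_records(sz32_t nr, sz32_t nr2, sz32_t fsize)
{
    sz32_t bytes;
    if (checked_size(nr, nr2, fsize, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}
```

With the constructed input 65537 * 1 * 65536 (= 2^32 + 65536) the unchecked form returns 65536 bytes, while the checked form rejects the request.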
Comment 1 John Helmert III 2022-11-18 19:53:08 UTC
Please clean up
Comment 2 John Helmert III 2022-11-18 21:26:12 UTC
GLSA request filed.
Comment 3 Larry the Git Cow 2022-11-20 22:17:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb9441d9484f3108307d5c1540d077c813eb454d

commit bb9441d9484f3108307d5c1540d077c813eb454d
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-11-20 22:12:58 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-11-20 22:13:26 +0000

    app-admin/sysstat: drop 12.6.0
    
    No versions vulnerable to CVE-2022-39377 left in the tree.
    
    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-admin/sysstat/Manifest              |  1 -
 app-admin/sysstat/sysstat-12.6.0.ebuild | 83 ---------------------------------
 2 files changed, 84 deletions(-)
Comment 4 Larry the Git Cow 2022-11-22 04:01:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=49b1a08d3ed497346380ada7225793a6d6665271

commit 49b1a08d3ed497346380ada7225793a6d6665271
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:51:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-07 ] sysstat: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 5 John Helmert III 2022-11-22 04:04:37 UTC
GLSA released, all done!
Comment 6 Hank Leininger 2022-11-24 17:07:28 UTC
Noting here in case others are surprised to discover: this GLSA will fire on systems where this CVE is not applicable.

From the description's "On 32 bit systems, ..." it sounds like CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't appear to support USE=abi_x86_32, so you can't easily build a vulnerable version on amd64 if you tried.

But the GLSA will fire, because it is for arch="*".

Could it be arch="hppa mips ppc x86" or somesuch, instead?
Comment 7 John Helmert III 2022-11-28 03:52:24 UTC
(In reply to Hank Leininger from comment #6)
> Noting here in case others are surprised to discover: this GLSA will fire on
> systems where this CVE is not applicable.
> 
> From the description's "On 32 bit systems, ..." it sounds like
> CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't
> appear to support USE=abi_x86_32, so you can't easily build a vulnerable
> version on amd64 if you tried.

Well, note that the multilib USE flags don't necessarily indicate anything useful for a GLSA. Not everything has such flags, anyway.

> But the GLSA will fire, because it is for arch="*".
> 
> Could it be arch="hppa mips ppc x86" or somesuch, instead?

While this might be possible, I'm not certain that it'd be the best way to solve the problem. This is a good topic for further discussion, though; could you open a bug under "GLSA errors" for this? I'll then reopen this bug so the new one can block it.