From ${URL} :

An issue was discovered in sysstat 12.1.1. The remap_struct function in sa_common.c has an out-of-bounds read during a memset call, as demonstrated by sadf.

Upstream issue: https://github.com/sysstat/sysstat/issues/199
Upstream patch: https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b57ce53cb0a17c010d0e16143137b0ca7269a2c2

commit b57ce53cb0a17c010d0e16143137b0ca7269a2c2
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-02-22 09:30:37 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-02-22 09:31:03 +0000

    app-admin/sysstat: Old

    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/678550
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 app-admin/sysstat/Manifest              |  1 -
 app-admin/sysstat/sysstat-12.0.2.ebuild | 85 ---------------------------------
 2 files changed, 86 deletions(-)
2018/12/14: Version 12.0.3 - Sebastien Godard (sysstat <at> orange.fr)
	* sadf: Fix out of bound reads security issues (CVE-2018-19416 and CVE-2018-19517).

2018/12/14: Version 12.1.2 - Sebastien Godard (sysstat <at> orange.fr)
	* sadf: Fix out of bound reads security issues (CVE-2018-19416 and CVE-2018-19517) [12.0.3].
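As an added triage helper (not part of this bug report or of sysstat itself), the fixed versions named in the changelog above turned into a branch-aware check that a defender can run over installed version strings; treating branches after 12.1 as fixed and pre-12.0 versions as unknown is an assumption, since the changelog excerpt says nothing about them.

```python
"""Added example (not from the bug report or sysstat): decide whether a sysstat
version string is affected by CVE-2018-19416 / CVE-2018-19517 using the fixed
versions from the changelog above (12.0.3 on the 12.0 branch, 12.1.2 on the
12.1 branch). Branches after 12.1 are assumed fixed; pre-12.0 versions are not
covered by the excerpt and are reported as unknown (both are assumptions).
"""
from typing import Optional, Tuple

# Fixed versions per release branch, taken from the changelog entries above.
FIXED_BY_BRANCH = {
    (12, 0): (12, 0, 3),
    (12, 1): (12, 1, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.1.1' (or a Gentoo version such as '12.0.2-r1') into ints."""
    core = text.strip().split("-")[0]  # drop a Gentoo revision suffix like -r1
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(text: str) -> Optional[bool]:
    """True if fixed, False if affected, None if the changelog says nothing."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison: (12, 0, 2) < (12, 0, 3), (12, 1, 2) >= (12, 1, 2).
        return v >= FIXED_BY_BRANCH[branch]
    if branch > (12, 1):
        return True   # later branches carry the 12.1.2 fix (assumption)
    return None       # pre-12.0: outside the changelog, cannot judge here


def triage(versions):
    """Map each version string to 'fixed', 'affected' or 'unknown'."""
    labels = {True: "fixed", False: "affected", None: "unknown"}
    return {v: labels[is_fixed(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample input: the versions named on this page plus a few more.
    for version, verdict in triage(["12.1.1", "12.0.2-r1", "12.0.3",
                                    "12.1.2", "12.2.0", "11.7.4"]).items():
        print(f"sysstat {version}: {verdict}")
```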
No vulnerable versions are left in the tree now.