CVE-2022-39377: sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1. Please bump.
Please clean up.
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb9441d9484f3108307d5c1540d077c813eb454d

commit bb9441d9484f3108307d5c1540d077c813eb454d
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-11-20 22:12:58 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-11-20 22:13:26 +0000

    app-admin/sysstat: drop 12.6.0

    No versions vulnerable to CVE-2022-39377 left in the tree.

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-admin/sysstat/Manifest              |  1 -
 app-admin/sysstat/sysstat-12.6.0.ebuild | 83 ---------------------------------
 2 files changed, 84 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=49b1a08d3ed497346380ada7225793a6d6665271

commit 49b1a08d3ed497346380ada7225793a6d6665271
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:51:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-07 ] sysstat: Arbitrary Code Execution

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
GLSA released, all done!
Noting here in case others are surprised to discover: this GLSA will fire on systems where this CVE is not applicable. From the description's "On 32 bit systems, ..." it sounds like CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't appear to support USE=abi_x86_32, so you can't easily build a vulnerable version on amd64 if you tried. But the GLSA will fire, because it is for arch="*". Could it be arch="hppa mips ppc x86" or somesuch, instead?
(In reply to Hank Leininger from comment #6)
> Noting here in case others are surprised to discover: this GLSA will fire on
> systems where this CVE is not applicable.
> 
> From the description's "On 32 bit systems, ..." it sounds like
> CVE-2022-39377 does not apply to amd64 systems. The sysstat package doesn't
> appear to support USE=abi_x86_32, so you can't easily build a vulnerable
> version on amd64 if you tried.

Well, note that the multilib USE flags don't necessarily indicate anything useful for a GLSA. Not everything has such flags, anyway.

> But the GLSA will fire, because it is for arch="*".
> 
> Could it be arch="hppa mips ppc x86" or somesuch, instead?

While this might be possible, I'm not certain that it'd be the best way to solve the problem. This is a good topic for further discussion though, could you open a bug under "GLSA errors" for this? And I'll reopen this bug so the new one can block it.
In spite of the vulnerability report not having been updated accordingly, upstream has eventually backported the fix to the production branch 12.6.x. This is relevant because gyakovlev and I want to only keep production version of sysstat in the tree, a plan temporarily derailed by this CVE.
After the @world update, glsa-check now reports GLSA 202211-07 as affected. I assume you need to update the GLSA to reflect that 12.6.2 is NOT vulnerable?
(In reply to Fischl Anton from comment #9)
> after @world update, now glsa-check reports GLSA 202211-07 as affected. I
> assume you need to update the GLSA to reflect that 12.6.2 is NOT vulnerable?

Yes, I'll figure out how to do this later today/tomorrow.
FYI GLSA 202211-07 is still firing on systems with app-admin/sysstat-12.6.2, the latest in the tree, installed. 12.7.1 was removed from ::gentoo by commit 23654bdf8ff955a4dd2c72a21e0febfe62a785a3 on 2023-04-02. Note, further discussion since 12.6.2 was released indicates some of the fixes were incomplete: https://github.com/sysstat/sysstat/issues/359 Upstream merged a fix after that, just last week: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0 But no new release has been tagged since then. So perhaps we need a 12.6.2-r1 to fully address CVE-2022-39377 in addition to the GLSA being updated.
(In reply to Hank Leininger from comment #11)
> Note, further discussion since 12.6.2 was released indicates some of the
> fixes were incomplete:
> 
> https://github.com/sysstat/sysstat/issues/359
> 
> Upstream merged a fix after that, just last week:

Ooh, this is very useful information! Thank you for that, I'll push a fix shortly.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecf13248bdaba63272a52d2678ce688ffb161a9d

commit ecf13248bdaba63272a52d2678ce688ffb161a9d
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2023-05-23 19:23:23 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2023-05-23 19:39:35 +0000

    app-admin/sysstat: backport second part of CVE-2022-39377 fix

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 .../files/sysstat-12.6.2-check_overflow.patch | 18 +++++
 app-admin/sysstat/sysstat-12.6.2-r1.ebuild    | 88 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
This patch triggers build failures now.

usr/lib/gcc/powerpc64le-unknown-linux-gnu/12/../../../../powerpc64le-unknown-linux-gnu/bin/ar: creating librdsensors.a
a - rd_sensors.o
common.c: In function 'check_overflow':
common.c:454:71: error: expected ')' before '{' token
  454 |             (unsigned long long)val2) < (unsigned long long)val3)) {
      |                                                                   ^~
      |                                                                   )
common.c:450:12: note: to match this '('
  450 |         if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
      |            ^
common.c:462:1: error: expected expression before '}' token
  462 | }
      | ^
make: *** [Makefile:256: common_light.o] Error 1
make: *** Waiting for unfinished jobs....
common.c: In function 'check_overflow':
common.c:454:71: error: expected ')' before '{' token
  454 |             (unsigned long long)val2) < (unsigned long long)val3)) {
      |                                                                   ^~
      |                                                                   )
common.c:450:12: note: to match this '('
  450 |         if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
      |            ^
common.c:462:1: error: expected expression before '}' token
  462 | }
      | ^
make: *** [Makefile:248: common.o] Error 1
 * ERROR: app-admin/sysstat-12.6.2-r1::gentoo failed (compile phase):
https://github.com/sysstat/sysstat/commit/954ff2e2673cef48f0ed44668c466eab041db387

Looks like there was a missing `)`. Where did you get the patch?
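The size_t multiplication overflow described in the original report, and the shape of the `check_overflow()` guard whose mismatched parentheses broke the 12.6.2-r1 build above, as an added C example written for this page (it is not sysstat's own code): a 32-bit size_t is modelled with uint32_t so the wrap-around is reproducible on a 64-bit host, the unchecked product is shown next to a division-based three-operand overflow test, and the test is placed in front of the allocation. The function names, the operand names nr/count/elem and the sample sizes are assumptions for illustration, not identifiers from sa_common.c or common.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not sysstat code. A 32-bit size_t is modelled with uint32_t
 * so the wrap the CVE describes shows up on any host. Names are assumptions.
 */

/* Unchecked size computation: unsigned arithmetic silently wraps modulo 2^32,
 * so a huge product becomes a small allocation that is later overrun. */
uint32_t buffer_size_unchecked(uint32_t nr, uint32_t count, uint32_t elem)
{
	return nr * count * elem;
}

/* Division-based test: true if nr * count * elem does not fit in 32 bits.
 * nr * count is computed in 64 bits (each factor < 2^32, so it cannot wrap),
 * and elem > floor(UINT32_MAX / (nr * count)) holds exactly when
 * nr * count * elem > UINT32_MAX. A zero factor gives a zero product. */
bool mul3_overflows_u32(uint32_t nr, uint32_t count, uint32_t elem)
{
	if (nr == 0 || count == 0 || elem == 0)
		return false;
	unsigned long long partial = (unsigned long long)nr * count;
	return (unsigned long long)UINT32_MAX / partial < elem;
}

/* Checked size computation: returns 0 and clears *ok when the product would
 * wrap, instead of handing a truncated size to the allocator. */
uint32_t buffer_size_checked(uint32_t nr, uint32_t count, uint32_t elem, bool *ok)
{
	if (mul3_overflows_u32(nr, count, elem)) {
		*ok = false;
		return 0;
	}
	*ok = true;
	return nr * count * elem;
}

/* Allocation wrapper in the spirit of allocate_structures(): refuse rather
 * than allocate a wrapped size. Returns NULL on overflow or calloc failure. */
void *allocate_checked(uint32_t nr, uint32_t count, uint32_t elem)
{
	bool ok;
	uint32_t size = buffer_size_checked(nr, count, elem, &ok);
	if (!ok) {
		fprintf(stderr, "allocate_checked: size overflow (%u * %u * %u)\n",
		        nr, count, elem);
		return NULL;
	}
	return calloc(1, size);
}

int main(void)
{
	/* Constructed inputs: 65536 * 65536 * 1 == 2^32, which wraps to 0. */
	uint32_t wrapped = buffer_size_unchecked(65536, 65536, 1);
	printf("unchecked size: %u (wrapped)\n", wrapped);

	void *p = allocate_checked(65536, 65536, 1);
	printf("checked allocation of the same product: %s\n",
	       p ? "succeeded" : "refused");
	free(p);

	p = allocate_checked(16, 1024, 64);   /* 1 MiB, fits in 32 bits */
	printf("sane allocation: %s\n", p ? "succeeded" : "refused");
	free(p);
	return 0;
}
```

On GCC and Clang the same test can be written with `__builtin_mul_overflow()`, which also works for the 64-bit size_t case without a wider intermediate type; the division form above is kept because it is portable C and mirrors the structure of the guard seen in the build log.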
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bab92cdf6c95ed8cf09ed85122d307891528f094

commit bab92cdf6c95ed8cf09ed85122d307891528f094
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-05-23 22:29:33 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-05-23 22:29:33 +0000

    app-admin/sysstat: update patch, fix build in 12.6.2-r1

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-admin/sysstat/files/sysstat-12.6.2-check_overflow.patch | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(In reply to Georgy Yakovlev from comment #15)
> where did you get the patch?

From the aforementioned GitHub link, except I piped it through scrub-patch and removed the preamble to get rid of QA warnings reported by said tool. No idea what happened here... Thanks for the correction!
Yeah, the patch on the commit shows )), but the actual git master file shows ))), without any commits to that file. Idk how that's possible, probably some merge shenanigans that the web UI doesn't show.
(In reply to Georgy Yakovlev from comment #18)
> Yeah patch on commit shows )), but actual git master file shows ))), while
> without commits to that file. Idk how that's possible, probably some merge
> shenanigans that webui doesn't show.

Shenanigans indeed. I encountered that when creating https://github.com/gentoo/gentoo/pull/31148 as well, which is obsolete now, which is fine.

https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0 shows different code changes from https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0.patch, which I did not know was a thing. And if you cut-and-paste the diff from the HTML view, it is of course mangled.

I ended up manually diffing the old common.c and the new common.c, which gives further complications because upstream has changed from the 12.6.2 release version, so you have to cherry-pick just this change by hand.
(In reply to Marek Szuba from comment #12)
> (In reply to Hank Leininger from comment #11)
> 
> > Note, further discussion since 12.6.2 was released indicates some of the
> > fixes were incomplete:
> > 
> > https://github.com/sysstat/sysstat/issues/359
> > 
> > Upstream merged a fix after that, just last week:
> 
> Ooh, this is very useful information! Thank you for that, I'll push a fix
> shortly.

Please file a new bug if there's more fixes for bugs being added on...
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a6a400bae6d717caa4806a3987d3810b3c66d0f3

commit a6a400bae6d717caa4806a3987d3810b3c66d0f3
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2023-05-29 00:11:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-29 00:12:21 +0000

    [ GLSA 202211-07 ] sysstat: Fix affected versions

    Bug: https://bugs.gentoo.org/880543
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202211-07.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)