* [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 @ 2022-11-19 23:37 Fabrice Fontaine 2022-11-20 9:09 ` Yann E. MORIN 2022-11-23 9:50 ` Peter Korsgaard 0 siblings, 2 replies; 5+ messages in thread From: Fabrice Fontaine @ 2022-11-19 23:37 UTC (permalink / raw) To: buildroot; +Cc: Fabrice Fontaine Fix CVE-2022-39377: sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/sysstat/sysstat.hash | 4 ++-- package/sysstat/sysstat.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash index b573f312c6..b47f000e57 100644 --- a/package/sysstat/sysstat.hash +++ b/package/sysstat/sysstat.hash @@ -1,5 +1,5 @@ # From: http://sebastien.godard.pagesperso-orange.fr/download.html -sha1 1e38bc029979def730ae1fb1e39f631bd1a3bc73 sysstat-12.4.2.tar.xz +sha1 a730982e0c2d4964a0022c1509f3ea0a345402bc sysstat-12.6.1.tar.xz # Locally calculated -sha256 3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f sysstat-12.4.2.tar.xz +sha256 18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342 sysstat-12.6.1.tar.xz sha256 db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73 COPYING diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk index 6948f6b390..377396d986 100644 --- a/package/sysstat/sysstat.mk +++ b/package/sysstat/sysstat.mk @@ -4,7 +4,7 @@ # ################################################################################ -SYSSTAT_VERSION = 12.4.2 +SYSSTAT_VERSION = 12.6.1 SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard SYSSTAT_CONF_OPTS = --disable-file-attr -- 2.35.1 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 2022-11-19 23:37 [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 Fabrice Fontaine @ 2022-11-20 9:09 ` Yann E. MORIN 2022-11-20 9:49 ` Fabrice Fontaine 2022-11-23 9:50 ` Peter Korsgaard 1 sibling, 1 reply; 5+ messages in thread From: Yann E. MORIN @ 2022-11-20 9:09 UTC (permalink / raw) To: Fabrice Fontaine; +Cc: buildroot Fabrice, All, On 2022-11-20 00:37 +0100, Fabrice Fontaine spake thusly: > Fix CVE-2022-39377: sysstat is a set of system performance tools for the > Linux operating system. On 32 bit systems, in versions 9.1.16 and newer > but prior to 12.7.1, allocate_structures contains a size_t overflow in As you quote the NVD description, it states that versions lower than 12.7.1 are impacted, yet you only bump to 12.6.1. Also, the pointer you provided to the changelog does not mention CVE-2022-39377. Besides, github warns that it is not part of the sysstat repository (/!\ This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository). Can you double-check, please: if 12.6.1 indeed fixes the issue, then extend the commit log with the appropriate references; if not then we should bump to 12.7.1. Regards, Yann E. MORIN. > sa_common.c. The allocate_structures function insufficiently checks > bounds before arithmetic multiplication, allowing for an overflow in the > size allocated for the buffer representing system activities. This issue > may lead to Remote Code Execution (RCE). > > https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x > https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > --- > package/sysstat/sysstat.hash | 4 ++-- > package/sysstat/sysstat.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash > index b573f312c6..b47f000e57 100644 > --- a/package/sysstat/sysstat.hash > +++ b/package/sysstat/sysstat.hash > @@ -1,5 +1,5 @@ > # From: http://sebastien.godard.pagesperso-orange.fr/download.html > -sha1 1e38bc029979def730ae1fb1e39f631bd1a3bc73 sysstat-12.4.2.tar.xz > +sha1 a730982e0c2d4964a0022c1509f3ea0a345402bc sysstat-12.6.1.tar.xz > # Locally calculated > -sha256 3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f sysstat-12.4.2.tar.xz > +sha256 18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342 sysstat-12.6.1.tar.xz > sha256 db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73 COPYING > diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk > index 6948f6b390..377396d986 100644 > --- a/package/sysstat/sysstat.mk > +++ b/package/sysstat/sysstat.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -SYSSTAT_VERSION = 12.4.2 > +SYSSTAT_VERSION = 12.6.1 > SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz > SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard > SYSSTAT_CONF_OPTS = --disable-file-attr > -- > 2.35.1 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 2022-11-20 9:09 ` Yann E. MORIN @ 2022-11-20 9:49 ` Fabrice Fontaine 2022-11-20 10:05 ` Yann E. MORIN 0 siblings, 1 reply; 5+ messages in thread From: Fabrice Fontaine @ 2022-11-20 9:49 UTC (permalink / raw) To: Yann E. MORIN; +Cc: buildroot [-- Attachment #1.1: Type: text/plain, Size: 4197 bytes --] Yann, Le dim. 20 nov. 2022 à 10:09, Yann E. MORIN <yann.morin.1998@free.fr> a écrit : > Fabrice, All, > > On 2022-11-20 00:37 +0100, Fabrice Fontaine spake thusly: > > Fix CVE-2022-39377: sysstat is a set of system performance tools for the > > Linux operating system. On 32 bit systems, in versions 9.1.16 and newer > > but prior to 12.7.1, allocate_structures contains a size_t overflow in > > As you quote the NVD description, it states that versions lower than > 12.7.1 are impacted, yet you only bump to 12.6.1. > 12.7.1 is a development version: http://sebastien.godard.pagesperso-orange.fr/ > > Also, the pointer you provided to the changelog does not mention > CVE-2022-39377. Besides, github warns that it is not part of the > Changelog is mentioning GHSL-2022-074 (a.k.a. CVE-2022-39377): 2022/11/06: Version 12.6.1 - Sebastien Godard (sysstat <at> orange.fr) * Fix possible overflow in sa_common.c (GHSL-2022-074). > sysstat repository (/!\ This commit does not belong to any branch on > this repository, and may belong to a fork outside of the repository). > > Can you double-check, please: if 12.6.1 indeed fixes the issue, then > extend the commit log with the appropriate references; if not then we > should bump to 12.7.1. > And finally, here is the commit that fixes the issue on 12.6.1: https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab > > Regards, > Yann E. MORIN. > > > sa_common.c. The allocate_structures function insufficiently checks > > bounds before arithmetic multiplication, allowing for an overflow in the > > size allocated for the buffer representing system activities. This issue > > may lead to Remote Code Execution (RCE). > > > > > https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x > > https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES > > > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > > --- > > package/sysstat/sysstat.hash | 4 ++-- > > package/sysstat/sysstat.mk | 2 +- > > 2 files changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash > > index b573f312c6..b47f000e57 100644 > > --- a/package/sysstat/sysstat.hash > > +++ b/package/sysstat/sysstat.hash > > @@ -1,5 +1,5 @@ > > # From: http://sebastien.godard.pagesperso-orange.fr/download.html > > -sha1 1e38bc029979def730ae1fb1e39f631bd1a3bc73 sysstat-12.4.2.tar.xz > > +sha1 a730982e0c2d4964a0022c1509f3ea0a345402bc sysstat-12.6.1.tar.xz > > # Locally calculated > > -sha256 > 3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f > sysstat-12.4.2.tar.xz > > +sha256 > 18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342 > sysstat-12.6.1.tar.xz > > sha256 > db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73 COPYING > > diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk > > index 6948f6b390..377396d986 100644 > > --- a/package/sysstat/sysstat.mk > > +++ b/package/sysstat/sysstat.mk > > @@ -4,7 +4,7 @@ > > # > > > ################################################################################ > > > > -SYSSTAT_VERSION = 12.4.2 > > +SYSSTAT_VERSION = 12.6.1 > > SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz > > SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard > > SYSSTAT_CONF_OPTS = --disable-file-attr > > -- > > 2.35.1 > > > > _______________________________________________ > > buildroot mailing list > > buildroot@buildroot.org > > https://lists.buildroot.org/mailman/listinfo/buildroot > > -- > > .-----------------.--------------------.------------------.--------------------. > | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' > conspiracy: | > | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ > | > | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is > no | > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v > conspiracy. | > > '------------------------------^-------^------------------^--------------------' > Best Regards, Fabrice [-- Attachment #1.2: Type: text/html, Size: 6968 bytes --] [-- Attachment #2: Type: text/plain, Size: 150 bytes --] _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 2022-11-20 9:49 ` Fabrice Fontaine @ 2022-11-20 10:05 ` Yann E. MORIN 0 siblings, 0 replies; 5+ messages in thread From: Yann E. MORIN @ 2022-11-20 10:05 UTC (permalink / raw) To: Fabrice Fontaine; +Cc: buildroot Fabrice, All, On 2022-11-20 10:49 +0100, Fabrice Fontaine spake thusly: > Le dim. 20 nov. 2022 à 10:09, Yann E. MORIN < [1]yann.morin.1998@free.fr> a écrit : > As you quote the NVD description, it states that versions lower than > 12.7.1 are impacted, yet you only bump to 12.6.1. > 12.7.1 is a development version: [2]http://sebastien.godard.pagesperso-orange.fr/ > > Also, the pointer you provided to the changelog does not mention > CVE-2022-39377. Besides, github warns that it is not part of the > Changelog is mentioning GHSL-2022-074 (a.k.a. CVE-2022-39377): > 2022/11/06: Version 12.6.1 - Sebastien Godard (sysstat <at> [3]orange.fr) > * Fix possible overflow in sa_common.c (GHSL-2022-074). It's rather hard to correlate "GHSL-2022-074" with "CVE-2022-39377". ;-) OK, can you mention both info in the commit log when you respin? > sysstat repository (/!\ This commit does not belong to any branch on > this repository, and may belong to a fork outside of the repository). > > Can you double-check, please: if 12.6.1 indeed fixes the issue, then > extend the commit log with the appropriate references; if not then we > should bump to 12.7.1. > > And finally, here is the commit that fixes the issue on 12.6.1: > [4]https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab That's again weird, because github still warns that the referenced commit is not part of any branch in the sysstat repository... I don't know how you came up with that commit, but I couldfind 9c4eaf150662ad40607923389d4519bc83b93540 in the upstream repository. Regards, Yann E. MORIN. > Regards, > Yann E. MORIN. > > > sa_common.c. The allocate_structures function insufficiently checks > > bounds before arithmetic multiplication, allowing for an overflow in the > > size allocated for the buffer representing system activities. This issue > > may lead to Remote Code Execution (RCE). > > > > [5]https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x > > [6]https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES > > > > Signed-off-by: Fabrice Fontaine < [7]fontaine.fabrice@gmail.com> > > --- > > package/sysstat/sysstat.hash | 4 ++-- > > package/sysstat/ [8]sysstat.mk | 2 +- > > 2 files changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash > > index b573f312c6..b47f000e57 100644 > > --- a/package/sysstat/sysstat.hash > > +++ b/package/sysstat/sysstat.hash > > @@ -1,5 +1,5 @@ > > # From: [9]http://sebastien.godard.pagesperso-orange.fr/download.html > > -sha1 1e38bc029979def730ae1fb1e39f631bd1a3bc73 sysstat-12.4.2.tar.xz > > +sha1 a730982e0c2d4964a0022c1509f3ea0a345402bc sysstat-12.6.1.tar.xz > > # Locally calculated > > -sha256 3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f sysstat-12.4.2.tar.xz > > +sha256 18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342 sysstat-12.6.1.tar.xz > > sha256 db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73 COPYING > > diff --git a/package/sysstat/ [10]sysstat.mk b/package/sysstat/ [11]sysstat.mk > > index 6948f6b390..377396d986 100644 > > --- a/package/sysstat/ [12]sysstat.mk > > +++ b/package/sysstat/ [13]sysstat.mk > > @@ -4,7 +4,7 @@ > > # > > ################################################################################ > > > > -SYSSTAT_VERSION = 12.4.2 > > +SYSSTAT_VERSION = 12.6.1 > > SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz > > SYSSTAT_SITE = [14]http://pagesperso-orange.fr/sebastien.godard > > SYSSTAT_CONF_OPTS = --disable-file-attr > > -- > > 2.35.1 > > > > _______________________________________________ > > buildroot mailing list > > [15]buildroot@buildroot.org > > [16]https://lists.buildroot.org/mailman/listinfo/buildroot > > -- > .-----------------.--------------------.------------------.--------------------. > | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | > | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ > | > | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | > | [17]http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | > '------------------------------^-------^------------------^--------------------' > > Best Regards, > Fabrice > > Links: > 1. mailto:yann.morin.1998@free.fr > 2. http://sebastien.godard.pagesperso-orange.fr/ > 3. http://orange.fr > 4. https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab > 5. https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x > 6. https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES > 7. mailto:fontaine.fabrice@gmail.com > 8. http://sysstat.mk > 9. http://sebastien.godard.pagesperso-orange.fr/download.html > 10. http://sysstat.mk > 11. http://sysstat.mk > 12. http://sysstat.mk > 13. http://sysstat.mk > 14. http://pagesperso-orange.fr/sebastien.godard > 15. mailto:buildroot@buildroot.org > 16. https://lists.buildroot.org/mailman/listinfo/buildroot > 17. http://ymorin.is-a-geek.org/ > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 2022-11-19 23:37 [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 Fabrice Fontaine 2022-11-20 9:09 ` Yann E. MORIN @ 2022-11-23 9:50 ` Peter Korsgaard 1 sibling, 0 replies; 5+ messages in thread From: Peter Korsgaard @ 2022-11-23 9:50 UTC (permalink / raw) To: Fabrice Fontaine; +Cc: buildroot >>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2022-39377: sysstat is a set of system performance tools for the > Linux operating system. On 32 bit systems, in versions 9.1.16 and newer > but prior to 12.7.1, allocate_structures contains a size_t overflow in > sa_common.c. The allocate_structures function insufficiently checks > bounds before arithmetic multiplication, allowing for an overflow in the > size allocated for the buffer representing system activities. This issue > may lead to Remote Code Execution (RCE). > https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x > https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2022.08.x and 2022.02.x, thanks. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-11-23 9:51 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-11-19 23:37 [Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1 Fabrice Fontaine 2022-11-20 9:09 ` Yann E. MORIN 2022-11-20 9:49 ` Fabrice Fontaine 2022-11-20 10:05 ` Yann E. MORIN 2022-11-23 9:50 ` Peter Korsgaard
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox