Buildroot Archive on lore.kernel.org
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2, 1/1] package/sysstat: security bump to version 12.6.1
Date: Sun, 20 Nov 2022 11:49:29 +0100
Message-ID: <20221120104929.GB2516@scaer>
In-Reply-To: <20221120102531.16432-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2022-11-20 11:25 +0100, Fabrice Fontaine spake thusly:
> Fix CVE-2022-39377: sysstat is a set of system performance tools for the
> Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
> but prior to 12.7.1, allocate_structures contains a size_t overflow in
> sa_common.c. The allocate_structures function insufficiently checks
> bounds before arithmetic multiplication, allowing for an overflow in the
> size allocated for the buffer representing system activities. This issue
> may lead to Remote Code Execution (RCE).
> 
> Despite what is written above in the CVE announcement, and as written in
> the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
> development version):
> https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab

The issue is that the NVD considers 12.6.1 to be impacted; with your
patch applied, and a configuration that enables sysstat:

    $ make pkg-stats
    [...]
    $ jq .packages.sysstat.cves < pkg-stats.json
    [
      "CVE-2022-39377"
    ]

So, you also need to push to the NVD the fact that versions 12.6.x are
not affected, but 12.6.0 which still is.

In the meantime, I guess we need an exclusion in the .mk, but I am
not sure what our policy is in this respect...

> Someone suspicious of the github warning that "this commit does not
> belong to any branch on this repository" could check that the
> check_overflow function is defined in common.c and used in sa_common.c.

Sorry, but I don't buy that. So I had to investigate to understand where
that commit hash comes from.

So, Github reports that "commit does not belong to any branch on this
repository", and indeed there is no branch whose history contains that
commit hash.

However, said commit hash *is* reachable from the 12.6.1 _tag_. That is,
the sysstat repository does not contain any branch but master, and fix
releases are only pushed as tags with their history.

So, the warning by Github is misleading, as the referenced commit does
belong to the repository via a tag.

Regards,
Yann E. MORIN.

> https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
> https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2 (after review of Yann E. Morin):
>  - Update commit message
> 
>  package/sysstat/sysstat.hash | 4 ++--
>  package/sysstat/sysstat.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
> index b573f312c6..b47f000e57 100644
> --- a/package/sysstat/sysstat.hash
> +++ b/package/sysstat/sysstat.hash
> @@ -1,5 +1,5 @@
>  # From: http://sebastien.godard.pagesperso-orange.fr/download.html
> -sha1  1e38bc029979def730ae1fb1e39f631bd1a3bc73  sysstat-12.4.2.tar.xz
> +sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz
>  # Locally calculated
> -sha256  3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f  sysstat-12.4.2.tar.xz
> +sha256  18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342  sysstat-12.6.1.tar.xz
>  sha256  db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73  COPYING
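Review bot: only the sha1 line is traced to upstream (the `# From:` comment points at a plain http:// download page), while the sha256 for the new tarball is marked "Locally calculated", so a tampered download would simply yield a tampered-but-matching sha256; please state in the comment how the 12.6.1 tarball was cross-checked (upstream-published checksum or signature, or an https source) so the hash file records authenticity and not just reproducibility of the fetch.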
> diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk
> index 6948f6b390..377396d986 100644
> --- a/package/sysstat/sysstat.mk
> +++ b/package/sysstat/sysstat.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -SYSSTAT_VERSION = 12.4.2
> +SYSSTAT_VERSION = 12.6.1
>  SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
>  SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard
>  SYSSTAT_CONF_OPTS = --disable-file-attr
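Review bot: bumping SYSSTAT_VERSION to 12.6.1 on its own still leaves pkg-stats reporting CVE-2022-39377 against the package, because the NVD lists 12.6.1 as affected (see the `jq .packages.sysstat.cves` output earlier in this mail); add an explicit exclusion in this file (Buildroot's per-package `<PKG>_IGNORE_CVES` variable is the mechanism for that) with a comment citing the upstream fix commit, so that the reason is preserved when the NVD entry is eventually corrected. Note also that SYSSTAT_SITE fetches over plain http, so the hash file is the only integrity check on the new tarball.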
> -- 
> 2.35.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
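The check Yann describes above (a fix commit that no branch contains, yet a release tag reaches) can be reproduced and verified mechanically. The following is an added example, not code from the mail or from the sysstat or Buildroot projects: it constructs a throwaway repository in which the only branch is master and a fix commit is published solely through a tag, then shows how `git for-each-ref --contains` and `git merge-base --is-ancestor` distinguish "on no branch" from "unreachable". The tag name v12.6.1 and the commit contents are constructed for the demo; git must be in PATH.

```shell
#!/bin/sh
# Added example (not from the original mail): reproduce the "commit does not
# belong to any branch" situation and verify reachability through a tag.
set -e

# Build a constructed repository: one branch (master), plus a fix commit that
# is reachable only from a tag, the way sysstat publishes fix releases.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    # Pin the initial branch name so the demo does not depend on init.defaultBranch.
    git -C "$repo" symbolic-ref HEAD refs/heads/master
    git -C "$repo" config user.email demo@example.invalid
    git -C "$repo" config user.name demo
    echo base > "$repo/sa_common.c"
    git -C "$repo" add sa_common.c
    git -C "$repo" commit -q -m "base"
    # Commit the fix on a detached HEAD and publish it only through a tag.
    git -C "$repo" checkout -q --detach
    echo "bounds check before multiplication" > "$repo/sa_common.c"
    git -C "$repo" commit -q -am "fix size_t overflow in allocate_structures"
    git -C "$repo" tag v12.6.1
    git -C "$repo" checkout -q master
    echo "$repo"
}

# List refs under a namespace (refs/heads or refs/tags) whose history
# contains the given commit. Empty output means "no such ref".
refs_containing() {
    repo=$1; commit=$2; namespace=$3
    git -C "$repo" for-each-ref --contains "$commit" \
        --format='%(refname:short)' "$namespace"
}

# Print "yes" if commit $2 is an ancestor of (or equal to) ref $3 in repo $1.
is_ancestor() {
    if git -C "$1" merge-base --is-ancestor "$2" "$3"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demo: the fix commit is on no branch but is reachable from the tag.
demo=$(make_demo_repo)
fix=$(git -C "$demo" rev-parse 'v12.6.1^{commit}')
echo "fix commit: $fix"
echo "branches containing it: '$(refs_containing "$demo" "$fix" refs/heads)'"
echo "tags containing it:     '$(refs_containing "$demo" "$fix" refs/tags)'"
echo "ancestor of master:     $(is_ancestor "$demo" "$fix" master)"
echo "ancestor of v12.6.1:    $(is_ancestor "$demo" "$fix" v12.6.1)"
rm -rf "$demo"
```

Against a real clone of the sysstat repository, the same two commands answer the question for the commit quoted in the patch: `git for-each-ref --contains <hash> refs/tags` lists v12.6.1, and `git merge-base --is-ancestor <hash> v12.6.1` exits 0, regardless of what the Github web UI says about branches.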
