From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2, 1/1] package/sysstat: security bump to version 12.6.1
Date: Sun, 20 Nov 2022 12:07:37 +0100 [thread overview]
Message-ID: <20221120110737.GC2516@scaer> (raw)
In-Reply-To: <20221120104929.GB2516@scaer>
Fabrice, All,
On 2022-11-20 11:49 +0100, Yann E. MORIN spake thusly:
> On 2022-11-20 11:25 +0100, Fabrice Fontaine spake thusly:
> > Fix CVE-2022-39377: sysstat is a set of system performance tools for the
> > Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
> > but prior to 12.7.1, allocate_structures contains a size_t overflow in
> > sa_common.c. The allocate_structures function insufficiently checks
> > bounds before arithmetic multiplication, allowing for an overflow in the
> > size allocated for the buffer representing system activities. This issue
> > may lead to Remote Code Execution (RCE).
> >
> > Despite what is written above in the CVE announcement, and as written in
> > the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
> > development version):
> > https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab
>
> The issue is that the NVD considers 12.6.1 to be impacted; with your
> patch applied, and a configuration that enables sysstat:
>
> $ make pkg-stats
> [...]
> $ jq .packages.sysstat.cves < pkg-stats.json
> [
> "CVE-2022-39377"
> ]
>
> So, you also need to push to the NVD the fact that versions 12.6.x are
> not affected, but 12.6.0 which still is.
>
> In the meantime, I guess we need an exclusion in the .mk, but I am
> not sure what our policy is in this respect...
>
> > Someone suspicious of the github warning that "this commit does not
> > belong to any branch on this repository" could check that the
> > check_overflow function is defined in common.c and used in sa_common.c.
>
> Sorry, but I don't buy that. So I had to investigate to understand where
> that commit hash comes from.
>
> So, Github reports that "commit does not belong to any branch on this
> repository", and indeed there is no branch whose history contains that
> commit hash.
>
> However, said commit hash *is* reachable from the 12.6.1 _tag_. That is,
> the sysstat repository does not contain any branch but master, and fix
> releases are only pushed as tags with their history.
>
> So, the warning by Github is misleading, as the referenced commit does
> belong to the repository via a tag.
>
> Regards,
> Yann E. MORIN.
>
> > https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
> > https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, with tweaks about the mentioned issues, thanks.
Regards,
Yann E. MORIN.
> > ---
> > Changes v1 -> v2 (after review of Yann E. Morin):
> > - Update commit message
> >
> > package/sysstat/sysstat.hash | 4 ++--
> > package/sysstat/sysstat.mk | 2 +-
> > 2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
> > index b573f312c6..b47f000e57 100644
> > --- a/package/sysstat/sysstat.hash
> > +++ b/package/sysstat/sysstat.hash
> > @@ -1,5 +1,5 @@
> > # From: http://sebastien.godard.pagesperso-orange.fr/download.html
> > -sha1 1e38bc029979def730ae1fb1e39f631bd1a3bc73 sysstat-12.4.2.tar.xz
> > +sha1 a730982e0c2d4964a0022c1509f3ea0a345402bc sysstat-12.6.1.tar.xz
> > # Locally calculated
> > -sha256 3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f sysstat-12.4.2.tar.xz
> > +sha256 18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342 sysstat-12.6.1.tar.xz
> > sha256 db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73 COPYING
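Review bot: the sha1 on the second line of this hunk is the only checksum that comes from upstream, and the "# From:" comment above it points at a plain-http page (http://sebastien.godard.pagesperso-orange.fr/download.html), so the "# Locally calculated" sha256 below only pins the tarball that happened to be downloaded and does not independently authenticate it. Please say in the commit message how the 12.6.1 tarball was cross-checked (for example against the v12.6.1 tag contents already referenced in this thread), and fetch the upstream hash page over https if the host serves it.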
> > diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk
> > index 6948f6b390..377396d986 100644
> > --- a/package/sysstat/sysstat.mk
> > +++ b/package/sysstat/sysstat.mk
> > @@ -4,7 +4,7 @@
> > #
> > ################################################################################
> >
> > -SYSSTAT_VERSION = 12.4.2
> > +SYSSTAT_VERSION = 12.6.1
> > SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
> > SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard
> > SYSSTAT_CONF_OPTS = --disable-file-attr
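Review bot: bumping SYSSTAT_VERSION alone leaves the false positive discussed above in place: the NVD range for CVE-2022-39377 runs up to 12.7.1, so `make pkg-stats` keeps listing the CVE for 12.6.1, and this hunk adds no exclusion. Suggest adding, after the version lines, `SYSSTAT_IGNORE_CVES += CVE-2022-39377` preceded by a comment naming the upstream fix commit c1e631eddc50c04e4dcea169ba396bee2bd6b0ab, so the exclusion is justified in the .mk and can be dropped once the NVD entry is corrected. Minor: SYSSTAT_SITE stays on plain http://; use https if the upstream host serves it, since the hash file gives no upstream-provided sha256 to fall back on.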
> > --
> > 2.35.1
> >
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
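The tag-versus-branch reachability check Yann describes above, as an added example that is not part of the original thread, of sysstat or of Buildroot. It builds a throw-away repository (constructed sample history, not sysstat's) in which a fix commit sits on no branch but is an ancestor of a release tag, which is exactly the situation that makes GitHub print "this commit does not belong to any branch on this repository", and then runs the three git queries that settle whether a release contains the fix. The repository path, tag names and file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread, sysstat or Buildroot.
# Reproduces the case where a fix commit is reachable only from a release
# tag (GitHub: "does not belong to any branch") and shows how to check it.
set -eu

# Build a throw-away repository with this constructed history:
#   master:  A (v1.0) ---> C (development)
#   tag:     A ---> B (v1.0.1, the fix; on no branch at all)
# Prints the repository path on stdout.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/master
  git -C "$repo" config user.name "example"
  git -C "$repo" config user.email "example@example.invalid"
  git -C "$repo" config commit.gpgsign false

  # A: the vulnerable release (file contents are illustrative only).
  echo "size = n * sizeof(struct act);" > "$repo/sa_common.c"
  git -C "$repo" add sa_common.c
  git -C "$repo" commit -q -m "release 1.0"
  git -C "$repo" tag v1.0

  # B: the fix release, committed on a detached HEAD from v1.0 and tagged;
  # no branch is ever pointed at it, mirroring a tag-only fix release.
  git -C "$repo" checkout -q --detach v1.0
  echo "if (check_overflow(n, sizeof(struct act))) abort();" >> "$repo/sa_common.c"
  git -C "$repo" commit -q -a -m "fix size_t overflow"
  git -C "$repo" tag v1.0.1
  git -C "$repo" checkout -q master

  # C: development continues on master without commit B.
  echo "/* development */" >> "$repo/sa_common.c"
  git -C "$repo" commit -q -a -m "development"

  printf '%s\n' "$repo"
}

# Does any branch contain the commit? This is the question the GitHub
# banner answers. Exit status 0 if yes, 1 if no.
branch_contains() {
  [ -n "$(git -C "$1" branch --contains "$2")" ]
}

# Is the commit an ancestor of the given tag? Exit status 0 if yes, 1 if
# no (merge-base --is-ancestor exits >1 only on error).
tag_contains() {
  git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# List every tag whose history includes the commit: the quickest way to
# map a fix hash to the releases that ship it.
tags_with() {
  git -C "$1" tag --contains "$2"
}
```

Against a real sysstat clone the same query is `git tag --contains c1e631eddc50c04e4dcea169ba396bee2bd6b0ab`; an empty answer from `git branch --contains` says nothing about releases, and the tarball Buildroot downloads should still be compared with the tag contents rather than trusted on the strength of the commit being reachable.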
Thread overview: 3+ messages
2022-11-20 10:25 [Buildroot] [PATCH v2, 1/1] package/sysstat: security bump to version 12.6.1 Fabrice Fontaine
2022-11-20 10:49 ` Yann E. MORIN
2022-11-20 11:07 ` Yann E. MORIN [this message]