Headline
Red Hat Security Advisory 2023-2234-01
Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: sysstat security and bug fix update
Advisory ID: RHSA-2023:2234-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2234
Issue date: 2023-05-09
CVE Names: CVE-2022-39377
====================================================================
- Summary:
An update for sysstat is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The sysstat packages provide the sar and iostat commands. These commands
enable system monitoring of disk, network, and other I/O activity.
Security Fix(es):
- sysstat: arithmetic overflow in allocate_structures() on 32 bit systems
(CVE-2022-39377)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2141207 - CVE-2022-39377 sysstat: arithmetic overflow in allocate_structures() on 32 bit systems
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
sysstat-12.5.4-5.el9.src.rpm
aarch64:
sysstat-12.5.4-5.el9.aarch64.rpm
sysstat-debuginfo-12.5.4-5.el9.aarch64.rpm
sysstat-debugsource-12.5.4-5.el9.aarch64.rpm
ppc64le:
sysstat-12.5.4-5.el9.ppc64le.rpm
sysstat-debuginfo-12.5.4-5.el9.ppc64le.rpm
sysstat-debugsource-12.5.4-5.el9.ppc64le.rpm
s390x:
sysstat-12.5.4-5.el9.s390x.rpm
sysstat-debuginfo-12.5.4-5.el9.s390x.rpm
sysstat-debugsource-12.5.4-5.el9.s390x.rpm
x86_64:
sysstat-12.5.4-5.el9.x86_64.rpm
sysstat-debuginfo-12.5.4-5.el9.x86_64.rpm
sysstat-debugsource-12.5.4-5.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-39377
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZFo1A9zjgjWX9erEAQir4g//XX4H0LjGGWdR0AAyuy9uG8FI0CLqk56O
gOdGdJ8x0H0t3VASRC/ebotFIwx8LFi8hDVXQ9zPkn3CfnnfdWwD/Eyt34GIETDr
YZa+8bClxZMQxgFFQRDJJ4FbpFRltbAfakXdWVACVgbMGs7vkbVIPPUSfcCXQfyv
YItQew/n/wYn1Cr8uxJplx5GmQzhlEfsc1kqf7EcVftvh4UFrF7Z42nxtKirmdxK
hqSfV9YMUvWsq2JdkDcFTiZVnK2jij4bKMwrpIvZrkZwJz3w5FcU+IwDj3B+J42p
Z/avVq3T1qUGlBCRv0bNvL+onGqbrDmJRHbbi4Z78XIpRN3CDFlD+iMLBgpTAwSw
Na0H1DO2ta1aUa/0ZOv6b0wcFuJEnIDLW5eOQgbL4VkYEQOGX3x2iRgpQiI++z0r
vIn49E13rTuHcRV3RSAfFwGlO2ZZCHVAYwACadl8dTSdZiiEsHfwDbK2j7kmajQH
+rRkb0naXa+BrVKFIfjua/y/FrUvgOnNkW2RjCFMvH4VVIFedx0OjFR11payT91S
hwt9C2/xoDJRqPlCnbMzFVBg7yAW0foIHtb7WMQ6jJRecAKDoLhUDcNSeWUgQV/f
bEQvB4Zlk2kqd7/dNChhxDfk5om13319h19NESJ+r/CoO/2ssRXQT9kHGbJKYudi
vfbXV8qBX8o=K3qT
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...
An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...
Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.
Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.