Ubuntu Security Notice USN-6145-1

Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

Packet Storm

==========================================================================
Ubuntu Security Notice USN-6145-1
June 07, 2023

sysstat vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.04
  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Sysstat could be made to crash or run programs if it processed specially
crafted data.

Software Description:

  • sysstat: system performance tools for Linux

Details:

It was discovered that Sysstat incorrectly handled certain arithmetic
multiplications. An attacker could use this issue to cause Sysstat to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue was only fixed for Ubuntu 16.04 LTS. (CVE-2022-39377)

It was discovered that Sysstat incorrectly handled certain arithmetic
multiplications in 64-bit systems, as a result of an incomplete fix for
CVE-2022-39377. An attacker could use this issue to cause Sysstat to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2023-33204)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
sysstat 12.6.1-1ubuntu0.1

Ubuntu 22.10:
sysstat 12.5.6-1ubuntu0.2

Ubuntu 22.04 LTS:
sysstat 12.5.2-2ubuntu0.2

Ubuntu 20.04 LTS:
sysstat 12.2.0-2ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
sysstat 11.6.1-1ubuntu0.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
sysstat 11.2.0-1ubuntu0.3+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
sysstat 10.2.0-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6145-1
CVE-2022-39377, CVE-2023-33204

Package Information:
https://launchpad.net/ubuntu/+source/sysstat/12.6.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sysstat/12.5.6-1ubuntu0.2
https://launchpad.net/ubuntu/+source/sysstat/12.5.2-2ubuntu0.2
https://launchpad.net/ubuntu/+source/sysstat/12.2.0-2ubuntu0.3

Related news

CVE-2023-33204: Fix an overflow which is still possible for some values. by pkopylov · Pull Request #360 · sysstat/sysstat

sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377.

RHSA-2023:2800: Red Hat Security Advisory: sysstat security and bug fix update

An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...

Red Hat Security Advisory 2023-2234-01

Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.

RHSA-2023:2234: Red Hat Security Advisory: sysstat security and bug fix update

An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...

Ubuntu Security Notice USN-5748-1

Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-5735-1

Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.

Gentoo Linux Security Advisory 202211-07

Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.

CVE-2022-39377: sysstat overflow on 32-bit systems

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
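The two overflow shapes described in the Details section above and in the CVE-2023-33204 and CVE-2022-39377 entries, as an added illustration that is not sysstat's code and is not taken from the pull request: every function name, variable and input below is constructed for this example. The "naive" functions model the bug shapes (a 32-bit size product that wraps before an allocation, and an overflow check that forms a 64-bit product and compares it against UINT_MAX but can itself wrap when the operands are 64-bit), and the "checked" functions show a multiplication guard that rejects the same inputs.

```c
/*
 * Added example (editor's illustration, not sysstat's code). It models the
 * two bug shapes the advisories describe: a 32-bit size_t product that wraps
 * before allocation (CVE-2022-39377 shape) and an overflow check that
 * computes the product in a 64-bit type but can itself wrap on 64-bit
 * systems (CVE-2023-33204 shape). Names and inputs are this example's own.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit bug shape: the product is formed in a 32-bit size type, so
 * count * elem_size can wrap to a small number; the caller then allocates
 * an undersized buffer and later writes count elements into it. */
uint32_t size_naive32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;            /* wraps modulo 2^32 */
}

/* Incomplete-fix shape: form the three-way product in a 64-bit type and
 * compare with UINT_MAX. With 64-bit operands (size_t on a 64-bit build)
 * the 64-bit product can wrap below UINT_MAX, so the check wrongly passes. */
bool fits_naive64(uint64_t a, uint64_t b, uint64_t c)
{
    uint64_t prod = a * b * c;           /* wraps modulo 2^64 */
    return prod <= UINT_MAX;
}

/* Portable checked multiply: returns true and stores a*b in *out when the
 * product fits in 64 bits, false otherwise. Equivalent to
 * __builtin_mul_overflow() on gcc/clang, without depending on it. */
bool mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened three-way check: every intermediate product is verified, then
 * the final value is bounded by what the 32-bit size fields can hold. */
bool fits_checked(uint64_t a, uint64_t b, uint64_t c, uint64_t *out)
{
    uint64_t ab, abc;
    if (!mul_u64_checked(a, b, &ab) || !mul_u64_checked(ab, c, &abc))
        return false;
    if (abc > UINT_MAX)
        return false;
    *out = abc;
    return true;
}

/* Hardened 32-bit sizing: widen before multiplying, then bound the result. */
bool size_checked32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint64_t prod = (uint64_t)count * elem_size;
    if (prod > UINT32_MAX)
        return false;
    *out = (uint32_t)prod;
    return true;
}

int main(void)
{
    /* Constructed input: 65536 records of 65536 bytes wraps to 0 in 32 bits. */
    uint32_t sz32;
    printf("32-bit naive size:    %u\n", (unsigned)size_naive32(65536u, 65536u));
    printf("32-bit checked size:  %s\n",
           size_checked32(65536u, 65536u, &sz32) ? "ok" : "rejected");

    /* Constructed input: 2^32 * 2^32 * 1 = 2^64, which wraps to 0 in 64 bits. */
    uint64_t a = (uint64_t)1 << 32, b = (uint64_t)1 << 32, c = 1, out;
    printf("64-bit naive check:   %s\n", fits_naive64(a, b, c) ? "passes" : "rejects");
    printf("64-bit checked:       %s\n", fits_checked(a, b, c, &out) ? "passes" : "rejects");
    return 0;
}
```

Compile with cc -std=c11 -Wall and run: the naive 32-bit size comes out as 0 and the naive 64-bit check passes for 2^32 * 2^32 * 1, while both checked variants reject those inputs. The practical rule the example illustrates is that a product used to size an allocation must be checked for overflow at every multiplication, not only once on the final value, and the check must not itself be computed in a type the operands can saturate.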
