Ubuntu Security Notice USN-5748-1

Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

Packet Storm

==========================================================================
Ubuntu Security Notice USN-5748-1
November 29, 2022

sysstat vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS

Summary:

Sysstat could be made to crash or run programs if it processed specially
crafted data.

Software Description:

  • sysstat: system performance tools for Linux

Details:

It was discovered that Sysstat incorrectly handled certain arithmetic
multiplications. An attacker could use this issue to cause Sysstat to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
isag 12.5.6-1ubuntu0.1
sysstat 12.5.6-1ubuntu0.1

Ubuntu 22.04 LTS:
isag 12.5.2-2ubuntu0.1
sysstat 12.5.2-2ubuntu0.1

Ubuntu 20.04 LTS:
isag 12.2.0-2ubuntu0.2
sysstat 12.2.0-2ubuntu0.2

Ubuntu 18.04 LTS:
isag 11.6.1-1ubuntu0.2
sysstat 11.6.1-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5748-1
CVE-2022-39377

Package Information:
https://launchpad.net/ubuntu/+source/sysstat/12.5.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sysstat/12.5.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/sysstat/12.2.0-2ubuntu0.2
https://launchpad.net/ubuntu/+source/sysstat/11.6.1-1ubuntu0.2

Related news

Ubuntu Security Notice USN-6145-1

Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

RHSA-2023:2800: Red Hat Security Advisory: sysstat security and bug fix update

An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...

Red Hat Security Advisory 2023-2234-01

Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.

RHSA-2023:2234: Red Hat Security Advisory: sysstat security and bug fix update

An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...

Ubuntu Security Notice USN-5735-1

Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.

Gentoo Linux Security Advisory 202211-07

Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.

CVE-2022-39377: sysstat overflow on 32-bit systems

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
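The bug class named in the Details section and in the CVE entry above, as an added illustration that is neither sysstat's code nor taken from the advisory: an allocation size computed as count * elem_size without checking that the product fits in size_t, beside the checked form a reviewer would expect. `size32_t`, `naive_size32`, `checked_size32` and `alloc_array` are constructed names; `size32_t` models a 32-bit size_t so the wrap reproduces on a 64-bit host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added illustration of the bug class in the advisory, not sysstat's code:
 * a buffer size computed as count * elem_size with no check that the
 * product fits. A 32-bit size_t wraps at 2^32, so malloc() receives a
 * size far smaller than the caller assumes. size32_t models a 32-bit
 * size_t so the wrap is reproducible on any host. */
typedef uint32_t size32_t;

/* Vulnerable pattern: the product silently wraps modulo 2^32. */
size32_t naive_size32(size32_t count, size32_t elem_size)
{
    return (size32_t)(count * elem_size);
}

/* Hardened pattern: refuse the allocation when count * elem_size would
 * not fit. With GCC/Clang, __builtin_mul_overflow() expresses the same
 * check in one call. */
bool checked_size32(size32_t count, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;               /* would overflow: fail closed */
    *out = (size32_t)(count * elem_size);
    return true;
}

/* Same check on the host's real size_t, wrapped around malloc(). Returns
 * NULL on overflow instead of handing back an undersized buffer. */
void *alloc_array(size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return NULL;
    return malloc(count * elem_size);
}

int main(void)
{
    /* Constructed input: 65537 records of 65536 bytes need 2^32 + 65536
     * bytes, but the 32-bit product wraps to 65536. */
    size32_t wrapped = naive_size32(65537u, 65536u);   /* 65536 */
    size32_t ok = 0;
    bool fits = checked_size32(65537u, 65536u, &ok);   /* false */
    void *p = alloc_array(SIZE_MAX, 2);                /* NULL */
    free(p);
    return (wrapped == 65536u && !fits && p == NULL) ? 0 : 1;
}
```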
