Headline
RHSA-2023:2234: Red Hat Security Advisory: sysstat security and bug fix update
An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files and may lead to memory corruption or possibly arbitrary code execution due to an incorrectly sized buffer.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-05-09
Updated:
2023-05-09
RHSA-2023:2234 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: sysstat security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for sysstat is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.
Security Fix(es):
- sysstat: arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2141207 - CVE-2022-39377 sysstat: arithmetic overflow in allocate_structures() on 32 bit systems
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
sysstat-12.5.4-5.el9.src.rpm
SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed
x86_64
sysstat-12.5.4-5.el9.x86_64.rpm
SHA-256: 0a0714685cca15063110e18b5d6e7bfebb11733ba17efc2a46712d1c5b0f5c68
sysstat-debuginfo-12.5.4-5.el9.x86_64.rpm
SHA-256: 8f9dce02957ed92822ecea916d677b1811075ae0ea4fba5d98578c20ce581d3b
sysstat-debugsource-12.5.4-5.el9.x86_64.rpm
SHA-256: 7948102d4fd4e7275c91cf24d387d974e3a1f7e232fe43da945fe6ee3591c439
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
sysstat-12.5.4-5.el9.src.rpm
SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed
s390x
sysstat-12.5.4-5.el9.s390x.rpm
SHA-256: c674618b39a9d11dbe36d3b07a65818340d52693be13030c0a683c302cd88af3
sysstat-debuginfo-12.5.4-5.el9.s390x.rpm
SHA-256: 347f3b8ed67a140ed31df5bec7c426773dd991b4e72a788455cea5931160ea7c
sysstat-debugsource-12.5.4-5.el9.s390x.rpm
SHA-256: 9d6503e6ba3d9ab1e32cda301bebd1aa1b8369e096e1878f3a55f439c7224d6f
Red Hat Enterprise Linux for Power, little endian 9
SRPM
sysstat-12.5.4-5.el9.src.rpm
SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed
ppc64le
sysstat-12.5.4-5.el9.ppc64le.rpm
SHA-256: 55cc47f8397edec90cfbcbb3be9cff7b5d318809a7745703a79b53b9e6affefa
sysstat-debuginfo-12.5.4-5.el9.ppc64le.rpm
SHA-256: 3f2f9b8385dce2a204e77ba255e3034e2d960044f3ee9d7ec701d8617a4b02b4
sysstat-debugsource-12.5.4-5.el9.ppc64le.rpm
SHA-256: 877879b5d938d798521a3966d757f2db3d8ff8de708e07844d68e87a3510f2a4
Red Hat Enterprise Linux for ARM 64 9
SRPM
sysstat-12.5.4-5.el9.src.rpm
SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed
aarch64
sysstat-12.5.4-5.el9.aarch64.rpm
SHA-256: 1935b60c55cf01e93407b68037573205dd7f2a9bf408843751cf384fb22f4678
sysstat-debuginfo-12.5.4-5.el9.aarch64.rpm
SHA-256: ec6e9d04cffdaaec36360de843ca5a4db26447d98e184b9dd9bb48462460fae5
sysstat-debugsource-12.5.4-5.el9.aarch64.rpm
SHA-256: 396ccb1567c7ff35c7c55ff0f1ceb705ce5f9b2ad583467b3683cc72c05afd84
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...
Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.
Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.
Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.