
[v2,1/1] package/sysstat: security bump to version 12.6.1

Message ID 20221120102531.16432-1-fontaine.fabrice@gmail.com
State Accepted

Commit Message

Fabrice Fontaine Nov. 20, 2022, 10:25 a.m. UTC
Fix CVE-2022-39377: sysstat is a set of system performance tools for the
Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
but prior to 12.7.1, allocate_structures contains a size_t overflow in
sa_common.c. The allocate_structures function insufficiently checks
bounds before arithmetic multiplication, allowing for an overflow in the
size allocated for the buffer representing system activities. This issue
may lead to Remote Code Execution (RCE).

Despite what is written above in the CVE announcement, and as written in
the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
development version):
https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab

Someone suspicious of the github warning that "this commit does not
belong to any branch on this repository" could check that the
check_overflow function is defined in common.c and used in sa_common.c.

https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2 (after review of Yann E. Morin):
 - Update commit message

 package/sysstat/sysstat.hash | 4 ++--
 package/sysstat/sysstat.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
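The size computation the CVE text above describes, as an added example that is neither sysstat's code nor the upstream fix: a buffer size formed by multiplying counts read from an untrusted data file, first unchecked (the product wraps silently) and then with an overflow check before the multiplication. The function names, the uint32_t stand-in for a 32-bit size_t (so the wrap is visible on any host), and the sample factors are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example (not sysstat code, not the upstream fix): a model of the
 * size computation CVE-2022-39377 describes, where a buffer size is the
 * product of counts taken from an untrusted data file.  uint32_t stands
 * in for size_t on a 32-bit build so the wrap is visible on any host; the
 * function names are made up for this example.
 */
typedef uint32_t sz32;

/* Unchecked: the product wraps modulo 2^32, so a huge request turns into
 * a tiny (even zero-byte) allocation that later writes will overrun. */
sz32 naive_buffer_size(sz32 nr_items, sz32 item_size)
{
    return nr_items * item_size;
}

/* Checked: refuse when a * b does not fit in sz32.  Division-based test,
 * so it is portable and does not rely on compiler builtins. */
int mul_fits(sz32 a, sz32 b, sz32 *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Generalisation: chained product over several factors (e.g. number of
 * activities x items per activity x bytes per item), checked at each step. */
int checked_buffer_size(const sz32 *factors, int n, sz32 *out)
{
    sz32 acc = 1;
    for (int i = 0; i < n; i++) {
        if (!mul_fits(acc, factors[i], &acc))
            return 0;
    }
    *out = acc;
    return 1;
}

/* Allocate only after the size check passed; returns NULL on overflow. */
void *alloc_items(sz32 nr_items, sz32 item_size)
{
    sz32 size;
    if (!mul_fits(nr_items, item_size, &size))
        return NULL;
    return calloc(1, size);
}

/* Convenience for stand-alone runs and tests: 1 if allocation succeeded. */
int try_alloc(sz32 nr_items, sz32 item_size)
{
    void *p = alloc_items(nr_items, item_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    sz32 size;
    sz32 big[] = { 65536, 2, 32768 };   /* constructed: product is exactly 2^32 */

    printf("naive 65536*65536 -> %lu bytes\n",
           (unsigned long)naive_buffer_size(65536, 65536));
    printf("checked 65536*65536 -> %s\n",
           mul_fits(65536, 65536, &size) ? "ok" : "rejected");
    printf("checked 65536*2*32768 -> %s\n",
           checked_buffer_size(big, 3, &size) ? "ok" : "rejected");
    printf("alloc 1000 x 64 -> %s\n", try_alloc(1000, 64) ? "ok" : "rejected");
    return 0;
}
```

The unchecked variant turns 65536 x 65536 into a zero-byte allocation, which is exactly the kind of undersized buffer the advisory warns about. The message notes that the upstream fix adds a check_overflow helper in common.c; the division-based test here is one standard way to implement such a check, the point being to test before multiplying and to refuse the allocation rather than continue with a wrapped size.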

Comments

Yann E. MORIN Nov. 20, 2022, 10:49 a.m. UTC | #1
Fabrice, All,

On 2022-11-20 11:25 +0100, Fabrice Fontaine spake thusly:
> Fix CVE-2022-39377: sysstat is a set of system performance tools for the
> Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
> but prior to 12.7.1, allocate_structures contains a size_t overflow in
> sa_common.c. The allocate_structures function insufficiently checks
> bounds before arithmetic multiplication, allowing for an overflow in the
> size allocated for the buffer representing system activities. This issue
> may lead to Remote Code Execution (RCE).
> 
> Despite what is written above in the CVE announcement, and as written in
> the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
> development version):
> https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab

The issue is that the NVD considers 12.6.1 to be impacted; with your
patch applied, and a configuration that enables sysstat:

    $ make pkg-stats
    [...]
    $ jq .packages.sysstat.cves < pkg-stats.json
    [
      "CVE-2022-39377"
    ]

So, you also need to push to the NVD the fact that versions 12.6.x are
not affected, but 12.6.0 which still is.

In the meantime, I guess we need an exclusion in the .mk, but I am
not sure what our policy is in this respect...

> Someone suspicious of the github warning that "this commit does not
> belong to any branch on this repository" could check that the
> check_overflow function is defined in common.c and used in sa_common.c.

Sorry, but I don't buy that. So I had to investigate to understand where
that commit hash comes from.

So, Github reports that "commit does not belong to any branch on this
repository", and indeed there is no branch whose history contains that
commit hash.

However, said commit hash *is* reachable from the 12.6.1 _tag_. That is,
the sysstat repository does not contain any branch but master, and fix
releases are only pushed as tags with their history.

So, the warning by Github is misleading, as the referenced commit does
belong to the repository via a tag.

Regards,
Yann E. MORIN.

> https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
> https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2 (after review of Yann E. Morin):
>  - Update commit message
> 
>  package/sysstat/sysstat.hash | 4 ++--
>  package/sysstat/sysstat.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
> index b573f312c6..b47f000e57 100644
> --- a/package/sysstat/sysstat.hash
> +++ b/package/sysstat/sysstat.hash
> @@ -1,5 +1,5 @@
>  # From: http://sebastien.godard.pagesperso-orange.fr/download.html
> -sha1  1e38bc029979def730ae1fb1e39f631bd1a3bc73  sysstat-12.4.2.tar.xz
> +sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz
>  # Locally calculated
> -sha256  3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f  sysstat-12.4.2.tar.xz
> +sha256  18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342  sysstat-12.6.1.tar.xz
>  sha256  db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73  COPYING
> diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk
> index 6948f6b390..377396d986 100644
> --- a/package/sysstat/sysstat.mk
> +++ b/package/sysstat/sysstat.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -SYSSTAT_VERSION = 12.4.2
> +SYSSTAT_VERSION = 12.6.1
>  SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
>  SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard
>  SYSSTAT_CONF_OPTS = --disable-file-attr
> -- 
> 2.35.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Yann E. MORIN Nov. 20, 2022, 11:07 a.m. UTC | #2
Fabrice, All,

On 2022-11-20 11:49 +0100, Yann E. MORIN spake thusly:
> On 2022-11-20 11:25 +0100, Fabrice Fontaine spake thusly:
> > Fix CVE-2022-39377: sysstat is a set of system performance tools for the
> > Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
> > but prior to 12.7.1, allocate_structures contains a size_t overflow in
> > sa_common.c. The allocate_structures function insufficiently checks
> > bounds before arithmetic multiplication, allowing for an overflow in the
> > size allocated for the buffer representing system activities. This issue
> > may lead to Remote Code Execution (RCE).
> > 
> > Despite what is written above in the CVE announcement, and as written in
> > the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
> > development version):
> > https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab
> 
> The issue is that the NVD considers 12.6.1 to be impacted; with your
> patch applied, and a configuration that enables sysstat:
> 
>     $ make pkg-stats
>     [...]
>     $ jq .packages.sysstat.cves < pkg-stats.json
>     [
>       "CVE-2022-39377"
>     ]
> 
> So, you also need to push to the NVD the fact that versions 12.6.x are
> not affected, but 12.6.0 which still is.
> 
> In the meantime, I guess we need an exclusion in the .mk, but I am
> not sure what our policy is in this respect...
> 
> > Someone suspicious of the github warning that "this commit does not
> > belong to any branch on this repository" could check that the
> > check_overflow function is defined in common.c and used in sa_common.c.
> 
> Sorry, but I don't buy that. So I had to investigate to understand where
> that commit hash comes from.
> 
> So, Github reports that "commit does not belong to any branch on this
> repository", and indeed there is no branch whose history contains that
> commit hash.
> 
> However, said commit hash *is* reachable from the 12.6.1 _tag_. That is,
> the sysstat repository does not contain any branch but master, and fix
> releases are only pushed as tags with their history.
> 
> So, the warning by Github is misleading, as the referenced commit does
> belong to the repository via a tag.
> 
> Regards,
> Yann E. MORIN.
> 
> > https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
> > https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
> > 
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, with tweaks about the mentioned issues, thanks.

Regards,
Yann E. MORIN.

> > ---
> > Changes v1 -> v2 (after review of Yann E. Morin):
> >  - Update commit message
> > 
> >  package/sysstat/sysstat.hash | 4 ++--
> >  package/sysstat/sysstat.mk   | 2 +-
> >  2 files changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
> > index b573f312c6..b47f000e57 100644
> > --- a/package/sysstat/sysstat.hash
> > +++ b/package/sysstat/sysstat.hash
> > @@ -1,5 +1,5 @@
> >  # From: http://sebastien.godard.pagesperso-orange.fr/download.html
> > -sha1  1e38bc029979def730ae1fb1e39f631bd1a3bc73  sysstat-12.4.2.tar.xz
> > +sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz
> >  # Locally calculated
> > -sha256  3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f  sysstat-12.4.2.tar.xz
> > +sha256  18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342  sysstat-12.6.1.tar.xz
> >  sha256  db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73  COPYING
> > diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk
> > index 6948f6b390..377396d986 100644
> > --- a/package/sysstat/sysstat.mk
> > +++ b/package/sysstat/sysstat.mk
> > @@ -4,7 +4,7 @@
> >  #
> >  ################################################################################
> >  
> > -SYSSTAT_VERSION = 12.4.2
> > +SYSSTAT_VERSION = 12.6.1
> >  SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
> >  SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard
> >  SYSSTAT_CONF_OPTS = --disable-file-attr
> > -- 
> > 2.35.1
> > 
> 
> -- 
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

Patch

diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
index b573f312c6..b47f000e57 100644
--- a/package/sysstat/sysstat.hash
+++ b/package/sysstat/sysstat.hash
@@ -1,5 +1,5 @@ 
 # From: http://sebastien.godard.pagesperso-orange.fr/download.html
-sha1  1e38bc029979def730ae1fb1e39f631bd1a3bc73  sysstat-12.4.2.tar.xz
+sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz
 # Locally calculated
-sha256  3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f  sysstat-12.4.2.tar.xz
+sha256  18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342  sysstat-12.6.1.tar.xz
 sha256  db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73  COPYING
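Review bot: the only upstream-published value in this hunk is the sha1 on the line `+sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz`, taken from the plain-http download page named in the `# From:` comment; the sha256 below it is marked "Locally calculated", so it only attests to whatever tarball sat on the committer's disk. The check worth stating in the commit message, or confirming in review, is that the sha1 of the fetched 12.6.1 tarball was compared against the upstream page before the sha256 was computed, otherwise a tampered download would be enshrined with a matching local hash. Leaving the COPYING sha256 unchanged is expected if the license text did not change between 12.4.2 and 12.6.1; the legal-info hash check will flag it if it did.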
diff --git a/package/sysstat/sysstat.mk b/package/sysstat/sysstat.mk
index 6948f6b390..377396d986 100644
--- a/package/sysstat/sysstat.mk
+++ b/package/sysstat/sysstat.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-SYSSTAT_VERSION = 12.4.2
+SYSSTAT_VERSION = 12.6.1
 SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
 SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard
 SYSSTAT_CONF_OPTS = --disable-file-attr
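Review bot: the version bump alone leaves CVE-2022-39377 reported against this package, since, as the thread notes, the NVD still lists 12.6.1 as affected even though the fix commit is reachable from the v12.6.1 tag. A one-line exclusion in this hunk, right after `+SYSSTAT_VERSION = 12.6.1`, would make `make pkg-stats` reflect reality: `SYSSTAT_IGNORE_CVES += CVE-2022-39377`, preceded by a comment citing the upstream fix commit c1e631eddc50c04e4dcea169ba396bee2bd6b0ab so a later reader can see why the exclusion is safe (`<PKG>_IGNORE_CVES` is Buildroot's existing mechanism for this). Separately, the unchanged `SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard` fetches over plain http, so the tarball's integrity rests entirely on the sha256 recorded in sysstat.hash; that is acceptable only if that hash was derived from a download whose upstream sha1 was verified.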