Bug 13325

Summary: [CVE 21] sysstat 12.5.3 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2022-39377
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:03:20 MSK
Please patch CVEs for package sysstat version 12.5.3

INFO (CVEs are): sysstat 12.5.3 CVEs found
CVE-2022-39377
Desc: sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-39377
Severity: HIGH
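The NVD text above describes a multiply-then-allocate size computation that wraps on 32-bit size_t. The following is an added illustration of that pattern next to a checked version; it is not sysstat's code and not the upstream 12.7.1 fix. The 32-bit size type, the three factors (nr_items, item_size, nr_records) and the sample values are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit size type so the wrap reproduces on a 64-bit host;
 * on a real 32-bit build size_t itself is this narrow. */
typedef uint32_t size32_t;

/* Unchecked pattern: the counts are multiplied first and only the wrapped
 * result reaches the allocator, so a huge element count yields a small
 * buffer. Returns the size that would be requested. */
size32_t unchecked_alloc_size(size32_t nr_items, size32_t item_size,
                              size32_t nr_records)
{
    return nr_items * item_size * nr_records;   /* wraps modulo 2^32 */
}

/* Hardened pattern: each multiplication is checked against the width of
 * the size type before it is performed. Returns 1 and stores the size in
 * *out, or 0 when a factor is zero or the product would not fit. */
int checked_alloc_size(size32_t nr_items, size32_t item_size,
                       size32_t nr_records, size32_t *out)
{
    size32_t tmp;

    if (nr_items == 0 || item_size == 0 || nr_records == 0)
        return 0;
    if (nr_items > UINT32_MAX / item_size)
        return 0;
    tmp = nr_items * item_size;
    if (tmp > UINT32_MAX / nr_records)
        return 0;
    *out = tmp * nr_records;
    return 1;
}

int main(void)
{
    /* Constructed sample: 65537 items of 65536 bytes, one record. */
    size32_t sz = 0;
    int ok = checked_alloc_size(65537u, 65536u, 1u, &sz);

    printf("unchecked size: %u bytes\n",
           (unsigned)unchecked_alloc_size(65537u, 65536u, 1u)); /* 65536 */
    printf("checked size: %s\n", ok ? "accepted" : "refused"); /* refused */
    return 0;
}
```

The unchecked product 65537 * 65536 equals 2^32 + 65536, so a 32-bit allocator request shrinks to 65536 bytes while the caller still believes it has room for 65537 elements; the checked variant refuses the request instead.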
Comment 1 Aleksandr Proklov 2023-05-23 11:29:51 MSK
Updated the version to 12.7.2 and added a patch to close CVE-2022-39377.
As a side effect, it now also builds on e2k and riscv64.

https://abf.io/build_lists/4443251
https://abf.io/build_lists/4443252
https://abf.io/build_lists/4443253
https://abf.io/build_lists/4443254
https://abf.io/build_lists/4443255
Comment 2 Dmitry Postnikov 2023-05-23 12:47:24 MSK
The update has been sent to testing.
Comment 3 Vladimir Potapov 2023-05-31 09:40:25 MSK
sysstat-12.7.2-1
https://abf.io/build_lists/4443251
https://abf.io/build_lists/4443252
https://abf.io/build_lists/4443253
https://abf.io/build_lists/4443254
https://abf.io/build_lists/4443255
*************************** Advisory ***********************
up to 12.7.2 and fix CVE-2022-39377 by patch
************************************************************
QA Verified
Comment 4 Yury 2023-07-05 11:23:49 MSK
Secteam Approved