[Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1

Yann E. MORIN yann.morin.1998 at free.fr
Sun Nov 20 10:05:34 UTC 2022


Fabrice, All,

On 2022-11-20 10:49 +0100, Fabrice Fontaine spake thusly:
> On Sun 20 Nov 2022 at 10:09, Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
>   As you quote the NVD description, it states that versions lower than
>   12.7.1 are impacted, yet you only bump to 12.6.1.
> 12.7.1 is a development version: http://sebastien.godard.pagesperso-orange.fr/
> 
>   Also, the pointer you provided to the changelog does not mention
>   CVE-2022-39377. Besides, github warns that it is not part of the
> The changelog mentions GHSL-2022-074 (a.k.a. CVE-2022-39377):
> 2022/11/06: Version 12.6.1 - Sebastien Godard (sysstat <at> orange.fr)
> * Fix possible overflow in sa_common.c (GHSL-2022-074).

It's rather hard to correlate "GHSL-2022-074" with "CVE-2022-39377". ;-)

OK, can you mention both pieces of information in the commit log when you respin?

>   sysstat repository (/!\ This commit does not belong to any branch on
>   this repository, and may belong to a fork outside of the repository).
> 
>   Can you double-check, please: if 12.6.1 indeed fixes the issue, then
>   extend the commit log with the appropriate references; if not then we
>   should bump to 12.7.1.
> 
> And finally, here is the commit that fixes the issue on 12.6.1:
> https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab

That's again weird, because github still warns that the referenced
commit is not part of any branch in the sysstat repository...

I don't know how you came up with that commit, but I could find
9c4eaf150662ad40607923389d4519bc83b93540 in the upstream repository.

Regards,
Yann E. MORIN.

>   Regards,
>   Yann E. MORIN.
> 
>   > sa_common.c. The allocate_structures function insufficiently checks
>   > bounds before arithmetic multiplication, allowing for an overflow in the
>   > size allocated for the buffer representing system activities. This issue
>   > may lead to Remote Code Execution (RCE).
>   >
>   > https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
>   > https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
>   >
>   > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
>   > ---
>   >  package/sysstat/sysstat.hash | 4 ++--
>   >  package/sysstat/ [8]sysstat.mk   | 2 +-
>   >  2 files changed, 3 insertions(+), 3 deletions(-)
>   >
>   > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
>   > index b573f312c6..b47f000e57 100644
>   > --- a/package/sysstat/sysstat.hash
>   > +++ b/package/sysstat/sysstat.hash
>   > @@ -1,5 +1,5 @@
>   >  # From: [9]http://sebastien.godard.pagesperso-orange.fr/download.html
>   > -sha1  1e38bc029979def730ae1fb1e39f631bd1a3bc73  sysstat-12.4.2.tar.xz
>   > +sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz
>   >  # Locally calculated
>   > -sha256  3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f  sysstat-12.4.2.tar.xz
>   > +sha256  18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342  sysstat-12.6.1.tar.xz
>   >  sha256  db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73  COPYING
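Review bot: the sha1 line (`sha1  a730982e0c2d4964a0022c1509f3ea0a345402bc  sysstat-12.6.1.tar.xz`) is the only hash in this hunk attested by upstream, and the page it comes from (`# From: http://sebastien.godard.pagesperso-orange.fr/download.html`) is plain http, while the sha256 is marked "Locally calculated"; neither the hunk nor the commit log says that the tarball the sha256 was computed on is the one whose sha1 matched upstream's page. Add that sentence to the commit log so reviewers know the sha256 pins a verified download rather than whatever happened to be fetched.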
>   > diff --git a/package/sysstat/ [10]sysstat.mk b/package/sysstat/ [11]sysstat.mk
>   > index 6948f6b390..377396d986 100644
>   > --- a/package/sysstat/ [12]sysstat.mk
>   > +++ b/package/sysstat/ [13]sysstat.mk
>   > @@ -4,7 +4,7 @@
>   >  #
>   >  ################################################################################
>>   > -SYSSTAT_VERSION = 12.4.2
>   > +SYSSTAT_VERSION = 12.6.1
>   >  SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
>   >  SYSSTAT_SITE = [14]http://pagesperso-orange.fr/sebastien.godard
>   >  SYSSTAT_CONF_OPTS = --disable-file-attr
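Review bot: the bump of `SYSSTAT_VERSION = 12.6.1` carries no trace of why 12.6.1 rather than the 12.7.1 named in the NVD description is sufficient; as raised in the thread, the commit log should cite both GHSL-2022-074 (the identifier the 12.6.1 CHANGES entry uses) and CVE-2022-39377, and point at a fix commit that actually exists in the sysstat repository (the thread names 9c4eaf150662ad40607923389d4519bc83b93540, whereas c1e631eddc50c04e4dcea169ba396bee2bd6b0ab is flagged by github as not on any branch). Note also that `SYSSTAT_SITE` stays plain http, so the hash file is the only integrity check on the download.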
>   > --
>   > 2.35.1
>   >
>   > _______________________________________________
>   > buildroot mailing list
>   > buildroot at buildroot.org
>   > https://lists.buildroot.org/mailman/listinfo/buildroot
> 
>   --
>   .-----------------.--------------------.------------------.--------------------.
>   |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
>   | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___           
>      |
>   | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
>   | [17]http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
>   '------------------------------^-------^------------------^--------------------'
> 
> Best Regards,
> Fabrice
> 

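As an added illustration of the bug class the quoted advisory describes (count times element size computed before the bounds are checked, so the allocated buffer is smaller than the code later fills), here is hypothetical C written for this note, not sysstat's allocate_structures() and not part of the patch or the thread: the unchecked sizing beside a version that detects the wrap and bounds the result. The cap value and function names are constructed for the example.

```c
/* Added example: overflow-checked sizing before allocation.
 * Hypothetical code, not sysstat's allocate_structures(). */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed cap: no activity buffer is expected to exceed this. */
#define MAX_ACTIVITY_BUFFER ((size_t)64 * 1024 * 1024)

/* Vulnerable style: the product is computed and handed to the allocator
 * before anyone checks it. If nr_items * item_size exceeds SIZE_MAX the
 * result wraps, so the allocator returns a buffer far smaller than the
 * number of items the caller will later write into it. */
size_t unchecked_buffer_size(size_t nr_items, size_t item_size)
{
    return nr_items * item_size;   /* unsigned wrap is silent */
}

/* Hardened style: detect the wrap with the compiler's checked multiply
 * (GCC/Clang __builtin_mul_overflow), then bound the result by a cap.
 * Returns true and stores the size in *total only when it is safe to use. */
bool checked_buffer_size(size_t nr_items, size_t item_size, size_t *total)
{
    size_t product;

    if (nr_items == 0 || item_size == 0)
        return false;                      /* nothing sensible to allocate */
    if (__builtin_mul_overflow(nr_items, item_size, &product))
        return false;                      /* would wrap in size_t */
    if (product > MAX_ACTIVITY_BUFFER)
        return false;                      /* arithmetically fine, but absurd */
    *total = product;
    return true;
}

/* Allocation path: refuse outright rather than hand back a truncated
 * buffer that later indexing will overrun. */
void *alloc_activity_buffer(size_t nr_items, size_t item_size)
{
    size_t total;

    if (!checked_buffer_size(nr_items, item_size, &total))
        return NULL;
    return calloc(1, total);
}
```

With nr_items = SIZE_MAX / 4 + 1 and item_size = 8 the unchecked product wraps to 0 on both 32-bit and 64-bit targets, while the checked version rejects it.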


-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


