[Buildroot] [PATCH 1/1] package/sysstat: security bump to version 12.6.1
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Nov 20 10:05:34 UTC 2022
Fabrice, All,
On 2022-11-20 10:49 +0100, Fabrice Fontaine spake thusly:
> On Sun, 20 Nov 2022 at 10:09, Yann E. MORIN <[1]yann.morin.1998 at free.fr> wrote:
> > As you quote the NVD description, it states that versions lower than
> > 12.7.1 are impacted, yet you only bump to 12.6.1.
> 12.7.1 is a development version: [2]http://sebastien.godard.pagesperso-orange.fr/
>
> > Also, the pointer you provided to the changelog does not mention
> > CVE-2022-39377. Besides, github warns that it is not part of the
> Changelog is mentioning GHSL-2022-074 (a.k.a. CVE-2022-39377):
> 2022/11/06: Version 12.6.1 - Sebastien Godard (sysstat <at> [3]orange.fr)
> * Fix possible overflow in sa_common.c (GHSL-2022-074).
It's rather hard to correlate "GHSL-2022-074" with "CVE-2022-39377". ;-)
OK, can you mention both in the commit log when you respin?
> > sysstat repository (/!\ This commit does not belong to any branch on
> > this repository, and may belong to a fork outside of the repository).
> >
> > Can you double-check, please: if 12.6.1 indeed fixes the issue, then
> > extend the commit log with the appropriate references; if not then we
> > should bump to 12.7.1.
>
> And finally, here is the commit that fixes the issue on 12.6.1:
> [4]https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab
That's again weird, because github still warns that the referenced
commit is not part of any branch in the sysstat repository...
I don't know how you came up with that commit, but I could find
9c4eaf150662ad40607923389d4519bc83b93540 in the upstream repository.
Regards,
Yann E. MORIN.
> > Regards,
> > Yann E. MORIN.
> >
> > sa_common.c. The allocate_structures function insufficiently checks
> > bounds before arithmetic multiplication, allowing for an overflow in the
> > size allocated for the buffer representing system activities. This issue
> > may lead to Remote Code Execution (RCE).
> >
> > [5]https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
> > [6]https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
> >
> > Signed-off-by: Fabrice Fontaine < [7]fontaine.fabrice at gmail.com>
> > ---
> > package/sysstat/sysstat.hash | 4 ++--
> > package/sysstat/ [8]sysstat.mk | 2 +-
> > 2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/package/sysstat/sysstat.hash b/package/sysstat/sysstat.hash
> > index b573f312c6..b47f000e57 100644
> > --- a/package/sysstat/sysstat.hash
> > +++ b/package/sysstat/sysstat.hash
> > @@ -1,5 +1,5 @@
> > # From: [9]http://sebastien.godard.pagesperso-orange.fr/download.html
> > -sha1 1e38bc029979def730ae1fb1e39f631bd1a3bc73 sysstat-12.4.2.tar.xz
> > +sha1 a730982e0c2d4964a0022c1509f3ea0a345402bc sysstat-12.6.1.tar.xz
> > # Locally calculated
> > -sha256 3701b2c1883d50eb384d7b95ce5b6df0a71fdcb3c23f96cb58098d1bcffa018f sysstat-12.4.2.tar.xz
> > +sha256 18ff5a4e149e2568e43385637f72437fe6bafcc1322a93d13d1981e9464a0342 sysstat-12.6.1.tar.xz
> > sha256 db296f2f7f35bca3a174efb0eb392b3b17bd94b341851429a3dff411b1c2fc73 COPYING
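Review bot: the only upstream-anchored check on the new tarball in this hunk is the sha1 line taken from the download page, while the new sha256 line is marked "Locally calculated" and therefore only attests to whatever file the submitter fetched; since sha1 is a weak integrity hash and SYSSTAT_SITE is a plain http:// URL, confirm that the downloaded sysstat-12.6.1.tar.xz matches the upstream-published sha1 before deriving the sha256 from that same file, and state in the commit log that this cross-check was done. The unchanged COPYING hash is consistent with no licence change in the bump.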
> > diff --git a/package/sysstat/ [10]sysstat.mk b/package/sysstat/ [11]sysstat.mk
> > index 6948f6b390..377396d986 100644
> > --- a/package/sysstat/ [12]sysstat.mk
> > +++ b/package/sysstat/ [13]sysstat.mk
> > @@ -4,7 +4,7 @@
> > #
> > ################################################################################
> >
> > -SYSSTAT_VERSION = 12.4.2
> > +SYSSTAT_VERSION = 12.6.1
> > SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
> > SYSSTAT_SITE = [14]http://pagesperso-orange.fr/sebastien.godard
> > SYSSTAT_CONF_OPTS = --disable-file-attr
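Review bot: the SYSSTAT_VERSION bump from 12.4.2 to 12.6.1 crosses two minor versions and, as the thread above notes, the NVD text for CVE-2022-39377 names versions below 12.7.1 as affected, so the commit log should cite the 12.6.1 CHANGES entry "Fix possible overflow in sa_common.c (GHSL-2022-074)" and the upstream fix commit, making the fixed-in version verifiable from the log alone; note also that SYSSTAT_SITE stays a plain http:// URL, so the .hash entries are the only integrity guarantee for the download and should be cross-checked as above.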
> > --
> > 2.35.1
> >
> > _______________________________________________
> > buildroot mailing list
> > [15]buildroot at buildroot.org
> > [16]https://lists.buildroot.org/mailman/listinfo/buildroot
>
> > --
> > .-----------------.--------------------.------------------.--------------------.
> > | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
> > | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
> > | [17]http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
> > '------------------------------^-------^------------------^--------------------'
>
> Best Regards,
> Fabrice
>
> Links:
> 1. mailto:yann.morin.1998 at free.fr
> 2. http://sebastien.godard.pagesperso-orange.fr/
> 3. http://orange.fr
> 4. https://github.com/sysstat/sysstat/commit/c1e631eddc50c04e4dcea169ba396bee2bd6b0ab
> 5. https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
> 6. https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
> 7. mailto:fontaine.fabrice at gmail.com
> 8. http://sysstat.mk
> 9. http://sebastien.godard.pagesperso-orange.fr/download.html
> 10. http://sysstat.mk
> 11. http://sysstat.mk
> 12. http://sysstat.mk
> 13. http://sysstat.mk
> 14. http://pagesperso-orange.fr/sebastien.godard
> 15. mailto:buildroot at buildroot.org
> 16. https://lists.buildroot.org/mailman/listinfo/buildroot
> 17. http://ymorin.is-a-geek.org/
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
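The advisory text quoted in the patch above describes an unchecked multiplication when sizing the buffer that holds system activities. As an added illustration of that bug class (example code written for this page, not sysstat's code; the record layout, the function names and the 4096 cap are assumptions), here is the unchecked size computation next to the check that rejects the wrap:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical fixed-size record standing in for one "system activity"
 * entry; the real sysstat structures are not reproduced here.
 */
struct activity_rec {
    uint64_t counters[8];   /* 64 bytes */
};

/*
 * Vulnerable pattern: count comes from untrusted input (for sysstat, a
 * data file header) and is multiplied into a byte size with no check.
 * The product silently wraps modulo SIZE_MAX + 1, so a large count can
 * yield a tiny allocation that the later fill loop overruns. This helper
 * only computes the size, so the wrap can be observed without allocating.
 */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/*
 * Hardened pattern: reject the request if count * elem_size cannot be
 * represented in size_t. Dividing first keeps the check itself free of
 * overflow. Returns 1 and stores the byte count, or 0 on overflow.
 */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size == 0) {
        *out = 0;
        return 1;
    }
    if (count > SIZE_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Byte count on success, 0 when the checked computation rejects it. */
size_t checked_bytes_or_zero(size_t count, size_t elem_size)
{
    size_t bytes = 0;

    if (!checked_alloc_size(count, elem_size, &bytes))
        return 0;
    return bytes;
}

/*
 * Allocation with both defences: a sanity cap on the element count (so an
 * in-range but absurd count does not become a multi-gigabyte request) and
 * the overflow check above. Zero-length requests are refused too.
 * Returns NULL when any check fails.
 */
struct activity_rec *alloc_records(size_t count, size_t max_count)
{
    size_t bytes;

    if (count == 0 || count > max_count)
        return NULL;
    if (!checked_alloc_size(count, sizeof(struct activity_rec), &bytes))
        return NULL;
    /* Allocate the checked byte count, zero-filled. */
    return calloc(1, bytes);
}

/* 1 if alloc_records() accepts the request (buffer is freed again), else 0. */
int records_allocatable(size_t count, size_t max_count)
{
    struct activity_rec *recs = alloc_records(count, max_count);

    if (recs == NULL)
        return 0;
    free(recs);
    return 1;
}

int main(void)
{
    const size_t elem = sizeof(struct activity_rec);
    /* Smallest count whose byte size no longer fits in size_t. */
    const size_t huge = SIZE_MAX / elem + 1;

    printf("unchecked: %zu records -> %zu bytes (wrapped)\n",
           huge, unchecked_alloc_size(huge, elem));
    printf("checked:   %zu records -> %s\n",
           huge, checked_bytes_or_zero(huge, elem) ? "accepted" : "rejected");
    printf("1000 records -> %zu bytes, allocatable: %d\n",
           checked_bytes_or_zero(1000, elem), records_allocatable(1000, 4096));
    printf("huge count allocatable: %d\n", records_allocatable(huge, 4096));
    return 0;
}
```

The count cap matters as much as the overflow check: a count just below SIZE_MAX / elem_size passes the multiplication check yet still requests far more memory than any sane input needs, so the two checks together are what turn an attacker-chosen count into a clean failure rather than an undersized buffer.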