CVE-2022-39377

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
Classic Buffer Overflow
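The pattern the description names (a size computed by multiplying a count by an element size, with no check that the product fits a 32-bit size_t) is shown below with its hardened form. This is an added illustration, not sysstat's allocate_structures or any code from sa_common.c; the function names, the activity_rec type and the record count are hypothetical, and the 32-bit size_t of the affected platforms is modelled explicitly with uint32_t so the example behaves the same on a 64-bit build host.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The advisory says the overflow only bites on 32-bit systems, where size_t
 * is 32 bits wide. Model that width explicitly (assumption: uint32_t stands
 * in for the platform size_t) so the wrap is reproducible anywhere. */
typedef uint32_t size32_t;

/* Hypothetical record type standing in for the per-activity structures
 * being sized; the real layout in sysstat is not shown on this page. */
struct activity_rec {
    uint32_t fields[4];          /* 16 bytes */
};

/* Vulnerable pattern: multiply first, check nothing. With a 32-bit size the
 * product wraps modulo 2^32, so a huge count yields a tiny allocation that
 * later per-record writes run past. */
static size32_t unchecked_alloc_size(size32_t nr, size32_t elem_size)
{
    return nr * elem_size;       /* silently wraps */
}

/* Hardened pattern: detect the wrap before it happens and refuse. Returns 0
 * and stores the byte count in *out on success, -1 if nr * elem_size does
 * not fit in a 32-bit size. */
static int checked_alloc_size(size32_t nr, size32_t elem_size, size32_t *out)
{
    size32_t bytes;
    if (__builtin_mul_overflow(nr, elem_size, &bytes))   /* GCC/Clang builtin */
        return -1;
    *out = bytes;
    return 0;
}

/* Same check without the compiler builtin: if nr exceeds the largest
 * multiplier that keeps elem_size * nr within range, the product overflows. */
static int checked_alloc_size_portable(size32_t nr, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && nr > UINT32_MAX / elem_size)
        return -1;
    *out = nr * elem_size;
    return 0;
}

/* How many whole records the (possibly wrapped) buffer can actually hold,
 * versus how many the caller believes it allocated. */
static size32_t records_that_fit(size32_t bytes, size32_t elem_size)
{
    return elem_size ? bytes / elem_size : 0;
}

int main(void)
{
    /* Constructed input: a record count chosen so that nr * 16 == 2^32 + 16. */
    const size32_t nr = 0x10000001u;
    const size32_t es = (size32_t)sizeof(struct activity_rec);
    size32_t bytes;

    size32_t wrapped = unchecked_alloc_size(nr, es);
    printf("unchecked: %" PRIu32 " records x %" PRIu32 " bytes -> %" PRIu32
           " bytes allocated (fits %" PRIu32 " records)\n",
           nr, es, wrapped, records_that_fit(wrapped, es));

    if (checked_alloc_size(nr, es, &bytes) != 0)
        printf("checked:   refused, %" PRIu32 " * %" PRIu32
               " overflows a 32-bit size\n", nr, es);

    if (checked_alloc_size_portable(1024, es, &bytes) == 0)
        printf("checked:   1024 * %" PRIu32 " = %" PRIu32
               " bytes, allocation proceeds\n", es, bytes);

    return 0;
}
```

The refusal path is what the fix class amounts to: the multiplication must be validated (or performed in a wider type) before its result is handed to the allocator. On a 64-bit size_t the same product fits and the unchecked version behaves correctly, which is why the advisory restricts the impact to 32-bit systems.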
Provider    Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST        NIST   7.0 HIGH     LOCAL         HIGH              LOW              CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_M    CNA    7.0 HIGH     LOCAL         HIGH              LOW              CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE         ADP    ---          ---           ---               ---              ---
CISA-ADP    ADP    ---          ---           ---               ---              ---
CVSS 3.x base score: 7.0 HIGH
EPSS percentile: 80%
Vulnerable software versions (x)
Vendor            Product        Version
sysstat_project   sysstat        9.1.6 ≤ x < 12.6.1
debian            debian_linux   x = 10.0
Debian Releases
Product   Codename   Version    Status
sysstat   bullseye   ---        no-dsa
sysstat   bookworm   12.6.1-1   fixed
sysstat   sid        12.7.5-2   fixed
sysstat   trixie     12.7.5-2   fixed
Ubuntu Releases
Product   Codename   Fixed version             Status
sysstat   lunar      12.5.6-1ubuntu1           released
sysstat   kinetic    12.5.6-1ubuntu0.1         released
sysstat   jammy      12.5.2-2ubuntu0.1         released
sysstat   focal      12.2.0-2ubuntu0.2         released
sysstat   bionic     11.6.1-1ubuntu0.2         released
sysstat   xenial     11.2.0-1ubuntu0.3+esm1    released
sysstat   trusty     10.2.0-1ubuntu0.1~esm1    released