-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3058
                          sysstat security update
                                29 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sysstat
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-33204 CVE-2022-39377 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/05/msg00026.html

Comment: CVSS (Max):  7.8 CVE-2023-33204 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3434-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
May 27, 2023                                  https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : sysstat
Version        : 12.0.3-2+deb10u2
CVE ID         : CVE-2023-33204
Debian Bug     : 1036294

It was discovered that sysstat, a set of system performance tools for
Linux, incompletely fixed CVE-2022-39377 (as published in DLA-3188-1),
which could lead to crashes and possibly remote code execution.

CVE-2023-33204

    sysstat allows a multiplication integer overflow in check_overflow
    in common.c. NOTE: this issue exists because of an incomplete fix
    for CVE-2022-39377.

For reference, the initial vulnerability was:

CVE-2022-39377

    On 32 bit systems, allocate_structures contains a size_t overflow
    in sa_common.c. The allocate_structures function insufficiently
    checks bounds before arithmetic multiplication, allowing for an
    overflow in the size allocated for the buffer representing system
    activities. This issue may lead to Remote Code Execution (RCE).
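Both entries above describe the same defect class: an allocation size is
computed as a product (count times element size) and the product is only
compared against a limit after it has already wrapped, so an oversized
request passes the check and a too-small buffer is allocated. The C program
below is an added, constructed illustration written for this bulletin, not
sysstat's source code: flawed_size_ok, safe_mul, safe_mul3 and alloc_matrix
are hypothetical names, and sz32_t stands in for size_t on a 32-bit system
so that the wraparound reproduces when the file is built on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for size_t on a 32-bit system (assumption for this demo), so
 * the modulo-2^32 wraparound described in the advisory is reproducible
 * on a 64-bit host. */
typedef uint32_t sz32_t;
#define SZ32_MAX UINT32_MAX

/* Flawed pattern (constructed illustration, not sysstat's code): the
 * product is computed first and checked afterwards. Unsigned arithmetic
 * wraps silently, so a wrapped (small) total passes the limit test. */
int flawed_size_ok(sz32_t nr, sz32_t size, sz32_t limit)
{
    sz32_t total = nr * size;   /* wraps modulo 2^32 on overflow */
    return total <= limit;
}

/* Hardened pattern: decide whether a * b fits BEFORE multiplying, using
 * only a division that cannot overflow. Returns 1 and stores the product
 * on success, 0 if the product would not fit in sz32_t. */
int safe_mul(sz32_t a, sz32_t b, sz32_t *out)
{
    if (a != 0 && b > SZ32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Three-factor variant (rows * columns * element size), chaining the
 * pairwise check so an overflow at either step rejects the whole size.
 * The guard itself never performs an unchecked multiplication, which is
 * the property an allocation-size check must keep. */
int safe_mul3(sz32_t a, sz32_t b, sz32_t c, sz32_t *out)
{
    sz32_t ab;
    return safe_mul(a, b, &ab) && safe_mul(ab, c, out);
}

/* Allocation wrapper that fails closed: NULL whenever the size cannot be
 * represented, instead of handing malloc a wrapped value. */
void *alloc_matrix(sz32_t rows, sz32_t cols, sz32_t elem)
{
    sz32_t total;
    if (!safe_mul3(rows, cols, elem, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed inputs: 65536 * 65537 = 2^32 + 65536, wraps to 65536. */
    sz32_t nr = 65536u, size = 65537u, total;
    printf("flawed check accepts oversized request: %d\n",
           flawed_size_ok(nr, size, 1u << 20));
    printf("safe check accepts oversized request:   %d\n",
           safe_mul(nr, size, &total));
    return 0;
}
```

With these inputs the flawed check reports the request as acceptable because
the wrapped product (65536) is below the limit, while safe_mul rejects it
without ever computing the product. GCC and Clang also provide
__builtin_mul_overflow, which performs the same test in one call; whichever
form is used, every multiplication that feeds an allocation size needs its
own check, and the guard function must be free of unchecked arithmetic
itself, which is the point the second CVE in this advisory illustrates.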

For Debian 10 buster, these problems have been fixed in version
12.0.3-2+deb10u2.

We recommend that you upgrade your sysstat packages.

For the detailed security status of sysstat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sysstat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmRx67IACgkQDTl9HeUl
XjBx+g//YOJo8g5hKqX2Zi0RhGa5C7rXTKDZ79h1wSllpsCrxxPnKLZVbm2swrM7
sF8EqrHHBSZY4pIdLeclIxvwXZ4eAhL8YyPf1TAl7pRKY9NcveoAHPo4sOby5ZMg
0A2k9op+FErF9cdZl42ZZ2zHgElI0k7GkG1/ObnKOiKhWIkd7no+8LGrErxLveQD
aDimfEHuNEwxmMgy7n6qOX9R57YG0gyQgtm3/epngbyQP7agOCYbHHi4JrMFghOh
0MQ48Qsz9Jy5bR4SceD8r1fsLms8YnWQ4UyOL6ydleJnRGqyrlYPrgVqDoCcyT+o
RU4S+Mr841GqtFGlXoU7Hg9EbPrkgbRa04CkOhQbOrpd5WXY+6e9KWV4WTI/qoY8
knqG1CA6rFTeSHqiVSnldle7g+ZW/VHHrVW/QjqpcEElMiQTOHwK/gN0d1if7GGa
KscAfTRkaTpqwR61gcp/lDmVbtTrMMxTB5Kzdy6hKoIbbflm2WvUNUqm4QH4kebm
mfVdhw5EIZhL5kuYzVKnKMkflSwgLnp9FapIXmyvYF2FYzWASufZy8laQT4IeCLp
LHCgywMO/unLpvu3TszXNgz4qIGKvM7H1AUXTlxX3l38nshZkIIW4gOjKpsIZf3O
/NI+Drya6Iy2hILsfyIjEAwIzyG4AdBSFqiNPRiwBrH4TMCE61A=
=oYDm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=ejbt
-----END PGP SIGNATURE-----