-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3058
                           sysstat security update
                                 29 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sysstat
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-33204 CVE-2022-39377

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/05/msg00026.html

Comment: CVSS (Max):  7.8 CVE-2023-33204 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3434-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Sylvain Beucler
May 27, 2023                                  https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package        : sysstat
Version        : 12.0.3-2+deb10u2
CVE ID         : CVE-2023-33204
Debian Bug     : 1036294

It was discovered that sysstat, a set of system performance tools for
Linux, incompletely fixed CVE-2022-39377 (as published in DLA-3188-1),
which could lead to crashes and possibly remote code execution.

CVE-2023-33204

    sysstat allows a multiplication integer overflow in check_overflow in
    common.c. NOTE: this issue exists because of an incomplete fix for
    CVE-2022-39377.

For reference, the initial vulnerability was:

CVE-2022-39377

    On 32 bit systems, allocate_structures contains a size_t overflow in
    sa_common.c.
    The allocate_structures function insufficiently checks bounds before
    arithmetic multiplication, allowing for an overflow in the size
    allocated for the buffer representing system activities. This issue
    may lead to Remote Code Execution (RCE).

For Debian 10 buster, these problems have been fixed in version
12.0.3-2+deb10u2.

We recommend that you upgrade your sysstat packages.

For the detailed security status of sysstat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sysstat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmRx67IACgkQDTl9HeUl
XjBx+g//YOJo8g5hKqX2Zi0RhGa5C7rXTKDZ79h1wSllpsCrxxPnKLZVbm2swrM7
sF8EqrHHBSZY4pIdLeclIxvwXZ4eAhL8YyPf1TAl7pRKY9NcveoAHPo4sOby5ZMg
0A2k9op+FErF9cdZl42ZZ2zHgElI0k7GkG1/ObnKOiKhWIkd7no+8LGrErxLveQD
aDimfEHuNEwxmMgy7n6qOX9R57YG0gyQgtm3/epngbyQP7agOCYbHHi4JrMFghOh
0MQ48Qsz9Jy5bR4SceD8r1fsLms8YnWQ4UyOL6ydleJnRGqyrlYPrgVqDoCcyT+o
RU4S+Mr841GqtFGlXoU7Hg9EbPrkgbRa04CkOhQbOrpd5WXY+6e9KWV4WTI/qoY8
knqG1CA6rFTeSHqiVSnldle7g+ZW/VHHrVW/QjqpcEElMiQTOHwK/gN0d1if7GGa
KscAfTRkaTpqwR61gcp/lDmVbtTrMMxTB5Kzdy6hKoIbbflm2WvUNUqm4QH4kebm
mfVdhw5EIZhL5kuYzVKnKMkflSwgLnp9FapIXmyvYF2FYzWASufZy8laQT4IeCLp
LHCgywMO/unLpvu3TszXNgz4qIGKvM7H1AUXTlxX3l38nshZkIIW4gOjKpsIZf3O
/NI+Drya6Iy2hILsfyIjEAwIzyG4AdBSFqiNPRiwBrH4TMCE61A=
=oYDm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It
may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved
directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZHQR0ckNZI30y1K9AQgqaQ//S8VTvWC9RV/izYD1uG2gvvfMCAVvE7Di
XXWgSGxq0qql0TOz0ni7SL8cI+COHij5QQeL3rLJIOKi+kSJmt4CJnq8fAlSKIzb
HwC5Fspk0zbWdgrkVSUGLmyIHPEv/QHGuLHH+OxGKKeRfyfYNpxtNA4MFGKq+G3H
uAQxksb/0bRXyI7VkOyPUyvq/Tr7ZAD+AkIMFAdROZfWrKUidD8kv6s25+saGezd
TPdEiBIgZaX7W3v/QmJGfR6WkFxoAeKccFlnrkHqwRVCoz0bACLphP3sHBn2cpxd
dvCKJCHgApZr8Z/Zpdu/O+RqivdDNT5UyvJTnUEhJZ7Rf69peObQHLTXBxuGR3wv
lyyGJbnsnWpcaOQKTE9i1ZE7Nwecl05xG+CeO2yWhRfYDguvb3Yk6ovTA+cFahDy
TlwLhS8Ro1KKYwS//JVHxbcs5GEgJgtnJiT8A6wPxaZepgzxP/xDQ6Ah2AyDode1
uxxoeAYfGK8cjHNrs9YR9oBt3DU+jObgReGPu26qUloCILpHoIVBMgsg1L+jyN7x
eKFTtlX5+os9tC6vvlYXvnHNgDyHGOlo8rkm3noI5u/RMJfFCycU15ZzWmcLVNkL
6GZmrGaaC/NtnzhFllU8krscrLVOqp4BkGMq3qNBbCI91L58kUpnT6z6Ob0O6Xna
3Xs/J0+sU8Y=
=ejbt
-----END PGP SIGNATURE-----
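The Debian advisory above describes the same defect twice: a count multiplied by an element size wraps around on a 32-bit size_t, so the allocation that follows is far smaller than the data later written into it. The C program below is an added example, not code from sysstat or from Debian, showing how such a product wraps and what a pre-allocation check looks like. A 32-bit unsigned type stands in for size_t so the wrap is visible on any host, and the function names and the sample count/element values are constructed for illustration.

```c
/* Added example (not sysstat's code): size computation before allocation.
 * A 32-bit unsigned type stands in for size_t on a 32-bit system so the
 * overflow is reproducible on a 64-bit host. All names are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t size32_t;   /* simulated 32-bit size_t */

/* Naive computation: the product silently wraps modulo 2^32, so a huge
 * request turns into a tiny allocation. */
static size32_t naive_alloc_size(size32_t count, size32_t elem)
{
    return count * elem;
}

/* Checked computation: returns 1 and stores count*elem in *out only when
 * the product fits; returns 0 (and leaves *out untouched) on overflow.
 * The division test is exact for unsigned arithmetic and cannot itself
 * overflow; count == 0 is handled first so we never divide by zero. */
static int checked_alloc_size(size32_t count, size32_t elem, size32_t *out)
{
    if (count != 0 && elem > UINT32_MAX / count)
        return 0;                       /* would overflow: refuse */
    *out = count * elem;
    return 1;
}

/* Allocate count elements of elem bytes each, refusing on overflow
 * instead of handing back an undersized buffer. */
static void *alloc_array(size32_t count, size32_t elem)
{
    size32_t bytes;
    if (!checked_alloc_size(count, elem, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* constructed values: 0x10000 * 0x10001 = 0x100010000, which needs 33 bits */
    size32_t count = 0x10000u, elem = 0x10001u, bytes;

    printf("naive size   : %u bytes (wrapped)\n", naive_alloc_size(count, elem));
    printf("checked size : %s\n",
           checked_alloc_size(count, elem, &bytes) ? "ok" : "overflow rejected");

    void *p = alloc_array(count, elem);
    printf("alloc_array  : %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

With the constructed inputs the naive path reports 65536 bytes, the wrapped low 32 bits of the true product, while the checked path refuses the request. Compilers that provide `__builtin_mul_overflow` (GCC and Clang) offer the same guarantee in one call; the division form is shown because it is portable C and makes the condition explicit.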