-------------------------------------------------------------------------
Debian LTS Advisory DLA-3434-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                     Sylvain Beucler
May 27, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : sysstat
Version        : 12.0.3-2+deb10u2
CVE ID         : CVE-2023-33204
Debian Bug     : 1036294

It was discovered that sysstat, a collection of system performance tools
for Linux, incompletely fixed CVE-2022-39377 (as published in DLA-3188-1),
which could lead to crashes and possibly remote code execution.

CVE-2023-33204

    sysstat allows a multiplication integer overflow in check_overflow in
    common.c. NOTE: this issue exists because of an incomplete fix for
    CVE-2022-39377.

For reference, the initial vulnerability was:

CVE-2022-39377

    On 32 bit systems, allocate_structures contains a size_t overflow in
    sa_common.c. The allocate_structures function insufficiently checks
    bounds before arithmetic multiplication, allowing for an overflow in
    the size allocated for the buffer representing system activities.
    This issue may lead to Remote Code Execution (RCE).

For Debian 10 buster, these problems have been fixed in version
12.0.3-2+deb10u2.

We recommend that you upgrade your sysstat packages.

For the detailed security status of sysstat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sysstat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
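To illustrate the class of defect the two CVEs describe, the following is an added C example, not sysstat's own code: the function names and sample values are constructed, and 32-bit unsigned arithmetic stands in for the 32-bit size_t the advisory refers to. It contrasts a size check that only guards the first of two multiplications with one that verifies every multiplication before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Model a 32-bit size_t so the demonstration behaves the same on any host. */
typedef uint32_t sz32;

/* Incomplete check (hypothetical pattern, not sysstat's code): the product
 * nr * nr2 is guarded, but the final multiplication by elem_size is not,
 * so the computed size can wrap to a small value. */
bool buffer_size_incomplete(sz32 nr, sz32 nr2, sz32 elem_size, sz32 *out)
{
    if (nr2 != 0 && nr > UINT32_MAX / nr2)
        return false;
    *out = nr * nr2 * elem_size;   /* may wrap modulo 2^32 */
    return true;
}

/* Complete check: every multiplication is tested for overflow; the
 * __builtin_mul_overflow builtin (GCC/Clang) detects a wrapped result. */
bool buffer_size_checked(sz32 nr, sz32 nr2, sz32 elem_size, sz32 *out)
{
    sz32 tmp;
    if (__builtin_mul_overflow(nr, nr2, &tmp))
        return false;
    if (__builtin_mul_overflow(tmp, elem_size, out))
        return false;
    return true;
}

/* Allocate only when the size is known not to have wrapped; NULL otherwise. */
void *allocate_structures_checked(sz32 nr, sz32 nr2, sz32 elem_size)
{
    sz32 size;
    if (!buffer_size_checked(nr, nr2, elem_size, &size) || size == 0)
        return NULL;
    return malloc(size);
}

int main(void)
{
    sz32 size;
    /* Constructed input: 4096 * 4096 * 512 = 2^33 wraps to 0 in 32 bits. */
    buffer_size_incomplete(4096, 4096, 512, &size);   /* size == 0 */
    void *p = allocate_structures_checked(4096, 4096, 512); /* p == NULL */
    free(p);
    return 0;
}
```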