
CVE-2022-39377

Published: 8 November 2022

sysstat is a set of system performance tools for the Linux operating system. On 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, the allocate_structures function in sa_common.c contains a size_t overflow: it insufficiently checks bounds before an arithmetic multiplication, so the size computed for the buffer representing system activities can wrap around and an undersized buffer is allocated. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
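The following is an added illustration of the bug class described above, not sysstat's own code: on a 32-bit build size_t is 32 bits wide, so a count multiplied by an element size can wrap to a small value before it reaches the allocator. The names, the uint32_t model of a 32-bit size_t, and the sample counts are all assumptions made for this example; the hardened variant shows the bounds check a fix of this kind needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a 32-bit size_t (assumption for this example; on a 64-bit build
   size_t is wider and these particular operands would not wrap). */
typedef uint32_t size32_t;

/* Naive sizing: the product silently wraps modulo 2^32. */
static size32_t naive_buffer_size(size32_t count, size32_t item_size)
{
    return count * item_size;
}

/* Returns 1 if count * item_size cannot be represented in a 32-bit size_t. */
static int mul_would_overflow(size32_t count, size32_t item_size)
{
    return count != 0 && item_size > UINT32_MAX / count;
}

/* Hardened allocation: refuse to compute a wrapped size. Returns NULL on
   overflow or allocation failure; caller frees the result. */
static void *allocate_activities_buffer(size32_t count, size32_t item_size)
{
    if (mul_would_overflow(count, item_size))
        return NULL;
    return calloc(count, item_size);
}

int main(void)
{
    /* Constructed sample: 65536 records of 65536 bytes each. */
    size32_t count = 0x10000, item_size = 0x10000;

    printf("naive size: %u bytes\n", naive_buffer_size(count, item_size));
    printf("checked: %s\n",
           allocate_activities_buffer(count, item_size) ? "allocated"
                                                        : "rejected (overflow)");
    return 0;
}
```

The naive path reports 0 bytes for the sample input, which is exactly the undersized allocation a later copy would overrun; the checked path rejects it before any memory is requested.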

Notes

Author: rodrigo-zaiden
Note: Incomplete fix for this CVE caused CVE-2023-33204.

Priority

Medium

CVSS 3 Severity Score

7.8


Status

Package: sysstat

Release: Status
bionic: Released (11.6.1-1ubuntu0.2)
focal: Released (12.2.0-2ubuntu0.2)
jammy: Released (12.5.2-2ubuntu0.1)
kinetic: Released (12.5.6-1ubuntu0.1)
lunar: Released (12.5.6-1ubuntu1)
upstream: Released (12.6.1-1, 12.7.1)
xenial: Released (11.2.0-1ubuntu0.3+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
trusty: Released (10.2.0-1ubuntu0.1~esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)

Patches:
upstream: https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540
upstream: https://github.com/sysstat/sysstat/commit/c9a11d35df4aecfcf22aef827bac6cd57def9d4e
upstream: https://github.com/sysstat/sysstat/commit/44f1dc159242c1e434a3b836cda49f084c5a96cc

Severity score breakdown

Parameter: Value
Base score: 7.8
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality impact: High
Integrity impact: High
Availability impact: High
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H