|
|
Subscribe / Log in / New account

Debian alert DLA-4336-1 (sysstat)



From:
              Thorsten Alteholz <debian@alteholz.de>


To:
              debian-lts-announce@lists.debian.org


Subject:
              [SECURITY] [DLA 4336-1] sysstat security update


Date:
              Fri, 17 Oct 2025 16:34:13 +0000


Message-ID:
              <73b861aa-95ee-2a7e-c16f-157b30daecdc@alteholz.de>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4336-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
October 17, 2025                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sysstat
Version        : 12.5.2-2+deb11u1
CVE ID         : CVE-2022-39377 CVE-2023-33204


An issue has been found in sysstat, a system performance tools for Linux.

CVE-2022-39377

     On 32 bit systems, allocate_structures contains a size_t overflow
     in sa_common.c. The allocate_structures function insufficiently
     checks bounds before arithmetic multiplication, allowing for an
     overflow in the size allocated for the buffer representing system
     activities. This issue may lead to Remote Code Execution (RCE).

CVE-2023-33204

     sysstat allows a multiplication integer overflow in check_overflow
     in common.c. NOTE: this issue exists because of an incomplete fix
     for CVE-2022-39377 (see above).


For Debian 11 bullseye, these problems have been fixed in version
12.5.2-2+deb11u1.

We recommend that you upgrade your sysstat packages.

For the detailed security status of sysstat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sysstat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmjycAVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfZyg//XcHTqGc6j53R0aUuOGvLdpPAQgFs8EiTfAfItojfyjP8HfIsKH4JLomB
HH+RJFI3vj5F4aO1uZf8Ib62QxcV8PytUHRjtqj58DJdmzYdoC86Pd+vMZ8Stpev
EHRLmQSbBepC2ZNxjJO57pHDfjZHTwDvxpLOeEttdrd6DdW8a7zBnK39iJlNw+8z
PcHS9gOpiAqLVy5aPO5fXuPClflVw9560eM5BqIIiV/pM0rUwXhtV/8lYRbJtNpG
1uJK41inb3V+0tbz0/0SP34eoYuadt6UEgrRQsdNtBxUjYmPns829naQsZSkqTMI
tWWtm/jDV+VeVFWfwgvb5ehKOPHBX9Mi2Jwyw6+3Ix8CEnVmRfdhOLxiiNO+gx8L
ReSntxDm4WTelSQ5Ub+WMOzkIxKtN7MS42ZCjQ7yuFDxUotZtg+DIKd7aO+OAYuh
VuJVve0IJPHth6uIEY4n4S+aLlVWzqQ3cmjO0tdP7Ti9GKmJhlrKJljlr/yI75XT
RlHahn+gt4Qp8g9wECMTd4GrJVpm0jQ3ZaRFwc+hCwtIWgNCtEndms2rETkaemxU
uaN0iK1EkgToFPsPml8NTBAb1zYU5p2uv8FNAKWLJfXunM4ug4anWvvWYQlw5cn/
3v1Nz+Q5XFVifejEAQj5dHUtfrMQEXVcDFdcEnF2ko3NPMQNYhE=
=SkwL
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds