Bug 2141207 (CVE-2022-39377)

Summary: CVE-2022-39377 sysstat: arithmetic overflow in allocate_structures() on 32 bit systems
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: sysstat 12.7.1
Reporter: TEJ RATHI <trathi>
Assignee: Red Hat Product Security <security-response-team>
CC: msekleta
Keywords: Security
Doc Type: If docs needed, set a value
Doc Text:
An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c does not check the multiplication of an activity's record size and item counts for overflow before using the product as the allocation size, so the size_t value can wrap and the buffer holding system activity data ends up smaller than the data later written into it. The vulnerability can be triggered when displaying activity data files and may lead to memory corruption or possibly arbitrary code execution because of the incorrectly sized buffer.
Story Points: ---
Last Closed: 2023-05-16 18:34:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2141208, 2141209, 2141211, 2141212
Bug Blocks: 2141210

Description TEJ RATHI 2022-11-09 06:41:50 UTC
Sysstat: on 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures() in sa_common.c contains a size_t overflow. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
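
The size computation that the Doc Text and the Description above describe, as an added example; this is illustrative code written for this page, not sysstat's allocate_structures() and not the upstream 12.7.1 fix. The struct name and field names (msize, nr_ini, nr2), the two headers and their values are constructed for the demonstration. Because a 64-bit host has a 64-bit size_t, the block emulates a 32-bit target's size_t with uint32_t so the wrap reproduces anywhere; the hostile header is tuned so that 1024 * 4 * 1048577 equals 2^32 + 4096 and wraps to 4096.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the bug class behind CVE-2022-39377: a buffer size
 * formed as the product of counts read from an activity data file wraps in
 * 32-bit size_t arithmetic, so the allocation is far smaller than the data
 * later copied into it. This is not sysstat's code.
 */

/* Emulate a 32-bit target's size_t so the wrap reproduces on a 64-bit host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Constructed activity header; the field names are assumptions for this example. */
struct activity_hdr {
    unsigned int msize;  /* size of one record in bytes */
    unsigned int nr_ini; /* number of items (CPUs, interfaces, ...) */
    unsigned int nr2;    /* second dimension of the item array */
};

/* Constructed inputs: a benign header, and a hostile one chosen so that
 * 1024 * 4 * 1048577 = 2^32 + 4096, which wraps to 4096 in 32 bits. */
const struct activity_hdr BENIGN_HDR  = { 256, 8, 1 };
const struct activity_hdr HOSTILE_HDR = { 1024, 4, 1048577 };

/* Vulnerable pattern: the product is formed in 32-bit arithmetic with no
 * overflow check, the shape of bug the advisory describes. */
size32_t unchecked_alloc_size(const struct activity_hdr *h)
{
    return (size32_t)((size32_t)h->msize * (size32_t)h->nr_ini * (size32_t)h->nr2);
}

/* Bytes a reader would subsequently copy into that buffer, without truncation. */
uint64_t bytes_to_read(const struct activity_hdr *h)
{
    return (uint64_t)h->msize * (uint64_t)h->nr_ini * (uint64_t)h->nr2;
}

/* 1 if the unchecked allocation is smaller than what will be written into it. */
int undersized(const struct activity_hdr *h)
{
    return (uint64_t)unchecked_alloc_size(h) < bytes_to_read(h);
}

/* Hardened: portable overflow-checked multiply (no compiler builtins needed).
 * Returns 0 and leaves *out untouched if a * b does not fit in 32 bits. */
static int mul32_checked(size32_t a, size32_t b, size32_t *out)
{
    if (a != 0 && b > SIZE32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Returns the checked size, or 0 if a factor is 0 or the product overflows.
 * 0 is safe to treat as "reject": a real activity never has a zero factor. */
size32_t checked_alloc_size(const struct activity_hdr *h)
{
    size32_t tmp, total;
    if (h->msize == 0 || h->nr_ini == 0 || h->nr2 == 0)
        return 0;
    if (!mul32_checked(h->msize, h->nr_ini, &tmp))
        return 0;
    if (!mul32_checked(tmp, h->nr2, &total))
        return 0;
    return total;
}

static void report(const char *name, const struct activity_hdr *h)
{
    printf("%s: unchecked=%" PRIu32 " bytes, needed=%" PRIu64 " bytes, "
           "undersized=%d, checked=%" PRIu32 "\n",
           name, unchecked_alloc_size(h), bytes_to_read(h),
           undersized(h), checked_alloc_size(h));
}

int main(void)
{
    report("benign ", &BENIGN_HDR);
    report("hostile", &HOSTILE_HDR);
    return 0;
}
```

For the hostile header the unchecked size is 4096 bytes while the reader would go on to copy 4294971392 bytes, which is the undersized-buffer condition the Doc Text warns about; the checked variant rejects it and accepts the benign header unchanged. On a native 64-bit build the same product does not wrap, which is why the advisory limits the issue to 32-bit systems. The check has to run on the values read from the file before the allocator is called; on GCC and Clang, __builtin_mul_overflow() is an equivalent alternative to the division test used here.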

Comment 1 TEJ RATHI 2022-11-09 06:50:48 UTC
Created sysstat tracking bugs for this issue:

Affects: fedora-35 [bug 2141208]
Affects: fedora-36 [bug 2141209]

Comment 4 errata-xmlrpc 2023-05-09 07:19:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2234 https://access.redhat.com/errata/RHSA-2023:2234

Comment 5 errata-xmlrpc 2023-05-16 08:12:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2800 https://access.redhat.com/errata/RHSA-2023:2800

Comment 6 Product Security DevOps Team 2023-05-16 18:34:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39377