Sysstat through 12.2.0 has a double free in check_file_actlst in sa_common.c.

Upstream issue: https://github.com/sysstat/sysstat/issues/242
Created sysstat tracking bugs for this issue: Affects: fedora-all [bug 1785293]
Upstream fix: https://github.com/sysstat/sysstat/commit/a5c8abd4a481ee6e27a3acf00e6d9b0f023e20ed
The flaw was introduced upstream in version 12.1.7 with an update to sar/sadf to handle a possible new file format in saved binary data files: https://github.com/sysstat/sysstat/commit/44c826602a3d7d899c728bd9e6c3488397c5009f

More specifically, new code was included in function check_file_actlst() to check whether extra structures (`extra_desc`) are present in saved files. In the case of malformed data, a previously freed buffer is freed again, leading to a double free vulnerability.

The patch assigns a NULL value to the buffer pointer after the first free(). This implicitly avoids the second free(), which only occurs if the buffer is not NULL.
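The bug class and fix described above, as an added example in C that is not sysstat's own code: a buffer is freed on a malformed-data error path and freed again in the function's common cleanup, and the upstream-style fix nulls the pointer after the first free() so the second free() becomes a no-op. The header layout (`struct file_hdr`), the `MAX_EXTRA` limit, and the instrumented `t_alloc`/`t_free` allocator are assumptions for illustration; the instrumentation counts a second release of the same buffer instead of letting the C library abort, so both control flows can be run side by side.

```c
/* Added example (not sysstat's code): minimal model of a double free on a
 * malformed-data error path, and the "null the pointer after free()" fix. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define MAX_EXTRA 64          /* constructed sanity limit on extra_desc records */

static int double_free_count; /* how many times a buffer was released twice */

/* One allocation with a liveness flag so a second release can be detected. */
struct tracked { void *mem; int live; };

static void *t_alloc(struct tracked *t, size_t n) {
    t->mem = malloc(n);
    t->live = (t->mem != NULL);
    return t->mem;
}

/* Like free(), but a release of an already-freed buffer is counted, not executed. */
static void t_free(struct tracked *t, void *p) {
    if (p == NULL)                     /* free(NULL) is a no-op, as in the C library */
        return;
    if (!t->live) {                    /* dangling pointer: this would be a double free */
        double_free_count++;
        return;
    }
    free(t->mem);
    t->live = 0;
    t->mem = NULL;
}

/* Constructed header: how many extra_desc records follow and how large each is. */
struct file_hdr { uint32_t nr_extra; uint32_t extra_size; };

/* Returns 0 on success, -1 on malformed data. 'vulnerable' selects the
 * pre-fix control flow, where the pointer is left dangling after the
 * error-path free; otherwise it is nulled as in the upstream fix. */
static int check_extra_desc(const struct file_hdr *h, int vulnerable) {
    struct tracked t = {0};
    unsigned char *buf = NULL;
    int rc = 0;

    if (h->nr_extra == 0)
        return 0;                      /* nothing to read */
    if (h->extra_size == 0 || h->extra_size > 4096)
        return -1;                     /* constructed size sanity check */

    buf = t_alloc(&t, h->extra_size);
    if (buf == NULL)
        return -1;

    for (uint32_t i = 0; i < h->nr_extra; i++) {
        if (i >= MAX_EXTRA) {
            /* malformed file: too many extra records, bail out early */
            t_free(&t, buf);
            if (!vulnerable)
                buf = NULL;            /* the fix: makes the cleanup free() a no-op */
            rc = -1;
            break;
        }
        memset(buf, 0, h->extra_size); /* stand-in for reading one record into buf */
    }

    /* Common cleanup: this is the second free() when buf was left dangling. */
    t_free(&t, buf);
    return rc;
}

/* Run one check on a constructed header and report the number of double frees. */
static int run_check(uint32_t nr_extra, uint32_t extra_size, int vulnerable) {
    struct file_hdr h = { nr_extra, extra_size };
    double_free_count = 0;
    (void)check_extra_desc(&h, vulnerable);
    return double_free_count;
}

int main(void) {
    printf("well-formed, vulnerable flow: %d double free(s)\n", run_check(3, 32, 1));
    printf("malformed,   vulnerable flow: %d double free(s)\n", run_check(1000, 32, 1));
    printf("malformed,   fixed flow:      %d double free(s)\n", run_check(1000, 32, 0));
    return 0;
}
```

The well-formed input never takes the error path, so both flows free the buffer exactly once; only the malformed input (more records than `MAX_EXTRA`) reaches the early free, and only the pre-fix flow then frees the same buffer again in cleanup. Nulling the pointer after the first free() is the same idiom the upstream patch applies, and it is the reason the fixed flow reports zero double frees.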
Statement: This flaw does not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 as they do not include support for `extra_desc` structures in binary data files created by the `sar` command. Consequently, they do not include the vulnerable code leading to the double free vulnerability either.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19725