CVE-2019-19725

Name	CVE-2019-19725
Description	sysstat through 12.2.0 has a double free in check_file_actlst in sa_common.c.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3188-1
Debian Bugs	946657

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
sysstat (PTS)	jessie, jessie (lts)	11.0.1-1+deb8u2	fixed
	stretch (lts), stretch	11.4.3-2+deb9u2	fixed
	buster (security), buster, buster (lts)	12.0.3-2+deb10u2	fixed
	bullseye	12.5.2-2	fixed
	bookworm	12.6.1-1	fixed
	sid, trixie	12.7.5-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
sysstat	source	wheezy	(not affected)
sysstat	source	jessie	(not affected)
sysstat	source	stretch	(not affected)
sysstat	source	buster	12.0.3-2+deb10u1		DLA-3188-1
sysstat	source	(unstable)	12.2.0-2	unimportant		946657

Notes

[stretch] - sysstat <not-affected> (Vulnerable code introduced in v11.7.1)
[jessie] - sysstat <not-affected> (Vulnerable code introduced in v11.7.1)
https://github.com/sysstat/sysstat/issues/242
https://github.com/sysstat/sysstat/commit/a5c8abd4a481ee6e27a3acf00e6d9b0f023e20ed
Crash in CLI tool, no security impact
[wheezy] - sysstat <not-affected> (Vulnerable code introduced in v11.7.1)