CVE-2022-39377

Name: CVE-2022-39377
Description: sysstat is a set of system performance tools for the Linux operating system. On 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures in sa_common.c contains a size_t overflow. The allocate_structures function insufficiently checks bounds before an arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3188-1, ELA-731-1
Debian Bugs: 1023832
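The description above names the bug class: a count multiplied by an element size before allocation, with no check that the product fits in a 32-bit size_t. The following added example (not sysstat's code, and not the actual allocate_structures logic) emulates a 32-bit size_t with uint32_t so the wraparound is reproducible on any host, and puts an unchecked computation beside two ways of rejecting a size that would overflow; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for size_t on a 32-bit target, so the wrap is
 * visible on a 64-bit host too. */
typedef uint32_t size32_t;

/* Hypothetical "before": multiply without a bound check. On a 32-bit
 * target the product silently wraps modulo 2^32 and the buffer handed
 * to the allocator is far smaller than the caller assumes. */
size32_t unchecked_alloc_size(size32_t nr_items, size32_t item_size)
{
    return nr_items * item_size;
}

/* Hypothetical "after": refuse any count/size pair whose product does not
 * fit. __builtin_mul_overflow exists in GCC >= 5 and Clang. */
bool checked_alloc_size(size32_t nr_items, size32_t item_size, size32_t *out)
{
    size32_t product;
    if (__builtin_mul_overflow(nr_items, item_size, &product))
        return false;
    *out = product;
    return true;
}

/* Portable equivalent without compiler builtins: divide the maximum by the
 * element size instead of multiplying, so nothing can wrap. */
bool checked_alloc_size_portable(size32_t nr_items, size32_t item_size, size32_t *out)
{
    if (item_size != 0 && nr_items > UINT32_MAX / item_size)
        return false;
    *out = nr_items * item_size;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the product would wrap. */
size32_t checked_size_or_zero(size32_t nr_items, size32_t item_size)
{
    size32_t bytes = 0;
    return checked_alloc_size(nr_items, item_size, &bytes) ? bytes : 0;
}

/* Allocation only happens after the check passes; NULL signals overflow. */
void *safe_alloc(size32_t nr_items, size32_t item_size)
{
    size32_t bytes;
    if (!checked_alloc_size(nr_items, item_size, &bytes))
        return NULL;
    return calloc(1, bytes);
}
```

With 65537 items of 65536 bytes the unchecked product wraps to 65536, while both checked variants reject the request.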

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                     | Version          | Status
sysstat (PTS)  | jessie, jessie (lts)                        | 11.0.1-1+deb8u2  | fixed
               | stretch (lts), stretch                      | 11.4.3-2+deb9u2  | fixed
               | buster (security), buster, buster (lts)     | 12.0.3-2+deb10u2 | fixed
               | bullseye                                    | 12.5.2-2         | vulnerable
               | bookworm                                    | 12.6.1-1         | fixed
               | sid, trixie                                 | 12.7.5-2         | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version    | Urgency | Origin    | Debian Bugs
sysstat | source | jessie     | 11.0.1-1+deb8u1  |         | ELA-731-1 |
sysstat | source | stretch    | 11.4.3-2+deb9u1  |         | ELA-731-1 |
sysstat | source | buster     | 12.0.3-2+deb10u1 |         | DLA-3188-1 |
sysstat | source | (unstable) | 12.6.1-1         |         |           | 1023832

Notes

[bullseye] - sysstat <no-dsa> (Minor issue)
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540 (v12.7.1)
The original fix is incomplete and opens up CVE-2023-33204.
