24765 – sysstat new security issues CVE-2018-19416 and CVE-2018-19517

Bug 24765 - sysstat new security issues CVE-2018-19416 and CVE-2018-19517

Summary: sysstat new security issues CVE-2018-19416 and CVE-2018-19517

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2019-05-03 21:17 CEST by David Walser
Modified:	2019-05-12 11:37 CEST (History)
CC List:	7 users (show)

See Also:
Source RPM:	sysstat-11.4.4-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-05-03 21:17:24 CEST

openSUSE has issued an advisory on April 8:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00086.html

Mageia 6 is also affected.

David Walser 2019-05-03 21:17:30 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:41:02 CEST

Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, smelror

Comment 2 David GEIGER 2019-05-04 05:29:54 CEST

Already fixed in current 12.1.4 release from Cauldron!

Comment 3 David GEIGER 2019-05-04 07:54:54 CEST

Fixed for mga6 updating to latest 12.1.4 release!

Comment 4 David Walser 2019-05-04 23:20:30 CEST

Advisory:
========================

Updated sysstat package fix security vulnerabilities:

Out-of-bounds read during a memmove call inside the remap_struct function
(CVE-2018-19416).

Out-of-bounds read during a memset call inside the remap_struct function
(CVE-2018-19517).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19517
https://lists.opensuse.org/opensuse-updates/2019-04/msg00086.html
========================

Updated packages in core/updates_testing:
========================
sysstat-12.1.4-1.mga6

from sysstat-12.1.4-1.mga6.src.rpm

Source RPM: sysstat-12.1.4-1.mga7.src.rpm => sysstat-11.4.4-1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 PC LX 2019-05-06 12:24:27 CEST

Installed and tested without issue.

Tested all command with various arguments. All seems correct. No issues noticed.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q sysstat
sysstat-12.1.4-1.mga6

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

Comment 6 Thomas Andrews 2019-05-10 01:26:36 CEST

Should be good. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 10:24:51 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2019-05-12 11:37:22 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0168.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.