Bug 26067 - sysstat new security issue CVE-2019-19725
Summary: sysstat new security issue CVE-2019-19725
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-13 23:36 CET by David Walser
Modified: 2020-01-28 12:34 CET

See Also:
Source RPM: sysstat-12.2.0-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-01-13 23:36:11 CET
SUSE has issued an advisory on January 7:
http://lists.suse.com/pipermail/sle-security-updates/2020-January/006302.html

Mageia 7 is also affected.
David Walser 2020-01-13 23:36:25 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-01-14 17:48:49 CET
Commit to fix the issue is linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1159104

Status comment: (none) => Fix available in upstream commit

Comment 2 Lewis Smith 2020-01-16 19:39:30 CET
Assigning to you (yet another one!) DavidG, as you have done several recent commits.

Assignee: bugsquad => geiger.david68210

Comment 3 David Walser 2020-01-21 13:02:30 CET
Updated package uploaded by David.

Advisory:
========================

Updated sysstat package fixes security vulnerability:

Double free in check_file_actlst in sa_common.c (CVE-2019-19725).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19725
http://lists.suse.com/pipermail/sle-security-updates/2020-January/006302.html
========================

Updated packages in core/updates_testing:
========================
sysstat-12.2.1-1.mga7

from sysstat-12.2.1-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 7
CC: (none) => geiger.david68210
Status comment: Fix available in upstream commit => (none)
Whiteboard: MGA7TOO => (none)

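The advisory above describes the bug only as a double free in an error path of the data-file checker. The block below is an added illustration, not sysstat's code and not the upstream fix: a hypothetical activity-list checker written in the vulnerable "free in the checker, free again in the caller" shape, beside a hardened version that validates before allocating and releases through one idempotent routine. The names (act_list, check_acts_*, load_*, release_twice_is_safe) and the header layout are assumptions made for the example.

```c
/* Added illustration, not sysstat's code: a generic "free in the checker,
 * free again in the caller" double free beside a hardened version.  The
 * names (act_list, check_acts_*, load_*) and header layout are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_ACTS 8

struct act_list {
    unsigned int *ids;   /* activity ids read from a data-file header */
    size_t count;
};

/* Constructed sample headers: first byte = number of ids, then the ids. */
static const unsigned char GOOD_HDR[]  = {3, 1, 2, 3};
static const unsigned char BAD_HDR[]   = {9, 0};   /* count > MAX_ACTS */
static const unsigned char SHORT_HDR[] = {2, 1};   /* truncated id list */

/* Vulnerable shape: allocate first, free on validation failure, leave the
 * pointer dangling.  Kept for comparison only: load_vulnerable(BAD_HDR)
 * is undefined behaviour (glibc aborts with "double free detected"). */
int check_acts_vulnerable(struct act_list *l, const unsigned char *hdr, size_t len)
{
    if (len < 1)
        return -1;
    l->count = hdr[0];
    l->ids = malloc(l->count * sizeof *l->ids);
    if (l->ids == NULL)
        return -1;
    if (l->count > MAX_ACTS || len < 1 + l->count) {
        free(l->ids);                /* first free */
        return -1;
    }
    for (size_t i = 0; i < l->count; i++)
        l->ids[i] = hdr[1 + i];
    return 0;
}

int load_vulnerable(const unsigned char *hdr, size_t len)
{
    struct act_list l = { NULL, 0 };
    if (check_acts_vulnerable(&l, hdr, len) < 0) {
        free(l.ids);                 /* second free of the same block */
        return -1;
    }
    free(l.ids);
    return (int)l.count;
}

/* Hardened: validate before allocating, and release through one routine
 * that nulls the pointer so calling it twice is harmless. */
void act_list_release(struct act_list *l)
{
    free(l->ids);                    /* free(NULL) is a no-op */
    l->ids = NULL;
    l->count = 0;
}

int check_acts_hardened(struct act_list *l, const unsigned char *hdr, size_t len)
{
    if (len < 1)
        return -1;
    size_t n = hdr[0];
    if (n == 0 || n > MAX_ACTS || len < 1 + n)
        return -1;                   /* nothing allocated yet */
    l->ids = malloc(n * sizeof *l->ids);
    if (l->ids == NULL)
        return -1;
    l->count = n;
    for (size_t i = 0; i < n; i++)
        l->ids[i] = hdr[1 + i];
    return 0;
}

/* Returns the number of activities read, or -1 for a rejected header. */
int load_hardened(const unsigned char *hdr, size_t len)
{
    struct act_list l = { NULL, 0 };
    int n = (check_acts_hardened(&l, hdr, len) == 0) ? (int)l.count : -1;
    act_list_release(&l);            /* the single owner releases, on every path */
    return n;
}

/* Returns 1 if releasing the same list twice leaves it empty and does not crash. */
int release_twice_is_safe(void)
{
    struct act_list l = { malloc(4 * sizeof(unsigned int)), 4 };
    act_list_release(&l);
    act_list_release(&l);
    return l.ids == NULL && l.count == 0;
}

int main(void)
{
    printf("good: %d\n", load_hardened(GOOD_HDR, sizeof GOOD_HDR));   /* 3 */
    printf("bad: %d\n", load_hardened(BAD_HDR, sizeof BAD_HDR));      /* -1 */
    printf("double release safe: %d\n", release_twice_is_safe());     /* 1 */
    return 0;
}
```

Building with `cc -fsanitize=address` and calling load_vulnerable() with BAD_HDR makes the sanitizer report the attempted double free; the hardened loader rejects the same header with -1 without ever touching freed memory. The two fixes worth copying are ordering (reject before allocating, so failure paths own nothing) and a single release routine that nulls what it frees.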
Comment 4 Herman Viaene 2020-01-23 15:55:46 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25804 for tests:
$ iostat
Linux 5.4.12-desktop-1.mga7 (FQDN)       23-01-20        _x86_64_        (4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           5,87    0,18    3,39   17,98    0,00   72,58

Device             tps    kB_read/s    kB_wrtn/s    kB_dscd/s    kB_read    kB_wrtn    kB_dscd
sda              83,29      3276,30       201,57         0,00    1081931      66565          0

$ mpstat
Linux 5.4.12-desktop-1.mga7 (FQDN)       23-01-20        _x86_64_        (4 CPU)

15:33:02     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
15:33:02     all    5,59    0,18    3,11   16,92    0,00    0,17    0,00    0,00    0,00   74,03

$ pidstat
Linux 5.4.12-desktop-1.mga7 (FQDN)       23-01-20        _x86_64_        (4 CPU)

15:33:31      UID       PID    %usr %system  %guest   %wait    %CPU   CPU  Command
15:33:31        0         1    0,14    0,35    0,00    0,01    0,49     1  systemd
15:33:31        0         5    0,00    0,23    0,00    0,02    0,23     0  kworker/0:0-events
15:33:31        0         8    0,00    0,01    0,00    0,00    0,01     0  kworker/u8:0-i915
etc.......

but:
$ sadf
Cannot open /var/log/sa/sa23: No such file or directory
Check whether data collection is enabled.
[tester7@mach5 ~]$ sar
Cannot open /var/log/sa/sa23: No such file or directory
Check whether data collection is enabled.


Googling shows different sites where reference is made to /etc/cron.d/sysstat, but that does not exist in this installation, so I guess data collection is indeed not activated.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-01-23 16:12:44 CET
Correction: the cron is in cron.daily and cron.hourly, where it is stated to run every 10 min.
Found also https://www.thomas-krenn.com/en/wiki/Collect_and_report_Linux_System_Activity_Information_with_sar
where it is stated that an ENABLED=true should be in the config. Added that line in /etc/sysconfig/sysstat, but more than 10 min. later, still nothing. But that might be due to the daily cron which did not run yet.
Running the scripts manually changes the results to:
$ sar
Linux 5.4.12-desktop-1.mga7 (FQDN)       23-01-20        _x86_64_        (4 CPU)

$ sadf
no feedback

Leaving for the higher powers to judge whether this is good enough.
Comment 6 Len Lawrence 2020-01-23 21:45:16 CET
@Herman: in response to your request have run the tests here and saw a response to
$ sadf

difda   600     2020-01-23 00:11:01 UTC all     %user   0.76
difda   600     2020-01-23 00:11:01 UTC all     %nice   0.04
difda   600     2020-01-23 00:11:01 UTC all     %system 0.39
[...]
difda   600     2020-01-23 20:31:01 UTC all     %iowait 0.02
difda   600     2020-01-23 20:31:01 UTC all     %steal  0.00
difda   600     2020-01-23 20:31:01 UTC all     %idle   98.00

738 lines of output.

$ sar
Linux 5.4.12-desktop-1.mga7 (difda)     23/01/20        _x86_64_        (8 CPU)

00:01:01        CPU     %user     %nice   %system   %iowait    %steal     %idle
00:11:01        all      0.76      0.04      0.39      0.02      0.00     98.79
00:21:01        all      0.76      0.01      0.39      0.02      0.00     98.82
[...]
20:31:01        CPU     %user     %nice   %system   %iowait    %steal     %idle
20:41:01        all      2.58      0.02      0.75      0.03      0.00     96.63
Average:        all      1.08      0.01      0.45      0.02      0.00     98.42

It looks fine AFAICS so go ahead with the OK

Len = *a lower power* ;-)

CC: (none) => tarazed25

Herman Viaene 2020-01-24 08:18:35 CET

Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-01-24 13:50:47 CET
Good enough to suit me, guys. Validating. Advisory in Comment 3.

TJ = *deluded into thinking he actually has some power* ;-)

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-28 11:55:12 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-01-28 12:34:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0064.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

