Debian-LTS has issued an advisory today (November 14): https://www.debian.org/lts/security/2022/dla-3188

The issue is fixed upstream in 12.6.1:
http://sebastien.godard.pagesperso-orange.fr/
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
Status comment: (none) => Fixed upstream in 12.6.1
DavidW has just put v12.6.1 (fixes CVE-2022-39377) in Cauldron. It is not his duty to push updates, so assigning this one globally. Note M8 only.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). (CVE-2022-39377)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39377
https://www.debian.org/lts/security/2022/dla-3188
http://sebastien.godard.pagesperso-orange.fr/
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
========================

Updated package in core/updates_testing:
========================
sysstat-12.5.2-1.1.mga8

from SRPM:
sysstat-12.5.2-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-39377
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 12.6.1 => (none)
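The bug class the advisory describes (a buffer size computed by multiplication that wraps in a 32-bit size_t before allocation), as an added illustration that is not sysstat's own allocate_structures() code: the 32-bit size_t is modelled as uint32_t so the wrap is visible on any host, and the naive computation sits beside a checked one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a 32-bit size_t, so the overflow reproduces on 64-bit hosts too.
 * Assumption for this example only; real code would use size_t. */
typedef uint32_t size32_t;

/* Naive size computation: the product silently wraps modulo 2^32. */
size32_t naive_buffer_size(size32_t count, size32_t elem_size)
{
    return count * elem_size;
}

/* Hardened variant: refuse any product that does not fit in 32 bits.
 * Returns 1 and stores the byte count on success, 0 on overflow. */
int checked_buffer_size(size32_t count, size32_t elem_size, size32_t *out)
{
    /* count * elem_size > UINT32_MAX  <=>  elem_size > UINT32_MAX / count */
    if (count != 0 && elem_size > UINT32_MAX / count)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Allocate the activity buffer only when the size survived the check. */
void *alloc_activities(size32_t count, size32_t elem_size)
{
    size32_t bytes;
    if (!checked_buffer_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed inputs: 0x10000 records of 0x10001 bytes each.
     * The true product is 0x100010000, which wraps to 0x10000 (64 KiB). */
    size32_t naive = naive_buffer_size(0x10000u, 0x10001u);
    size32_t checked = 0;
    int ok = checked_buffer_size(0x10000u, 0x10001u, &checked);
    printf("naive size: %u bytes (wrapped)\n", naive);
    printf("checked size: %s\n", ok ? "accepted" : "overflow rejected");
    return 0;
}
```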
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 26067 for testing

$ iostat
Linux 5.15.74-server-1.mga8 (mach7.hviaene.thuis)  18/11/22  _x86_64_  (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          40.24    2.50   12.24   15.56    0.00   29.46

Device     tps    kB_read/s  kB_wrtn/s  kB_dscd/s  kB_read  kB_wrtn  kB_dscd
sda      60.27      1456.36     213.63       0.00   905198   132781        0
sr0       0.02         0.00       0.00       0.00        2        0        0

[tester8@mach7 ~]$ mpstat
Linux 5.15.74-server-1.mga8 (mach7.hviaene.thuis)  18/11/22  _x86_64_  (2 CPU)

15:01:41  CPU   %usr  %nice   %sys %iowait  %irq  %soft  %steal  %guest  %gnice  %idle
15:01:41  all  39.36   2.39  11.40   14.89  0.00   0.44    0.00    0.00    0.00  31.52

[tester8@mach7 ~]$ pidstat
Linux 5.15.74-server-1.mga8 (mach7.hviaene.thuis)  18/11/22  _x86_64_  (2 CPU)

15:02:33  UID  PID  %usr %system %guest  %wait  %CPU  CPU  Command
15:02:33    0    1  0.44    0.52   0.00   0.21  0.97    1  systemd
15:02:33    0    2  0.00    0.00   0.00   0.02  0.00    1  kthreadd
15:02:33    0    9  0.00    0.14   0.00   0.02  0.14    1  kworker/u8:0-flush-8:0
15:02:33    0   13  0.00    0.03   0.00   0.21  0.03    0  ksoftirqd/0
etc.......

$ sadf
no feedback

[tester8@mach7 ~]$ sar
Linux 5.15.74-server-1.mga8 (mach7.hviaene.thuis)  18/11/22  _x86_64_  (2 CPU)

I still have no idea how Len got his output as in bug 26067 Comment 6, so Len or someone else please jump in to test those last two commands.
CC: (none) => herman.viaene
[dave@x3 ~]$ sadf|tail -n 5
x3.hodgins.homeip.net 600 2022-11-18 16:41:03 UTC all %nice 0.00
x3.hodgins.homeip.net 600 2022-11-18 16:41:03 UTC all %system 1.02
x3.hodgins.homeip.net 600 2022-11-18 16:41:03 UTC all %iowait 0.08
x3.hodgins.homeip.net 600 2022-11-18 16:41:03 UTC all %steal 0.00
x3.hodgins.homeip.net 600 2022-11-18 16:41:03 UTC all %idle 96.21

[dave@x3 ~]$ sar|tail -n 5
11:11:03 all 1.77 0.00 0.61 0.05 0.00 97.57
11:21:03 all 1.86 0.00 0.61 0.04 0.00 97.49
11:31:03 all 1.81 0.00 0.61 0.04 0.00 97.53
11:41:03 all 2.70 0.00 1.02 0.08 0.00 96.21
Average: all 2.11 0.02 0.72 0.08 0.00 97.07

[dave@x3 ~]$ rpm -q sysstat
sysstat-12.5.2-1.1.mga8
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0433.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED