Bug 32019 - sysstat new security issue CVE-2023-33204
Summary: sysstat new security issue CVE-2023-33204
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-15 23:53 CEST by David Walser
Modified: 2023-06-19 18:30 CEST (History)

See Also:
Source RPM: sysstat-12.5.2-1.2.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-06-15 23:53:36 CEST
Debian-LTS has issued an advisory on May 27:
https://www.debian.org/lts/security/2023/dla-3434

Mageia 8 is also affected.
David Walser 2023-06-15 23:53:46 CEST

Status comment: (none) => Patches available from upstream and Debian
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2023-06-16 14:17:27 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. (CVE-2023-33204)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33204
https://www.debian.org/lts/security/2023/dla-3434
========================

Updated package in core/updates_testing:
========================
sysstat-12.5.2-1.2.mga8

from SRPM:
sysstat-12.5.2-1.2.mga8.src.rpm

Source RPM: sysstat-12.7.2-1.mga9.src.rpm => sysstat-12.5.2-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Patches available from upstream and Debian => (none)
Assignee: bugsquad => qa-bugs
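
The advisory text above describes an overflow check whose own multiplication can wrap. As an added illustration (not sysstat's code), the C below puts the flawed multiply-then-compare pattern beside a version that checks each partial product; the function names and the 2^63 request are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Pattern 1 (flawed): multiply first, compare afterwards. The three-way
 * product is computed in unsigned long long and wraps modulo 2^64, so an
 * oversized request can come out small and pass the "<= UINT_MAX" test.
 * Illustrative only, not sysstat's own code. */
bool multiply_then_compare(size_t v1, size_t v2, size_t v3)
{
    unsigned long long product = (unsigned long long) v1 * v2 * v3;
    return product <= UINT_MAX;            /* true means "request accepted" */
}

/* Pattern 2 (hardened): have the compiler report overflow of each partial
 * product (GCC/Clang __builtin_mul_overflow) so a wrapped value can never
 * reach the comparison. On success the bounded product is stored in *out. */
bool check_each_step(size_t v1, size_t v2, size_t v3, size_t *out)
{
    size_t partial, product;

    if (__builtin_mul_overflow(v1, v2, &partial))
        return false;                      /* v1 * v2 already wrapped */
    if (__builtin_mul_overflow(partial, v3, &product))
        return false;                      /* (v1 * v2) * v3 wrapped */
    if (product > UINT_MAX)
        return false;                      /* too large for the caller */
    *out = product;
    return true;
}

/* Convenience wrapper: the bounded product, or 0 when the request is rejected. */
size_t bounded_product_or_zero(size_t v1, size_t v2, size_t v3)
{
    size_t out = 0;
    return check_each_step(v1, v2, v3, &out) ? out : 0;
}

/* Constructed request that wraps to exactly 0 on a 64-bit size_t:
 * 2^63 * 2 * 2 == 2^65 == 0 (mod 2^64), so the flawed check accepts it. */
bool flawed_check_accepts_wrapped_request(void)
{
    size_t huge = SIZE_MAX / 2 + 1;        /* 2^63 when size_t is 64 bits */
    return multiply_then_compare(huge, 2, 2);
}
```

The same request passed to check_each_step is rejected at the first partial product, before any comparison against UINT_MAX.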

Comment 2 Len Lawrence 2023-06-17 18:39:12 CEST
Testing this for mga8, x64.
Groundwork in bug 26067.
It appears that munin-node uses sysstat, so I installed munin and munin-node. Documentation is mainly online. No handholding for a noddy, so after a couple of hours fiddling about with configuration files I gave up on that.

$ sar
Linux 5.15.117-1.mga8 (canopus) 	17/06/23 	_x86_64_	(20 CPU)

16:01:01        CPU     %user     %nice   %system   %iowait    %steal     %idle
16:11:01        all      0.12      0.01      0.24      0.01      0.00     99.61
16:21:01        all      0.40      0.01      0.35      0.01      0.00     99.22
[...]
Average:        all      0.19      0.01      0.24      0.01      0.00     99.55

$ sadf
canopus 600     2023-06-17 15:11:01 UTC all     %user   0.12
canopus 600     2023-06-17 15:11:01 UTC all     %nice   0.01
[...]
canopus 600     2023-06-17 16:21:01 UTC all     %system 0.26
canopus 600     2023-06-17 16:21:01 UTC all     %iowait 0.01
canopus 600     2023-06-17 16:21:01 UTC all     %steal  0.00
canopus 600     2023-06-17 16:21:01 UTC all     %idle   99.38

$ iostat
Linux 5.15.117-1.mga8 (canopus) 	17/06/23 	_x86_64_	(20 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.26    0.01    0.25    0.02    0.00   99.47

Device             tps    kB_read/s    kB_wrtn/s    kB_dscd/s    kB_read    kB_wrtn    kB_dscd
nvme0n1           2.50        85.06        11.33         0.00    1662253     221383          0
sda               3.10        81.59        17.89         0.00    1594493     349717          0
...

$ mpstat
Linux 5.15.117-1.mga8 (canopus) 	17/06/23 	_x86_64_	(20 CPU)

17:33:27     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
17:33:27     all    0.26    0.01    0.25    0.02    0.00    0.00    0.00    0.00    0.00   99.47

$ pidstat
Linux 5.15.117-1.mga8 (canopus)         17/06/23        _x86_64_        (20 CPU)

17:34:37      UID       PID    %usr %system  %guest   %wait    %CPU   CPU  Command
17:34:37        0         1    0.02    0.04    0.00    0.00    0.05     7  systemd
17:34:37        0         2    0.00    0.00    0.00    0.00    0.00     5  kthreadd
[...]
17:34:37     1000    638408    0.03    0.00    0.00    0.00    0.03     8  emacs
17:34:37     1000    640932    0.00    0.00    0.00    0.00    0.00     0  Web Content
17:34:37        0    646577    0.00    0.00    0.00    0.00    0.00    13  kworker/13:0-events
17:34:37        0    648461    0.00    0.00    0.00    0.00    0.00     9  kworker/u40:3-events_unbound
17:34:37     1000    654742    0.00    0.00    0.00    0.00    0.00     6  pidstat

Good enough. The CLI utilities worked fine before the update, so no regressions.

CC: (none) => tarazed25

Len Lawrence 2023-06-17 18:39:37 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2023-06-19 13:58:59 CEST
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-19 17:10:29 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-06-19 18:30:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0203.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

