CVE-2022-39377: sysstat Incorrect Buffer Size calculation on 32-bit systems results in RCE via buffer overflow
First published: Tue Nov 08 2022(Updated: )
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sysstat Project Sysstat | >=9.1.6<12.6.1 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
- https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/
- https://security.gentoo.org/glsa/202211-07
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-39377.
What is the severity of CVE-2022-39377?
The severity of CVE-2022-39377 is high.
What is the affected software?
The affected software includes sysstat versions 9.1.16 to 12.6.1, Debian Linux 10.0, and Fedora 35, 36, and 37.
What is the CWE ID of CVE-2022-39377?
The CWE ID of CVE-2022-39377 is CWE-120 and CWE-131.
Are there any references available for CVE-2022-39377?
Yes, there are references available for CVE-2022-39377. You can find them [here](https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x), [here](https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html), and [here](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/).
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/references
- agent/title
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/sysstat project
- canonical/sysstat project sysstat
- version/sysstat project sysstat/9.1.6
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37