ELA-731-1 sysstat security update

Remote Code Execution (RCE)

2022-11-14
Packagesysstat
Version11.0.1-1+deb8u1 (jessie), 11.4.3-2+deb9u1 (stretch)
Related CVEs CVE-2022-39377


On 32 bit systems, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE).



For Debian 8 jessie, these problems have been fixed in version 11.0.1-1+deb8u1.

For Debian 9 stretch, these problems have been fixed in version 11.4.3-2+deb9u1.

We recommend that you upgrade your sysstat packages.

Further information about Extended LTS security advisories can be found at: debian Extended Long term support