| Package | sysstat |
|---|---|
| Version | 11.0.1-1+deb8u2 (jessie), 11.4.3-2+deb9u2 (stretch) |
| Related CVEs | CVE-2023-33204 |
It was discovered that sysstat, a set of system performance tools for Linux, incompletely fixed CVE-2022-39377 (as published in ELA-731-1); the remaining flaw could lead to crashes and possibly remote code execution.
- CVE-2023-33204: sysstat allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377.
For reference, the initial vulnerability was:
- CVE-2022-39377: On 32-bit systems, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE).
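To illustrate why a bounds check of this shape can itself be the weak point, the following is an added C example, not sysstat's own code: a hypothetical naive_check that multiplies first and compares afterwards (so a wrapped intermediate product can slip past the comparison), beside a safe_check that tests each multiplication before using its result. The function names, the mul_size helper and the sample values are assumptions for illustration only.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: multiply two size_t values and report overflow
 * instead of silently wrapping. Portable C (no compiler builtins). */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;            /* a * b would not fit in size_t */
    *out = a * b;
    return true;
}

/* Weak pattern: the check performs the very multiplication it guards.
 * If the 64-bit product wraps around, a huge allocation size looks small
 * and the check wrongly reports "safe". Returns true when it would allow
 * the allocation. */
bool naive_check(size_t val1, size_t val2, size_t val3)
{
    unsigned long long prod = (unsigned long long)val1 *
                              (unsigned long long)val2 *
                              (unsigned long long)val3;
    return prod <= UINT_MAX;
}

/* Hardened pattern: every intermediate product is validated before it is
 * used, so no wrap-around can hide the true size. On success the checked
 * total is stored in *out (if out is non-NULL). */
bool safe_check(size_t val1, size_t val2, size_t val3, size_t *out)
{
    size_t tmp, total;
    if (!mul_size(val1, val2, &tmp) || !mul_size(tmp, val3, &total))
        return false;
    if (total > UINT_MAX)
        return false;
    if (out)
        *out = total;
    return true;
}

int main(void)
{
    /* Constructed sample: true product is 2^64, which wraps to 0 in the
     * naive version. Both results are printed for comparison. */
    size_t big = (size_t)1u << 31;
    printf("naive: %d  safe: %d\n", naive_check(big, big, 4),
           safe_check(big, big, 4, NULL));
    return 0;
}
```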
For Debian 8 jessie, these problems have been fixed in version 11.0.1-1+deb8u2.
For Debian 9 stretch, these problems have been fixed in version 11.4.3-2+deb9u2.
We recommend that you upgrade your sysstat packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.