CVE-2022-39377

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39377
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39377.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-39377
Aliases
  • GHSA-q8r6-g56f-9w7x
Related
Published
2022-11-08T20:15:11Z
Modified
2024-10-12T10:06:53.666240Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocatestructures contains a sizet overflow in sacommon.c. The allocatestructures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

References

Affected packages

Debian:11 / sysstat

Package

Name
sysstat
Purl
pkg:deb/debian/sysstat?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

12.*

12.5.2-2
12.5.6-1
12.6.1-1
12.6.1-1.1
12.6.1-2
12.7.5-1
12.7.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / sysstat

Package

Name
sysstat
Purl
pkg:deb/debian/sysstat?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.6.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / sysstat

Package

Name
sysstat
Purl
pkg:deb/debian/sysstat?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.6.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/sysstat/sysstat

Affected ranges

Type
GIT
Repo
https://github.com/sysstat/sysstat
Events