CVE-2022-39377
sysstat Incorrect Buffer Size calculation on 32-bit systems results in RCE via buffer overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
sysstat es un conjunto de herramientas de rendimiento del System para el sistema operativo Linux. En sistemas de 32 bits, en las versiones 9.1.16 y posteriores, pero anteriores a la 12.7.1, allocate_structures contiene un desbordamiento size_t en sa_common.c. La función allocate_structures no comprueba suficientemente los límites antes de la multiplicación aritmética, lo que permite un desbordamiento en el tamaño asignado para el búfer que representa las actividades del sistema. Este problema puede provocar la ejecución remota de código (RCE). Este problema se solucionó en la versión 12.7.1.
An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files and may lead to memory corruption or possibly arbitrary code execution due to an incorrectly sized buffer.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-02 CVE Reserved
- 2022-11-08 CVE Published
- 2024-06-29 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-131: Incorrect Calculation of Buffer Size
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2022/11/msg00014.html | Mailing List |
URL | Date | SRC |
---|---|---|
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x | 2024-08-03 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Sysstat Project Search vendor "Sysstat Project" | Sysstat Search vendor "Sysstat Project" for product "Sysstat" | >= 9.1.6 < 12.6.1 Search vendor "Sysstat Project" for product "Sysstat" and version " >= 9.1.6 < 12.6.1" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
|