From e485b9128bced21910c1e2856c6526f2cee99f55 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 21 Sep 2023 20:32:08 +0000 Subject: [PATCH] import CS sysstat-12.5.4-7.el9 --- SOURCES/sysstat-12.5.4-CVE-2023-33204.patch | 23 ++++++++++++++ SOURCES/sysstat-12.5.4-bz2216805.patch | 34 +++++++++++++++++++++ SPECS/sysstat.spec | 12 +++++++- 3 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 SOURCES/sysstat-12.5.4-CVE-2023-33204.patch create mode 100644 SOURCES/sysstat-12.5.4-bz2216805.patch diff --git a/SOURCES/sysstat-12.5.4-CVE-2023-33204.patch b/SOURCES/sysstat-12.5.4-CVE-2023-33204.patch new file mode 100644 index 0000000..c5afb4e --- /dev/null +++ b/SOURCES/sysstat-12.5.4-CVE-2023-33204.patch @@ -0,0 +1,23 @@ +From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001 +From: Pavel Kopylov +Date: Wed, 17 May 2023 11:33:45 +0200 +Subject: [PATCH] Fix an overflow which is still possible for some values. +diff --git a/common.c b/common.c +index 583a0ca..6d73b1b 100644 +--- a/common.c ++++ b/common.c +@@ -1639,9 +1639,11 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char + */ + void check_overflow(size_t val1, size_t val2, size_t val3) + { +- if ((unsigned long long) val1 * +- (unsigned long long) val2 * +- (unsigned long long) val3 > UINT_MAX) { ++if ((val1 != 0) && (val2 != 0) && (val3 != 0) && ++ (((unsigned long long)UINT_MAX / (unsigned long long)val1 < ++ (unsigned long long)val2) || ++ ((unsigned long long)UINT_MAX / ((unsigned long long)val1 * ++ (unsigned long long)val2) < (unsigned long long)val3))) { + #ifdef DEBUG + fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", + __FUNCTION__, diff --git a/SOURCES/sysstat-12.5.4-bz2216805.patch b/SOURCES/sysstat-12.5.4-bz2216805.patch new file mode 100644 index 0000000..10915a3 --- /dev/null +++ b/SOURCES/sysstat-12.5.4-bz2216805.patch @@ -0,0 +1,34 @@ +From 370ad59826c2320288a1999ef9038e2a2655b8a0 Mon Sep 17 00:00:00 2001 +From: Sebastien GODARD +Date: Thu, 22 Jun 2023 17:47:59 +0200 +Subject: [PATCH] Add UMASK definition to sysstat(5) manual page (#362) + +Explain UMASK variable in sysstat(5) manual page. + +Signed-off-by: Sebastien GODARD +Cherry-picked-by: Lukáš Zaoral +Upstream-commit: 370ad59826c2320288a1999ef9038e2a2655b8a0 +--- + man/sysstat.in | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/man/sysstat.in b/man/sysstat.in +index 6ce6b473..89bdd3f4 100644 +--- a/man/sysstat.in ++++ b/man/sysstat.in +@@ -140,6 +140,15 @@ daily data files. + These options are used only when a new data file is created. They will be + ignored with an already existing one. + .TP ++.B UMASK ++.RB "The " "sa1" " and " "sa2" ++scripts generate system activity data and report files in the ++.IR /var/log/sa ++directory. By default the files are created with umask 0022 ++and are therefore readable for all users. Change this variable to restrict ++the permissions on the files (e.g. use 0027 to adhere to more strict ++security standards). ++.TP + .B YESTERDAY + .RB "By default " "sa2" + script generates yesterday's summary, since the diff --git a/SPECS/sysstat.spec b/SPECS/sysstat.spec index da6b112..c12475c 100644 --- a/SPECS/sysstat.spec +++ b/SPECS/sysstat.spec @@ -1,7 +1,7 @@ Summary: Collection of performance monitoring tools for Linux Name: sysstat Version: 12.5.4 -Release: 5%{?dist} +Release: 7%{?dist} License: GPLv2+ URL: http://sebastien.godard.pagesperso-orange.fr/ Source: https://github.com/sysstat/sysstat/archive/v%{version}.tar.gz @@ -14,6 +14,10 @@ Source2: colorsysstat.sh Patch1: sysstat-12.5.4-CVE-2022-39377.patch # {cifsio,io,mp,pid}stat --dec and sar --dec report values from single alphabet other than defined (bz2080650) Patch2: sysstat-12.5.4-bz2080650.patch +# check_overflow() function can work incorrectly that lead to an overflow (CVE-2023-33204) +Patch3: sysstat-12.5.4-CVE-2023-33204.patch +# add description of UMASK to man/systat.in (bz2216805) +Patch4: sysstat-12.5.4-bz2216805.patch BuildRequires: make BuildRequires: gcc, gettext, lm_sensors-devel, pcp-libs-devel, systemd, git @@ -91,6 +95,12 @@ fi %{_localstatedir}/log/sa %changelog +* Thu Jul 27 2023 Lukáš Zaoral - 12.5.4-7 +- add description of UMASK to man/systat.in (rhbz#2216805) + +* Fri Jun 30 2023 Pavel Šimovec - 12.5.4-6 +- fix the arithmetic overflow in allocate_structures() that is still possible on some 32 bit systems (CVE-2023-33204) + * Tue Feb 21 2023 Lukáš Zaoral - 12.5.4-5 - Fix --dec argument validation (rhbz#2080650)