Fix --dec argument validation

Resolves: rhbz#2080650
This commit is contained in:
Lukáš Zaoral 2023-02-21 13:26:40 +01:00
parent b3dcb93f16
commit ef63c0211a
No known key found for this signature in database
GPG Key ID: 39157506DD67752D
2 changed files with 118 additions and 1 deletions

View File

@ -0,0 +1,112 @@
From 398585bfe7b1340d41143f50dfc868ef8ab9a5e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= <lzaoral@redhat.com>
Date: Tue, 21 Feb 2023 12:43:42 +0100
Subject: [PATCH] Tools that take --dec=X option should only accept digits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Right now the argument of --dec is passed to atoi(3) which returns 0
on conversion error. Therefore, --dec=A was not rejected and was
equivalent to --dec=0 by mistake.
Signed-off-by: Lukáš Zaoral <lzaoral@redhat.com>
---
cifsiostat.c | 5 +++++
iostat.c | 5 +++++
mpstat.c | 5 +++++
pidstat.c | 5 +++++
sar.c | 6 ++++++
5 files changed, 26 insertions(+)
diff --git a/cifsiostat.c b/cifsiostat.c
index 375b1ff..849583b 100644
--- a/cifsiostat.c
+++ b/cifsiostat.c
@@ -522,6 +522,11 @@ int main(int argc, char **argv)
}
else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) {
+ /* Check that the argument is a digit */
+ if (!isdigit(argv[opt][6])) {
+ usage(argv[0]);
+ }
+
/* Get number of decimal places */
dplaces_nr = atoi(argv[opt] + 6);
if ((dplaces_nr < 0) || (dplaces_nr > 2)) {
diff --git a/iostat.c b/iostat.c
index 1d7ea3c..7ac56ef 100644
--- a/iostat.c
+++ b/iostat.c
@@ -2142,6 +2142,11 @@ int main(int argc, char **argv)
#endif
else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) {
+ /* Check that the argument is a digit */
+ if (!isdigit(argv[opt][6])) {
+ usage(argv[0]);
+ }
+
/* Get number of decimal places */
dplaces_nr = atoi(argv[opt] + 6);
if ((dplaces_nr < 0) || (dplaces_nr > 2)) {
diff --git a/mpstat.c b/mpstat.c
index 90d6226..5045e45 100644
--- a/mpstat.c
+++ b/mpstat.c
@@ -2221,6 +2221,11 @@ int main(int argc, char **argv)
while (++opt < argc) {
if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) {
+ /* Check that the argument is a digit */
+ if (!isdigit(argv[opt][6])) {
+ usage(argv[0]);
+ }
+
/* Get number of decimal places */
dplaces_nr = atoi(argv[opt] + 6);
if ((dplaces_nr < 0) || (dplaces_nr > 2)) {
diff --git a/pidstat.c b/pidstat.c
index 21fed6c..d550605 100644
--- a/pidstat.c
+++ b/pidstat.c
@@ -2633,6 +2633,11 @@ int main(int argc, char **argv)
}
else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) {
+ /* Check that the argument is a digit */
+ if (!isdigit(argv[opt][6])) {
+ usage(argv[0]);
+ }
+
/* Get number of decimal places */
dplaces_nr = atoi(argv[opt] + 6);
if ((dplaces_nr < 0) || (dplaces_nr > 2)) {
diff --git a/sar.c b/sar.c
index 4f06172..7691793 100644
--- a/sar.c
+++ b/sar.c
@@ -28,6 +28,7 @@
#include <errno.h>
#include <signal.h>
#include <sys/stat.h>
+#include <ctype.h>
#include "version.h"
#include "sa.h"
@@ -1372,6 +1373,11 @@ int main(int argc, char **argv)
}
else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) {
+ /* Check that the argument is a digit */
+ if (!isdigit(argv[opt][6])) {
+ usage(argv[0]);
+ }
+
/* Get number of decimal places */
dplaces_nr = atoi(argv[opt] + 6);
if ((dplaces_nr < 0) || (dplaces_nr > 2)) {
--
2.39.2

View File

@ -1,7 +1,7 @@
Summary: Collection of performance monitoring tools for Linux Summary: Collection of performance monitoring tools for Linux
Name: sysstat Name: sysstat
Version: 12.5.4 Version: 12.5.4
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://sebastien.godard.pagesperso-orange.fr/ URL: http://sebastien.godard.pagesperso-orange.fr/
Source: https://github.com/sysstat/sysstat/archive/v%{version}.tar.gz Source: https://github.com/sysstat/sysstat/archive/v%{version}.tar.gz
@ -12,6 +12,8 @@ Source2: colorsysstat.sh
# arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377) # arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377)
Patch1: sysstat-12.5.4-CVE-2022-39377.patch Patch1: sysstat-12.5.4-CVE-2022-39377.patch
# {cifsio,io,mp,pid}stat --dec and sar --dec report values from single alphabet other than defined (bz2080650)
Patch2: sysstat-12.5.4-bz2080650.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc, gettext, lm_sensors-devel, pcp-libs-devel, systemd, git BuildRequires: gcc, gettext, lm_sensors-devel, pcp-libs-devel, systemd, git
@ -89,6 +91,9 @@ fi
%{_localstatedir}/log/sa %{_localstatedir}/log/sa
%changelog %changelog
* Tue Feb 21 2023 Lukáš Zaoral <lzaoral@redhat.com> - 12.5.4-5
- Fix --dec argument validation (rhbz#2080650)
* Thu Nov 10 2022 Lukáš Zaoral <lzaoral@redhat.com> - 12.5.4-4 * Thu Nov 10 2022 Lukáš Zaoral <lzaoral@redhat.com> - 12.5.4-4
- arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377) - arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377)