sysstat: Arbitrary Code Execution — GLSA 202211-07

An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution.

Affected packages

app-admin/sysstat on all architectures
Affected versions < 12.7.1
Unaffected versions >= 12.7.1

Background

sysstat is a package containing a number of performance monitoring utilities for Linux, including sar, mpstat, iostat and sa tools.

Description

On 32 bit systems, an integer overflow can be triggered when displaying activity data files.

Impact

Arbitrary code execution can be achieved via sufficiently crafted malicious input.

Workaround

There is no known workaround at this time.

Resolution

All sysstat users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"
 

References

Release date
November 22, 2022

Latest revision
November 22, 2022: 1

Severity
normal

Exploitable
local

Bugzilla entries