[SECURITY] [DLA 4336-1] sysstat security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4336-1] sysstat security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Fri, 17 Oct 2025 16:34:13 +0000 (UTC)
Message-id: <[🔎] 73b861aa-95ee-2a7e-c16f-157b30daecdc@alteholz.de>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4336-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
October 17, 2025                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sysstat
Version        : 12.5.2-2+deb11u1
CVE ID         : CVE-2022-39377 CVE-2023-33204


An issue has been found in sysstat, a system performance tools for Linux.

CVE-2022-39377

    On 32 bit systems, allocate_structures contains a size_t overflow
    in sa_common.c. The allocate_structures function insufficiently
    checks bounds before arithmetic multiplication, allowing for an
    overflow in the size allocated for the buffer representing system
    activities. This issue may lead to Remote Code Execution (RCE).

CVE-2023-33204

    sysstat allows a multiplication integer overflow in check_overflow
    in common.c. NOTE: this issue exists because of an incomplete fix
    for CVE-2022-39377 (see above).


For Debian 11 bullseye, these problems have been fixed in version
12.5.2-2+deb11u1.

We recommend that you upgrade your sysstat packages.

For the detailed security status of sysstat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sysstat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmjycAVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfZyg//XcHTqGc6j53R0aUuOGvLdpPAQgFs8EiTfAfItojfyjP8HfIsKH4JLomB
HH+RJFI3vj5F4aO1uZf8Ib62QxcV8PytUHRjtqj58DJdmzYdoC86Pd+vMZ8Stpev
EHRLmQSbBepC2ZNxjJO57pHDfjZHTwDvxpLOeEttdrd6DdW8a7zBnK39iJlNw+8z
PcHS9gOpiAqLVy5aPO5fXuPClflVw9560eM5BqIIiV/pM0rUwXhtV/8lYRbJtNpG
1uJK41inb3V+0tbz0/0SP34eoYuadt6UEgrRQsdNtBxUjYmPns829naQsZSkqTMI
tWWtm/jDV+VeVFWfwgvb5ehKOPHBX9Mi2Jwyw6+3Ix8CEnVmRfdhOLxiiNO+gx8L
ReSntxDm4WTelSQ5Ub+WMOzkIxKtN7MS42ZCjQ7yuFDxUotZtg+DIKd7aO+OAYuh
VuJVve0IJPHth6uIEY4n4S+aLlVWzqQ3cmjO0tdP7Ti9GKmJhlrKJljlr/yI75XT
RlHahn+gt4Qp8g9wECMTd4GrJVpm0jQ3ZaRFwc+hCwtIWgNCtEndms2rETkaemxU
uaN0iK1EkgToFPsPml8NTBAb1zYU5p2uv8FNAKWLJfXunM4ug4anWvvWYQlw5cn/
3v1Nz+Q5XFVifejEAQj5dHUtfrMQEXVcDFdcEnF2ko3NPMQNYhE=
=SkwL
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4337-1] svgpp security update
Next by Date: [SECURITY] [DLA 4338-1] pgagent security update
Previous by thread: [SECURITY] [DLA 4337-1] svgpp security update
Next by thread: [SECURITY] [DLA 4338-1] pgagent security update
Index(es):
- Date
- Thread