Bug 1211507 (CVE-2023-33204) - VUL-0: CVE-2023-33204: sysstat: sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for .
Summary: VUL-0: CVE-2023-33204: sysstat: sysstat through 12.7.2 allows a multiplicatio...
Status: REOPENED
: 1217270
Alias: CVE-2023-33204
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: David Anes
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/366902/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-33204:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-18 12:58 UTC by Stoyan Manolov
Modified: 2023-11-17 08:47 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Stoyan Manolov 2023-05-18 12:58:26 UTC
CVE-2023-33204

sysstat through 12.7.2 allows a multiplication integer overflow in
check_overflow in common.c. NOTE: this issue exists because of an incomplete fix
for CVE-2022-39377.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33204
https://www.cve.org/CVERecord?id=CVE-2023-33204
https://github.com/sysstat/sysstat/pull/360
Comment 3 David Anes 2023-05-23 19:10:54 UTC
From https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-39377:

** This only affects 32 bit systems, which we do not support. Closing.

I already sent the fix to TW here:
* https://build.opensuse.org/request/show/1088723

Shouldn't we just close it for other codestreams as we don't support 32 bit systems?
Comment 5 Simon Logan 2023-10-03 10:31:07 UTC
Hi folks,

Are you planning to provide a fix for Leap 15.4?

Thanks,
Simon
Comment 6 David Anes 2023-10-30 13:11:32 UTC
(In reply to Simon Logan from comment #5)
> Hi folks,
> 
> Are you planning to provide a fix for Leap 15.4?
> 
> Thanks,
> Simon

Do you mind opening a new bug targeting the Leap package, please?
Comment 7 David Anes 2023-10-30 13:13:12 UTC
(In reply to David Anes from comment #6)
> (In reply to Simon Logan from comment #5)
> > Hi folks,
> > 
> > Are you planning to provide a fix for Leap 15.4?
> > 
> > Thanks,
> > Simon

Ooops, sorry, I think the patch is already there as we fixed it in SLE long ago :)
Comment 8 Simon Logan 2023-11-01 16:30:53 UTC
(In reply to David Anes from comment #7)
> (In reply to David Anes from comment #6)
> > (In reply to Simon Logan from comment #5)
> > > Hi folks,
> > > 
> > > Are you planning to provide a fix for Leap 15.4?
> > > 
> > > Thanks,
> > > Simon
> 
> Ooops, sorry, I think the patch is already there as we fixed it in SLE long
> ago :)

Thanks for looking at this David.
https://www.suse.com/security/cve/CVE-2023-33204.html shows a fix in tumbleweed, package version 12.6.2-2.1.
Leap 15.4 has version 12.0.2-3.33.1

If this was fixed in SLE long ago surely a fix wouldn't be needed in tumbleweed now. How confident are you about this fix already being in Leap 15.4?

Thanks.
Comment 9 David Anes 2023-11-14 08:36:23 UTC
(In reply to Simon Logan from comment #8)
> If this was fixed in SLE long ago surely a fix wouldn't be needed in
> tumbleweed now. How confident are you about this fix already being in Leap
> 15.4?

Fully, because that bug only affects 32-bit systems :)
Comment 10 Simon Logan 2023-11-16 20:12:05 UTC
(In reply to David Anes from comment #6)
> (In reply to Simon Logan from comment #5)
> > Hi folks,
> > 
> > Are you planning to provide a fix for Leap 15.4?
> > 
> > Thanks,
> > Simon
> 
> Do you mind opening a new bug targeting the Leap package, please?

Sorry David, I just noticed your request for a separate bug report for 15.4.
Please see https://bugzilla.opensuse.org/show_bug.cgi?id=1217270

Thanks,
Simon
Comment 11 Marcus Meissner 2023-11-17 08:16:02 UTC
For Leap we do not have 32bit support, and this only affects 32bit.
Comment 12 Marcus Meissner 2023-11-17 08:17:02 UTC
*** Bug 1217270 has been marked as a duplicate of this bug. ***
Comment 13 Marcus Meissner 2023-11-17 08:23:07 UTC
Leap gets the update from the SLE codebase, so this is the central tracker bug.

I see no need however, as it's only a 32bit problem.
Comment 14 Simon Logan 2023-11-17 08:39:13 UTC
Hi Marcus, no need for a 32 bit fix. I hadn't noticed it was 32 bit only, sorry for the noise.

Simon
Comment 15 Marcus Meissner 2023-11-17 08:41:21 UTC
I am currently reviewing the fix, and we will take a second look.

I am a bit concerned the "32bit only" claim might be incorrect.
Comment 16 Marcus Meissner 2023-11-17 08:47:21 UTC
sysstat mainline git:

sa_common.c:
                /* Look for a possible overflow */
                check_overflow((unsigned int) a->xnr,
                               (unsigned int) nr_alloc,
                               (unsigned int) a->nr2);

                /* Allocate arrays for min and max values... */
                SREALLOC(a->spmin, void,
                         nr_alloc * (size_t) a->nr2 * (size_t) a->xnr * sizeof(double));
                SREALLOC(a->spmax, void,
                         nr_alloc * (size_t) a->nr2 * (size_t) a->xnr * sizeof(double));


- note that the sizeof(double) factor is not taken into account when checking the overflow.

- also, might multiplying 3 ints not overflow even 64bit ints?


We also have no check_overflow in sysstat SLE15 at all currently.
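
The two concerns raised in comment 16, worked through as an added example (not sysstat code and not part of the original thread): a stepwise checked multiplication that includes the element size, next to a counts-only check that compares a single 64-bit product with UINT32_MAX. The names mul_checked, alloc_bytes and counts_only_check are hypothetical, the counts-only function is an assumed shape for contrast rather than a copy of check_overflow, and `limit` stands in for the target's SIZE_MAX.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not sysstat code: *acc *= b unless the result would exceed limit. */
static bool mul_checked(uint64_t *acc, uint64_t b, uint64_t limit)
{
	if (*acc != 0 && b > limit / *acc)
		return false;
	*acc *= b;
	return true;
}

/*
 * Byte count for nr_alloc * nr2 * xnr elements of elem_size bytes.
 * limit models the target's SIZE_MAX (UINT32_MAX or UINT64_MAX).
 */
bool alloc_bytes(unsigned int xnr, unsigned int nr_alloc, unsigned int nr2,
		 uint64_t elem_size, uint64_t limit, uint64_t *bytes)
{
	uint64_t n = 1;

	if (!mul_checked(&n, nr_alloc, limit) || !mul_checked(&n, nr2, limit) ||
	    !mul_checked(&n, xnr, limit) || !mul_checked(&n, elem_size, limit))
		return false;
	*bytes = n;
	return true;
}

/* Constructed contrast: counts only, one 64-bit product compared to UINT32_MAX. */
bool counts_only_check(unsigned int xnr, unsigned int nr_alloc, unsigned int nr2)
{
	unsigned long long p = (unsigned long long) xnr * nr_alloc * nr2;

	return p <= UINT32_MAX;
}

int main(void)
{
	uint64_t bytes = 0;
	unsigned int big = 1u << 22;	/* constructed value: big^3 == 2^66 */

	printf("counts-only, 2^22 each: %d\n", counts_only_check(big, big, big));
	printf("checked, 2^22 each:     %d\n",
	       alloc_bytes(big, big, big, sizeof(double), UINT64_MAX, &bytes));
	printf("checked, 32-bit limit:  %d\n",
	       alloc_bytes(1, 1u << 15, 1u << 15, sizeof(double), UINT32_MAX, &bytes));
	return 0;
}
```

With three counts of 2^22 the 64-bit product wraps to 0, so the counts-only check accepts the request, while the stepwise check rejects it. With counts of 1, 2^15 and 2^15 the product fits in 32 bits, but the byte count only fits once `limit` is UINT64_MAX.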