sysstat: CVE-2018-19416: the remap_struct function in sa_common.c has an out-of-bounds read during a memmove call

Related Vulnerabilities: CVE-2018-19416, CVE-2018-19517

Debian Bug report logs - #914384


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 22 Nov 2018 20:39:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version sysstat/12.0.1-1

Fixed in version sysstat/12.0.3-1

Done: Robert Luberda <robert@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/sysstat/sysstat/issues/196




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Robert Luberda <robert@debian.org>:
Bug#914384; Package src:sysstat. (Thu, 22 Nov 2018 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Robert Luberda <robert@debian.org>. (Thu, 22 Nov 2018 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sysstat: CVE-2018-19416: the remap_struct function in sa_common.c has an out-of-bounds read during a memmove call
Date: Thu, 22 Nov 2018 21:35:39 +0100
Source: sysstat
Version: 12.0.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/sysstat/sysstat/issues/196

Hi,

The following vulnerability was published for sysstat.

CVE-2018-19416[0]:
| An issue was discovered in sysstat 12.1.1. The remap_struct function in
| sa_common.c has an out-of-bounds read during a memmove call, as
| demonstrated by sadf.

The poc to verify a fix (base64 encoded here):

ltV1ITAwMDBIAQAAMDAwMAEAAAABAAAAMAAAADAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAgAAADAwMDAAAAAAAAAAAAkA
AAAC/////wAAAAAAAAAkAAAAEAAAADAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMAAwAAAAMDAwMDAwMDAwMDAwMDAwMDAwMDABAAAAMDAwMDAwMAAwAAAA
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19416
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19416
[1] https://github.com/sysstat/sysstat/issues/196
[2] https://bugzilla.novell.com/show_bug.cgi?id=1117001

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#914384; Package src:sysstat. (Sat, 24 Nov 2018 19:30:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Sat, 24 Nov 2018 19:30:03 GMT)


Message #10 received at 914384@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 914384@bugs.debian.org
Subject: Re: sysstat: CVE-2018-19416: the remap_struct function in sa_common.c has an out-of-bounds read during a memmove call
Date: Sat, 24 Nov 2018 20:26:12 +0100
Hi,

On Thu, 22 Nov 2018 21:35:39 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: sysstat
> Version: 12.0.1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sysstat/sysstat/issues/196
> 
> Hi,
> 
> The following vulnerability was published for sysstat.
[...]

I can't reproduce the issue on Jessie. By executing the POC with sadf
stack_oob I get

Invalid system activity file: stack_oob
File created by sar/sadc from sysstat version 48.48.48.48
Current sysstat version can no longer read the format of this file (0x2175)

Looking closer at the affected source code I see that the vulnerable
function remap_struct was first introduced on 22.9.2017.

https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c#diff-cccb0877d1539c562536a98e0d17428f

Hence I think Jessie is not affected. If I am correct then Stretch
should be safe as well, double-checking that would be appreciated.

Regards,

Markus


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 29 Nov 2018 17:15:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#914384; Package src:sysstat. (Wed, 20 Feb 2019 22:39:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Robert Luberda <robert@debian.org>. (Wed, 20 Feb 2019 22:39:03 GMT)


Message #17 received at 914384@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: robert@debian.org
Cc: 914384@bugs.debian.org
Subject: Re: sysstat: CVE-2018-19416: the remap_struct function in sa_common.c has an out-of-bounds read during a memmove call
Date: Wed, 20 Feb 2019 23:34:16 +0100
On Thu, Nov 22, 2018 at 09:35:39PM +0100, Salvatore Bonaccorso wrote:
> Source: sysstat
> Version: 12.0.1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sysstat/sysstat/issues/196
> 
> Hi,
> 
> The following vulnerability was published for sysstat.
> 
> CVE-2018-19416[0]:
> | An issue was discovered in sysstat 12.1.1. The remap_struct function in
> | sa_common.c has an out-of-bounds read during a memmove call, as
> | demonstrated by sadf.

Fixed https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548

Can we please get that fixed for buster?

Cheers,
        Moritz



Reply sent to Robert Luberda <robert@debian.org>:
You have taken responsibility. (Sun, 17 Mar 2019 22:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Mar 2019 22:39:05 GMT)


Message #22 received at 914384-close@bugs.debian.org:

From: Robert Luberda <robert@debian.org>
To: 914384-close@bugs.debian.org
Subject: Bug#914384: fixed in sysstat 12.0.3-1
Date: Sun, 17 Mar 2019 22:36:00 +0000
Source: sysstat
Source-Version: 12.0.3-1

We believe that the bug you reported is fixed in the latest version of
sysstat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914384@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated sysstat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 17 Mar 2019 23:09:46 +0100
Source: sysstat
Binary: isag sysstat sysstat-dbgsym
Architecture: source all amd64
Version: 12.0.3-1
Distribution: experimental
Urgency: medium
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
 isag       - Interactive System Activity Grapher for sysstat
 sysstat    - system performance tools for Linux
Closes: 914384 914553 924864
Changes:
 sysstat (12.0.3-1) experimental; urgency=medium
 .
   * New upstream stable version:
     + sadf: Fix out of bound reads security issues (CVE-2018-19416 and
       CVE-2018-19517, closes: #914384, #914553);
     + sadf: Fix possible infinite loop;
     + sar: Fortify remap_struct() function to prevent possible crashes on
       reading binary datafiles generated by older versions of sysstat.
   * systat.init.d: revert a change introduced in 11.5.5-1, as it caused
     the start script to fail to execute the command that adds "Linux Restart"
     marker into statistics file on systems on which systemd is not used.
     Thanks to Georgios Zarkadas for noticing this (closes: #924864).
   * debian/rules: replace deprecated dh_systemd_start by dh_installsystemd,
     as suggested by lintian; the former command was ignored by debhelper v11,
     which in turn resulted in the `--no-start' option being ignored, and the
     restart markers were incorrectly added during package upgrades.
Checksums-Sha1:
 e709c1e278119c64468a72e0bbfbc8ce1ca2be27 1921 sysstat_12.0.3-1.dsc
 add05e1d50cddf7f0b49939567fc33921e494ae8 603064 sysstat_12.0.3.orig.tar.xz
 9c6ae577626d42ce0c06233dbb2f492363fa4828 33136 sysstat_12.0.3-1.debian.tar.xz
 21fec0e85806d83af9c1b2562b5ab61a6179dca6 64324 isag_12.0.3-1_all.deb
 bdc7e4db1403d7456dc6d0383284879b7267c7ca 748836 sysstat-dbgsym_12.0.3-1_amd64.deb
 b16063c7b21504260b0163ff2ad113272ef3b3be 5998 sysstat_12.0.3-1_amd64.buildinfo
 c7d4d7a2c84c7870ef87c8d5e147114fd1234ddd 561848 sysstat_12.0.3-1_amd64.deb
Checksums-Sha256:
 eeb12edfaa7c045ae99abd58f36f896be9324d5b3702ddc24a85a167bb23a1a3 1921 sysstat_12.0.3-1.dsc
 3dec08069eb240b367c3ad8356ae44710f8ed7e2c23e26683df154250ce5bcd9 603064 sysstat_12.0.3.orig.tar.xz
 b462abf2303de3cb5eecad4f744f29084eb9cdafeb10783aafeb9798b2db5b4b 33136 sysstat_12.0.3-1.debian.tar.xz
 31dc0199528d858033a0a94a81c5e2524ad90d7fbcfab9984f336b993fe6ed59 64324 isag_12.0.3-1_all.deb
 2ba3300b1f19c29b2d86bc226d06435e2895f98eb1aeb288ed6e54266f919b76 748836 sysstat-dbgsym_12.0.3-1_amd64.deb
 df8de72c2fc1564473d826e5027147f4b9f0253686ee1fc8aaab75456a48f6ca 5998 sysstat_12.0.3-1_amd64.buildinfo
 4872b3dace5a6e75e30a68ef0955f7e5090bb5e3963e3b315a01c32101dae838 561848 sysstat_12.0.3-1_amd64.deb
Files:
 f1464253704fccfbc0eab95002bf7192 1921 admin optional sysstat_12.0.3-1.dsc
 325befaa77664e9d393db0b2296f37e3 603064 admin optional sysstat_12.0.3.orig.tar.xz
 b365ff2deed674beef160ce526765148 33136 admin optional sysstat_12.0.3-1.debian.tar.xz
 6ec0359d8de0a538b232194d86ae4f25 64324 admin optional isag_12.0.3-1_all.deb
 d61776fe9dfbd0862261802c9b1780b2 748836 debug optional sysstat-dbgsym_12.0.3-1_amd64.deb
 4352dbbebee5a3eaa9097e2a2709a664 5998 admin optional sysstat_12.0.3-1_amd64.buildinfo
 ed70c54ddb46b3a8bb29f93fa78cc05b 561848 admin optional sysstat_12.0.3-1_amd64.deb

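The CVE text in the original report and the "Fortify remap_struct()" item in the 12.0.3 changelog concern the same class of defect: a routine that remaps binary records from an older file layout to the current one, and sizes its memmove from field counts read out of the file header. Below is an added illustration in C of the defensive pattern; it is not code from sysstat, from the fixing commit, or from anyone in this thread. The `struct layout` type, the `remap_record`, `layout_ok`, `layout_size` and demo function names, the `MAX_FIELDS` cap, the simplified two-class layout (a run of 64-bit counters followed by a run of 32-bit counters) and the sample records are all assumptions made for this example; sysstat's real `remap_struct` has a different signature and layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified record layout (not sysstat's real type): a record
 * is a run of 64-bit counters followed by a run of 32-bit counters. The two
 * counts come from the activity file header, i.e. from untrusted input. */
struct layout {
    uint32_t n64;   /* number of 64-bit counters */
    uint32_t n32;   /* number of 32-bit counters */
};

/* Sanity cap so header counts cannot overflow the size arithmetic below. */
#define MAX_FIELDS 4096u

static int layout_ok(const struct layout *l)
{
    return l->n64 <= MAX_FIELDS && l->n32 <= MAX_FIELDS;
}

static size_t layout_size(const struct layout *l)
{
    return (size_t)l->n64 * 8 + (size_t)l->n32 * 4;
}

/* Remap one record from the on-disk layout (src_l, from the file header) to
 * the layout the running binary expects (dst_l). src and dst may be the same
 * buffer, which is why memmove rather than memcpy is used.
 * Returns 0 on success, -1 when the header-derived sizes do not fit in the
 * buffers; that refusal is what keeps every memmove below in bounds. */
int remap_record(const unsigned char *src, size_t src_len, const struct layout *src_l,
                 unsigned char *dst, size_t dst_len, const struct layout *dst_l)
{
    if (!layout_ok(src_l) || !layout_ok(dst_l))
        return -1;

    size_t src_need = layout_size(src_l);
    size_t dst_need = layout_size(dst_l);
    if (src_need > src_len || dst_need > dst_len)
        return -1;   /* header claims more data than the buffer holds */

    uint32_t c64 = src_l->n64 < dst_l->n64 ? src_l->n64 : dst_l->n64;
    uint32_t c32 = src_l->n32 < dst_l->n32 ? src_l->n32 : dst_l->n32;
    size_t src_off32 = (size_t)src_l->n64 * 8;
    size_t dst_off32 = (size_t)dst_l->n64 * 8;

    /* Move the 32-bit run first so an in-place shift never clobbers the
     * part of the 64-bit run that is kept ([0, c64 * 8)). */
    memmove(dst + dst_off32, src + src_off32, (size_t)c32 * 4);
    memmove(dst, src, (size_t)c64 * 8);

    /* Counters the older file format did not have read as zero. */
    memset(dst + (size_t)c64 * 8, 0, dst_off32 - (size_t)c64 * 8);
    memset(dst + dst_off32 + (size_t)c32 * 4, 0,
           dst_need - dst_off32 - (size_t)c32 * 4);
    return 0;
}

/* Constructed sample: a record written by an "older version" with 2 x 64-bit
 * and 2 x 32-bit counters, remapped in place into a layout with 3 x 64-bit
 * and 1 x 32-bit counters. Returns 1 when the result is as expected. */
int demo_remap_in_place(void)
{
    unsigned char buf[64] = {0};
    const struct layout old_l = { 2, 2 }, new_l = { 3, 1 };
    uint64_t a = 0x1111111111111111ull, b = 0x2222222222222222ull;
    uint32_t c = 0x33333333u, d = 0x44444444u;
    memcpy(buf, &a, 8);
    memcpy(buf + 8, &b, 8);
    memcpy(buf + 16, &c, 4);
    memcpy(buf + 20, &d, 4);

    if (remap_record(buf, sizeof buf, &old_l, buf, sizeof buf, &new_l) != 0)
        return 0;

    uint64_t x, y, z;
    uint32_t w;
    memcpy(&x, buf, 8);
    memcpy(&y, buf + 8, 8);
    memcpy(&z, buf + 16, 8);   /* new counter: must read as zero */
    memcpy(&w, buf + 24, 4);   /* first 32-bit counter survives; d is dropped */
    return x == a && y == b && z == 0 && w == c;
}

/* Constructed sample: a header claiming 100 x 64-bit counters (800 bytes) for
 * a 64-byte buffer. Returns 1 when the remap is refused instead of reading
 * past the end of the buffer. */
int demo_rejects_oversized_header(void)
{
    unsigned char buf[64] = {0};
    const struct layout claimed = { 100, 0 }, new_l = { 3, 1 };
    return remap_record(buf, sizeof buf, &claimed, buf, sizeof buf, &new_l) == -1;
}

int main(void)
{
    printf("in-place remap: %s\n", demo_remap_in_place() ? "ok" : "FAIL");
    printf("oversized header refused: %s\n", demo_rejects_oversized_header() ? "ok" : "FAIL");
    return 0;
}
```

The two checks at the top of `remap_record` are the whole point: the field counts decide how many bytes memmove touches, so they must be validated against the bytes actually available before any copy, and a record from an older version that has fewer fields is padded with zeros rather than read beyond its end.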




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Apr 2019 07:32:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:10:10 2019; Machine Name: beach
