kumquat-buildroot/package/sysstat/sysstat.mk
Fabrice Fontaine e4ef408e8f package/sysstat: security bump to version 12.6.1
Fix CVE-2022-39377: sysstat is a set of system performance tools for the
Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
but prior to 12.7.1, allocate_structures contains a size_t overflow in
sa_common.c. The allocate_structures function insufficiently checks
bounds before arithmetic multiplication, allowing for an overflow in the
size allocated for the buffer representing system activities. This issue
may lead to Remote Code Execution (RCE).

Despite what is written above in the CVE announcement, and as written in
the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
development version):
    c1e631eddc

As a consequence, 12.6.1 is still reported as being affected. Until the
NVD is updated appropriately, we mark the CVE as ignored with a comment
that explains why.

Note: that commit is not reachable from any branch in the sysstat
repository, and Github warns about that, but the commit does belong to
the upstream repository and is reachable from the 12.6.1 tag (it looks
like sysstat only pushes tags-with-history for fix releases).

https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
https://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - ignore the CVE, explain why
  - explain why github warns about the fix commit
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-11-20 12:05:13 +01:00

28 lines
854 B
Makefile

################################################################################
#
# sysstat
#
################################################################################
SYSSTAT_VERSION = 12.6.1
SYSSTAT_SOURCE = sysstat-$(SYSSTAT_VERSION).tar.xz
SYSSTAT_SITE = http://pagesperso-orange.fr/sebastien.godard
SYSSTAT_CONF_OPTS = --disable-file-attr
SYSSTAT_DEPENDENCIES = host-gettext $(TARGET_NLS_DEPENDENCIES)
SYSSTAT_LICENSE = GPL-2.0+
SYSSTAT_LICENSE_FILES = COPYING
SYSSTAT_CPE_ID_VENDOR = sysstat_project
SYSSTAT_SELINUX_MODULES = sysstat
# NVD is not up-to-date; 12.6.1 includes c1e631eddc50, which fixes the issue
SYSSTAT_IGNORE_CVES += CVE-2022-39377
ifeq ($(BR2_PACKAGE_LM_SENSORS),y)
SYSSTAT_DEPENDENCIES += lm-sensors
SYSSTAT_CONF_OPTS += --enable-sensors
else
SYSSTAT_CONF_OPTS += --disable-sensors
endif
$(eval $(autotools-package))