Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sysstat for openSUSE:Factory checked in at 2023-05-28 19:21:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sysstat (Old)
 and      /work/SRC/openSUSE:Factory/.sysstat.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sysstat" Sun May 28 19:21:38 2023 rev:105 rq:1089240 version:12.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/sysstat/sysstat.changes 2023-04-16 19:12:59.853315129 +0200 +++ /work/SRC/openSUSE:Factory/.sysstat.new.1533/sysstat.changes 2023-05-28 19:21:46.720582207 +0200 @@ -1,0 +2,7 @@ +Tue May 23 18:36:01 UTC 2023 - David Anes <[email protected]> + +- Security fix: (CVE-2023-33204, bsc#1211507) + * Fix an overflow which is still possible for some values. + * Added patch sysstat-CVE-2023-33204.patch + +------------------------------------------------------------------- New: ---- sysstat-CVE-2023-33204.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sysstat.spec ++++++ --- /var/tmp/diff_new_pack.k6ALew/_old 2023-05-28 19:21:47.212585135 +0200 +++ /var/tmp/diff_new_pack.k6ALew/_new 2023-05-28 19:21:47.216585159 +0200 @@ -34,6 +34,8 @@ # PATCH-FIX-OPENSUSE bsc#1151453 Patch3: sysstat-service.patch Patch4: harden_sysstat.service.patch +# PATCH-FIX-UPSTREAM CVE-2023-33204, bsc#1211507 https://github.com/sysstat/sysstat/pull/360.patch +Patch5: sysstat-CVE-2023-33204.patch BuildRequires: findutils BuildRequires: gettext-runtime BuildRequires: libpcp-devel @@ -79,6 +81,7 @@ # remove date and time from objects find ./ -name \*.c -exec sed -i -e 's: " compiled " __DATE__ " " __TIME__::g' {} \; %patch4 -p1 +%patch5 -p1 %build export conf_dir="%{_sysconfdir}/sysstat" ++++++ sysstat-CVE-2023-33204.patch ++++++ >From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001 From: Pavel Kopylov <[email protected]> Date: Wed, 17 May 2023 11:33:45 +0200 Subject: [PATCH] Fix an overflow which is still possible for some values. --- common.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) Index: sysstat-12.6.2/common.c =================================================================== --- sysstat-12.6.2.orig/common.c +++ sysstat-12.6.2/common.c 
@@ -447,15 +447,17 @@ int check_dir(char *dirname) void check_overflow(unsigned int val1, unsigned int val2, unsigned int val3) { - if ((unsigned long long) val1 * (unsigned long long) val2 * - (unsigned long long) val3 > UINT_MAX) { + if ((val1 != 0) && (val2 != 0) && (val3 != 0) && + (((unsigned long long) UINT_MAX / (unsigned long long) val1 < + (unsigned long long) val2) || + ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) < + (unsigned long long) val3))) { #ifdef DEBUG - fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", - __FUNCTION__, (unsigned long long) val1 * (unsigned long long) val2 * - (unsigned long long) val3); + fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n", + __FUNCTION__, val1, val2, val3); #endif - exit(4); - } + exit(4); + } } #ifndef SOURCE_SADC
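Review bot: the rewritten condition in check_overflow() is correct, but the reason it had to change from multiplication to division belongs in a code comment, because it is not obvious from the hunk alone: the old `(unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3 > UINT_MAX` can itself wrap, since three 32-bit operands yield up to a 96-bit product, so the 64-bit intermediate silently truncates and the comparison misses exactly the large inputs the guard exists for. The new form only ever computes `val1 * val2` after `UINT_MAX / val1 < val2` has established that this product fits in an unsigned int, and the three `!= 0` tests both avoid the division by zero and keep a zero operand (product 0, no overflow) from triggering the abort. Two smaller points: the `- exit(4); - }` / `+ exit(4); + }` pairs are whitespace-only churn that should be dropped from the patch, and the `(unsigned long long) UINT_MAX` casts are redundant under the usual arithmetic conversions, though harmless.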
