Hello community, here is the log from the commit of package sysstat for openSUSE:Factory checked in at 2019-12-18 14:44:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sysstat (Old) and /work/SRC/openSUSE:Factory/.sysstat.new.4691 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sysstat" Wed Dec 18 14:44:15 2019 rev:85 rq:756729 version:12.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/sysstat/sysstat.changes 2019-11-07 23:15:01.184435754 +0100 +++ /work/SRC/openSUSE:Factory/.sysstat.new.4691/sysstat.changes 2019-12-18 14:47:59.221929523 +0100 
@@ -1,0 +2,59 @@
+Thu Dec 12 15:20:43 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com>
+
+- Security fix: [bsc#1159104, CVE-2019-19725]
+ * Double free in check_file_actlst in sa_common.c
+- Add sysstat-CVE-2019-19725.patch
+- Rebase sysstat-disable-test-failures.patch
+
+-------------------------------------------------------------------
+Thu Nov 14 10:48:14 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com>
+
+- Version update to 12.2.0
+ * sar/sadc: Save timezone value in binary data files (saDD).
+ * sadf: Display timezone value in output from sadf -H.
+ * sar/sadf: Make sure we will always be able to read file headers
+ structures from older versions.
+ * sadf: Enhance raw format output (now also display records header contents).
+ * sadf: Update DTD and XSD documents. Fix their contents so that XML
+ output from 12.0.x sadf versions validates.
+ * sar/sadf: Change 'flags' variable type from "unsigned int" to "uint64_t".
+ * simtest: Make all tests independent from timezone value.
+ * simtest: Add more non regression tests.
+ * sadf: Small fix in manual page.
+ * NLS updated.
+ * FAQ updated.
+- Remove patch fixed upstream:
+ * sysstat-CVE-2019-16167.patch
+
+-------------------------------------------------------------------
+Thu Nov 14 09:04:41 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com>
+
+- Version udate to 12.1.7
+ * sar/sadc: Add stable identifier support for disks statistics.
+ * sar/sadf: Add extra flexibility in binary data file in case of
+ a future format change.
+ * sadf: sadf -H output updated.
+ * iostat: Fix several bugs (CID ##349502, #349503, #349500 and #349501).
+ * sar: Manual page updated.
+ * sadf: Fix memory corruption bug due to integer overflow in
+ remap_struct() function (try #2).
+ * configure: Add new configuration variables: conf_file and sar_dir.
+ * simtest: sar: Add new non regression tests.
+ * simtest: iostat: Make tests independent from timezone value.
+ * NLS updated.
+ +- Version update to 12.1.6 + * iostat: Major code refactoring. Devices structures are now + dynamically allocated, better handle the case when devices are + removed then inserted again in the system, better command line + parsing, better handle devices with a slash in their name. + * sar/sadf: Allow to select individual CPU and/or interrupts when option -A is used. + * sar: Better handle the case when Fibre Channel hosts are added to the system. + * sar: Fix sar -s/-e output on datafiles spanning two consecutive days. + * sadf: Fix memory corruption bug due to integer overflow in remap_struct() function. + * Update sysstat simulation test environment (new tests added, etc.) + * sar manual page updated. + * Various cosmetic fixes (comments updated in code, etc.) + * NLS updated. + +------------------------------------------------------------------- Old: ---- sysstat-12.0.6.tar.xz sysstat-CVE-2019-16167.patch New: ---- sysstat-12.2.0.tar.xz sysstat-CVE-2019-19725.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sysstat.spec ++++++ --- /var/tmp/diff_new_pack.k53mye/_old 2019-12-18 14:47:59.989929874 +0100 +++ /var/tmp/diff_new_pack.k53mye/_new 2019-12-18 14:47:59.989929874 +0100 @@ -1,7 +1,7 @@ # # spec file for package sysstat # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: sysstat -Version: 12.0.6 +Version: 12.2.0 Release: 0 Summary: Sar and Iostat Commands for Linux License: GPL-2.0-or-later 
@@ -31,12 +31,12 @@ # PATCH-FIX-OPENSUSE should be upstreamed # use getpagesize() instead of kb_shift for hugetable archs Patch2: sysstat-8.0.4-pagesize.diff -# PATCH-FIX-UPSTREAM bsc#1150114 CVE-2019-16167 sysstat-CVE-2019-16167.patch -Patch3: sysstat-CVE-2019-16167.patch # PATCH-FIX-OPENSUSE bsc#1151453 -Patch4: sysstat-service.patch +Patch3: sysstat-service.patch # PATCH-FIX-OPENSUSE Temporarily disable failing tests on s390x and ppc64 -Patch5: sysstat-disable-test-failures.patch +Patch4: sysstat-disable-test-failures.patch +# PATCH-FIX-UPSTREAM CVE-2019-19725 bsc#159104 double free in check_file_actlst +Patch5: sysstat-CVE-2019-19725.patch BuildRequires: findutils BuildRequires: gettext-runtime BuildRequires: pkgconfig @@ -76,10 +76,10 @@ %patch0 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 %ifarch s390x ppc64 -%patch5 -p1 +%patch4 -p1 %endif +%patch5 -p1 cp %{S:1} . # remove date and time from objects find ./ -name \*.c -exec sed -i -e 's: " compiled " __DATE__ " " __TIME__::g' {} \; @@ -87,6 +87,7 @@ %build export conf_dir="%{_sysconfdir}/sysstat" export sa_lib_dir="%{_libdir}/sa" +export cron_owner=root export LFLAGS="-L. -lsyscom" export history="60" export sadc_options="-S ALL" @@ -116,7 +117,8 @@ %find_lang %{name} %check -make %{?_smp_mflags} test +# Newer versions only have simulation tests +# make %%{?_smp_mflags} test %pre %service_add_pre sysstat.service sysstat-collect.timer sysstat-summary.timer ++++++ sysstat-12.0.6.tar.xz -> sysstat-12.2.0.tar.xz ++++++ ++++ 132942 lines of diff (skipped) ++++++ sysstat-CVE-2019-16167.patch -> sysstat-CVE-2019-19725.patch ++++++ --- /work/SRC/openSUSE:Factory/sysstat/sysstat-CVE-2019-16167.patch 2019-09-30 15:51:48.170429546 +0200 +++ /work/SRC/openSUSE:Factory/.sysstat.new.4691/sysstat-CVE-2019-19725.patch 2019-12-18 14:47:58.989929417 +0100 
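Review bot: The bug reference in the new comment above `Patch5` reads `bsc#159104`, while the changelog entry for the same fix records `bsc#1159104`, so one of the two is a typo and a search of the spec for the tracker id will miss the CVE-2019-19725 patch. Assuming the changelog is the correct one, the line should read `# PATCH-FIX-UPSTREAM CVE-2019-19725 bsc#1159104 double free in check_file_actlst`. The renumbering of Patch3 and Patch4 in this hunk matches the `%patch` lines changed in the prep hunk that follows.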
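Review bot: After the `%check` hunk the section holds only comments, so the package build no longer runs any test, and that includes the build that ships the CVE-2019-19725 fix. The comment says newer versions only have simulation tests, and the rebased Makefile.in context further down shows a `simtest` target driven by a `do_test` script; either wire that into `%check` or extend the comment to say why it cannot run here, e.g. `# simtest not run during package build: <reason>`. With nothing executed, Patch4 (applied only on s390x and ppc64 to tolerate failures in the `unit` target) appears to have no effect any more, which is worth confirming before keeping it.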
@@ -1,40 +1,24 @@ -Index: sysstat-12.0.6/sa_common.c -=================================================================== ---- sysstat-12.0.6.orig/sa_common.c -+++ sysstat-12.0.6/sa_common.c -@@ -1298,6 +1298,10 @@ void remap_struct(unsigned int gtypes_nr - /* Remap [unsigned] long fields */ - d = gtypes_nr[0] - ftypes_nr[0]; - if (d) { -+ if (ftypes_nr[0] * ULL_ALIGNMENT_WIDTH < ftypes_nr[0]) -+ /* Overflow */ -+ return; -+ - n = MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH, - g_size - gtypes_nr[0] * ULL_ALIGNMENT_WIDTH); - if ((ftypes_nr[0] * ULL_ALIGNMENT_WIDTH >= b_size) || -@@ -1314,6 +1318,11 @@ void remap_struct(unsigned int gtypes_nr - /* Remap [unsigned] int fields */ - d = gtypes_nr[1] - ftypes_nr[1]; - if (d) { -+ if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH + -+ ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1]) -+ /* Overflow */ -+ return; -+ - n = MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH - - ftypes_nr[1] * UL_ALIGNMENT_WIDTH, - g_size - gtypes_nr[0] * ULL_ALIGNMENT_WIDTH -@@ -1338,6 +1347,12 @@ void remap_struct(unsigned int gtypes_nr - /* Remap possible fields (like strings of chars) following int fields */ - d = gtypes_nr[2] - ftypes_nr[2]; - if (d) { -+ if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH + -+ gtypes_nr[1] * UL_ALIGNMENT_WIDTH + -+ ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2]) -+ /* Overflow */ -+ return; -+ - n = MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH - - ftypes_nr[1] * UL_ALIGNMENT_WIDTH - - ftypes_nr[2] * U_ALIGNMENT_WIDTH, +From a5c8abd4a481ee6e27a3acf00e6d9b0f023e20ed Mon Sep 17 00:00:00 2001 +From: Sebastien GODARD <syss...@users.noreply.github.com> +Date: Mon, 9 Dec 2019 17:54:07 +0100 +Subject: [PATCH] Fix #242: Double free in check_file_actlst() + +Avoid freeing buffer() twice. 
+ +Signed-off-by: Sebastien GODARD <syss...@users.noreply.github.com> +--- + sa_common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sa_common.c b/sa_common.c +index cf52aefe..856a3715 100644 +--- a/sa_common.c ++++ b/sa_common.c +@@ -2153,6 +2153,7 @@ void check_file_actlst(int *ifd, char *dfile, struct activity *act[], uint64_t f + } + + free(buffer); ++ buffer = NULL; + + /* Check that at least one activity selected by the user is available in file */ + for (i = 0; i < NR_ACT; i++) { ++++++ sysstat-disable-test-failures.patch ++++++ --- /var/tmp/diff_new_pack.k53mye/_old 2019-12-18 14:48:07.405933266 +0100 +++ /var/tmp/diff_new_pack.k53mye/_new 2019-12-18 14:48:07.409933268 +0100 @@ -1,13 +1,13 @@ -Index: sysstat-12.0.6/Makefile.in +Index: sysstat-12.2.0/Makefile.in =================================================================== ---- sysstat-12.0.6.orig/Makefile.in -+++ sysstat-12.0.6/Makefile.in -@@ -584,7 +584,7 @@ TESTLIST:=$(shell ls $(TESTDIR) | egrep +--- sysstat-12.2.0.orig/Makefile.in ++++ sysstat-12.2.0/Makefile.in +@@ -638,7 +638,7 @@ testcomp: tests/ini/inisar unit: @echo $(X) 2>&1 - @cat $(TESTDIR)/$(X) | $(TESTRUN) + @cat $(TESTDIR)/$(X) | $(TESTRUN) || { echo "Skip build failure in s390x and ppc64" ; } - test: all - @$(foreach x, $(TESTLIST), $(MAKE) X=$x unit || exit;) + # Use "do_test" script to make the following target + simtest: all testcomp
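Review bot: The added `buffer = NULL;` after `free(buffer);` in check_file_actlst() carries no comment, and the second free() it neutralises is not inside the hunk, so the code alone does not show why the reset matters. I would add `/* buffer may be freed again on a later exit path; NULL makes that free() a no-op */` above it, worded to match the path identified in upstream issue #242. The function body continues past the hunk, so whether any other exit path still frees or reads the stale pointer cannot be checked from here. The patch description also says "Avoid freeing buffer() twice", although buffer is a variable rather than a function.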