
Security Advisory: sysstat security update

Advisory: RHSA-2004:053-16
Type: Security Advisory
Severity: Moderate
Issued on: 2004-03-10
Last updated on: 2004-03-10
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2004-0107
CVE-2004-0108

Details

Updated sysstat packages that fix various bugs and security issues are now
available.

Sysstat is a tool for gathering system statistics. Isag is a utility for
graphically displaying these statistics.

A bug was found in the Red Hat sysstat package's post-install and trigger
scripts, which used predictable temporary file names in /tmp. Because RPM
runs these scriptlets as root at install time, a local attacker who
pre-created carefully-crafted symbolic links under those names could cause
the scripts to overwrite system files. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0107 (now
CVE-2004-0107) to this issue.

While fixing this issue, a flaw was discovered in the isag utility, which
also used insecure temporary file names. Because isag runs as the invoking
user rather than as root, a local attacker using carefully-crafted
symbolic links in /tmp can only overwrite files that the user running isag
has write access to. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0108 (now CVE-2004-0108) to
this issue.
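
The following shell script is an added illustration of the class of bug behind both CVEs; it is not the sysstat scriptlets or isag code. It stages a scratch directory that stands in for /tmp and a file named system_file that stands in for whatever the attacker wants clobbered; the predictable name sysstat.tmp is made up for the demonstration. It shows the plain-redirect pattern following a planted symlink, then two ways of closing the hole: mktemp(1), which is the standard remedy, and the shell's noclobber option as defence in depth.

```shell
#!/bin/sh
# Added illustration, not the sysstat scriptlets themselves: why a script
# that runs as root (an RPM %post or trigger scriptlet does) must never
# write to a predictable name in /tmp, and how mktemp(1) and noclobber
# close the hole. Everything happens inside a scratch directory that
# stands in for /tmp; "system_file" stands in for the file an attacker
# wants to clobber and "sysstat.tmp" is a made-up predictable name.

# Create the scratch directory with a protected file in it; print its path.
make_sandbox() {
    d=$(mktemp -d) || return 1
    printf 'original system file\n' > "$d/system_file"
    printf '%s\n' "$d"
}

# The attacker's move: plant a symlink at the name the script is known to
# use, pointing at the file they want overwritten. Any local account can
# do this in a world-writable /tmp.
plant_symlink() {
    ln -s "$1/system_file" "$1/sysstat.tmp"
}

# Vulnerable pattern: fixed name, plain redirect. open(2) with O_TRUNC
# follows the symlink, so the "temporary" write lands on system_file.
vulnerable_writer() {
    tmp="$1/sysstat.tmp"
    printf 'statistics payload\n' > "$tmp"
    rm -f "$tmp"
}

# Fix 1: mktemp(1) creates a fresh file under a random name with
# O_CREAT|O_EXCL and mode 0600, so there is no name for the attacker to
# predict and no pre-existing path that could be a symlink.
safe_writer() {
    tmp=$(mktemp "$1/sysstat.XXXXXX") || return 1
    printf 'statistics payload\n' > "$tmp"
    rm -f "$tmp"
}

# Fix 2 (defence in depth when the name cannot be changed): with set -C
# (noclobber) the shell refuses to truncate an existing regular file,
# including one reached through a symlink, so the redirect fails loudly
# instead of being silently diverted.
noclobber_writer() {
    tmp="$1/sysstat.tmp"
    ( set -C; printf 'statistics payload\n' > "$tmp" ) 2>/dev/null || return 1
    rm -f "$tmp"
}

# Each demo plants the symlink, runs one writer, prints what the protected
# file contains afterwards, and cleans up.
run_demo() {
    sb=$(make_sandbox) || return 1
    plant_symlink "$sb"
    "$1" "$sb" || :
    cat "$sb/system_file"
    rm -rf "$sb"
}

demo_vulnerable() { run_demo vulnerable_writer; }   # prints: statistics payload
demo_safe()       { run_demo safe_writer; }         # prints: original system file
demo_noclobber()  { run_demo noclobber_writer; }    # prints: original system file

for demo in demo_vulnerable demo_safe demo_noclobber; do
    printf '%s: %s\n' "$demo" "$($demo)"
done
```

The same pattern applies to isag: the only difference is that the write happens with the invoking user's privileges, which is why the advisory rates that flaw as limited to files that user can already write.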

Other issues addressed in this advisory include:

* iostat -x should return all partitions on the system (up to a maximum of
1024)

* sar should handle network device names with more than 8 characters properly

* mpstat should work correctly with more than 7 CPUs as well as generate
correct statistics when accessing individual CPUs. This issue only
affected Red Hat Enterprise Linux 2.1.

* The sysstat package was not built with the proper dependencies, so isag
could fail to run because the tools it needs were not installed. isag has
therefore been split off into its own sysstat-isag subpackage, which
declares the required dependencies. This issue only affects Red Hat
Enterprise Linux 2.1.

Users of sysstat and isag should upgrade to these updated packages, which
contain patches to correct these issues.

NOTE: In order to use isag on Red Hat Enterprise Linux 2.1, you must
install the sysstat-isag package after upgrading.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt
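
The script below is an added example of the manual update path described above, not part of the advisory: it turns the "Updated packages" list into an md5sum manifest, checks the downloaded RPMs against it and against the GPG signature Red Hat embeds in each package, and only then runs rpm -Fvh. Directory names, the manifest location and the sample entries are assumptions for the demonstration; the rpm steps only run on an RPM-based host.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded errata RPMs
# against the advisory's MD5 list and against Red Hat's package signature
# before handing them to rpm -Fvh. The manifest format is the one
# md5sum -c reads (hash, two spaces, file name). Directory names and the
# sample entries mentioned in comments are assumptions for the demo.

# Turn "<name>.rpm" lines followed by "MD5: <hash>" lines, pasted from the
# "Updated packages" list, into an md5sum manifest on stdout. Lines such
# as "File outdated by: ..." that sit between them are ignored.
advisory_to_manifest() {
    awk '
        /\.rpm$/   { name = $1 }
        /^ *MD5: / { print $2 "  " name }
    '
}

# Compare every file named in the manifest with its listed hash.
# md5sum -c exits non-zero on any mismatch or missing file, so one exit
# status covers the whole set. The manifest may be given relative to the
# current directory; it is resolved before changing into the RPM directory.
verify_checksums() {
    dir=$1
    manifest=$2
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    ( cd "$dir" && md5sum -c "$manifest" > /dev/null 2>&1 )
}

# A matching MD5 only shows you hold the bytes the advisory page listed,
# and MD5 is no longer collision resistant; the GPG signature inside each
# RPM is what proves Red Hat built it. Import Red Hat's public key with
# rpm --import first (the key is linked at the end of this advisory);
# rpm -K (--checksig) then exits non-zero for a bad or unverifiable
# signature.
verify_signatures() {
    for f in "$1"/*.rpm; do
        rpm -K "$f" > /dev/null || return 1
    done
}

# Freshen only the packages already installed, exactly as the advisory
# describes with rpm -Fvh, but only after both checks pass.
# Usage: advisory_to_manifest < pasted_list.txt > manifest
#        apply_update ./rhsa-2004-053 ./manifest
apply_update() {
    dir=$1
    manifest=$2
    command -v rpm > /dev/null || { echo "rpm not found on this host" >&2; return 1; }
    verify_checksums "$dir" "$manifest" ||
        { echo "MD5 mismatch or missing file, refusing to install" >&2; return 1; }
    verify_signatures "$dir" ||
        { echo "signature check failed, refusing to install" >&2; return 1; }
    rpm -Fvh "$dir"/*.rpm
}
```

Note that verify_checksums only catches files that differ from the advisory listing (a truncated download, the wrong architecture, a mirror serving stale files); an attacker able to alter the advisory page you copied the hashes from could alter both, which is why the signature check is the one that matters.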

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
sysstat-4.0.1-12.src.rpm
File outdated by:  RHBA-2004:503
    MD5: 176f1fd17f8265c8de4bc93d1bd1b514
 
IA-32:
sysstat-4.0.1-12.i386.rpm
File outdated by:  RHBA-2004:503
    MD5: b80a452325ad02680631550c2c3b6a85
sysstat-isag-4.0.1-12.i386.rpm
File outdated by:  RHBA-2004:503
    MD5: 9aa4781c7439d156db671588dac188f3
 
IA-64:
sysstat-4.0.1-12.ia64.rpm
File outdated by:  RHBA-2004:503
    MD5: 49239a90e360bef7b37f7d554d259796
sysstat-isag-4.0.1-12.ia64.rpm
File outdated by:  RHBA-2004:503
    MD5: 34ba11ecc8131ee90ad2a365d7e5bee7
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
sysstat-4.0.7-4.EL3.2.src.rpm
File outdated by:  RHBA-2006:0024
    MD5: 724dbc7aaed96c05eab1ce93f43e6c5f
 
IA-32:
sysstat-4.0.7-4.EL3.2.i386.rpm
File outdated by:  RHBA-2006:0024
    MD5: 1000e06056fd11484b2cf6f564e3bd52
 
IA-64:
sysstat-4.0.7-4.EL3.2.ia64.rpm
File outdated by:  RHBA-2006:0024
    MD5: 22fee83220ce18416e50e0a9873e6e20
 
PPC:
sysstat-4.0.7-4.EL3.2.ppc.rpm
File outdated by:  RHBA-2006:0024
    MD5: d3c02ee264f1bf914b370bd94339e358
 
s390:
sysstat-4.0.7-4.EL3.2.s390.rpm
File outdated by:  RHBA-2006:0024
    MD5: 834d6055749a352b536a2a7d65539c55
 
s390x:
sysstat-4.0.7-4.EL3.2.s390x.rpm
File outdated by:  RHBA-2006:0024
    MD5: 098e4e7fe84ffc54349071d4b9f24031
 
x86_64:
sysstat-4.0.7-4.EL3.2.x86_64.rpm
File outdated by:  RHBA-2006:0024
    MD5: b1dce2547aa02fed9a5adfa4648b762e
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
sysstat-4.0.1-12.src.rpm
File outdated by:  RHBA-2004:503
    MD5: 176f1fd17f8265c8de4bc93d1bd1b514
 
IA-32:
sysstat-4.0.1-12.i386.rpm
File outdated by:  RHBA-2004:503
    MD5: b80a452325ad02680631550c2c3b6a85
sysstat-isag-4.0.1-12.i386.rpm
File outdated by:  RHBA-2004:503
    MD5: 9aa4781c7439d156db671588dac188f3
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
sysstat-4.0.7-4.EL3.2.src.rpm
File outdated by:  RHBA-2006:0024
    MD5: 724dbc7aaed96c05eab1ce93f43e6c5f
 
IA-32:
sysstat-4.0.7-4.EL3.2.i386.rpm
File outdated by:  RHBA-2006:0024
    MD5: 1000e06056fd11484b2cf6f564e3bd52
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
sysstat-4.0.1-12.src.rpm
File outdated by:  RHBA-2004:503
    MD5: 176f1fd17f8265c8de4bc93d1bd1b514
 
IA-32:
sysstat-4.0.1-12.i386.rpm
File outdated by:  RHBA-2004:503
    MD5: b80a452325ad02680631550c2c3b6a85
sysstat-isag-4.0.1-12.i386.rpm
File outdated by:  RHBA-2004:503
    MD5: 9aa4781c7439d156db671588dac188f3
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
sysstat-4.0.7-4.EL3.2.src.rpm
File outdated by:  RHBA-2006:0024
    MD5: 724dbc7aaed96c05eab1ce93f43e6c5f
 
IA-32:
sysstat-4.0.7-4.EL3.2.i386.rpm
File outdated by:  RHBA-2006:0024
    MD5: 1000e06056fd11484b2cf6f564e3bd52
 
IA-64:
sysstat-4.0.7-4.EL3.2.ia64.rpm
File outdated by:  RHBA-2006:0024
    MD5: 22fee83220ce18416e50e0a9873e6e20
 
x86_64:
sysstat-4.0.7-4.EL3.2.x86_64.rpm
File outdated by:  RHBA-2006:0024
    MD5: b1dce2547aa02fed9a5adfa4648b762e
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
sysstat-4.0.1-12.src.rpm
File outdated by:  RHBA-2004:503
    MD5: 176f1fd17f8265c8de4bc93d1bd1b514
 
IA-64:
sysstat-4.0.1-12.ia64.rpm
File outdated by:  RHBA-2004:503
    MD5: 49239a90e360bef7b37f7d554d259796
sysstat-isag-4.0.1-12.ia64.rpm
File outdated by:  RHBA-2004:503
    MD5: 34ba11ecc8131ee90ad2a365d7e5bee7
 

Bugs fixed (see bugzilla for more information)

110822 - RHEL 3 U2: iostat -x only returns a small set of the partitions on the system
78212 - sysstat package post scripts, trigger scripts use insecure tmp files
90574 - mpstat doesn't report on more than 7 cpus
92052 - sar doesn't seem to handle interface names greater than eight chars


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/