- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202505-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Atop: Heap Corruption
     Date: May 14, 2025
     Bugs: #952921
       ID: 202505-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
A vulnerability has been discovered in Atop, which can possibly lead to
arbitrary code execution.

Background
=========
Atop is an ASCII full-screen performance monitor for Linux that is
capable of reporting the activity of all processes (even if processes
have finished during the interval), daily logging of system and process
activity for long-term analysis, highlighting overloaded system
resources by using colors, etc. At regular intervals, it shows system-
level activity related to the CPU, memory, swap, disks (including LVM)
and network layers, and for every process (and thread) it shows e.g. the
CPU utilization, memory growth, disk utilization, priority, username,
state, and exit code.

Affected packages
================
Package           Vulnerable    Unaffected
----------------  ------------  ------------
sys-process/atop  < 2.11.1      >= 2.11.1

Description
==========
A vulnerability has been discovered in Atop. Please review the CVE
identifier referenced below for details.

Impact
=====
Atop allows local users to cause a denial of service (e.g., assertion
failure and application exit) or possibly have unspecified other impact
by running certain types of unprivileged processes while a different
user runs atop.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All Atop users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-process/atop-2.11.1"

References
=========
[ 1 ] CVE-2025-31160
      https://nvd.nist.gov/vuln/detail/CVE-2025-31160

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202505-09

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
======
Copyright 2025 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5