Your message dated Thu, 29 May 2025 10:34:07 +0000
with message-id <e1ukaan-006cnj...@respighi.debian.org>
and subject line unblock atop
has caused the Debian Bug report #1106544,
regarding unblock: atop/2.11.1-3 or atop/2.11.2-1 (pre-approval)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106544
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: a...@packages.debian.org
Control: affects -1 + src:atop
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,
the atop upstream has added robustness patches to atop 2.11.1: They have
replaced all instances of sprintf in the code with snprintf calls, and
they have identified and fixed a buffer overflow crash that only happens
on the Raspberry Pi 5 (which Debian doesn't officially support then). I
think that Debian downstreams such as Raspberry Pi OS will profit from
this change though.
https://salsa.debian.org/debian/atop/-/tree/mh/wip-security/debian/patches?ref_type=heads
shows three new patches in quilt format
with 0016-replace-sprintf-with-snprintf.patch being all straightforward
sprintf/snprintf changes,
0017-new-parameter-for-formatr_bandw-to-get-rid-of-sprint.patch being a new
prototype for the format_bandw function, giving more information into
the function for a sprintf/snprintf conversion and
0018-fix-buffer-overflow-crash-on-Raspberry-Pi-5-fake-NUM.patch being the fake
NUMA patch for the Raspi 5.
These three patches will bring a future atop 2.11.1-3 to the same code
base as the 2.11.2 upstream version that upstream will release shortly.
Please indicate whether you would be willing to pre-approve either a
2.11.2-1 with the new upstream version, or a 2.11.1-3 with an arbitrary
subset of the three patches I have prepared.
[ Reason ]
The sprintf/snprintf changes will obviously increase atop's
security, and the fake NUMA patch will make atop work on the Raspberry
Pi 5 when Raspberry Pi OS will pull the package from trixie instead of
immediately segfaulting.
[ Impact ]
Reduced security for all systems, package unusable on Raspi 5
[ Tests ]
I can only check manually whether the package works. Sadly, the atop
package does only have superficial autopkgtests since I don't have a
clue how to test a package that is interactive and does automated things
at midnight.
[ Risks ]
atop is a leaf package, nothing depends on it, only the hollywood
package (a gag package itself) Recommends it, there are numerous
alternatives (htop, btop, top etc) available.
[ Checklist ]
Will fill the checklist out once pre-approval is given and it was
decided how to proceed
Thanks for your consideration. atop upstream has been extremely helpful
in the last months, they are a real pleasure to cooperate with. I would
love to have their latest security patches in trixie if just to be nice
to them.
Greetings
Marc
--- End Message ---
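An added example, not atop's code and not part of the bug report, illustrating the kind of change patch 0016 and patch 0017 describe: a formatter that used sprintf into a caller-supplied buffer gains a buffer-size parameter so it can use snprintf and report truncation instead of overrunning. The function names format_bandw_unsafe and format_bandw_safe, the unit thresholds and the sample values are hypothetical and chosen only for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical example, not atop's code: a bandwidth formatter whose output
 * length grows with the value being printed. */

/* BEFORE: the function cannot know how large the caller's buffer is, so
 * sprintf writes whatever the value needs. A 12-byte buffer holds
 * "999 bps" fine, but a value near ULLONG_MAX needs about 20 bytes and
 * would overrun it. This variant is kept only for comparison; never call
 * it with a buffer smaller than the longest possible output. */
static void format_bandw_unsafe(char *buf, unsigned long long bps)
{
    if (bps >= 1000000ULL)
        sprintf(buf, "%llu Mbps", bps / 1000000ULL);
    else if (bps >= 1000ULL)
        sprintf(buf, "%llu Kbps", bps / 1000ULL);
    else
        sprintf(buf, "%llu bps", bps);
}

/* AFTER: the buffer length becomes a parameter (the "more information into
 * the function" of patch 0017), so snprintf can bound the write. snprintf
 * returns the length the full string would have had, so a return value of
 * buflen or more means the output was truncated. Returns 0 on success and
 * -1 on truncation or error; the buffer is always NUL-terminated when
 * buflen > 0. */
static int format_bandw_safe(char *buf, size_t buflen, unsigned long long bps)
{
    int n;

    if (buf == NULL || buflen == 0)
        return -1;

    if (bps >= 1000000ULL)
        n = snprintf(buf, buflen, "%llu Mbps", bps / 1000000ULL);
    else if (bps >= 1000ULL)
        n = snprintf(buf, buflen, "%llu Kbps", bps / 1000ULL);
    else
        n = snprintf(buf, buflen, "%llu bps", bps);

    if (n < 0 || (size_t)n >= buflen)
        return -1;   /* truncated: caller can enlarge the buffer or flag it */
    return 0;
}

int main(void)
{
    char small[12];   /* constructed sample: deliberately too small for ULLONG_MAX */

    format_bandw_unsafe(small, 999ULL);          /* fits: "999 bps" */
    printf("unsafe, small value: %s\n", small);

    if (format_bandw_safe(small, sizeof small, 18446744073709551615ULL) < 0)
        printf("safe, huge value: truncated to \"%s\", no overrun\n", small);

    return 0;
}
```

The key point is the return-value check after snprintf: replacing sprintf with snprintf alone prevents the overrun, but without checking the result a silently truncated string can still mislead whoever reads it.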
--- Begin Message ---
Unblocked.
--- End Message ---