Package: release.debian.org
Severity: normal
X-Debbugs-Cc: a...@packages.debian.org
Control: affects -1 + src:atop
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,

the atop upstream has added robustness patches to atop 2.11.1: they have replaced all instances of sprintf in the code with snprintf calls, and they have identified and fixed a buffer overflow crash that only happens on the Raspberry Pi 5 (which Debian doesn't officially support then). I think that Debian downstreams such as Raspberry Pi OS will profit from this change though.

https://salsa.debian.org/debian/atop/-/tree/mh/wip-security/debian/patches?ref_type=heads shows three new patches in quilt format, with 0016-replace-sprintf-with-snprintf.patch being all straightforward sprintf/snprintf changes, 0017-new-parameter-for-formatr_bandw-to-get-rid-of-sprint.patch being a new prototype for the format_bandw function, giving more information into the function for a sprintf/snprintf conversion, and 0018-fix-buffer-overflow-crash-on-Raspberry-Pi-5-fake-NUM.patch being the fake NUMA patch for the Raspi 5.

These three patches will bring a future atop 2.11.1-3 to the same code base as the 2.11.2 upstream version that upstream will release shortly.

Please indicate whether you would be willing to pre-approve either a 2.11.2-1 with the new upstream version, or a 2.11.1-3 with an arbitrary subset of the three patches I have prepared.

[ Reason ]
The sprintf/snprintf changes will obviously increase atop's security, and the fake NUMA patch will make atop work on the Raspberry Pi 5 when Raspberry Pi OS pulls the package from trixie, instead of immediately segfaulting.

[ Impact ]
Reduced security for all systems, package unusable on Raspi 5.

[ Tests ]
I can only check manually whether the package works. Sadly, the atop package only has superficial autopkgtests since I don't have a clue how to test a package that is interactive and does automated things at midnight.

[ Risks ]
atop is a leaf package, nothing depends on it, only the hollywood package (a gag package itself) Recommends it, and there are numerous alternatives (htop, btop, top etc.) available.
[ Checklist ]
Will fill the checklist out once pre-approval is given and it was decided how to proceed.

Thanks for your consideration. atop upstream has been extremely helpful in the last months, they are a real pleasure to cooperate with. I would love to have their latest security patches in trixie, if just to be nice to them.

Greetings
Marc
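The sprintf to snprintf conversion the request describes, shown as an added illustration that is not code from atop or from the Debian patches: a hypothetical helper in the shape of format_bandw, first writing unbounded, then taking the buffer size as an extra parameter (the kind of "more information into the function" the 0017 patch adds) and reporting truncation to the caller.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a formatting helper like atop's format_bandw.
 * Pre-patch shape: the callee does not know how large the caller's buffer
 * is, so sprintf writes as many bytes as the formatted value needs. */
static char *format_bandw_unbounded(char *buf, unsigned long kbps)
{
    /* Unbounded write: a large value overruns a small caller buffer. */
    sprintf(buf, "%lu Kbps", kbps);
    return buf;
}

/* Post-patch shape: the caller passes the buffer size, snprintf bounds the
 * write, and the return value is checked. snprintf always NUL-terminates
 * when bufsz > 0, but it truncates silently, so the caller must look at
 * the return value to notice that the output did not fit.
 * Returns true when the full string fits, false when it was truncated. */
static bool format_bandw_bounded(char *buf, size_t bufsz, unsigned long kbps)
{
    int n = snprintf(buf, bufsz, "%lu Kbps", kbps);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    char big[64];
    char tiny[8];   /* constructed: too small for "100 Kbps" plus the NUL */

    printf("%s\n", format_bandw_unbounded(big, 100));

    if (!format_bandw_bounded(tiny, sizeof tiny, 100))
        printf("truncated to \"%s\"\n", tiny);   /* prints: truncated to "100 Kbp" */
    return 0;
}
```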