Bug#1106544: unblock: atop/2.11.1-3 or atop/2.11.2-1 (pre-approval)
Control: tags -1 moreinfo
On 2025-05-25 21:31:33 +0200, Marc Haber wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: atop@packages.debian.org
> Control: affects -1 + src:atop
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Hi,
>
> the atop upstream has added robustness patches to atop 2.11.1: They have
> replaced all instances of sprintf in the code with snprintf calls, and
> they have identified and fixed a buffer overflow crash that only happens
> on the Raspberry Pi 5 (which Debian doesn't officially support then). I
> think that Debian downstreams such as Raspberry Pi OS will profit from
> this change though.
>
> https://salsa.debian.org/debian/atop/-/tree/mh/wip-security/debian/patches?ref_type=heads
>
> show three new patches in quilt format
> with 0016-replace-sprintf-with-snprintf.patch being all straightforward
> sprintf/snprintf changes,
> 0017-new-parameter-for-formatr_bandw-to-get-rid-of-sprint.patch being a new
> prototype for the format_bandw function, giving more information into
> the function for a sprintf/snprintf conversion and
> 0018-fix-buffer-overflow-crash-on-Raspberry-Pi-5-fake-NUM.patch being the fake
> NUMA patch for the Raspi 5.
>
> These three patches will bring a future atop 2.11.1-3 to the same code
> base as the 2.11.2 upstream version that upstream will release shortly.
>
> Please indicate whether you would be willing to pre-approve either a
> 2.11.2-1 with the new upstream version, or a 2.11.1-3 with an arbitrary
> subset of the three patches I have prepared.
If it's the same codebase anyway, uploading the new upstream release as
2.11.2-1 would better reflect the situation. But if you want a definite
answer, please provide debdiffs of both cases.
Cheers
>
> [ Reason ]
> The sprintf/snprintf changes will obviously increase the atop's
> security, and the fake NUMA patch will make atop work on the Raspberry
> Pi 5 when Raspberry Pi OS will pull the package from trixie instead of
> immediately segfaulting.
>
> [ Impact ]
> Reduced security for all systems, package unusable on Raspi 5
>
> [ Tests ]
> I can only check manually whether the package works. Sadly, the atop
> package does only have superficial autopkgtests since I don't have a
> clue how to test a package that is interactive and does automated things
> at midnight.
>
> [ Risks ]
> atop is a leaf package, nothing depends on it, only the hollywood
> package (a gag package itself) Recommends it; there are numerous
> alternatives (htop, btop, top etc.) available.
>
> [ Checklist ]
> Will fill the checklist out once pre-approval is given and it was
> decided how to proceed
>
> Thanks for your consideration. atop upstream has been extremely helpful
> in the last months, they are a real pleasure to cooperate with. I would
> love to have their latest security patches in trixie if just to be nice
> to them.
>
> Greetings
> Marc
>
--
Sebastian Ramacher
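The thread describes two of the upstream changes only in outline: swapping sprintf for snprintf, and giving a formatting helper (format_bandw) an extra parameter so it knows how large its destination buffer is. The following is an added illustration of that pattern, written for this page and not taken from atop or from the patches linked above; the helper name `fmt_bandwidth`, its signature and the unit labels are assumptions, and `fmt_matches` exists only to make the behaviour checkable. The point it demonstrates is why the size parameter matters: with sprintf the helper cannot know the caller's buffer size and will write past its end, whereas with snprintf it stops at the boundary, keeps the NUL terminator, and reports the truncation through its return value.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical formatting helper modelled on the page's description of
   format_bandw gaining a buffer-size parameter. Not atop's own code.
   The unsafe pre-change shape would have been roughly
       void fmt_bandwidth(char *buf, uint64_t bps) { sprintf(buf, ...); }
   where nothing stops the write from overrunning buf. */

/* Format bytes/second as a human-readable rate into buf[bufsz].
   Returns 0 on success, -1 if the output did not fit (buf then holds a
   truncated, NUL-terminated prefix) or the arguments were invalid. */
static int fmt_bandwidth(char *buf, size_t bufsz, uint64_t bytes_per_sec)
{
    static const char *const units[] = { "B/s", "KB/s", "MB/s", "GB/s", "TB/s" };
    const size_t nunits = sizeof units / sizeof units[0];
    double val = (double)bytes_per_sec;
    size_t u = 0;
    int n;

    if (buf == NULL || bufsz == 0)
        return -1;

    while (val >= 1024.0 && u < nunits - 1) {
        val /= 1024.0;
        u++;
    }

    /* snprintf writes at most bufsz bytes including the terminator and
       returns the length the complete output would have had, so a return
       value >= bufsz is the truncation signal the caller can act on. */
    n = snprintf(buf, bufsz, "%.1f %s", val, units[u]);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/* Check helper (assumed, for demonstration): formats into a buffer of
   bufsz bytes and reports whether both the return code and the resulting
   string match the expected values. */
static int fmt_matches(uint64_t bps, size_t bufsz, int want_rc, const char *want)
{
    char buf[64];
    int rc;

    if (bufsz > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);       /* make a missing NUL visible */
    rc = fmt_bandwidth(buf, bufsz, bps);
    return rc == want_rc && strcmp(buf, want) == 0;
}

int main(void)
{
    char buf[64];

    /* Normal case: plenty of room. */
    if (fmt_bandwidth(buf, sizeof buf, 1536) == 0)
        printf("ok:        %s\n", buf);

    /* Undersized destination: 4 bytes hold only "1.5" plus the NUL.
       sprintf would have kept writing " KB/s" past the end of the array;
       snprintf truncates and the helper reports it. */
    if (fmt_bandwidth(buf, 4, 1536) == -1)
        printf("truncated: %s\n", buf);

    return 0;
}
```

Callers that treat `-1` as an error (or log it) turn what used to be silent memory corruption into a visible, recoverable condition, which is also what makes the truncation path easy to exercise in a unit test.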