
Bug#1106544: marked as done (unblock: atop/2.11.1-3 or atop/2.11.2-1 (pre-approval))



Your message dated Thu, 29 May 2025 10:34:07 +0000
with message-id <E1uKaaN-006CNJ-1S@respighi.debian.org>
and subject line unblock atop
has caused the Debian Bug report #1106544,
regarding unblock: atop/2.11.1-3 or atop/2.11.2-1 (pre-approval)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106544
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: atop@packages.debian.org
Control: affects -1 + src:atop
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

the atop upstream has added robustness patches to atop 2.11.1: They have 
replaced all instances of sprintf in the code with snprintf calls, and 
they have identified and fixed a buffer overflow crash that only happens 
on the Raspberry Pi 5 (which Debian doesn't officially support then). I 
think that Debian downstreams such as Raspberry Pi OS will profit from 
this change though.

https://salsa.debian.org/debian/atop/-/tree/mh/wip-security/debian/patches?ref_type=heads

show three new patches in quilt format
with 0016-replace-sprintf-with-snprintf.patch being all straightforward
sprintf/snprintf changes,
0017-new-parameter-for-formatr_bandw-to-get-rid-of-sprint.patch being a new
prototype for the format_bandw function, giving more information into 
the function for a sprintf/snprintf conversion and
0018-fix-buffer-overflow-crash-on-Raspberry-Pi-5-fake-NUM.patch being the fake
NUMA patch for the Raspi 5.

These three patches will bring a future atop 2.11.1-3 to the same code 
base as the 2.11.2 upstream version that upstream will release shortly.

Please indicate whether you would be willing to pre-approve either a 
2.11.2-1 with the new upstream version, or a 2.11.1-3 with an arbitrary 
subset of the three patches I have prepared.

[ Reason ]
The sprintf/snprintf changes will obviously increase the atop's 
security, and the fake NUMA patch will make atop work on the Raspberry 
Pi 5 when Raspberry Pi OS will pull the package from trixie instead of 
immediately segfaulting.

[ Impact ]
Reduced security for all systems, package unusable on Raspi 5

[ Tests ]
I can only check manually whether the package works. Sadly, the atop 
package does only have superficial autopkgtests since I don't have a 
clue how to test a package that is interactive and does automated things 
at midnight.

[ Risks ]
atop is a leaf package, nothing depends on it, only the hollywood 
package (a gag package itself) Recommends it, and there are numerous 
alternatives (htop, btop, top etc.) available.

[ Checklist ]
Will fill the checklist out once pre-approval is given and it was 
decided how to proceed

Thanks for your consideration. atop upstream has been extremely helpful 
in the last months, they are a real pleasure to cooperate with. I would 
love to have their latest security patches in trixie if just to be nice 
to them.

Greetings
Marc

--- End Message ---
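The two changes the request above describes (replacing sprintf with snprintf, and giving the formatting function an extra parameter so it knows the destination size) are illustrated by the following added example. This is not atop's own code and not its format_bandw function: the function names, the unit scaling and the output format are assumptions made for this illustration. The point it shows is that snprintf alone is not enough; the callee needs the real buffer size, and the return value has to be checked for truncation.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* 'Before' pattern (hypothetical, for contrast only): the callee receives a
 * pointer but no size, so sprintf has no way to bound the write. A value
 * wider than the caller's buffer overruns it. */
static void format_bandw_unbounded(char *buf, long long bytes_per_sec)
{
    sprintf(buf, "%lld B/s", bytes_per_sec);
}

/* 'After' pattern: the caller passes the destination size, mirroring the
 * "new parameter" idea from the request. The formatted string is always
 * NUL-terminated when bufsz > 0. Returns true when the whole result fit,
 * false when snprintf had to truncate (or on an encoding error). */
bool format_bandw_bounded(char *buf, size_t bufsz, long long bytes_per_sec)
{
    const char *unit = "B/s";
    double v = (double)bytes_per_sec;

    /* Assumed scaling: binary units, one decimal place. */
    if (v >= 1024.0 * 1024.0) {
        v /= 1024.0 * 1024.0;
        unit = "MB/s";
    } else if (v >= 1024.0) {
        v /= 1024.0;
        unit = "KB/s";
    }

    /* snprintf returns the length the full output would have had, not the
     * number of bytes written. n >= bufsz therefore means truncation;
     * a negative n is an error. Both are reported to the caller instead of
     * being silently ignored. */
    int n = snprintf(buf, bufsz, "%.1f %s", v, unit);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    char line[16];

    if (format_bandw_bounded(line, sizeof line, 1536))
        printf("ok:        %s\n", line);

    /* Deliberately small buffer: the bounded version reports truncation and
     * leaves a terminated (if shortened) string instead of overrunning. */
    char small[4];
    if (!format_bandw_bounded(small, sizeof small, 1536))
        printf("truncated: %s\n", small);

    (void)format_bandw_unbounded; /* never called: shown only as the 'before' */
    return 0;
}
```

The contrast with the unbounded version is the whole argument for the patch series: once the size travels with the pointer, every call site gets the same guarantee, and callers can decide what to do when output does not fit rather than discovering it as a crash.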
--- Begin Message ---
Unblocked.

--- End Message ---
