Re: Proposed RC fix for acct

To: Andrew Bower <andrew@bower.uk>
Cc: Sven Geuer <sge@debian.org>, debian-security-tools@lists.debian.org
Subject: Re: Proposed RC fix for acct
From: Carlos Henrique Lima Melara <charles@debian.org>
Date: Sun, 6 Jul 2025 12:32:31 -0300
Message-id: <[🔎] tiskquc7z3v3kxrob2p5ks5gbsq64mnkym5jacr7xdftvvwqm7@37p6lrky7rbr>
In-reply-to: <[🔎] aGpQimx6YmhEl5Zt@shenstone.ab8.net>
References: <aEM7Vo5rS_5gk98U@arden.ab8.net> <8c6109e5d6fd2582d245c67ee1f9d2af2f65706e.camel@debian.org> <aEQGj7WKYnMh2BXA@shenstone.ab8.net> <6cpvkcbpvabzwuc4q72pbz2dnowvjf6ajrgquibptgtb56tmfi@nzsrmspzxb62> <aE0grFivIzQDkIDU@shenstone.ab8.net> <wai7m5eeystnvnxib44v4i6qkyys7xhouwhc4jozzex3z3azlq@cnqm5qfrftml> <aFPHNPiolzz6vF2l@arden.ab8.net> <aGALyEp-B0sdbiVy@shenstone.ab8.net> <37bc72d3jrcpiz3quogjmsav7etfakz6f4ceo5qs35ckmbbj4r@cmf2l4xyyoka> <[🔎] aGpQimx6YmhEl5Zt@shenstone.ab8.net>

Hi Andrew,

On Sun, Jul 06, 2025 at 11:31:38AM +0100, Andrew Bower wrote:
> On Sat, Jun 28, 2025 at 01:25:41PM -0300, Carlos Henrique Lima Melara wrote:
> > On Sat, Jun 28, 2025 at 04:35:36PM +0100, Andrew Bower wrote:
> > > On Thu, Jun 19, 2025 at 09:15:48AM +0100, Andrew Bower wrote:
> > > > On Mon, Jun 16, 2025 at 09:36:05AM -0300, Carlos Henrique Lima Melara wrote:
> > > > > On Sat, Jun 14, 2025 at 08:11:40AM +0100, Andrew Bower wrote:
> > > [...]
> > > The first three commits I think are candidates for including in trixie.
> > > 
> > >  1) Import a buffer overflow patch applied in Ubuntu (#1108428).
> > >  2) Update metadata for the above.
> > >  3) Add autopkgtest
> > > 
> > > The autopkgtest could reduce the load on the release team if we seek to
> > > add the Ubuntu patch. I am aware there's a risk that a failing
> > > autopkgtest makes things worse but I think we could derisk that by
> > > cycling it through 'experimental' and simply removing the test if
> > > the pseudo-excuses show it to be necessary and not be in a worse
> > > position than before the test.
> > 
> > Ok, will read the backlog and probably we can go the proposed way of
> > experimental -> check test results -> file unblock bug.
> 
> Excellent! I have raised a new MR !9 that is specifically the commits I
> propose we upload to experimental first:
> 
>  1. Apply the Ubuntu patch commit untouched.
>  2. Add DEP-3 metadata suitable for its new state in Debian.
>  3. Add the autopkgtest that should help the package through the freeze.
>  4. A changelog suitable for this proposed upload.
> 
> Then I will rebase the general packet refresh MR !8 at a suitable future
> time.

Cool! That is perfect.

Is there a place I can message you directly? Something like matrix or
irc works, I'm reviewing the changes and I'd like to ask some questions
but this back and forth via mail sometimes makes a lot of overhead. I'm
charles on oftc and libera, I'm also in the #debian-pkg-security on
oftc. You can find me as @charles:matrix.debian.social.

Anyway, I'm having a bad time trying to reproduce the buffer overflow on
a trixie vm, basically doing accton on; lastcomm; dump-acct
/var/log/account/pacct; works just fine. All the reports [1][2][3]
says I should see a core dump either in lastcomm or dump-acct, but thing
just work (tm) and I'm a bit confused hahahahahaha

Cheers,
Charles

[1] https://bugs.launchpad.net/ubuntu/+source/acct/+bug/2095035
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2190057
[3] https://bugs.gentoo.org/925419

Reply to:

Follow-Ups:
- Re: Proposed RC fix for acct
  - From: Carlos Henrique Lima Melara <charles@debian.org>

References:
- Re: Proposed RC fix for acct
  - From: Andrew Bower <andrew@bower.uk>

Prev by Date: Re: Proposed RC fix for acct
Next by Date: Re: Proposed RC fix for acct
Previous by thread: Re: Proposed RC fix for acct
Next by thread: Re: Proposed RC fix for acct
Index(es):
- Date
- Thread