Re: Proposed RC fix for acct
Hi Andrew,
On Sun, Jul 06, 2025 at 11:31:38AM +0100, Andrew Bower wrote:
> On Sat, Jun 28, 2025 at 01:25:41PM -0300, Carlos Henrique Lima Melara wrote:
> > On Sat, Jun 28, 2025 at 04:35:36PM +0100, Andrew Bower wrote:
> > > On Thu, Jun 19, 2025 at 09:15:48AM +0100, Andrew Bower wrote:
> > > > On Mon, Jun 16, 2025 at 09:36:05AM -0300, Carlos Henrique Lima Melara wrote:
> > > > > On Sat, Jun 14, 2025 at 08:11:40AM +0100, Andrew Bower wrote:
> > > [...]
> > > The first three commits I think are candidates for including in trixie.
> > >
> > > 1) Import a buffer overflow patch applied in Ubuntu (#1108428).
> > > 2) Update metadata for the above.
> > > 3) Add autopkgtest
> > >
> > > The autopkgtest could reduce the load on the release team if we seek to
> > > add the Ubuntu patch. I am aware there's a risk that a failing
> > > autopkgtest makes things worse but I think we could derisk that by
> > > cycling it through 'experimental' and simply removing the test if
> > > the pseudo-excuses show it to be necessary and not be in a worse
> > > position than before the test.
> >
> > Ok, will read the backlog and probably we can go the proposed way of
> > experimental -> check test results -> file unblock bug.
>
> Excellent! I have raised a new MR !9 that is specifically the commits I
> propose we upload to experimental first:
>
> 1. Apply the Ubuntu patch commit untouched.
> 2. Add DEP-3 metadata suitable for its new state in Debian.
> 3. Add the autopkgtest that should help the package through the freeze.
> 4. A changelog suitable for this proposed upload.
>
> Then I will rebase the general packet refresh MR !8 at a suitable future
> time.
Cool! That is perfect.
Is there a place I can message you directly? Something like Matrix or
IRC works. I'm reviewing the changes and I'd like to ask some questions,
but this back and forth via mail sometimes makes a lot of overhead. I'm
charles on OFTC and Libera, and I'm also in #debian-pkg-security on
OFTC. You can find me as @charles:matrix.debian.social.
Anyway, I'm having a bad time trying to reproduce the buffer overflow on
a trixie VM: basically doing accton on; lastcomm; dump-acct
/var/log/account/pacct; works just fine. All the reports [1][2][3]
say I should see a core dump either in lastcomm or dump-acct, but things
just work (tm) and I'm a bit confused hahahahahaha
Cheers,
Charles
[1] https://bugs.launchpad.net/ubuntu/+source/acct/+bug/2095035
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2190057
[3] https://bugs.gentoo.org/925419