Hi Andrew,

On Sun, Jul 06, 2025 at 11:31:38AM +0100, Andrew Bower wrote:
> On Sat, Jun 28, 2025 at 01:25:41PM -0300, Carlos Henrique Lima Melara wrote:
> > On Sat, Jun 28, 2025 at 04:35:36PM +0100, Andrew Bower wrote:
> > > On Thu, Jun 19, 2025 at 09:15:48AM +0100, Andrew Bower wrote:
> > > > On Mon, Jun 16, 2025 at 09:36:05AM -0300, Carlos Henrique Lima Melara
> > > > wrote:
> > > > > On Sat, Jun 14, 2025 at 08:11:40AM +0100, Andrew Bower wrote:
> > > [...]
> > > The first three commits I think are candidates for including in trixie.
> > >
> > > 1) Import a buffer overflow patch applied in Ubuntu (#1108428).
> > > 2) Update metadata for the above.
> > > 3) Add autopkgtest
> > >
> > > The autopkgtest could reduce the load on the release team if we seek to
> > > add the Ubuntu patch. I am aware there's a risk that a failing
> > > autopkgtest makes things worse but I think we could derisk that by
> > > cycling it through 'experimental' and simply removing the test if
> > > the pseudo-excuses show it to be necessary and not be in a worse
> > > position than before the test.
> >
> > Ok, will read the backlog and probably we can go the proposed way of
> > experimental -> check test results -> file unblock bug.
>
> Excellent! I have raised a new MR !9 that is specifically the commits I
> propose we upload to experimental first:
>
> 1. Apply the Ubuntu patch commit untouched.
> 2. Add DEP-3 metadata suitable for its new state in Debian.
> 3. Add the autopkgtest that should help the package through the freeze.
> 4. A changelog suitable for this proposed upload.
>
> Then I will rebase the general packet refresh MR !8 at a suitable future
> time.

Cool! That is perfect.

Is there a place I can message you directly? Something like matrix or
irc works. I'm reviewing the changes and I'd like to ask some questions,
but this back and forth via mail sometimes makes a lot of overhead.

I'm charles on oftc and libera, I'm also in the #debian-pkg-security on
oftc. You can find me as @charles:matrix.debian.social.

Anyway, I'm having a bad time trying to reproduce the buffer overflow on
a trixie vm, basically doing accton on; lastcomm; dump-acct
/var/log/account/pacct; works just fine. All the reports [1][2][3] say
I should see a core dump either in lastcomm or dump-acct, but things just
work (tm) and I'm a bit confused hahahahahaha

Cheers,
Charles

[1] https://bugs.launchpad.net/ubuntu/+source/acct/+bug/2095035
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2190057
[3] https://bugs.gentoo.org/925419
