• Bug#1109575: unblock: acct/6.6.4-8

    From Andrew Bower@21:1/5 to All on Sun Jul 20 12:00:03 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:acct
    User: [email protected]
    Usertags: unblock

    Please unblock package acct

    Please reduce the required age for acct from 20 days to 18 or fewer days.

    [ Reason ]
    acct may be about a day too new to migrate to testing before the full freeze.

    The reason for this version is to import a fix present in Ubuntu for a buffer overflow in the dump-acct tool.

    The change also includes an autopkgtest designed to avoid needing release team intervention, but unfortunately we timed this wrong and now need a bump!

    acct (6.6.4-8) unstable; urgency=medium
    acct (6.6.4-7) experimental; urgency=medium

    * Import sprintf buffer overflow fix from Ubuntu. (Closes: #1108428)
    * Add autopkgtest for process accounting

    [ Impact ]
    Trixie users run code with a known buffer overflow.

    There is no known user impact from this in Debian, as the bug has only been observed to cause problems with -D_FORTIFY_SOURCE=3, which is enabled for Ubuntu builds, where the dump-acct command will always crash, but not for Debian ones.

    [ Tests ]
    I and the sponsor of the package both verified that the crash can be
    triggered when built with -D_FORTIFY_SOURCE=3 without the fix and that
    with the fix this does not happen.

    The affected tool works fine *from the user-visible perspective* in the
    *Debian-built* package as expected either way due to the lack of the
    hardening build option.

    [ Risks ]
    The bugfix is trivial and has been in Ubuntu since February.

    With the new autopkgtest this has been road-tested through Debian
    experimental and unstable for 13 days so far.

    I see no risk in accepting this package into testing. Realistically, it's probably ready to migrate now.

    [ Checklist ]
    [X] all changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in testing

    [ Other info ]

    https://bugs.debian.org/1108428

    I also directly attach the patch that is applied to the upstream code for
    your convenience - this is the only non-autopkgtest change present.

    $ git diff --stat debian/6.6.4-6 debian/6.6.4-8
    debian/changelog | 19 ++++++++++
    debian/patches/07_sprintf-buffer-overflow.patch | 21 +++++++++++
    debian/patches/series | 1 +
    debian/tests/control | 3 ++
    debian/tests/pacct | 59 +++++++++++++++++++++++++++++
    debian/tests/src/Makefile | 16 ++++++++
    debian/tests/src/fake-acct.c | 44 ++++++++++++++++++++++
    debian/tests/src/gen-acct.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    8 files changed, 319 insertions(+)

    Thanks!

    unblock acct/6.6.4-8


    diff -Nru acct-6.6.4/debian/changelog acct-6.6.4/debian/changelog
    --- acct-6.6.4/debian/changelog 2025-06-07 07:57:39.000000000 +0100
    +++ acct-6.6.4/debian/changelog 2025-07-07 16:09:45.000000000 +0100
    @@ -1,3 +1,22 @@
    +acct (6.6.4-8) unstable; urgency=medium
    +
    + * Team upload.
    + * Upload to unstable. Thanks to Andrew Bower for all the work.
    +
    + -- Carlos Henrique Lima Melara <[email protected]> Mon, 07 Jul 2025 12:09:45 -0300
    +
    +acct (6.6.4-7) experimental; urgency=medium
    +
    + * Team upload.
    +
    + [ Matthew L. Dailey ]
    + * Import sprintf buffer overflow fix from Ubuntu. (Closes: #1108428)
    +
    + [ Andrew Bower ]
    + * Add autopkgtest for process accounting
    +
    + -- Andrew Bower <[email protected]> Sun, 06 Jul 2025 16:58:06 +0100
    +
    acct (6.6.4-6) unstable; urgency=medium

    * Team upload.
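
    Review bot: In the 6.6.4-7 entry, the item "Import sprintf buffer overflow fix from Ubuntu. (Closes: #1108428)" names neither the affected program nor the patch file, so a reader of the changelog alone cannot tell what is exposed. Consider wording it along the lines of "debian/patches/07_sprintf-buffer-overflow.patch: fix sprintf buffer overflow in dump-acct", using the names that appear in the request and the debdiff. The 6.6.4-8 entry records only the upload to unstable, which leaves the -7 entry as the sole changelog record of the fix in the suite users will actually receive. As a style point, "Add autopkgtest for process accounting" lacks the trailing period the neighbouring items use.
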
    diff -Nru acct-6.6.4/debian/patches/07_sprintf-buffer-overflow.patch acct-6.6.4/debian/patches/07_sprintf-buffer-overflow.patch
    --- acct-6.6.4/debian/patches/07_sprintf-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
    +++ acct-6.6.4/debian/patches/