Re: Bug#769129: unblock: busybox/1:1.22.0-10
11.11.2014 18:08, Michael Tokarev wrote:
> Please unblock package busybox. Last upload has one security bugfix
> (CVE-2014-4607, #768945), the fix is from upstream stable branch,
> fixing an integer overflow in lzo decompressor; it adds a Built-Using
> control field for busybox-static variant (#768926), and also arranges
> build system to only produce binary or indep .debs (or both), depending
> on the d/rules target (binary-all vs binary-indep vs binary) -- this
> is a long-standing lintian bug which I overlooked previously.
> (The Built-Using field generation is a bit fun here: I asked on IRC
> how people identify which libc is in use, and got various somewhat-
> incomplete replies (the prob is that on different arches, libc package
> is named differently). So I invented my own way for busybox, because
> this package allows me to do that -- I took the contents of $shlibs:Depends
> variable for the dynamically-linked version, and transformed it into
> a list of sources required for Built-Using using dpkg-query.
So this was a bit preliminary (following the "notify the release team
early" rule too aggressively) -- this very Built-Using generation was
broken due to an error on my part (trivial) and due to a bug in dpkg,
#588505. I just uploaded new release fixing this, 1:1.22.0-11, will
see how it goes first, and will ping this bug if everything is okay.
(Yes, I verified the fixed release builds on kfreebsd-amd64 where
the problematic release failed).
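
The Built-Using derivation described in the quoted message, sketched as an added example; it is not taken from this mail or from the busybox packaging. The function names and the `DPKG_QUERY` override are assumptions of the example, and the shlibs:Depends value is passed in as a plain string.

```shell
#!/bin/sh
# Added example: turn a shlibs:Depends value into a Built-Using value.
# DPKG_QUERY is an assumption of this example so the lookup can be stubbed.
DPKG_QUERY=${DPKG_QUERY:-dpkg-query}

# Reduce a dependency list such as
#   "libc6 (>= 2.19), libgcc1 (>= 1:4.1.1) | libgcc-s1"
# to bare binary package names, one per line: drop version constraints
# (parentheses first, so epochs go with them), drop ":arch" qualifiers,
# split alternatives, and de-duplicate.
depends_to_packages() {
    printf '%s\n' "$1" | tr ',|' '\n\n' |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' | LC_ALL=C sort -u
}

# Print "source (= version), ..." for every listed package that is
# installed. The source name comes from dpkg's database, so the libc
# binary package may be named differently per architecture.
built_using() {
    depends_to_packages "$1" | while read -r pkg; do
        # Alternatives that are not installed make the query fail; skip
        # them, and do not let "set -e" abort the loop.
        $DPKG_QUERY -W -f='${source:Package} (= ${source:Version})\n' \
            "$pkg" 2>/dev/null || true
    done | LC_ALL=C sort -u | paste -s -d, - | sed 's/,/, /g'
}
```

The exact source version recorded this way is what lets the archive keep the matching source of a statically linked library available.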