Re: [linux-alert] LSF Update#13: Vulnerability of mount/umount utilities from util-linux 2.5
(Note wide crossposting - please trim followups.)
Alexander O. Yuriev writes:
...
> Until the official fix-kits are available for those
> systems, it is advised that system administrators
> obtain the source code of fixed mount program used
> in Debian/GNU Linux 1.1, compile it and replace the
> vulnerable binaries.
...
Debian is now phasing in a new source packaging format, which has some
advantages for internal uses, notably automatic building.
The procedure for unpacking the source without using our own tools
will change - I'm afraid it's a little more complicated, though fairly
obvious.
I've placed a description of what to do in
/debian/doc/source-unpack.txt in the Debian FTP archive, and made
links called README.source-unpack in /debian/unstable/source,
/debian/contrib and /debian/non-free.
A copy of the file is below.
Ian.
HOW TO UNPACK A DEBIAN SOURCE PACKAGE
There are two kinds of Debian source packages: old ones and new ones.
A. Old ones look like this:
hello-1.3-4.tar.gz
hello-1.3-4.diff.gz
You unpack them by untarring the .tar.gz. There is NO need to apply
the diff.
B. New ones look like this:
hello_1.3-11.dsc
hello_1.3-11.diff.gz
hello_1.3-11.orig.tar.gz - note the `.orig' part
Here you MUST use dpkg-source or apply the diff manually - see below.
If you have `dpkg-source' you should put the files in the same
directory and type `dpkg-source -x <whatever>.dsc'.
If you do not you can extract the Debian source as follows:
1. untar P_V.orig.tar.gz.
2. rename the resulting P-V.orig directory to P-V.
3. mkdir P-V/debian.
4. apply the diff with patch -p0.
(where P is the package name and V the version.)
C. There are some packages where the Debian source is the upstream
source. In this case there will be no .diff.gz and you can just use
the .tar.gz. If a .dsc is provided you can use `dpkg-source -x'.
-- Ian Jackson <ijackson@gnu.ai.mit.edu> Sat, 31 Aug 1996
Reply to: