Re: libspring-java security patch

To: debian-java@lists.debian.org
Subject: Re: libspring-java security patch
From: tony mancill <tmancill@debian.org>
Date: Wed, 27 Aug 2014 10:55:11 -0700
Message-id: <[🔎] 53FE1B7F.1050908@debian.org>
In-reply-to: <[🔎] CAHpHs3mMFMZRbUW+_fQsM12Lbg1Bio+pSBJOi0_6RZP=j_GTJQ@mail.gmail.com>
References: <[🔎] CAHpHs3mMFMZRbUW+_fQsM12Lbg1Bio+pSBJOi0_6RZP=j_GTJQ@mail.gmail.com>

On 08/25/2014 03:02 AM, Stephen Nelson wrote:
> Hi,
> 
> I've started work on backporting CVE-2014-0255 [1] to the version of
> Spring in wheezy to fix [2]. However I'm having a few problems building
> it in pbuilder/cowbuilder and wondered if anyone has any pointers to get
> it building?
> 
> I'm getting the following error:
> 
> BUILD FAILED
> /home/stephen/spring/libspring-java/projects/build-spring-framework/build.xml:38:
> Cannot find
> /home/stephen/spring/libspring-java/projects/spring-build/multi-bundle/default.xml
> imported from
> /home/stephen/spring/libspring-java/projects/build-spring-framework/build.xml
> 
> I have the spring-build package installed. I see in debian/rules it is
> creating a symbolic link to the spring-build package from
> libspring-java/projects/spring-build:
> 
> ln -s /usr/share/spring-build projects/spring-build
> 
> I tried adding that as the first command in override_dh_auto_clean which
> makes the build get further, but ultimately it fails again with the
> error above.
> 
> I've built spring before on this box but it was not in a
> pbuilder/cowbuilder - just a sid install.
> 
> [1] https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753470

Hi Stephen,

I just checked and it builds fine for me, but I suspect that it's
because my cowbuilder bind mounts my build area so that its path looks
the same to the bits of the build that run before entering the chroot to
those after entering that chroot.  That is, /path/to/foo is accessible
to both because /path exists both inside and outside the chroot.

One thing you might try is running a shell the in chroot using --login,
doing an apt-get build-dep $foo, and then initiating the build from
within the chroot with debuild or similar.  I do this frequently enough
that I have a bash function that does something like this:

sudo cowbuilder --bindmounts /buildarea --bindmounts $HOME --login
--basepath=/var/cache/pbuilder/base-${chroot}.cow $@

(Note: bind-mounting $HOME is potentially dangerous - anything you
delete/modify is changed outside of the chroot as well.)

Cheers,
tony

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: libspring-java security patch
  - From: Stephen Nelson <stephen@eccostudio.com>

References:
- libspring-java security patch
  - From: Stephen Nelson <stephen@eccostudio.com>

Prev by Date: Re: RFS: java-comment-preprocessor/5.3.3 - [UPLOADED]
Next by Date: debian java BoF - 2014/08/25
Previous by thread: libspring-java security patch
Next by thread: Re: libspring-java security patch
Index(es):
- Date
- Thread