
Re: How to deal with wireshark CVE affecting Squeeze



Hi,

2015-04-12 9:14 GMT+02:00 Raphael Hertzog <hertzog@debian.org>:
> Hi,
>
> On Sun, 12 Apr 2015, Ben Hutchings wrote:
>> On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
>> [...]
>> > I assume this situation is not unique to Wireshark. What do you think,
>> > what would be the best for the LTS project in Wireshark's case and
>> > what is the general LTS strategy in similar cases?
>>
>> I think the best approach would be either:
>> a. remove it from support and upload wireshark 1.8 to squeeze-backports
>>    if possible, or
>> b. upload the backported wireshark 1.8 package to squeeze-lts
>
> I agree with Ben and I actually favor (b) when it doesn't introduce
> backwards incompatibilities (ie few risks to break a working setup
> just with the upgrade).
I have prepared the attached patch implementing b.). If no one opposes
I will upload it on Tuesday.
The change is not backwards-compatible in the sense that custom software
may break, but those who build systems using wireshark should have
upgraded to more recent versions already.

>
> And you are right Balint, there are more packages in similar situations.
> We should have some discussion on the topic but this list has been rather
> quiet when we had concrete questions (like yours), for example about what
> to do with mysql 5.1 that is no longer supported upstream and where CVE
> details are hard to find. That's why I expect to have some discussion
> about this during Debconf (and possibly also today in the minidebconf in
> Lyon where I give a talk about Debian).
Good, let's discuss that during Debconf.

Cheers,
Balint
diff -Nru wireshark-1.8.2/debian/changelog wireshark-1.8.2/debian/changelog
--- wireshark-1.8.2/debian/changelog	2015-03-26 21:06:26.000000000 +0100
+++ wireshark-1.8.2/debian/changelog	2015-04-12 16:08:00.000000000 +0200
@@ -1,3 +1,9 @@
+wireshark (1.8.2-5wheezy15~deb6u1) squeeze-lts; urgency=high
+
+  * Rebuild for Squeeze LTS
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sun, 12 Apr 2015 16:08:00 +0200
+
 wireshark (1.8.2-5wheezy15) wheezy-security; urgency=high
 
   * security fixes from Wireshark 1.12.4 (Closes: #780372):
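
Review bot: The new changelog entry says only "Rebuild for Squeeze LTS", but the same upload also lowers debian/compat from 9 to 8, rewrites Build-Depends and swaps the hardening mechanism in debian/rules. Please list those packaging changes in the entry so squeeze-lts users can see what differs from 1.8.2-5wheezy15.
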
diff -Nru wireshark-1.8.2/debian/compat wireshark-1.8.2/debian/compat
--- wireshark-1.8.2/debian/compat	2012-05-23 14:16:09.000000000 +0200
+++ wireshark-1.8.2/debian/compat	2015-04-12 16:08:00.000000000 +0200
@@ -1 +1 @@
-9
+8
diff -Nru wireshark-1.8.2/debian/control wireshark-1.8.2/debian/control
--- wireshark-1.8.2/debian/control	2013-04-03 03:23:35.000000000 +0200
+++ wireshark-1.8.2/debian/control	2015-04-12 16:08:00.000000000 +0200
@@ -4,7 +4,7 @@
 Maintainer: Balint Reczey <balint@balintreczey.hu>
 DM-Upload-Allowed: yes
 Standards-Version: 3.9.3
-Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 9), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, dpkg-dev (>= 1.16.1~)
+Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 8), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, hardening-wrapper
 Build-Conflicts: libsnmp4.2-dev, libsnmp-dev
 Vcs-Svn: svn://svn.debian.org/svn/collab-maint/ext-maint/wireshark/trunk
 Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/ext-maint/wireshark/trunk/
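
Review bot: The replacement Build-Depends line changes three things at once (debhelper (>= 9) becomes (>= 8), dpkg-dev (>= 1.16.1~) is dropped, hardening-wrapper is added), and on a single long line that is easy to miss in review. Consider one dependency per line, and mention the dpkg-dev removal explicitly, since it goes together with dropping the buildflags.mk include in debian/rules.
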
diff -Nru wireshark-1.8.2/debian/patches/backport-to-squeeze.patch wireshark-1.8.2/debian/patches/backport-to-squeeze.patch
--- wireshark-1.8.2/debian/patches/backport-to-squeeze.patch	1970-01-01 01:00:00.000000000 +0100
+++ wireshark-1.8.2/debian/patches/backport-to-squeeze.patch	2015-04-12 16:07:40.000000000 +0200
@@ -0,0 +1,34 @@
+Author: Balint Reczey <balint@balintreczey.hu>
+Description: Change d/control and d/rules to use build on Squeeze
+ This is useful for back-porting.
+
+--- ./debian/compat	(revision 26101)
++++ ./debian/compat	(working copy)
+@@ -1 +1 @@
+-9
++8
+--- ./debian/control	(revision 26101)
++++ ./debian/control	(working copy)
+@@ -4,7 +4,7 @@
+ Maintainer: Balint Reczey <balint@balintreczey.hu>
+ DM-Upload-Allowed: yes
+ Standards-Version: 3.9.3
+-Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 9), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, dpkg-dev (>= 1.16.1~)
++Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 8), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, hardening-wrapper
+ Build-Conflicts: libsnmp4.2-dev, libsnmp-dev
+ Vcs-Svn: svn://svn.debian.org/svn/collab-maint/ext-maint/wireshark/trunk
+ Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/ext-maint/wireshark/trunk/
+--- ./debian/rules	(revision 26101)
++++ ./debian/rules	(working copy)
+@@ -5,10 +5,10 @@
+ 
+ # Uncomment this to turn on verbose mode.
+ #export DH_VERBOSE=1
+-export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+-DPKG_EXPORT_BUILDFLAGS = 1
+-include /usr/share/dpkg/buildflags.mk
+ 
++# Use hardening wrapper
++export DEB_BUILD_HARDENING=1
++
+ DB2MAN=/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
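
Review bot: debian/patches/backport-to-squeeze.patch modifies debian/compat, debian/control and debian/rules, while this same diff also applies those edits to the files directly, so the patch file duplicates changes already in the tree. No debian/patches/series change is visible here, so please state in the Description whether the file is applied at build time or kept only as documentation (the Description should also read "to build on Squeeze"). The embedded debian/rules hunk declares "@@ -5,10 +5,10 @@" but carries only 8 old and 8 new lines, so it should be regenerated.
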
diff -Nru wireshark-1.8.2/debian/rules wireshark-1.8.2/debian/rules
--- wireshark-1.8.2/debian/rules	2012-06-22 19:26:27.000000000 +0200
+++ wireshark-1.8.2/debian/rules	2015-04-12 16:08:00.000000000 +0200
@@ -5,9 +5,9 @@
 
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
-export DEB_BUILD_MAINT_OPTIONS = hardening=+all
-DPKG_EXPORT_BUILDFLAGS = 1
-include /usr/share/dpkg/buildflags.mk
+
+# Use hardening wrapper
+export DEB_BUILD_HARDENING=1
 
 DB2MAN=/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
 
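
Review bot: Replacing hardening=+all and the buildflags.mk include with DEB_BUILD_HARDENING=1 changes how the security build flags are set, and the only explanation is the comment "# Use hardening wrapper". For a package that parses untrusted network input, please confirm that the resulting binaries carry the same hardening features as the wheezy build (for example by running hardening-check on them) and record the result in the changelog.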
