
Re: Security fixes for libXaw derivatives still not in potato-updates



Ben Collins <bcollins@debian.org> writes:

> On Fri, Mar 16, 2001 at 11:33:38AM -0500, Branden Robinson wrote:
> > On Fri, Mar 16, 2001 at 11:22:08AM -0500, Ben Collins wrote:
> > > On Fri, Mar 16, 2001 at 12:02:28AM -0800, Philippe Troin wrote:
> > > > I found out that the libXaw derivatives still have not been fixed for
> > > > the sparc arch (insecure /tmp handling, DSA037).
> > > > 
> > > > Is that because nobody has stepped forward (in which case I would
> > > > volunteer to do it) or because of something else ?
> > > 
> > > Is this from the xfree86 3.3.6 update? If so, it should already be
> > > there. If not, I don't show it on my build list.
> > 
> > He's referring to xaw3d, nextaw, and xaw95.
> 
> Oh yeah, those failed to compile on sparc because they assumed libc5
> packages. So I summarily ignored them on the buildd.

I got them to build and they're on
ftp-master.d.o:/home/phil/athena-security-update .

I will move them to incoming tonight so that they will be picked up by
Saturday's dinstall/katie run, unless somebody objects.

Only nextaw had problems building.

I've noted that in potato 2.2r2, nextaw is actually linked to xlib6g
and thus is equivalent to nextawg:

   Package: nextaw
   Architecture: sparc
   Version: 0.5.1-29
   Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), libc6 (>= 2.0.99), 
            xlib6g (>= 3.3.2.3a-2)

   Package: nextawg
   Architecture: sparc
   Version: 0.5.1-34
   Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), xlib6g (>= 3.3.5)

Ideally, nextaw should be dropped. However since people might have
installed it, I built both nextaw and nextawg.

I had to *slightly* modify debian/rules to add "sparc" to the list of
architectures that need to build nextaw. Without this change, the
package does not build on sparc anyway.

What I'll do:

   1. Open a grave bug against nextaw (not building on sparc/potato,
      and add sparc to the list of arches needing to build nextaw). We
      shouldn't have packages that cannot be rebuilt in the archive.

   2. Since these packages fix a security risk, and despite 1, these
      packages will be moved to incoming tonight.

   3. Draft an updated security advisory, and forward it to the powers
      that be.

Phil.


