[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security fixes for libXaw derivatives still not in potato-updates

Ben Collins <bcollins@debian.org> writes:

> On Fri, Mar 16, 2001 at 11:33:38AM -0500, Branden Robinson wrote:
> > On Fri, Mar 16, 2001 at 11:22:08AM -0500, Ben Collins wrote:
> > > On Fri, Mar 16, 2001 at 12:02:28AM -0800, Philippe Troin wrote:
> > > > I found out that the libXaw derivatives still have not been fixed for
> > > > the sparc arch (insecure /tmp handling, DSA037).
> > > > 
> > > > Is that because nobody has stepped forward (in which case I would
> > > > volunteer to do it) or because of something else ?
> > > 
> > > Is this from the xfree86 3.3.6 update? If so, it should already be
> > > there. If not, I don't show it on my build list.
> > 
> > He's referring to xaw3d, nextaw, and xaw95.
> Oh yeah, those failed to compile on sparc because they assumed libc5
> packages. So I summarily ignored them on the buildd.

I got them to build and they're on
ftp-master.d.o:/home/phil/athena-security-update .

I will move them to incoming tonight so that they will be picked by
Saturday's dinstall/katie run, unless somebody objects.

Only nextaw had problems building.

I've noted that in potato 2.2r2, nextaw is actually linked to xlib6g
and thus is equivalent to nextawg:

   Package: nextaw
   Architecture: sparc
   Version: 0.5.1-29
   Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), libc6 (>= 2.0.99), 
            xlib6g (>=

   Package: nextawg
   Architecture: sparc
   Version: 0.5.1-34
   Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), xlib6g (>= 3.3.5)

Ideally, nextaw should be dropped. However since people might have
installed it, I built both nextaw and nextawg.

I had to *slightly* modify debian/rules to add "sparc" to the list of
architectures that need to build nextaw. Without this change, the
package does not build on sparc anyways.

What I'll do:

   1. Open a grave bug against nextaw (not building on sparc/potato,
      and add sparc to the list of arches needing to build nextaw). We
      shouldn't have packages that cannot be rebuilt in the archive.

   2. Since these package fix a security risk, and despite 1, these
      packages will be moved to incoming tonight.

   3. Draft an updated security advisory, and forward it to the powers
      that be.


Reply to: