Re: Recent flex security announcement
On Fri, Aug 26, 2016 at 9:19 PM Greg Wooledge <wooledg@eeg.ccf.org> wrote:
On Fri, Aug 26, 2016 at 12:11:30AM +0000, Mark Fletcher wrote:
> However I also have Linux machines that don't use a package management
> system, and there I also have a version of flex with the vulnerability, so
> I wanted to get the source tarball of the fixed version (v2.6.1) so I could
> build it for there too.

Debian security fixes in stable (or oldstable/LTS) releases aren't done
by switching to a new upstream version.  They're done by backporting the
smallest possible fix to the same version that stable (or oldstable/LTS)
is already using.

The current Debian version of flex in stable is 2.5.39-8+deb8u1.
This means it's based on upstream version 2.5.39, with a bunch of
Debian-specific changes/patches applied to it.

If you want to obtain the Debian-patched source and then build it on
another system, then you have two options.  The first is to use the
"apt-get source" command on a Debian system.  This will retrieve the
three files that constitute a Debian source package, extract the upstream
tarball, and apply the Debian patches to it.  You will be left with
an extracted & patched directory, ready to build, assuming your target
system has all of the tools needed to build it.

The second is to mimic that process yourself.  Go to the package's page
(e.g. https://packages.debian.org/jessie/flex) and look on the right hand
side, where it says "Download Source Package".  Under that, you will see
the three files (.dsc and .orig.tar.gz and .debian.tar.xz).  Download all
three of those (or you can skip the .dsc file, but not the other two).
Extract the .orig.tar.gz file, and then cd into the directory it creates.
From there, extract the .debian.tar.xz file.  This will create a debian/
subdirectory with patches in it.  Apply those patches manually.  Now you
should, in theory, have the same patched-and-ready-to-build directory
that you would have got from apt-get source.

Yep, thanks. My question isn't "how do I get the patched source of stable?", it is "why can't I see the source tarball of the version that is in stretch / sid anywhere except on Debian's (and now Arch's as well) package site?"

Stretch and sid are quoting version 2.6.1 and I can't see where they got that from, as upstream (sourceforge) latest version seems to be 2.6.0. And 2.6.1 claims to be the version with the fix.

Maybe I presented my situation in a confusing way to start with. I run a Jessie box which includes security updates. My regular weekend updates will take care of installing the security fix for my Jessie box. But I also run an LFS machine which of course I have to take care of package updates for myself. Debian security updates are a really good way for me to become aware of situations when I should be considering updating packages on my LFS box. This one for flex caught my eye so I checked what version I had on my LFS box and it was 2.6.0. According to the Debian security advisory, the fixed upstream version is 2.6.1, and that is what is in stretch and sid right now. So I trotted off to Sourceforge to get the upstream v2.6.1 and... couldn't find it. The latest version offered there is v2.6.0.

So I can get the 2.6.1 source tarball by downloading the source package from ftp.jp.debian.org (my local mirror), and indeed have already done so, but I am hoping to understand why I can't see a version 2.6.1 in upstream, and therefore where the Debian 2.6.1 came from.

Also, I appreciate your consideration in cc'ing me on your reply, but it is not necessary as I am subscribed to the list.

Thanks

Mark
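The manual route Greg describes (fetch the .dsc, .orig.tar.gz and .debian.tar.xz, unpack, apply debian/patches) skips the one check apt-get source does for you: it never confirms that the two tarballs are the ones the .dsc describes. The script below is an added example written for this thread, not code from the list or from Debian. It reads the Checksums-Sha256 field of a .dsc (a real field in the Debian source-control format), checks each listed file's size and SHA-256 before you unpack it, and lists the order in which debian/patches/series tells quilt to apply the patches. The .dsc text and the two "archives" it builds are constructed stand-ins carrying the version string from the thread, not real flex tarballs; the OpenPGP clearsignature on a real .dsc is not checked here (dscverify from devscripts does both).

```python
import hashlib
import os
import tempfile

# Constructed .dsc body in the Debian source-control layout. A real file also
# carries Files (md5) and Checksums-Sha1 fields and is usually clearsigned.
DSC_TEMPLATE = """Format: 3.0 (quilt)
Source: flex
Version: 2.5.39-8+deb8u1
Checksums-Sha256:
 {orig_sha} {orig_size} flex_2.5.39.orig.tar.gz
 {deb_sha} {deb_size} flex_2.5.39-8+deb8u1.debian.tar.xz
Build-Depends: debhelper (>= 9)
"""

ORIG_NAME = "flex_2.5.39.orig.tar.gz"
DEB_NAME = "flex_2.5.39-8+deb8u1.debian.tar.xz"


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_dsc_sha256(text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    Continuation lines of a multi-line field start with one space, so the
    field ends at the first line that does not; a clearsigned .dsc parses
    the same way because the signature block never starts with a space.
    """
    entries = {}
    in_field = False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = parts
        # A name with a directory component is never legitimate in a .dsc;
        # refuse it rather than let a later join() escape the work directory.
        if "/" in name or name in (".", ".."):
            raise ValueError("unsafe file name in .dsc: %r" % name)
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_sources(dsc_path, directory):
    """Check every listed file against its recorded size and SHA-256.

    Returns {filename: True/False}; a missing file counts as False.
    """
    with open(dsc_path, encoding="utf-8") as f:
        expected = parse_dsc_sha256(f.read())
    results = {}
    for name, (digest, size) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        results[name] = (os.path.getsize(path) == size
                         and sha256_of(path) == digest)
    return results


def patch_series(series_text):
    """Ordered patch names from debian/patches/series.

    quilt ignores blank lines and '#' comments; per-patch options after the
    name (such as -p0) are dropped because this helper only reports order.
    """
    names = []
    for line in series_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.split()[0])
    return names


def build_sample(directory):
    """Write two constructed stand-in archives (arbitrary bytes, not real
    tarballs) plus a .dsc whose checksums describe them; return the .dsc path."""
    files = {ORIG_NAME: b"constructed upstream tarball bytes\n",
             DEB_NAME: b"constructed debian/ tarball bytes\n"}
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    orig, deb = (os.path.join(directory, n) for n in (ORIG_NAME, DEB_NAME))
    dsc_path = os.path.join(directory, "flex_2.5.39-8+deb8u1.dsc")
    with open(dsc_path, "w", encoding="utf-8") as f:
        f.write(DSC_TEMPLATE.format(
            orig_sha=sha256_of(orig), orig_size=os.path.getsize(orig),
            deb_sha=sha256_of(deb), deb_size=os.path.getsize(deb)))
    return dsc_path


def run_demo():
    """Build the sample, verify it, corrupt the orig tarball, verify again."""
    work = tempfile.mkdtemp()
    dsc = build_sample(work)
    clean = verify_sources(dsc, work)
    with open(os.path.join(work, ORIG_NAME), "ab") as f:
        f.write(b"appended junk")  # simulates a truncated or swapped download
    return clean, verify_sources(dsc, work)


if __name__ == "__main__":
    print(run_demo())
    print(patch_series("# apply in this order\n0001-fix.patch\n\n0002-other.patch\n"))
```

On a real Debian source package you would run verify_sources against the three downloaded files, and only after every entry reports True unpack the .orig.tar.gz, unpack the .debian.tar.xz inside it and apply the patches in the order patch_series returns (or simply let `dpkg-source -x` on the .dsc do all of that, which is what apt-get source calls).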
