The package at mentors by Kai Lüke uploaded there on 2012-09-15 18:21 looks perfect to me.
It's just that debian/rules automatically replaces config.guess and config.sub, and I don't know whether this is OK for the debian-release team for wheezy. With the attached debdiff, the config.guess and config.sub versions already in 1:2.4-1 are preserved. Kai, have you already talked to the debian-release team for this package? If not, can you ask them what they prefer? I can upload the result if you want.

Regards,
Bart Martens
diff -u libxcrypt-2.4/debian/rules libxcrypt-2.4/debian/rules --- libxcrypt-2.4/debian/rules +++ libxcrypt-2.4/debian/rules @@ -42,6 +42,7 @@ build: build-stamp build-stamp: config.status dh_testdir + dh_quilt_patch # Add here commands to compile the package. $(MAKE) @@ -51,15 +52,16 @@ clean: dh_testdir dh_testroot + dh_quilt_unpatch rm -f build-stamp # Add here commands to clean up after the build process. -$(MAKE) distclean ifneq "$(wildcard /usr/share/misc/config.sub)" "" - cp -f /usr/share/misc/config.sub config.sub + #cp -f /usr/share/misc/config.sub config.sub endif ifneq "$(wildcard /usr/share/misc/config.guess)" "" - cp -f /usr/share/misc/config.guess config.guess + #cp -f /usr/share/misc/config.guess config.guess endif diff -u libxcrypt-2.4/debian/changelog libxcrypt-2.4/debian/changelog --- libxcrypt-2.4/debian/changelog +++ libxcrypt-2.4/debian/changelog @@ -1,3 +1,14 @@ +libxcrypt (1:2.4-1.1) unstable; urgency=low + + * Non-Maintainer Upload to fix RC security bug + * Added patch (casting to unsigned) in order to prevent weak password + hashes.See http://security-tracker.debian.org/tracker/CVE-2011-2483 + (closes: #679628) + * debian/rules: #commented out two cp commands to preserve the config.guess + and config.sub versions already in 1:2.4-1. + + -- Kai Lüke <kailu...@riseup.net> Sat, 15 Sep 2012 20:14:32 +0200 + libxcrypt (1:2.4-1) unstable; urgency=low * Alas, we have to use an epoch to revert from 3.0 to 2.4 for now. diff -u libxcrypt-2.4/debian/control libxcrypt-2.4/debian/control --- libxcrypt-2.4/debian/control +++ libxcrypt-2.4/debian/control @@ -2,7 +2,7 @@ Section: libs Priority: optional Maintainer: Ivan Kohler <ivan-deb...@420.am> -Build-Depends: debhelper (>= 4.0.0) +Build-Depends: debhelper (>= 4.0.0), quilt Standards-Version: 3.6.0 Package: libxcrypt-dev only in patch2: unchanged: --- libxcrypt-2.4.orig/debian/patches/CVE-2011-2483.patch +++ libxcrypt-2.4/debian/patches/CVE-2011-2483.patch 
@@ -0,0 +1,11 @@ +--- a/src/crypt_blowfish.c ++++ b/src/crypt_blowfish.c +@@ -554,7 +554,7 @@ + tmp = 0; + for (j = 0; j < 4; j++) { + tmp <<= 8; +- tmp |= *ptr; ++ tmp |= (unsigned char)*ptr; + + if (!*ptr) ptr = key; else ptr++; + } only in patch2: unchanged: --- libxcrypt-2.4.orig/debian/patches/series +++ libxcrypt-2.4/debian/patches/series @@ -0,0 +1 @@ +CVE-2011-2483.patch
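Review bot: in the first debian/rules hunk, `dh_quilt_patch` is placed inside the `build-stamp` recipe, but `build-stamp` depends on `config.status`, so configure runs on the unpatched tree and the quilt series is only applied afterwards. That happens to work here because the one patch touches only `src/crypt_blowfish.c`, which configure does not read, but it is fragile: any future patch to a configure input would be silently ignored at configure time. The usual layout is a separate `patch` target (`patch: patch-stamp` / `patch-stamp: dh_quilt_patch; touch $@`) that `config.status` depends on, so patches are always applied before configure.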
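Review bot: in the `clean` hunk of debian/rules, commenting out the two `cp -f /usr/share/misc/config.{sub,guess}` lines leaves two `ifneq "$(wildcard ...)" ""` blocks that now contain only a comment; they are harmless but dead. Either delete the blocks entirely or keep the commented line with a one-line explanation of why (to preserve the config.guess/config.sub versions already shipped in 1:2.4-1 for the wheezy freeze), so the next uploader does not simply re-enable them. The `dh_quilt_unpatch` before `-$(MAKE) distclean` is in the right order.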
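Review bot: the changelog entry has two wording defects: "hashes.See" is missing a space, and "debian/rules: #commented out two cp commands" carries a stray `#` that reads like a typo rather than a description. It also says "casting to unsigned" while the patch actually casts to `(unsigned char)`; stating the exact type avoids confusion when someone later compares the changelog with the patch. The `(closes: #679628)` reference is fine.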
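Review bot: debian/patches/CVE-2011-2483.patch has no DEP-3 header; please prepend at least `Description:`, `Origin:` (the upstream commit it was taken from) and `Bug-Debian: http://bugs.debian.org/679628` lines so the provenance of a security patch is recorded in the patch itself. On the change itself, replacing `tmp |= *ptr;` with `tmp |= (unsigned char)*ptr;` stops sign extension of key bytes with the high bit set, which is what let such passwords collapse to weak keys; the visible consequence is that hashes the unpatched code produced for passwords containing any non-ASCII byte will no longer verify after this upload, since those bytes now enter the key schedule differently. That behaviour change deserves a sentence in the changelog, and it is worth checking with upstream whether their compatibility handling for hashes generated by the buggy code needs to be carried along with the cast.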