Re: Security fixes for libXaw derivatives still not in potato-updates

Fri, 16 Mar 2001 15:27:48 -0600 

Ben Collins <[EMAIL PROTECTED]> writes:

> On Fri, Mar 16, 2001 at 11:33:38AM -0500, Branden Robinson wrote:
> > On Fri, Mar 16, 2001 at 11:22:08AM -0500, Ben Collins wrote:
> > > On Fri, Mar 16, 2001 at 12:02:28AM -0800, Philippe Troin wrote:
> > > > I found out that the libXaw derivatives still have not been fixed for
> > > > the sparc arch (insecure /tmp handling, DSA037).
> > > > 
> > > > Is that because nobody has stepped forward (in which case I would
> > > > volunteer to do it) or because of something else ?
> > > 
> > > Is this from the xfree86 3.3.6 update? If so, it should already be
> > > there. If not, I don't show it on my build list.
> > 
> > He's referring to xaw3d, nextaw, and xaw95.
> 
> Oh yeah, those failed to compile on sparc because they assumed libc5
> packages. So I summarily ignored them on the buildd.

I got them to build and they're on
ftp-master.d.o:/home/phil/athena-security-update .

I will move them to incoming tonight so that they will be picked by
Saturday's dinstall/katie run, unless somebody objects.

Only nextaw had problems building.

I've noted that in potato 2.2r2, nextaw is actually linked to xlib6g
and thus is equivalent to nextawg:

   Package: nextaw
   Architecture: sparc
   Version: 0.5.1-29
   Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), libc6 (>= 2.0.99), 
            xlib6g (>= 3.3.2.3a-2)

   Package: nextawg
   Architecture: sparc
   Version: 0.5.1-34
   Depends: ldso (>= 1.8.9-1), libc6 (>= 2.0.105), xlib6g (>= 3.3.5)

Ideally, nextaw should be dropped. However since people might have
installed it, I built both nextaw and nextawg.

I had to *slightly* modify debian/rules to add "sparc" to the list of
architectures that need to build nextaw. Without this change, the
package does not build on sparc anyways.

What I'll do:

   1. Open a grave bug against nextaw (not building on sparc/potato,
      and add sparc to the list of arches needing to build nextaw). We
      shouldn't have packages that cannot be rebuilt in the archive.

   2. Since these package fix a security risk, and despite 1, these
      packages will be moved to incoming tonight.

   3. Draft an updated security advisory, and forward it to the powers
      that be.

Phil.

Reply via email to