On Fri, Aug 26, 2016 at 12:11:30AM +0000, Mark Fletcher wrote:
> However I also have Linux machines that don't use a package management
> system, and there I also have a version of flex with the vulnerability, so
> I wanted to get the source tarball of the fixed version (v2.6.1) so I could
> build it for there too.
Debian security fixes in stable (or oldstable/LTS) releases aren't done by switching to a new upstream version. They're done by backporting the smallest possible fix to the same version that stable (or oldstable/LTS) is already using.

The current Debian version of flex in stable is 2.5.39-8+deb8u1. This means it's based on upstream version 2.5.39, with a bunch of Debian-specific changes/patches applied to it.

If you want to obtain the Debian-patched source and then build it on another system, then you have two options.

The first is to use the "apt-get source" command on a Debian system. This will retrieve the three files that constitute a Debian source package, extract the upstream tarball, and apply the Debian patches to it. You will be left with an extracted & patched directory, ready to build, assuming your target system has all of the tools needed to build it.

The second is to mimic that process yourself. Go to the package's page (e.g. https://packages.debian.org/jessie/flex) and look on the right-hand side, where it says "Download Source Package". Under that, you will see the three files (.dsc and .orig.tar.gz and .debian.tar.xz). Download all three of those (or you can skip the .dsc file, but not the other two). Extract the .orig.tar.gz file, and then cd into the directory it creates. From there, extract the .debian.tar.xz file. This will create a debian/ subdirectory with patches in it. Apply those patches manually.

Now you should, in theory, have the same patched-and-ready-to-build directory that you would have got from apt-get source.
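The manual procedure above, as an added shell example that is not from the message or from Debian: it ties the two tarballs to the .dsc's Checksums-Sha256 stanza before extracting anything (the reason a practitioner would not skip the .dsc), then overlays debian/ and applies the quilt series in order. The function names are assumptions; the flex 2.5.39-8+deb8u1 file names are the ones the message points at.

```shell
#!/bin/sh
# Added example, not code from the message or from Debian. Rebuilds the
# patched source tree from the three source-package files: the two
# tarballs are checked against the .dsc's Checksums-Sha256 stanza before
# anything is extracted, then debian/patches are applied in series order.
set -e

# verify_dsc_checksums DSC FILE...: every FILE must be listed in the
# Checksums-Sha256 stanza of DSC with the same size and digest.
verify_dsc_checksums() {
    dsc=$1; shift
    for f in "$@"; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        # stanza lines look like: " <sha256> <size> <filename>"
        if ! awk -v s="$sum" -v z="$size" -v n="$(basename "$f")" '
                /^Checksums-Sha256:/ { in_block = 1; next }
                /^[^ ]/              { in_block = 0 }
                in_block && $1 == s && $2 == z && $3 == n { found = 1 }
                END { exit !found }' "$dsc"; then
            echo "$f does not match $dsc" >&2
            return 1
        fi
    done
}

# unpack_and_patch ORIG DEBIAN DESTDIR: extract the upstream tarball into
# a fresh DESTDIR, overlay the debian/ tree, apply the quilt series with
# patch -p1, and print the path of the patched source directory.
unpack_and_patch() {
    orig=$1; debian=$2; dest=$3
    mkdir -p "$dest"
    tar -xf "$orig" -C "$dest"              # tar detects gzip/xz itself
    srcdir=$(find "$dest" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    tar -xf "$debian" -C "$srcdir"          # creates $srcdir/debian/
    if [ -f "$srcdir/debian/patches/series" ]; then
        # skip comments and blank lines; a failing patch aborts (set -e)
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
            "$srcdir/debian/patches/series" |
        while read -r p; do
            ( cd "$srcdir" && patch -p1 -s < "debian/patches/$p" )
        done
    fi
    echo "$srcdir"
}

# Usage with the files downloaded from the package page, e.g.:
#   verify_dsc_checksums flex_2.5.39-8+deb8u1.dsc flex_2.5.39.orig.tar.gz flex_2.5.39-8+deb8u1.debian.tar.xz
#   unpack_and_patch flex_2.5.39.orig.tar.gz flex_2.5.39-8+deb8u1.debian.tar.xz ./build
```

This only binds the tarballs to the .dsc; checking the .dsc itself (its OpenPGP signature, e.g. with dscverify from devscripts) is a separate step.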