Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

celejar
On Wed, 14 Jan 2009 21:28:56 +0100
Steffen Joeris <[hidden email]> wrote:

> Debian Security Advisory DSA-1704                    [hidden email]
> http://www.debian.org/security/                           Steffen Joeris
> January 14, 2009                      http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : xulrunner
> Vulnerability  : several vulnerabilities
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2008-5500 CVE-2008-5503 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512

...

> For the stable distribution (etch) these problems have been fixed in
> version 1.8.0.15~pre080614i-0etch1.
>
> For the testing distribution (lenny) and the unstable distribution (sid)
> these problems have been fixed in version 1.9.0.5-1.
>
> We recommend that you upgrade your xulrunner packages.

On my Sid box, I only have 'xulrunner-1.9' from the official repo, and
xulrunner only from 'debian-multimedia.org'.  Shouldn't the DSA mention
'xulrunner-1.9'?

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

Cyril Brulebois-4
Celejar <[hidden email]> (14/01/2009):
> > We recommend that you upgrade your xulrunner packages.
>
> On my Sid box, I only have 'xulrunner-1.9' from the official repo, and
> xulrunner only from 'debian-multimedia.org'.

That's the source package name. Binaries built from this source:
| $ LANG=C apt-cache showsrc xulrunner|grep ^Binary:|tr -d ,|sed -e 's/ /\n/g'|sort
| Binary:
| libmozillainterfaces-java
| libmozjs1d
| libmozjs1d-dbg
| libmozjs-dev
| python-xpcom
| spidermonkey-bin
| xulrunner-1.9
| xulrunner-1.9-dbg
| xulrunner-1.9-gnome-support
| xulrunner-dev

Mraw,
KiBi.


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

celejar
On Thu, 15 Jan 2009 04:13:45 +0100
Cyril Brulebois <[hidden email]> wrote:

> Celejar <[hidden email]> (14/01/2009):
> > > We recommend that you upgrade your xulrunner packages.
> >
> > On my Sid box, I only have 'xulrunner-1.9' from the official repo, and
> > xulrunner only from 'debian-multimedia.org'.
>
> That's the source package name. Binaries built from this source:

Thanks; sorry I missed that.

> Mraw,
> KiBi.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

celejar
On Thu, 15 Jan 2009 04:13:45 +0100
Cyril Brulebois <[hidden email]> wrote:

> Celejar <[hidden email]> (14/01/2009):
> > > We recommend that you upgrade your xulrunner packages.
> >
> > On my Sid box, I only have 'xulrunner-1.9' from the official repo, and
> > xulrunner only from 'debian-multimedia.org'.
>
> That's the source package name. Binaries built from this source:
> | $ LANG=C apt-cache showsrc xulrunner|grep ^Binary:|tr -d ,|sed -e 's/ /\n/g'|sort

Just FTR, I'll mention here that to determine the packages built from a
given source package (without having any source uris in sources.list)
one can navigate to:

http://packages.debian.org/src:package_name

Is there any automatic way to check whether a given system has any of
the binary packages built from a given source package installed?

> Mraw,
> KiBi.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

Cyril Brulebois-4
Celejar <[hidden email]> (15/01/2009):
> Is there any automatic way to check whether a given system has any of
> the binary packages built from a given source package installed?

(without any deb-src) It looks like the following does what you want:
| grep-status -sPackage -F Package $source_package

Works for me with blender, xulrunner, graphviz as source package names.

Mraw,
KiBi.


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

celejar
On Fri, 16 Jan 2009 00:53:06 +0100
Cyril Brulebois <[hidden email]> wrote:

> Celejar <[hidden email]> (15/01/2009):
> > Is there any automatic way to check whether a given system has any of
> > the binary packages built from a given source package installed?
>
> (without any deb-src) It looks like the following does what you want:
> | grep-status -sPackage -F Package $source_package
>
> Works for me with blender, xulrunner, graphviz as source package names.

Thanks, but I don't think this is correct.  On my system:

$ grep-status -sPackage -F Package xulrunner
Package: xulrunner-1.9
Package: xulrunner-gnome-support
Package: xulrunner-1.9-gnome-support
Package: liferea-xulrunner

These are just the packages whose names contain the string xulrunner,
regardless of whether they're installed (e.g., liferea-xulrunner isn't), and it
omits many of the packages that are built from the xulrunner source
package, even installed ones, whose names don't contain the string
(e.g., I tried installing spidermonkey-bin, and it didn't show up).

According to the man page, your command merely prints the package
fields of those packages whose package fields contain the string
$source_package, as above.  Have I missed something?

> Mraw,
> KiBi.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

Cyril Brulebois-4
Celejar <[hidden email]> (15/01/2009):
> > (without any deb-src) It looks like the following does what you want:
> > | grep-status -sPackage -F Package $source_package
> >
> > Works for me with blender, xulrunner, graphviz as source package names.

Bleh. Needed sleep :)

Make “-F Package” become “-F Source”. Unfortunately, if a binary package
is built from a source package with the same name, it isn't printed.
E.g.  “grep-status -sPackage -F Source graphviz” won't return graphviz,
even if it's installed, so you'll have to add a special-case.

Using --exact-match should help. What about the following?
| grep-status -X -sPackage -F Source $p; grep-status -X -sPackage -F Package $p

Might be suboptimal but oh well, it does (this time I hope…) answer your
question.

> According to the man page, your command merely prints the package
> fields of those packages whose package fields contains the string
> $source_package, as above.  Have I missed something?

Sorry about that.

Mraw,
KiBi.


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

celejar
On Fri, 16 Jan 2009 07:46:12 +0100
Cyril Brulebois <[hidden email]> wrote:

> Celejar <[hidden email]> (15/01/2009):
> > > (without any deb-src) It looks like the following does what you want:
> > > | grep-status -sPackage -F Package $source_package
> > >
> > > Works for me with blender, xulrunner, graphviz as source package names.
>
> Bleh. Needed sleep :)
>
> Make “-F Package” become “-F Source”. Unfortunately, if a binary package
> is built from a source package with the same name, it isn't printed.
> E.g.  “grep-status -sPackage -F Source graphviz” won't return graphviz,
> even if it's installed, so you'll have to add a special-case.
>
> Using --exact-match should help. What about the following?
> | grep-status -X -sPackage -F Source $p; grep-status -X -sPackage -F Package $p

Thanks.  This prints the packages built from the given source package,
but it doesn't distinguish between those that are actually installed on
the system, and those that are merely available in the cache.  It's not
a big deal to just check them all one by one, but now that you've given
me the clue, I would modify your command to (using some of the shorthand
mentioned in the man page and adding -n to just print the package
names):

grep-status -X -n -sPackage -S $p -a -F Status -r '^install'

This seems to do what I want; thanks for the help,

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


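The check the thread arrives at (installed binaries built from a given source package, so a DSA can be matched against a system), as an added example that is not code from the thread or from dctrl-tools: it parses the dpkg status format directly with awk instead of calling grep-status, handles the two cases KiBi pointed out (a Source: field carrying a version in parentheses, and no Source: field at all when source and binary share a name), and runs over a constructed status sample rather than a real /var/lib/dpkg/status.

```shell
#!/bin/sh
# Constructed sample in /var/lib/dpkg/status format (not taken from a real
# system). Field order inside a paragraph does not matter to the parser.
STATUS_SAMPLE='Package: xulrunner-1.9
Status: install ok installed
Version: 1.9.0.4-1
Source: xulrunner

Package: spidermonkey-bin
Status: install ok installed
Version: 1.9.0.5-1
Source: xulrunner (1.9.0.5-1)

Package: liferea-xulrunner
Status: deinstall ok config-files
Version: 1.4.26-1
Source: liferea

Package: graphviz
Status: install ok installed
Version: 2.20.2-3
'

# installed_from SOURCE  (status file on stdin)
# Prints "binary version" for every paragraph whose "want" status is
# install (same test as the thread's -F Status -r '^install') and whose
# source is SOURCE: either an explicit "Source:" field, with any
# "(version)" suffix stripped, or, when "Source:" is absent, a binary
# whose own name equals SOURCE (the graphviz special case).
installed_from() {
    awk -v src="$1" -F': ' '
        function flush() {
            if (pkg != "" && inst && (srcname == src || (srcname == "" && pkg == src)))
                print pkg, ver
            pkg = ver = srcname = ""; inst = 0
        }
        /^Package: / { flush(); pkg = $2 }
        /^Version: / { ver = $2 }
        /^Source: /  { srcname = $2; sub(/ \(.*\)$/, "", srcname) }
        /^Status: /  { inst = ($2 ~ /^install /) }
        END          { flush() }
    '
}

# Demo against the constructed sample; on a real system use
#   installed_from xulrunner < /var/lib/dpkg/status
printf '%s' "$STATUS_SAMPLE" | installed_from xulrunner
```

Each printed version can then be compared with the fixed version named in the DSA (1.9.0.5-1 for sid in this thread) to see which installed binaries still need the upgrade.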