[Pkg-ltsp-devel] #469462: X access wide open on LTSP clients

vagrant at freegeek.org vagrant at freegeek.org
Mon Mar 17 23:41:49 UTC 2008


On Mon, Mar 17, 2008 at 02:23:30PM -0700, vagrant at freegeek.org wrote:
> On Mon, Mar 17, 2008 at 08:30:44PM +0100, Nico Golde wrote:
> > * vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-17 20:25]:
> > > On Mon, Mar 17, 2008 at 06:05:13PM +0100, Nico Golde wrote:
> > > > * vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-17 17:50]:
> 
> > > so that's 3 proposed patches:
> > > 
> > > * the security bugfix
> > > * patching to not conflict with ltspfs
> > > * adding the attached script as /usr/lib/ltsp/screen.d/ldm
> > > 
> > > the security patch will actually need changes to the upstream source;
> > > i'm most familiar with using dpatch.
> > > 
> > > let me know which to include, and i can prepare and test an upload.
> > 
> > Looking at your arguing every patch seems to be fine with me.
> 
> > About the conflict patch. Is this conflict already present in testing
> > or not? If yes please do not include the fix because we want to keep
> > the changes as minimal as possible regarding the security issue and if
> > no please go ahead include it in the package.
> 
> maybe i'm misinterpreting what you're saying, but it seems a little
> backwards from what i would think...
> 
> the conflicting package is ltspfs (same version in testing and
> unstable), and conflicts on versions of ldm equal to or less than the
> version in testing (2:0.1~bzr20071217-1).  so, when uploading a newer
> version, i believe it would either be required to apply the fix (by not
> installing the files causing the conflict), or to add a reverse
> conflicts on ltspfs. without fixing the conflict, it's in a similar boat
> as the added script- it makes ltsp-client uninstallable.
> 
> i'll prepare an upload with all included, but hold off on uploading
> until i can confirm all three are ok.

well, i made the upload without confirmation on the grounds that you
need to approve it anyways. i hope that's ok.

it includes the 3 changes mentioned above, and the security fix was
added using dpatch. all fixes are basically backported from sid.

debdiff'ed the sources and binaries, and the only unexpected change is
presence of manpages that were added on i386. this was due to a bug in
debian/rules causing the manpages to not get installed when built on a
buildd, and was fixed in sid.

tested that it actually works in a debian lenny LTSP install.

thanks for your help and review. :)

live well,
  vagrant


