On Mon, Dec 2, 2013 at 12:38:26 +0100, intrigeri wrote: > Hi, > > Julien Cristau wrote (23 Oct 2013 20:02:13 GMT) : > > On Wed, Oct 23, 2013 at 09:47:39 +0200, intrigeri wrote: > >> do you have any plans to fix CVE-2013-4396 in squeeze-backports? > >> (Rationale: Tails ships Xorg from squeeze-backports.) > >> > >> If you don't, may I assume that the following would work: > >> > >> 1. set up a Squeeze + backports chroot > >> 2. retrieve the xorg-server source package from squeeze-backports > >> 3. add the patch that was applied in the Wheezy security update > >> 4. build in the aforementioned chroot > >> > >> ? > >> > > That should work. I think either the squeeze or the wheezy patch should > > apply just fine, modulo whitespace. > > I did it, and the resulting packages seem to work fine (I've tested > xserver-common and xserver-xorg-core in a live Squeeze + X from > squeeze-backports system). I did not try to exploit the CVE and see if > it is really fixed, though. > > Anyone willing to ACK the attached commits and push them to the > debian-squeeze-backports branch, before I upload to the archive? > Looks plausible, I'm happy to merge this if you give me a repo to pull from. Or give you write access to pkg-xorg.
Cheers, Julien
signature.asc
Description: Digital signature
