Control: tags -1 + patch

This vulnerability appears to be very hard to fix and the buggy part appears to be the Linux kernel. Currently vlock therefore is not part of Debian jessie. Rather than releasing jessie without vlock, I am proposing to reduce its functionality in a way that removes this vulnerability. Let's just remove new.so. Other use cases will continue to work. Should there be an actual fix to the underlying vulnerability (which still has no CVE assigned btw), enabling new.so can be reconsidered of course.

Helmut
diff -u vlock-2.2.2/debian/changelog vlock-2.2.2/debian/changelog --- vlock-2.2.2/debian/changelog +++ vlock-2.2.2/debian/changelog @@ -1,3 +1,11 @@ +vlock (2.2.2-3.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Disable the new.so module, because it is unfixably broken. (Closes: + #702705) + + -- Helmut Grohne <hel...@subdivi.de> Sun, 29 Jun 2014 19:30:03 +0200 + vlock (2.2.2-3) unstable; urgency=low * Don't try to chgrp to "vlock" during build time (Closes: #486665) diff -u vlock-2.2.2/debian/rules vlock-2.2.2/debian/rules --- vlock-2.2.2/debian/rules +++ vlock-2.2.2/debian/rules @@ -14,6 +14,7 @@ config.status: configure dh_testdir ./configure VLOCK_GROUP=root + sed -i 's/new\.so//' config.mk # disable unfixably insecure module #702705 clean: dh_testdir dh_testroot
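
Review bot: In the debian/changelog hunk, the new entry says only that new.so is "unfixably broken", which does not tell someone reading the changelog that the module is being disabled for a security reason or that anything depending on new.so stops working after the upgrade. Consider wording the entry so that both points are explicit, for example by calling the module "unfixably insecure" as the comment in debian/rules already does, and by adding a line that says functionality provided by new.so is no longer available.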
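
Review bot: In the debian/rules hunk, the added sed line in the config.status target uses an unanchored pattern and nothing checks its result. 's/new\.so//' deletes the first "new.so" substring on each line of config.mk, so it would also cut the tail off any longer name that ends in new.so, and sed exits 0 when the pattern matches nothing, so a change in how config.mk is generated would silently leave the module enabled. Since this line is the whole security fix, consider matching new.so as a complete word and following it with a check that fails the build if new.so still appears in config.mk.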