Hi All

Gentoo has hard masked LTSP and is (re)considering tagging it for removal from the Portage tree because it is not currently maintained and has a security issue (apparently). We are picking up maintainership of this package.

First off, I need to verify whether there is in fact an exploit in LTSP 4.1/2's libvncserver packages. The exploit concerned is: CVE-2006-2450

From what I can see, LTSP-4.2 uses LibVNCServer-0.7pre.tar.gz and per Gentoo bug #136916, the rest of Gentoo upgraded to LibVNCServer-0.8.2.tar.gz. The Changelog for the 0.8.2 release contains the following entry:

2006-07-12 Karl Runge <[EMAIL PROTECTED]>
        * libvncserver: release for CVE-2006-2450 fix.

I assume it would be prudent that LibVNCServer be upgraded to 0.8.2 for the next maintenance release of LTSP 4.2, but, from what I can see in the package.def file in the LBE, all this package is used for is x11vnc and nothing else:

INSTALL = cp contrib/x11vnc ${LTSP_ROOT}/usr/X11R6/bin/x11vnc

It also appears that LibVNCServer-0.8.2 does not build an x11vnc binary any longer. If this is the case, we should in fact remove libvncserver from LTSP and use x11vnc-0.8.3 instead:

1. Rename libvncserver in /usr/local/lbe/ltsp-src/package_list to x11vnc
2. mv /usr/local/lbe/ltsp-src/libvncserver /usr/local/lbe/ltsp-src/x11vnc
3. Edit the package.def file as per example included below
4. Compile breaks on linux fb support, so I have added the --without-fbdev option to the configure

tcs lbe # cat ltsp-src/x11vnc/package.def
#
# package.def file for building a package in the the LTSP build environment
#
# Copyright (c) 2003 by James A. McQuillan (McQuillan Systems, LLC)
#
# This software is licensed under the Gnu General Public License.
# The full text of which can be found at http://www.LTSP.org/license.txt
#
VERSION = 1.1
RELEASE = 1
PKG1COMPONENT = ltsp_core
PKG1NAME = ltsp-libvncserver
DEPENDS = ltsp-ltsptree, ltsp-glibc, ltsp-xorg
PKG1 = x11vnc-0.8.3.tar.gz
MD5SUM1 = 8f94bb7180d1a0c303a125f4ae31ca2a
SOURCE1 = ${TARBALL_SOURCE}/${PKG1}
UNPACK1 = gunzip < ${TARBALL} | tar xf -
BUILDDIR = x11vnc-0.8.3
CONFIGURE = export CFLAGS="-march=i386" && \
            ./configure --without-fbdev
BUILD = make -j ${CPUS} CFLAGS="-march=i386 -I .."
INSTALL = cp x11vnc/x11vnc ${LTSP_ROOT}/usr/X11R6/bin/x11vnc
CLEAN = rm -rf ${BUILDDIR} ${SOURCEDIR}

Note: The Gentoo bug as regards LTSP being hard masked in the portage tree is 142661:
http://bugs.gentoo.org/show_bug.cgi?id=142661

Thanks!

--
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
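
Added example (not part of the original post, and not LTSP or Gentoo code): a check that reads package.def text in the layout shown in the post and lists any PKGn entry pinning a LibVNCServer tarball older than 0.8.2, the release the quoted ChangeLog entry names for the CVE-2006-2450 fix. The function names and the OLD_DEF sample are assumptions made for illustration; the check looks only at tarball names, so a hit is a candidate for review rather than proof that the build is affected.

```python
import re

# Release the ChangeLog entry quoted in the post names as the CVE-2006-2450 fix.
FIXED = (0, 8, 2)

# Constructed sample: only the tarball name and INSTALL line come from the post.
OLD_DEF = r"""
# package.def (constructed sample)
PKG1NAME = ltsp-libvncserver
PKG1 = LibVNCServer-0.7pre.tar.gz
INSTALL = cp contrib/x11vnc ${LTSP_ROOT}/usr/X11R6/bin/x11vnc
"""

# Excerpt of the x11vnc package.def shown in the post.
NEW_DEF = r"""
PKG1NAME = ltsp-libvncserver
PKG1 = x11vnc-0.8.3.tar.gz
CONFIGURE = export CFLAGS="-march=i386" && \
            ./configure --without-fbdev
"""

def parse_package_def(text):
    """Return {KEY: value}; '#' lines are skipped, a trailing backslash joins lines."""
    fields, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def needs_review(fields):
    """Return PKGn tarballs pinning a LibVNCServer release older than FIXED."""
    hits = []
    for key in sorted(fields):
        m = re.fullmatch(r"LibVNCServer-(\d+(?:\.\d+)*)(pre)?\.tar\.gz", fields[key], re.I)
        if not re.fullmatch(r"PKG\d+", key) or not m:
            continue
        numbers = tuple(int(part) for part in m.group(1).split("."))
        # A "pre" tarball sorts before the release whose number it carries.
        if numbers < FIXED or (numbers == FIXED and m.group(2)):
            hits.append(fields[key])
    return hits
```
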