Am Montag, den 26.10.2009, 12:55 +0100 schrieb Giuseppe Iuculano: > Daniel Leidert ha scritto: > > The dpatch patch is already available at > > http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/551936_CVE_2009_2625.dpatch > > > > Shall I prepare the packages (I'm registered as DM for expat > 2.0.1, > > but not for expat in oldstable) or do you want to do this? > > Please prepare packages for stable and oldstable, and mail us the debdiffs > (DMs > can't upload on security-master).
Attached are the debdiffs for stable and oldstable. Regards, Daniel
diff -u expat-1.95.8/debian/changelog expat-1.95.8/debian/changelog
--- expat-1.95.8/debian/changelog
+++ expat-1.95.8/debian/changelog
@@ -1,3 +1,10 @@
+expat (1.95.8-3.4+etch1) oldstable-security; urgency=medium
+
+ * NMU to old stable to fix security issues.
+ * CVE-2009-2625: Fix DoS vulnerability (closes: #551936).
+
+ -- Daniel Leidert (dale) <daniel.leid...@wgdd.de> Mon, 26 Oct 2009 15:21:49 +0100
+
expat (1.95.8-3.4) unstable; urgency=low
* Porter NMU.
only in patch2:
unchanged:
--- expat-1.95.8.orig/lib/xmltok_impl.c
+++ expat-1.95.8/lib/xmltok_impl.c
@@ -1741,7 +1741,7 @@
const char *end,
POSITION *pos)
{
- while (ptr != end) {
+ while (ptr < end) {
switch (BYTE_TYPE(enc, ptr)) {
#define LEAD_CASE(n) \
case BT_LEAD ## n: \
diff -u expat-2.0.1/debian/changelog expat-2.0.1/debian/changelog --- expat-2.0.1/debian/changelog +++ expat-2.0.1/debian/changelog @@ -1,3 +1,13 @@ +expat (2.0.1-4+lenny1) stable-security; urgency=medium + + * Upload to stable to fix security issues. + * debian/patches/551936_CVE_2009_2625.dpatch: Added. + - lib/xmltok_impl.c (updatePosition): Fix DoS vulnerability CVE-2009-2625 + (closes: #551936). + * debian/patches/00list: Adjusted. + + -- Daniel Leidert (dale) <daniel.leid...@wgdd.de> Mon, 26 Oct 2009 15:13:25 +0100 + expat (2.0.1-4) unstable; urgency=low * debian/libexpat1-dev.install: Install the libtool .la files again and drop diff -u expat-2.0.1/debian/patches/00list expat-2.0.1/debian/patches/00list --- expat-2.0.1/debian/patches/00list +++ expat-2.0.1/debian/patches/00list @@ -5,0 +6 @@ +551936_CVE_2009_2625 only in patch2: unchanged: --- expat-2.0.1.orig/debian/patches/551936_CVE_2009_2625.dpatch +++ expat-2.0.1/debian/patches/551936_CVE_2009_2625.dpatch @@ -0,0 +1,24 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 551936_CVE_2009_2625.dpatch by Daniel Leidert (dale) <daniel.leid...@wgdd.de> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: A vulnarability allows remote attackers to cause a denial of service +## DP: infinite loop and application hang) via malformed XML input. +## DP: +## DP: <URL:http://bugs.debian.org/551936> +## DP: <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625> +## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13> + +...@dpatch@ +diff -urNad trunk~/lib/xmltok_impl.c trunk/lib/xmltok_impl.c +--- trunk~/lib/xmltok_impl.c 2006-11-26 18:34:46.000000000 +0100 ++++ trunk/lib/xmltok_impl.c 2009-10-22 21:42:41.000000000 +0200 +@@ -1744,7 +1744,7 @@ + const char *end, + POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
