Hi, Attached is a debdiff of the changes I made for 2.5.4-3.1 0-day NMU.
Cheers, Giuseppe
diff -u python2.5-2.5.4/debian/rules python2.5-2.5.4/debian/rules --- python2.5-2.5.4/debian/rules +++ python2.5-2.5.4/debian/rules @@ -959,6 +959,8 @@ readline6 \ calendar \ makesetup-bashism \ + CVE-2009-3560 \ + CVE-2009-3720 \ # svn-updates \ # svn-doc-updates \ diff -u python2.5-2.5.4/debian/changelog python2.5-2.5.4/debian/changelog --- python2.5-2.5.4/debian/changelog +++ python2.5-2.5.4/debian/changelog @@ -1,3 +1,11 @@ +python2.5 (2.5.4-3.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix two denial-of-service vulnerabilities: CVE-2009-3560 and CVE-2009-3720. + (Closes: #560912) + + -- Giuseppe Iuculano <iucul...@debian.org> Sun, 24 Jan 2010 12:48:21 +0100 + python2.5 (2.5.4-3) unstable; urgency=low * Fix compatibility issues with readline6. Closes: #551759. only in patch2: unchanged: --- python2.5-2.5.4.orig/debian/patches/CVE-2009-3720.dpatch +++ python2.5-2.5.4/debian/patches/CVE-2009-3720.dpatch 
@@ -0,0 +1,38 @@ +#! /bin/sh -e +## CVE-2009-3720.dpatch by Giuseppe Iuculano <iucul...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: CVE-2009-3720 + +dir= +if [ $# -eq 3 -a "$2" = '-d' ]; then + pdir="-d $3" + dir="$3/" +elif [ $# -ne 1 ]; then + echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]" + exit 1 +fi +case "$1" in + -patch) + patch $pdir -f --no-backup-if-mismatch -p0 < $0 + ;; + -unpatch) + patch $pdir -f --no-backup-if-mismatch -R -p0 < $0 + ;; + *) + echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]" + exit 1 +esac +exit 0 + +--- Modules/expat/xmltok_impl.c 2006-06-20 01:21:25.000000000 +0200 ++++ Modules/expat/xmltok_impl.c 2010-01-24 12:37:57.000000000 +0100 +@@ -1741,7 +1741,7 @@ + const char *end, + POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ only in patch2: unchanged: --- python2.5-2.5.4.orig/debian/patches/CVE-2009-3560.dpatch +++ python2.5-2.5.4/debian/patches/CVE-2009-3560.dpatch 
@@ -0,0 +1,39 @@ +#! /bin/sh -e +## CVE-2009-3560.dpatch by Giuseppe Iuculano <iucul...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: CVE-2009-3560 + +dir= +if [ $# -eq 3 -a "$2" = '-d' ]; then + pdir="-d $3" + dir="$3/" +elif [ $# -ne 1 ]; then + echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]" + exit 1 +fi +case "$1" in + -patch) + patch $pdir -f --no-backup-if-mismatch -p0 < $0 + ;; + -unpatch) + patch $pdir -f --no-backup-if-mismatch -R -p0 < $0 + ;; + *) + echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]" + exit 1 +esac +exit 0 + +--- Modules/expat/xmlparse.c 2006-08-13 20:12:26.000000000 +0200 ++++ Modules/expat/xmlparse.c 2010-01-24 12:40:51.000000000 +0100 +@@ -3682,6 +3682,9 @@ + return XML_ERROR_UNCLOSED_TOKEN; + case XML_TOK_PARTIAL_CHAR: + return XML_ERROR_PARTIAL_CHAR; ++ case -XML_TOK_PROLOG_S: ++ tok = -tok; ++ break; + case XML_TOK_NONE: + #ifdef XML_DTD + /* for internal PE NOT referenced between declarations */
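Review bot: The two new entries in the debian/rules patch list sit after makesetup-bashism and before the commented-out svn-updates entries; both dpatches touch only files under Modules/expat, so ordering relative to the readline6 and calendar patches does not matter. It is worth confirming, in the same rules file, that this build actually compiles the bundled Modules/expat rather than linking the pyexpat module against the system libexpat, because if the system library is used the two new patches change nothing in the resulting binaries.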
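Review bot: The changelog entry lists the CVE ids but not what was wrong or where; a short description per fix (loop termination in the position-update routine in Modules/expat/xmltok_impl.c for CVE-2009-3720, and handling of the negative XML_TOK_PROLOG_S token in Modules/expat/xmlparse.c for CVE-2009-3560) together with a reference to the upstream expat changes the dpatches mirror would make it clear that this NMU patches the embedded expat copy and would let a future maintainer drop the patches once a fixed expat is merged. urgency=high and the "Non-maintainer upload by the Security Team" line are fine as written.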
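Review bot: In the CVE-2009-3720 dpatch the change from `while (ptr != end)` to `while (ptr < end)` is the right fix only because the LEAD_CASE arms advance ptr by n bytes without checking that n bytes remain, so a truncated multi-byte sequence at the end of the buffer lets ptr jump past end and `!=` then never becomes false; please state that in the `## DP:` description, which currently carries only the CVE id, and name the upstream expat change so the patch can be retired when expat is updated. Two minor points on the script boilerplate: `dir="$3/"` is assigned but never used, and `[ $# -eq 3 -a "$2" = '-d' ]` relies on the obsolescent `-a` test operator; both come from the dpatch template and are harmless, so they only need attention if the template is regenerated.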
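Review bot: In the CVE-2009-3560 dpatch the new `case -XML_TOK_PROLOG_S:` arm turns the negative token (the tokenizer's signal for prolog whitespace at the end of the available input) back into the positive token and breaks out of the error switch, so it is afterwards processed as ordinary prolog whitespace instead of going unhandled. Because the visible context shows only the error-returning arms of that switch, please confirm that the code following the switch in this function accepts tok == XML_TOK_PROLOG_S on this path and that no later check in the same function still expects the negative value. As with the other dpatch, `## DP: CVE-2009-3560` should describe the bug and cite the upstream expat change it mirrors.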