Hi, Attached is a debdiff of the changes I made for 2.9.1-4.1 0-day NMU.
Cheers, Giuseppe
diff -u libxerces2-java-2.9.1/debian/changelog
libxerces2-java-2.9.1/debian/changelog
--- libxerces2-java-2.9.1/debian/changelog
+++ libxerces2-java-2.9.1/debian/changelog
@@ -1,3 +1,11 @@
+libxerces2-java (2.9.1-4.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed CVE-2009-2625: denial of service (infinite loop and application hang)
+ via malformed XML input (Closes: #548358)
+
+ -- Giuseppe Iuculano <iucul...@debian.org> Fri, 29 Jan 2010 11:19:09 +0100
+
libxerces2-java (2.9.1-4) unstable; urgency=low
* Upload to unstable.
only in patch2:
unchanged:
--- libxerces2-java-2.9.1.orig/debian/patches/04_CVE-2009-2625.patch
+++ libxerces2-java-2.9.1/debian/patches/04_CVE-2009-2625.patch
@@ -0,0 +1,20 @@
+CVE-2009-2625
+diff --git a/src/org/apache/xerces/impl/XMLScanner.java
b/src/org/apache/xerces/impl/XMLScanner.java
+index a64ce11..1abca0e 100644
+--- a/src/org/apache/xerces/impl/XMLScanner.java
++++ b/src/org/apache/xerces/impl/XMLScanner.java
+@@ -1027,6 +1027,14 @@ public abstract class XMLScanner
+ if (XMLChar.isMarkup(c) || c == ']') {
+ fStringBuffer.append((char)fEntityScanner.scanChar());
+ }
++ else if (XMLChar.isHighSurrogate(c)) {
++ scanSurrogates(fStringBuffer);
++ }
++ else if (isInvalidLiteral(c)) {
++ reportFatalError("InvalidCharInSystemID",
++ new Object[] { Integer.toHexString(c) });
++ fEntityScanner.scanChar();
++ }
+ } while (fEntityScanner.scanLiteral(quote, ident) != quote);
+ fStringBuffer.append(ident);
+ ident = fStringBuffer;
signature.asc
Description: OpenPGP digital signature
