Hi,

Attached is a debdiff of the changes I made for the 2.5.4-3.1 0-day NMU.

Cheers,
Giuseppe
diff -u python2.5-2.5.4/debian/rules python2.5-2.5.4/debian/rules
--- python2.5-2.5.4/debian/rules
+++ python2.5-2.5.4/debian/rules
@@ -959,6 +959,8 @@
        readline6 \
        calendar \
        makesetup-bashism \
+       CVE-2009-3560 \
+       CVE-2009-3720 \
 
 #      svn-updates \
 #      svn-doc-updates \
diff -u python2.5-2.5.4/debian/changelog python2.5-2.5.4/debian/changelog
--- python2.5-2.5.4/debian/changelog
+++ python2.5-2.5.4/debian/changelog
@@ -1,3 +1,11 @@
+python2.5 (2.5.4-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix two denial-of-service vulnerabilities: CVE-2009-3560 and CVE-2009-3720.
+    (Closes: #560912)
+
+ -- Giuseppe Iuculano <iucul...@debian.org>  Sun, 24 Jan 2010 12:48:21 +0100
+
 python2.5 (2.5.4-3) unstable; urgency=low
 
   * Fix compatibility issues with readline6. Closes: #551759.
only in patch2:
unchanged:
--- python2.5-2.5.4.orig/debian/patches/CVE-2009-3720.dpatch
+++ python2.5-2.5.4/debian/patches/CVE-2009-3720.dpatch
@@ -0,0 +1,38 @@
+#! /bin/sh -e
+## CVE-2009-3720.dpatch by Giuseppe Iuculano <iucul...@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3720
+
+dir=
+if [ $# -eq 3 -a "$2" = '-d' ]; then
+    pdir="-d $3"
+    dir="$3/"
+elif [ $# -ne 1 ]; then
+    echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+    exit 1
+fi
+case "$1" in
+    -patch)
+        patch $pdir -f --no-backup-if-mismatch -p0 < $0
+        ;;
+    -unpatch)
+        patch $pdir -f --no-backup-if-mismatch -R -p0 < $0
+        ;;
+    *)
+        echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+        exit 1
+esac
+exit 0
+
+--- Modules/expat/xmltok_impl.c        2006-06-20 01:21:25.000000000 +0200
++++ Modules/expat/xmltok_impl.c        2010-01-24 12:37:57.000000000 +0100
+@@ -1741,7 +1741,7 @@
+                        const char *end,
+                        POSITION *pos)
+ {
+-  while (ptr != end) {
++  while (ptr < end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+     case BT_LEAD ## n: \
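Review bot: The `## DP:` line at the top of this dpatch carries only the CVE identifier, so nothing in the patch explains what the embedded change to Modules/expat/xmltok_impl.c does or why `ptr < end` must replace `ptr != end`. Suggest expanding it along the lines of `## DP: CVE-2009-3720: expat position-update loop tested ptr != end; use ptr < end so a step that lands past end (the multi-byte LEAD_CASE branches, presumably) ends the loop instead of running on` — the LEAD_CASE advance itself is not visible in the hunk, so confirm that wording against the surrounding code before committing it. The patched function begins before the embedded hunk and its switch body continues past it, so the single-line guard change is the entire fix shipped here. It would also help to record in the header where the fix was taken from (upstream expat or the bug report), since the dpatch has no provenance beyond the author line.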
only in patch2:
unchanged:
--- python2.5-2.5.4.orig/debian/patches/CVE-2009-3560.dpatch
+++ python2.5-2.5.4/debian/patches/CVE-2009-3560.dpatch
@@ -0,0 +1,39 @@
+#! /bin/sh -e
+## CVE-2009-3560.dpatch by Giuseppe Iuculano <iucul...@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3560
+
+dir=
+if [ $# -eq 3 -a "$2" = '-d' ]; then
+    pdir="-d $3"
+    dir="$3/"
+elif [ $# -ne 1 ]; then
+    echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+    exit 1
+fi
+case "$1" in
+    -patch)
+        patch $pdir -f --no-backup-if-mismatch -p0 < $0
+        ;;
+    -unpatch)
+        patch $pdir -f --no-backup-if-mismatch -R -p0 < $0
+        ;;
+    *)
+        echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+        exit 1
+esac
+exit 0
+
+--- Modules/expat/xmlparse.c   2006-08-13 20:12:26.000000000 +0200
++++ Modules/expat/xmlparse.c   2010-01-24 12:40:51.000000000 +0100
+@@ -3682,6 +3682,9 @@
+         return XML_ERROR_UNCLOSED_TOKEN;
+       case XML_TOK_PARTIAL_CHAR:
+         return XML_ERROR_PARTIAL_CHAR;
++      case -XML_TOK_PROLOG_S:
++        tok = -tok;
++        break;
+       case XML_TOK_NONE:
+ #ifdef XML_DTD
+         /* for internal PE NOT referenced between declarations */
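Review bot: The `## DP:` line is again just the CVE identifier, and the added `case -XML_TOK_PROLOG_S: tok = -tok; break;` in Modules/expat/xmlparse.c is not explained anywhere in the patch, so a reader cannot tell why a negated token is being folded back to its positive value rather than handled by whatever the switch did with it before. Suggest `## DP: CVE-2009-3560: expat prolog tokenizer can return -XML_TOK_PROLOG_S; map it back to XML_TOK_PROLOG_S instead of letting it fall to the existing token handling` — which path a negative token took previously is outside this hunk, so verify that description against the full switch. The enclosing switch and function both run outside the embedded hunk, and the case is inserted between the XML_TOK_PARTIAL_CHAR and XML_TOK_NONE arms, so ordering relative to the `#ifdef XML_DTD` block that follows should be checked when the patch is refreshed. As with the other dpatch, a pointer to the upstream origin of the fix belongs in the header.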
