[xml/sgml-commit] r1645 - in /packages/expat/branches/lenny/debian: changelog patches/00list patches/560901_CVE_2009_3560.dpatch

dleidert-guest at users.alioth.debian.org
Sun Dec 13 11:00:16 UTC 2009


Author: dleidert-guest
Date: Sun Dec 13 11:00:13 2009
New Revision: 1645

URL: http://svn.debian.org/wsvn/debian-xml-sgml/?sc=1&rev=1645
Log:
* debian/patches/560901_CVE_2009_3560.dpatch: Added.
  - lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
    #560901).
* debian/patches/00list: Adjusted.

Added:
    packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch   (with props)
Modified:
    packages/expat/branches/lenny/debian/changelog
    packages/expat/branches/lenny/debian/patches/00list

Modified: packages/expat/branches/lenny/debian/changelog
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/branches/lenny/debian/changelog?rev=1645&op=diff
==============================================================================
--- packages/expat/branches/lenny/debian/changelog (original)
+++ packages/expat/branches/lenny/debian/changelog Sun Dec 13 11:00:13 2009
@@ -1,6 +1,10 @@
-expat (2.0.1-4+lenny2) UNRELEASED; urgency=low
-
-  * 
+expat (2.0.1-4+lenny2) UNRELEASED; urgency=medium
+
+  * Upload to stable to fix security issues.
+  * debian/patches/560901_CVE_2009_3560.dpatch: Added.
+    - lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
+      #560901).
+  * debian/patches/00list: Adjusted.
 
  -- Daniel Leidert (dale) <daniel.leidert at wgdd.de>  Sun, 13 Dec 2009 11:32:31 +0100
 
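Review bot: the distribution field is still `UNRELEASED` while the new first bullet says "Upload to stable to fix security issues"; before the tag and upload this must become the stable codename (the branch is `lenny`), otherwise the package builds with an entry that claims a target it does not name. The bullet "Fix DoS vulnerability CVE-2009-3560" could also carry the root cause from the patch's own description (a buffer over-read on malformed UTF-8 sequences) so that the changelog and the `## DP:` text agree on what was fixed rather than only on the CVE number.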

Modified: packages/expat/branches/lenny/debian/patches/00list
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/branches/lenny/debian/patches/00list?rev=1645&op=diff
==============================================================================
--- packages/expat/branches/lenny/debian/patches/00list (original)
+++ packages/expat/branches/lenny/debian/patches/00list Sun Dec 13 11:00:13 2009
@@ -4,3 +4,4 @@
 412786_xmlwf_man_standard_fix
 485129_fix_underquotation_in_m4
 551936_CVE_2009_2625
+560901_CVE_2009_3560
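Review bot: the new entry is appended after `551936_CVE_2009_2625`, and since dpatch applies `00list` in order the new patch is applied to a `lib/xmlparse.c` that already has the CVE-2009-2625 fix in it; confirm the hunk at line 3725 in `560901_CVE_2009_3560.dpatch` was generated against that state (its `lenny~` vs `lenny` header suggests it was), otherwise the build will stop on an apply failure rather than silently skip the fix.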

Added: packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch?rev=1645&op=file
==============================================================================
--- packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch (added)
+++ packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch Sun Dec 13 11:00:13 2009
@@ -1,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 560901_CVE_2009_3560.dpatch by Daniel Leidert (dale) <daniel.leidert at wgdd.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as
+## DP: used in the XML-Twig module for Perl, allows context-dependent attackers
+## DP: to cause a denial of service (application crash) via an XML document
+## DP: with malformed UTF-8 sequences that trigger a buffer over-read, related
+## DP: to the doProlog function in lib/xmlparse.c, a different vulnerability
+## DP: than CVE-2009-2625 and CVE-2009-3720. 
+## DP:
+## DP: <URL:http://bugs.debian.org/560901>
+## DP: <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560>
+## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165>
+## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165>
+
+ at DPATCH@
+diff -urNad lenny~/lib/xmlparse.c lenny/lib/xmlparse.c
+--- lenny~/lib/xmlparse.c	2007-05-08 04:25:35.000000000 +0200
++++ lenny/lib/xmlparse.c	2009-12-13 11:39:18.671629559 +0100
+@@ -3725,7 +3725,6 @@
+         return XML_ERROR_NO_ELEMENTS;
+       default:
+         tok = -tok;
+-        next = end;
+         break;
+       }
+     }
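Review bot: the `## DP:` block quotes the CVE advisory wording instead of explaining the change, so a reader cannot tell from the header why deleting `next = end;` in the `default:` case of doProlog fixes an over-read that the advisory locates in big2_toUtf8 (lib/xmltok.c); add one sentence stating what later consumed the widened `next` when it was forced to the buffer end for a negative token, which is the whole content of this one-line fix. Separately, the dpatch marker appears here as ` at DPATCH@`, most likely the list archiver's address munging; verify the committed file contains the literal `@DPATCH@`, since dpatch-run locates the patch body by that marker. Minor: trailing whitespace after `CVE-2009-3720.` on the last description line.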

Propchange: packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch
------------------------------------------------------------------------------
    svn:executable = *
