[xml/sgml-commit] r1645 - in /packages/expat/branches/lenny/debian: changelog patches/00list patches/560901_CVE_2009_3560.dpatch
dleidert-guest at users.alioth.debian.org
Sun Dec 13 11:00:16 UTC 2009
Author: dleidert-guest
Date: Sun Dec 13 11:00:13 2009
New Revision: 1645
URL: http://svn.debian.org/wsvn/debian-xml-sgml/?sc=1&rev=1645
Log:
* debian/patches/560901_CVE_2009_3560.dpatch: Added.
- lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
#560901).
* debian/patches/00list: Adjusted.
Added:
packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch (with props)
Modified:
packages/expat/branches/lenny/debian/changelog
packages/expat/branches/lenny/debian/patches/00list
Modified: packages/expat/branches/lenny/debian/changelog
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/branches/lenny/debian/changelog?rev=1645&op=diff
==============================================================================
--- packages/expat/branches/lenny/debian/changelog (original)
+++ packages/expat/branches/lenny/debian/changelog Sun Dec 13 11:00:13 2009
@@ -1,6 +1,10 @@
-expat (2.0.1-4+lenny2) UNRELEASED; urgency=low
-
- *
+expat (2.0.1-4+lenny2) UNRELEASED; urgency=medium
+
+ * Upload to stable to fix security issues.
+ * debian/patches/560901_CVE_2009_3560.dpatch: Added.
+ - lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
+ #560901).
+ * debian/patches/00list: Adjusted.
-- Daniel Leidert (dale) <daniel.leidert at wgdd.de> Sun, 13 Dec 2009 11:32:31 +0100
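Review bot: the new first bullet says "fix security issues" (plural), but the entry that follows lists a single fix, CVE-2009-3560 in lib/xmlparse.c (doProlog). Either make the bullet singular or name the other issues this upload covers, so the stable changelog matches what is actually shipped. The header line also still reads UNRELEASED, and it needs the target suite set before the upload the bullet announces.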
Modified: packages/expat/branches/lenny/debian/patches/00list
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/branches/lenny/debian/patches/00list?rev=1645&op=diff
==============================================================================
--- packages/expat/branches/lenny/debian/patches/00list (original)
+++ packages/expat/branches/lenny/debian/patches/00list Sun Dec 13 11:00:13 2009
@@ -4,3 +4,4 @@
412786_xmlwf_man_standard_fix
485129_fix_underquotation_in_m4
551936_CVE_2009_2625
+560901_CVE_2009_3560
Added: packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch?rev=1645&op=file
==============================================================================
--- packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch (added)
+++ packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch Sun Dec 13 11:00:13 2009
@@ -1,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 560901_CVE_2009_3560.dpatch by Daniel Leidert (dale) <daniel.leidert at wgdd.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as
+## DP: used in the XML-Twig module for Perl, allows context-dependent attackers
+## DP: to cause a denial of service (application crash) via an XML document
+## DP: with malformed UTF-8 sequences that trigger a buffer over-read, related
+## DP: to the doProlog function in lib/xmlparse.c, a different vulnerability
+## DP: than CVE-2009-2625 and CVE-2009-3720.
+## DP:
+## DP: <URL:http://bugs.debian.org/560901>
+## DP: <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560>
+## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165>
+## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165>
+
+ at DPATCH@
+diff -urNad lenny~/lib/xmlparse.c lenny/lib/xmlparse.c
+--- lenny~/lib/xmlparse.c 2007-05-08 04:25:35.000000000 +0200
++++ lenny/lib/xmlparse.c 2009-12-13 11:39:18.671629559 +0100
+@@ -3725,7 +3725,6 @@
+ return XML_ERROR_NO_ELEMENTS;
+ default:
+ tok = -tok;
+- next = end;
+ break;
+ }
+ }
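Review bot: the DP: description restates the CVE text (over-read in big2_toUtf8, lib/xmltok.c), but the embedded diff only drops `next = end;` from the `default:` branch in lib/xmlparse.c, and nothing in the header connects the two. Add a DP: line explaining why `next` must no longer be forced to `end` after `tok = -tok;`, so a later maintainer can check this backport against the upstream r1.164 to r1.165 change it links. The patch also carries no sample document or test reference for the crash; a pointer to a reproducer in bug #560901, if one exists there, would make the fix verifiable on the lenny build.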
Propchange: packages/expat/branches/lenny/debian/patches/560901_CVE_2009_3560.dpatch
------------------------------------------------------------------------------
svn:executable = *