[Pkg-apache-commits] r963 - in /branches/lenny-apr-util: changelog patches/00list patches/018_expat_entity_expansion.dpatch patches/019_CVE-2009-1956.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Tue Jun 9 19:51:08 UTC 2009


Author: sf
Date: Tue Jun  9 19:51:08 2009
New Revision: 963

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=963
Log:
yay, another one: CVE-2009-1956

Added:
    branches/lenny-apr-util/patches/019_CVE-2009-1956.dpatch
Modified:
    branches/lenny-apr-util/changelog
    branches/lenny-apr-util/patches/00list
    branches/lenny-apr-util/patches/018_expat_entity_expansion.dpatch

Modified: branches/lenny-apr-util/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr-util/changelog?rev=963&op=diff
==============================================================================
--- branches/lenny-apr-util/changelog (original)
+++ branches/lenny-apr-util/changelog Tue Jun  9 19:51:08 2009
@@ -1,9 +1,18 @@
+apr-util (1.2.12+dfsg-8+lenny3) UNRELEASED; urgency=low
+
+  * CVE-2009-1956: Fix potential information disclosure bug on big-endian
+    architectures. On little-endian systems, this is not security relevant
+    but may still cause data corruption.
+  * Add CVE reference to previous changelog entry.
+
+ -- Stefan Fritsch <sf at debian.org>  Tue, 09 Jun 2009 21:22:33 +0200
+
 apr-util (1.2.12+dfsg-8+lenny2) stable-security; urgency=high
 
   * CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes
     remotely exploitable DoS vulnerabilities in mod_dav_svn and libapreq2.
-  * Fix DoS vulnerability (memory consumption) in handling of internal xml
-    entities.
+  * CVE-2009-1955: Fix DoS vulnerability (memory consumption) in handling
+    of internal xml entities.
 
  -- Stefan Fritsch <sf at debian.org>  Wed, 03 Jun 2009 22:53:01 +0200
 

Modified: branches/lenny-apr-util/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr-util/patches/00list?rev=963&op=diff
==============================================================================
--- branches/lenny-apr-util/patches/00list (original)
+++ branches/lenny-apr-util/patches/00list Tue Jun  9 19:51:08 2009
@@ -8,4 +8,5 @@
 016_omit_mysql_from_APRUTIL_LDFLAGS.dpatch
 017_CVE-2009-0023.dpatch
 018_expat_entity_expansion.dpatch
+019_CVE-2009-1956.dpatch
 099_alternate_md4_md5_impl

Modified: branches/lenny-apr-util/patches/018_expat_entity_expansion.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr-util/patches/018_expat_entity_expansion.dpatch?rev=963&op=diff
==============================================================================
--- branches/lenny-apr-util/patches/018_expat_entity_expansion.dpatch (original)
+++ branches/lenny-apr-util/patches/018_expat_entity_expansion.dpatch Tue Jun  9 19:51:08 2009
@@ -2,7 +2,7 @@
 ## 018_expat_entity_expansion.dpatch by Stefan Fritsch <sf at debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: CVE-2009-1955
 
 @DPATCH@
 diff -urNad apr-util-1.2.12+dfsg~/test/billion-laughs.xml apr-util-1.2.12+dfsg/test/billion-laughs.xml

Added: branches/lenny-apr-util/patches/019_CVE-2009-1956.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr-util/patches/019_CVE-2009-1956.dpatch?rev=963&op=file
==============================================================================
--- branches/lenny-apr-util/patches/019_CVE-2009-1956.dpatch (added)
+++ branches/lenny-apr-util/patches/019_CVE-2009-1956.dpatch Tue Jun  9 19:51:08 2009
@@ -1,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-1956
+
+ at DPATCH@
+--- a/buckets/apr_brigade.c	(Revision 777282)
++++ a/buckets/apr_brigade.c	(Revision 777283)
+@@ -689,9 +689,6 @@
+       return -1;
+     }
+ 
+-    /* tack on null terminator to remaining string */
+-    *(vd.vbuff.curpos) = '\0';
+-
+     /* write out what remains in the buffer */
+     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
+




More information about the Pkg-apache-commits mailing list