[Pkg-voip-commits] r4999 - in /pwlib/trunk/debian: changelog patches/00list patches/CVE-2007-4897.dpatch

kilian at alioth.debian.org kilian at alioth.debian.org
Mon Dec 3 12:54:30 UTC 2007


Author: kilian
Date: Mon Dec  3 12:54:29 2007
New Revision: 4999

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=4999
Log:
* Remove compat symlinks in libpt-dev that are not used anyway.
* Fix remote denial of service vulnerability caused
  by a call to PString::vsprintf if the used object already
  contained more than 1000 characters (CVE-2007-4897; Closes: #454133).
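
To show the sizing problem this entry describes, here is an added example (not pwlib code; GrowBuf, its SetSize() and vsprintfAppend() are simplified stand-ins for the PString internals). The append loop starts its growth counter at the current length, as the patched code does, so the first pass always hands vsnprintf at least 1000 bytes beyond the existing text; firstPassRoom() shows what the original `size = 0` start yields once the string already holds more than 1000 characters.

```cpp
// Added example, not code from pwlib: a minimal PString-like buffer whose
// printf-style append grows the storage the way the patched loop does
// (size starts at the current length, not at zero).
#include <cstdarg>
#include <cstdio>
#include <string>
#include <vector>

class GrowBuf {
public:
    explicit GrowBuf(const std::string& initial = "")
        : data_(initial.begin(), initial.end()) { data_.push_back('\0'); }

    size_t length() const { return data_.size() - 1; }
    std::string str() const { return std::string(data_.data(), length()); }

    // Hypothetical stand-in for PString::SetSize(): guarantee room for `size`
    // bytes (terminator included). Never shrinks below the current contents.
    bool SetSize(size_t size) {
        if (size > data_.size()) data_.resize(size, '\0');
        return true;
    }

    // Append formatted text. Mirrors the patched loop: the first attempt
    // reserves len + 1000 bytes, so the space handed to vsnprintf
    // (size - len) stays positive however long the contents already are.
    bool vsprintfAppend(const char* fmt, va_list arg) {
        size_t len = length();
        size_t size = len;            // patched: start from current length (was 0)
        for (;;) {
            size += 1000;
            if (!SetSize(size)) return false;
            va_list copy;
            va_copy(copy, arg);       // each retry needs a fresh copy of the args
            int n = std::vsnprintf(data_.data() + len, size - len, fmt, copy);
            va_end(copy);
            if (n < 0) return false;  // formatting error
            if ((size_t)n < size - len) {   // fit, terminator included
                data_.resize(len + n + 1);  // trim unused growth
                return true;
            }
            // otherwise grow by another 1000 bytes and retry
        }
    }

    bool sprintfAppend(const char* fmt, ...) {
        va_list arg;
        va_start(arg, fmt);
        bool ok = vsprintfAppend(fmt, arg);
        va_end(arg);
        return ok;
    }

private:
    std::vector<char> data_;  // contents plus trailing '\0'
};

// Room (in bytes) the first pass of the loop offers vsnprintf for a string
// already holding `len` characters. With the original `size = 0` start, a
// string longer than 1000 characters gives a negative value: the buffer the
// first SetSize(1000) asks for is smaller than the text it already holds, so
// there is no valid room for the formatted tail at offset len.
long long firstPassRoom(size_t len, bool patched) {
    long long size = patched ? (long long)len : 0;
    size += 1000;
    return size - (long long)len;
}

// Convenience wrapper: append `tail` to `base` and return the result.
std::string appendFormatted(const std::string& base, const std::string& tail) {
    GrowBuf b(base);
    b.sprintfAppend("%s", tail.c_str());
    return b.str();
}
```

appendFormatted(std::string(1500, 'a'), "xyz") returns the 1500 characters followed by "xyz", and a tail longer than 1000 bytes simply makes the loop iterate more than once.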

Added:
    pwlib/trunk/debian/patches/CVE-2007-4897.dpatch
Modified:
    pwlib/trunk/debian/changelog
    pwlib/trunk/debian/patches/00list

Modified: pwlib/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/pwlib/trunk/debian/changelog?rev=4999&op=diff
==============================================================================
--- pwlib/trunk/debian/changelog (original)
+++ pwlib/trunk/debian/changelog Mon Dec  3 12:54:29 2007
@@ -1,4 +1,4 @@
-pwlib (1.10.10-2) UNRELEASED; urgency=low
+pwlib (1.10.10-2) UNRELEASED; urgency=high
 
   * NOT RELEASED YET
   * Add Replaces/Conflicts/Provides for old versions of plugins packages.
@@ -6,10 +6,13 @@
     plugins are sorted into namespaces that provide for having *one* -dbg
     package again.
   * Fix debian/watch to use sf.net instead of voxgratia.org (Closes: #453539, #453139)
-  * Remove compat symlinks in libpt-dev that are not used anyway. 
+  * Remove compat symlinks in libpt-dev that are not used anyway.
     (Closes: #453694)
-
- -- Kilian Krause <kilian at debian.org>  Tue, 09 Oct 2007 14:12:19 +0200
+  * Fix remote denial of service vulnerability caused
+    by a call to PString::vsprintf if the used object already
+    contained more than 1000 characters (CVE-2007-4897; Closes: #454133).
+
+ -- Kilian Krause <kilian at debian.org>  Mon,  3 Dec 2007 13:53:34 +0100
 
 pwlib (1.10.10-1) unstable; urgency=low
 
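Review bot: the new CVE-2007-4897 bullet gives no traceability to the fix itself; the dpatch header added in this revision names Nico Golde as its author, so the entry could credit that and name the patch file (debian/patches/CVE-2007-4897.dpatch) so a reader can find what changed without opening the repository. The rest of the hunk (trailing-whitespace removal on the symlink bullet, new signature date) is fine.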

Modified: pwlib/trunk/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/pwlib/trunk/debian/patches/00list?rev=4999&op=diff
==============================================================================
--- pwlib/trunk/debian/patches/00list (original)
+++ pwlib/trunk/debian/patches/00list Mon Dec  3 12:54:29 2007
@@ -2,3 +2,4 @@
 04_names
 05_hppa
 06_plugins_shared
+CVE-2007-4897
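Review bot: the existing 00list entries carry a numeric prefix (04_names, 05_hppa, 06_plugins_shared) that makes application order explicit, and the new `CVE-2007-4897` entry drops that convention. Consider `07_CVE-2007-4897` (renaming the .dpatch to match) so ordering stays visible in the file name.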

Added: pwlib/trunk/debian/patches/CVE-2007-4897.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/pwlib/trunk/debian/patches/CVE-2007-4897.dpatch?rev=4999&op=file
==============================================================================
--- pwlib/trunk/debian/patches/CVE-2007-4897.dpatch (added)
+++ pwlib/trunk/debian/patches/CVE-2007-4897.dpatch Mon Dec  3 12:54:29 2007
@@ -1,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-4897.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad pwlib-1.10.10~/src/ptlib/common/contain.cxx pwlib-1.10.10/src/ptlib/common/contain.cxx
+--- pwlib-1.10.10~/src/ptlib/common/contain.cxx	2005-11-30 13:47:41.000000000 +0100
++++ pwlib-1.10.10/src/ptlib/common/contain.cxx	2007-12-03 13:45:00.000000000 +0100
+@@ -2465,7 +2465,7 @@
+   PAssert(SetSize(2000), POutOfMemory);
+   ::vsprintf(theArray+len, fmt, arg);
+ #else
+-  PINDEX size = 0;
++  PINDEX size = len;
+   do {
+     size += 1000;
+     PAssert(SetSize(size), POutOfMemory);
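Review bot: `## DP: No description.` leaves the patch header undocumented; replace it with a one-line summary such as `## DP: Fix remote DoS in PString::vsprintf when the string already holds >1000 chars (CVE-2007-4897)`. Also, the fix only touches the `#else` branch (`PINDEX size = len;`), while the branch above it still does `PAssert(SetSize(2000), POutOfMemory);` followed by `::vsprintf(theArray+len, fmt, arg);`, which writes unbounded output at offset `len` into a fixed 2000-byte buffer; if that branch is ever compiled, the same problem remains there, so either size it relative to `len` too or note in the DP line why it is unreachable on Debian.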