~ubuntu-dev/ubuntu/lucid/expat/lucid-201002101902

Viewing changes to debian/patches/560901_CVE_2009_3560.dpatch

Committer: Bazaar Package Importer
Author(s): Daniel Leidert (dale)
Date: 2009-12-13 12:06:07 UTC
mto: This revision was merged to the branch mainline in revision 7.
Revision ID: james.westby@ubuntu.com-20091213120607-ohtngtmatledubt7

* debian/patches/560901_CVE_2009_3560.dpatch: Added.
- lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
#560901).
* debian/patches/00list: Adjusted.

files added:
debian/patches/560901_CVE_2009_3560.dpatch

files modified:
debian/changelog

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/560901_CVE_2009_3560.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

## 560901_CVE_2009_3560.dpatch by Daniel Leidert (dale) <daniel.leidert@wgdd.de>

## All lines beginning with `## DP:' are a description of the patch.

## DP: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as

## DP: used in the XML-Twig module for Perl, allows context-dependent attackers

## DP: to cause a denial of service (application crash) via an XML document

## DP: with malformed UTF-8 sequences that trigger a buffer over-read, related

## DP: to the doProlog function in lib/xmlparse.c, a different vulnerability

## DP: than CVE-2009-2625 and CVE-2009-3720.

## DP:

## DP: <URL:http://bugs.debian.org/560901>

## DP: <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560>

## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165>

## DP: <URL:http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165>

@DPATCH@

diff -urNad lenny~/lib/xmlparse.c lenny/lib/xmlparse.c

--- lenny~/lib/xmlparse.c 2007-05-08 04:25:35.000000000 +0200

+++ lenny/lib/xmlparse.c 2009-12-13 11:39:18.671629559 +0100

@@ -3725,7 +3725,6 @@

return XML_ERROR_NO_ELEMENTS;

default:

tok = -tok;

- next = end;

break;

}

Older »