Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services

To: 560940@bugs.debian.org
Cc: Ben Hutchings <ben@decadent.org.uk>
Subject: Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services
From: Sylvain Beucler <beuc@beuc.net>
Date: Thu, 24 Dec 2009 15:46:50 +0100
Message-id: <[🔎] 20091224144650.GA16396@perso.beuc.net>
Reply-to: Sylvain Beucler <beuc@beuc.net>, 560940@bugs.debian.org
In-reply-to: <[🔎] 20091224113541.GA14875@perso.beuc.net>
References: <[🔎] 20091214225836.GA32115@perso.beuc.net> <handler.560940.B560940.12608315265661.ackinfo@bugs.debian.org> <20091214233922.GB32115@perso.beuc.net> <[🔎] 20091215123130.GA16920@perso.beuc.net> <[🔎] 20091224113541.GA14875@perso.beuc.net>

> > Patched package available at:
> > http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=tla

The fixed version is up.

$ interdiff tla1.diff tla2.diff | diffstat
 patches/06-disable_builtin_expat.dpatch |   50 +++++++++++++++++++-------------
 rules                                   |    5 +--
 2 files changed, 34 insertions(+), 21 deletions(-)


diff -u tla-1.3.5+dfsg/debian/rules tla-1.3.5+dfsg/debian/rules
--- tla-1.3.5+dfsg/debian/rules
+++ tla-1.3.5+dfsg/debian/rules
@@ -56,8 +56,9 @@
 
        # Disable builtin expat
        # See also patches/06-disable_builtin_expat.dpatch
-       rm -f src/expat/PLUGIN/AUTOCONF
-       rm -f src/expat/PLUGIN/REQ
+       #rm -f src/expat/PLUGIN/AUTOCONF
+       #rm -f src/expat/PLUGIN/REQ
+       rm -rf src/expat/  # Let's play safe
        rm -f src/libneon/PLUGIN/REQ
 
        # Cleaning package
diff -u tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch
--- tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch
+++ tla-1.3.5+dfsg/debian/patches/06-disable_builtin_expat.dpatch
@@ -2,22 +2,12 @@
 ## 06-disable_builtin_expat.dpatch by Sylvain Beucler <beuc@beuc.net>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: use system expat to address CVE-2009-3560 and CVE-2009-3720 DoS
-## DP: see also debian/rules, target 'clean'
+## DP: No description.
 
---- tla-1.3.5+dfsg.orig/src/tla/tla/Makefile.in
-+++ tla-1.3.5+dfsg/src/tla/tla/Makefile.in
-@@ -21,7 +21,7 @@
- endif
- 
- $(programs):%$(cfg__exec_suffix):%.o $(thelib) $(filter-out -L%, $(filter-out -l%, $(libs)))
--      $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) -L../../expat -o $@ $< $(thelib) $(libs)
-+      $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) -o $@ $< $(thelib) $(libs)
- 
- clean: clean-prog
- 
---- tla-1.3.5+dfsg.orig/src/libneon/Makefile.in
-+++ tla-1.3.5+dfsg/src/libneon/Makefile.in
+@DPATCH@
+diff -urNad tla-1.3.5+dfsg~/src/libneon/Makefile.in tla-1.3.5+dfsg/src/libneon/Makefile.in
+--- tla-1.3.5+dfsg~/src/libneon/Makefile.in    2009-12-24 12:30:27.000000000 +0100
++++ tla-1.3.5+dfsg/src/libneon/Makefile.in     2009-12-24 12:30:41.000000000 +0100
 @@ -33,7 +33,7 @@
  
  @SET_MAKE@
@@ -30,11 +20,33 @@
---- tla-1.3.5+dfsg.orig/src/libneon/src/Makefile.in
-+++ tla-1.3.5+dfsg/src/libneon/src/Makefile.in
-@@ -26,7 +26,7 @@
+diff -urNad tla-1.3.5+dfsg~/src/libneon/src/Makefile.in tla-1.3.5+dfsg/src/libneon/src/Makefile.in
+--- tla-1.3.5+dfsg~/src/libneon/src/Makefile.in        2009-12-24 12:30:27.000000000 +0100
++++ tla-1.3.5+dfsg/src/libneon/src/Makefile.in 2009-12-24 12:31:28.000000000 +0100
+@@ -25,14 +25,14 @@
+ 
  # Flags
  CPPFLAGS = @DEFS@ @CPPFLAGS@
- CFLAGS = @CFLAGS@  -I$(top_builddir) -I$(top_srcdir)/../expat/lib @NEON_CFLAGS@
+-CFLAGS = @CFLAGS@  -I$(top_builddir) -I$(top_srcdir)/../expat/lib @NEON_CFLAGS@
 -LDFLAGS = -L$(top_builddir)/../expat @LDFLAGS@
++CFLAGS = @CFLAGS@  -I$(top_builddir) @NEON_CFLAGS@
 +LDFLAGS = @LDFLAGS@
  NEON_LINK_FLAGS = @NEON_LINK_FLAGS@
  # Note: don't substitute @LIBS@ in here; during a bundled
  # build of this directory, @LIBS@ may include -lneon.
+ LIBS = @NEON_LIBS@ @NEON_LTLIBS@
+ 
+-COMPILE = $(CC) $(CPPFLAGS) $(CFLAGS)  -I$(top_builddir) -I$(top_srcdir)/../expat/lib @NEON_CFLAGS@
++COMPILE = $(CC) $(CPPFLAGS) $(CFLAGS)  -I$(top_builddir) @NEON_CFLAGS@
+ LINK = $(LIBTOOL) --quiet --mode=link $(CC) $(LDFLAGS)
+ 
+ NEON_BASEOBJS = ne_request.@NEON_OBJEXT@ ne_session.@NEON_OBJEXT@         \
+diff -urNad tla-1.3.5+dfsg~/src/tla/tla/Makefile.in tla-1.3.5+dfsg/src/tla/tla/Makefile.in
+--- tla-1.3.5+dfsg~/src/tla/tla/Makefile.in    2009-12-24 12:30:27.000000000 +0100
++++ tla-1.3.5+dfsg/src/tla/tla/Makefile.in     2009-12-24 12:30:41.000000000 +0100
+@@ -21,7 +21,7 @@
+ endif
+ 
+ $(programs):%$(cfg__exec_suffix):%.o $(thelib) $(filter-out -L%, $(filter-out -l%, $(libs)))
+-      $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) -L../../expat -o $@ $< $(thelib) $(libs)
++      $(SHELL) $(objroot)/libneon/libtool --mode=link $(CC) $(CFLAGS) -o $@ $< $(thelib) $(libs)
+ 
+ clean: clean-prog
+

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services
  - From: Sylvain Beucler <beuc@beuc.net>
- Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services
  - From: Sylvain Beucler <beuc@beuc.net>
- Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Bug#562407: graphviz: Depends on python2.4 packages
Next by Date: Bug#562407: graphviz: Depends on python2.4 packages
Previous by thread: Bug#560940: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Next by thread: Processed: severity of 493974 is serious
Index(es):
- Date
- Thread