Hello stable release managers,
I would like to upload a security update for Lenny, for package 'tla'.
http://www.debian.org/security/2009/dsa-1953
As it's a minor issue, the security team asked me to upload it through
a point-release update (cf. forwarded message below).
A package can be found at:
http://www.beuc.net/tmp/tla/lenny-stable/tla_1.3.5+dfsg-14+lenny1.dsc
Is it OK with you?
Here's the interdiff:
diff -u tla-1.3.5+dfsg/debian/changelog tla-1.3.5+dfsg/debian/changelog
--- tla-1.3.5+dfsg/debian/changelog
+++ tla-1.3.5+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+tla (1.3.5+dfsg-14+lenny1) stable; urgency=low
+
+ * QA upload.
+ * Fix CVE-2009-3560 and CVE-2009-3720 denial-of-services by patching
+ bundled libexpat (closes: #560940).
+
+ -- Sylvain Beucler <beuc@beuc.net> Tue, 13 Apr 2010 17:55:51 +0200
+
tla (1.3.5+dfsg-14) unstable; urgency=low
* QA upload.
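Review bot: the changelog entry says nothing about which testing/unstable version already carries these two fixes, which is what the release team needs to confirm that 1.3.5+dfsg-14+lenny1 sorts below it; add that version to the entry, or at least to the cover mail, which only says "a fix was uploaded to testing". Minor wording: "denial-of-services" reads better as "denial-of-service issues". The `+lenny1` suffix follows the `+etch1` convention agreed on in the forwarded message, and `stable` as the target distribution is right for a point-release update.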
diff -u tla-1.3.5+dfsg/debian/patches/00list tla-1.3.5+dfsg/debian/patches/00list
--- tla-1.3.5+dfsg/debian/patches/00list
+++ tla-1.3.5+dfsg/debian/patches/00list
@@ -5,0 +6,2 @@
+CVE-2009-3560.dpatch
+CVE-2009-3720.dpatch
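Review bot: `@@ -5,0 +6,2 @@` appends the two names after line 5 with no context lines, so the hunk applies cleanly to any 00list with at least five entries; worth a glance that line 5 of the lenny 00list really is the last existing entry so the new patches land at the end of the series. Their order relative to each other is irrelevant, since they touch different files (src/expat/lib/xmltok_impl.c and src/expat/lib/xmlparse.c).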
only in patch2:
unchanged:
--- tla-1.3.5+dfsg.orig/debian/patches/CVE-2009-3720.dpatch
+++ tla-1.3.5+dfsg/debian/patches/CVE-2009-3720.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-3720.dpatch by Sylvain Beucler <beuc@beuc.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2009-3720 vulnerability
+## DP: Check:
+## DP: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&diff_format=l
+## DP: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940
+
+@DPATCH@
+diff -urNad tla-1.3.5+dfsg~/src/expat/lib/xmltok_impl.c tla-1.3.5+dfsg/src/expat/lib/xmltok_impl.c
+--- tla-1.3.5+dfsg~/src/expat/lib/xmltok_impl.c 2006-07-20 08:34:33.000000000 +0200
++++ tla-1.3.5+dfsg/src/expat/lib/xmltok_impl.c 2010-01-23 19:35:20.000000000 +0100
+@@ -1741,7 +1741,7 @@
+ const char *end,
+ POSITION *pos)
+ {
+- while (ptr != end) {
++ while (ptr < end) {
+ switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+ case BT_LEAD ## n: \
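Review bot: the `## DP:` description only repeats the CVE number; say what the one-line change does: the `BT_LEAD ## n` cases generated right below advance `ptr` by more than one byte, so a truncated multi-byte sequence at the end of the buffer can carry `ptr` past `end`, after which `ptr != end` never becomes false while `ptr < end` stops the loop immediately. The two URLs are useful, but that one-line rationale belongs in the header so the patch can be audited without network access.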
only in patch2:
unchanged:
--- tla-1.3.5+dfsg.orig/debian/patches/CVE-2009-3560.dpatch
+++ tla-1.3.5+dfsg/debian/patches/CVE-2009-3560.dpatch
@@ -0,0 +1,23 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-3560.dpatch by Sylvain Beucler <beuc@beuc.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2009-3560 vulnerability
+## DP: Check:
+## DP: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166&diff_format=h
+## DP: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940
+
+@DPATCH@
+diff -urNad tla-1.3.5+dfsg~/src/expat/lib/xmlparse.c tla-1.3.5+dfsg/src/expat/lib/xmlparse.c
+--- tla-1.3.5+dfsg~/src/expat/lib/xmlparse.c 2006-07-20 08:34:33.000000000 +0200
++++ tla-1.3.5+dfsg/src/expat/lib/xmlparse.c 2010-01-23 19:32:26.000000000 +0100
+@@ -3615,6 +3615,9 @@
+ return XML_ERROR_UNCLOSED_TOKEN;
+ case XML_TOK_PARTIAL_CHAR:
+ return XML_ERROR_PARTIAL_CHAR;
++ case -XML_TOK_PROLOG_S:
++ tok = -tok;
++ break;
+ case XML_TOK_NONE:
+ #ifdef XML_DTD
+ /* for internal PE NOT referenced between declarations */
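Review bot: unlike its neighbours, which `return` an error code, the new `case -XML_TOK_PROLOG_S:` arm makes `tok` positive and `break`s out of the switch, so the code after the switch sees ordinary `XML_TOK_PROLOG_S` whitespace instead of the negative token falling to the handling for unlisted tokens. The `## DP:` header should explain why an incomplete (negative) `XML_TOK_PROLOG_S` is safe to accept here while the other partial-token arms above it return errors, and a one-line comment inside the case would save the next reader of this bundled copy a trip to the CVS diff.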
Best regards,
- Sylvain
----- Forwarded message from Moritz Muehlenhoff <jmm@inutil.org> -----
Date: Mon, 22 Mar 2010 18:56:22 +0100
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Sylvain Beucler <beuc@beuc.net>
Cc: team@security.debian.org, ben@decadent.org.uk
Subject: Re: Versioning: security updates and binary uploads
User-Agent: Mutt/1.5.20 (2009-06-14)
On Mon, Mar 22, 2010 at 02:19:13PM +0100, Sylvain Beucler wrote:
> Ciao!
>
> On Mon, Mar 22, 2010 at 01:21:55PM +0100, Giuseppe Iuculano wrote:
> > On 21/03/2010 14:16, Sylvain Beucler wrote:
> > > There's no conflict right now, because 'b' '<' 'etch', but there would
> > > be a conflict if 'etch' had instead been called 'alfred' or anything
> > > that is '<' 'b'.
> > >
> > > So maybe I should use:
> > > -> tla-1.3.5+dfsg-9+b1+etch1
> > > as a rule?
> >
> > As you wrote, there is no conflict right now, so you should use
> > tla-1.3.5+dfsg-9+etch1.
>
> Ok, thanks.
>
> > BTW, currently there isn't any security issues opened for tla, what are
> > you preparing?
>
> tla includes a copy of libexpat, so it's affected by:
> http://www.debian.org/security/2009/dsa-1953
> A fix was uploaded to testing, but not to stable and old-stable.
This specific issue doesn't warrant a DSA; please update it through a stable
point update:
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
> Btw, do you still accept old-stable uploads?
Support for Etch has ended some weeks ago.
Cheers,
Moritz
----- End forwarded message -----