Hello stable release managers,

I would like to upload a security update for Lenny, for package 'tla'.
http://www.debian.org/security/2009/dsa-1953

As it's a minor issue, the security team asked me to upload it through a point-release update (cf. forwarded message below).

A package can be found at:
http://www.beuc.net/tmp/tla/lenny-stable/tla_1.3.5+dfsg-14+lenny1.dsc

Is it OK with you?

Here's the interdiff:

diff -u tla-1.3.5+dfsg/debian/changelog tla-1.3.5+dfsg/debian/changelog --- tla-1.3.5+dfsg/debian/changelog +++ tla-1.3.5+dfsg/debian/changelog @@ -1,3 +1,11 @@ +tla (1.3.5+dfsg-14+lenny1) stable; urgency=low + + * QA upload. + * Fix CVE-2009-3560 and CVE-2009-3720 denial-of-services by patching + bundled libexpat (closes: #560940). + + -- Sylvain Beucler <beuc@beuc.net> Tue, 13 Apr 2010 17:55:51 +0200 + tla (1.3.5+dfsg-14) unstable; urgency=low * QA upload. diff -u tla-1.3.5+dfsg/debian/patches/00list tla-1.3.5+dfsg/debian/patches/00list --- tla-1.3.5+dfsg/debian/patches/00list +++ tla-1.3.5+dfsg/debian/patches/00list @@ -5,0 +6,2 @@ +CVE-2009-3560.dpatch +CVE-2009-3720.dpatch only in patch2: unchanged: --- tla-1.3.5+dfsg.orig/debian/patches/CVE-2009-3720.dpatch +++ tla-1.3.5+dfsg/debian/patches/CVE-2009-3720.dpatch
@@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2009-3720.dpatch by Sylvain Beucler <beuc@beuc.net> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix CVE-2009-3720 vulnerability +## DP: Check: +## DP: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&diff_format=l +## DP: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940 + +@DPATCH@ +diff -urNad tla-1.3.5+dfsg~/src/expat/lib/xmltok_impl.c tla-1.3.5+dfsg/src/expat/lib/xmltok_impl.c +--- tla-1.3.5+dfsg~/src/expat/lib/xmltok_impl.c 2006-07-20 08:34:33.000000000 +0200 ++++ tla-1.3.5+dfsg/src/expat/lib/xmltok_impl.c 2010-01-23 19:35:20.000000000 +0100 +@@ -1741,7 +1741,7 @@ + const char *end, + POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ only in patch2: unchanged: --- tla-1.3.5+dfsg.orig/debian/patches/CVE-2009-3560.dpatch +++ tla-1.3.5+dfsg/debian/patches/CVE-2009-3560.dpatch 
@@ -0,0 +1,23 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2009-3560.dpatch by Sylvain Beucler <beuc@beuc.net> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix CVE-2009-3560 vulnerability +## DP: Check: +## DP: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166&diff_format=h +## DP: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940 + +@DPATCH@ +diff -urNad tla-1.3.5+dfsg~/src/expat/lib/xmlparse.c tla-1.3.5+dfsg/src/expat/lib/xmlparse.c +--- tla-1.3.5+dfsg~/src/expat/lib/xmlparse.c 2006-07-20 08:34:33.000000000 +0200 ++++ tla-1.3.5+dfsg/src/expat/lib/xmlparse.c 2010-01-23 19:32:26.000000000 +0100 +@@ -3615,6 +3615,9 @@ + return XML_ERROR_UNCLOSED_TOKEN; + case XML_TOK_PARTIAL_CHAR: + return XML_ERROR_PARTIAL_CHAR; ++ case -XML_TOK_PROLOG_S: ++ tok = -tok; ++ break; + case XML_TOK_NONE: + #ifdef XML_DTD + /* for internal PE NOT referenced between declarations */

Best regards,
- Sylvain

----- Forwarded message from Moritz Muehlenhoff <jmm@inutil.org> -----

Date: Mon, 22 Mar 2010 18:56:22 +0100
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Sylvain Beucler <beuc@beuc.net>
Cc: team@security.debian.org, ben@decadent.org.uk
Subject: Re: Versioning: security updates and binary uploads
User-Agent: Mutt/1.5.20 (2009-06-14)

On Mon, Mar 22, 2010 at 02:19:13PM +0100, Sylvain Beucler wrote:
> Ciao!
>
> On Mon, Mar 22, 2010 at 01:21:55PM +0100, Giuseppe Iuculano wrote:
> > On 21/03/2010 14:16, Sylvain Beucler wrote:
> > > There's no conflict right now, because 'b' '<' 'etch', but there would
> > > be a conflict if 'etch' had been called instead 'alfred' or anything
> > > that is '<' 'b'.
> > >
> > > So maybe I should use:
> > > -> tla-1.3.5+dfsg-9+b1+etch1
> > > as a rule?
> >
> > As you wrote, there is no conflict right now, so you should use
> > tla-1.3.5+dfsg-9+etch1.
>
> Ok, thanks.
>
> > BTW, currently there aren't any security issues open for tla, what are
> > you preparing?
>
> tla includes a copy of libexpat, so it's affected by:
> http://www.debian.org/security/2009/dsa-1953
> A fix was uploaded to testing, but not to stable and old-stable.

This specific issue doesn't warrant a DSA, please update it through a stable point update:
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

> Btw, do you still accept old-stable uploads?

Support for Etch ended some weeks ago.

Cheers,
Moritz

----- End forwarded message -----
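Review bot: the debian/changelog hunk (@@ -1,3 +1,11 @@) describes the fix only as "Fix CVE-2009-3560 and CVE-2009-3720 denial-of-services by patching bundled libexpat (closes: #560940)"; since the forwarded message says the same fix was already uploaded to testing, the stable entry should also name the unstable/testing version whose dpatches this backports, so the two uploads can be tied together later, and "denial-of-services" should read "denial-of-service issues".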
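Review bot: in the CVE-2009-3720.dpatch hunk for src/expat/lib/xmltok_impl.c (@@ -1741,7 +1741,7 @@), the single change is `while (ptr != end)` becoming `while (ptr < end)`, but the `## DP:` lines say only "Fix CVE-2009-3720 vulnerability" and point at a CVS diff spanning r1.13 to r1.15. The DP: description should state why an exact-inequality test is unsafe at this loop (under what input `ptr` can step past `end`), so the next reader does not have to follow the CVS links, and the backport should confirm that nothing else in the r1.13-r1.15 range was needed, since only this one line is carried over.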
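Review bot: in the CVE-2009-3560.dpatch hunk for src/expat/lib/xmlparse.c (@@ -3615,6 +3615,9 @@), the added `case -XML_TOK_PROLOG_S:` flips the sign of `tok` and `break`s out of the switch, while the neighbouring `XML_TOK_PARTIAL_CHAR` case returns an error and `XML_TOK_NONE` continues into its own handling; a short comment in the hunk, or in the `## DP:` description (which again carries only "Fix CVE-2009-3560 vulnerability"), explaining why a negated prolog-whitespace token is expected here and must be treated as the positive token rather than as an error would make the backport reviewable without the upstream CVS diff.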
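The versioning exchange in the forwarded message turns on how dpkg orders Debian version strings: 'b' sorts before 'etch', so a stable update numbered -9+etch1 supersedes a binNMU -9+b1, whereas a suite name sorting before 'b' would not. The following is an added example written for this page, not code from tla or dpkg: a Python reimplementation of the Debian version comparison algorithm (Debian Policy section 5.6.12), used to check the orderings discussed above. The function names `compare_versions` and `sorts_between` are this example's own; `dpkg --compare-versions` remains the authoritative tool.

```python
"""Debian version comparison (Policy 5.6.12) as a stand-alone example.

A version is [epoch:]upstream_version[-debian_revision]. Each part is compared
by alternating non-digit runs (lexical, with '~' before anything including the
end of the part, and letters before non-letters) and digit runs (numeric).
"""

import re


def _order(c):
    """Modified ASCII order used for non-digit runs."""
    if c == '~':
        return -1          # '~' sorts before everything, even end of part
    if c == '':
        return 0           # end of part
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # non-letters, in ASCII order among themselves


def _cmp_part(a, b):
    """Compare two upstream_version or debian_revision strings."""
    while a or b:
        # 1) leading non-digit runs, compared lexically with _order
        ra = re.match(r'[^0-9]*', a).group()
        rb = re.match(r'[^0-9]*', b).group()
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            oa = _order(ra[i] if i < len(ra) else '')
            ob = _order(rb[i] if i < len(rb) else '')
            if oa != ob:
                return -1 if oa < ob else 1
        # 2) leading digit runs, compared numerically (missing run counts as 0)
        da = re.match(r'[0-9]*', a).group()
        db = re.match(r'[0-9]*', b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or '0'), int(db or '0')
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split into (epoch, upstream_version, debian_revision)."""
    epoch, sep, rest = version.partition(':')
    if not sep:
        epoch, rest = '0', version
    upstream, sep, revision = rest.rpartition('-')
    if not sep:
        upstream, revision = rest, ''   # absent revision behaves like "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def sorts_between(lower, candidate, upper):
    """True if lower < candidate < upper: the stable update supersedes the
    binNMU in stable yet stays below the next revision in unstable."""
    return compare_versions(lower, candidate) < 0 and compare_versions(candidate, upper) < 0


if __name__ == "__main__":
    # Versions from the thread, plus the hypothetical 'alfred' suite name.
    print(sorts_between("1.3.5+dfsg-9+b1", "1.3.5+dfsg-9+etch1", "1.3.5+dfsg-10"))    # True
    print(sorts_between("1.3.5+dfsg-9+b1", "1.3.5+dfsg-9+alfred1", "1.3.5+dfsg-10"))  # False
    print(compare_versions("1.3.5+dfsg-14", "1.3.5+dfsg-14+lenny1"))                 # -1
```

The second call shows the conflict the thread describes: a suite name that sorts before 'b' makes the stable update lower than the binNMU, so it would never replace it. Run against a real system, `dpkg --compare-versions 1.3.5+dfsg-9+b1 lt 1.3.5+dfsg-9+etch1` gives the same answer.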