Hi SRMs, there is another minor security issue in apr-util that would be suitable for a fix in a S-P-U. Unfortunately, I missed the security implications of this bug when preparing the recent DSA. Debdiff is attached. Is it still in time for 5.0.2? Is an OS-P-U also planned in the near future? Cheers, Stefan
diff -u apr-util-1.2.12+dfsg/debian/changelog apr-util-1.2.12+dfsg/debian/changelog --- apr-util-1.2.12+dfsg/debian/changelog +++ apr-util-1.2.12+dfsg/debian/changelog @@ -1,9 +1,18 @@ +apr-util (1.2.12+dfsg-8+lenny3) stable; urgency=low + + * CVE-2009-1956: Fix potential information disclosure bug on big-endian + architectures. On little-endian systems, this is not security relevant + but may still cause data corruption. + * Add CVE reference to previous changelog entry. + + -- Stefan Fritsch <sf@debian.org> Tue, 09 Jun 2009 21:51:09 +0200 + apr-util (1.2.12+dfsg-8+lenny2) stable-security; urgency=high * CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes remotely exploitable DoS vulnerabilities in mod_dav_svn and libapreq2. - * Fix DoS vulnerability (memory consumption) in handling of internal xml - entities. + * CVE-2009-1955: Fix DoS vulnerability (memory consumption) in handling + of internal xml entities. -- Stefan Fritsch <sf@debian.org> Wed, 03 Jun 2009 22:53:01 +0200 diff -u apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch --- apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch +++ apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch @@ -2,7 +2,7 @@ ## 018_expat_entity_expansion.dpatch by Stefan Fritsch <sf@debian.org> ## ## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. +## DP: CVE-2009-1955 @DPATCH@ diff -urNad apr-util-1.2.12+dfsg~/test/billion-laughs.xml apr-util-1.2.12+dfsg/test/billion-laughs.xml diff -u apr-util-1.2.12+dfsg/debian/patches/00list apr-util-1.2.12+dfsg/debian/patches/00list --- apr-util-1.2.12+dfsg/debian/patches/00list +++ apr-util-1.2.12+dfsg/debian/patches/00list 
@@ -10,2 +10,3 @@ 018_expat_entity_expansion.dpatch +019_CVE-2009-1956.dpatch 099_alternate_md4_md5_impl only in patch2: unchanged: --- apr-util-1.2.12+dfsg.orig/debian/patches/019_CVE-2009-1956.dpatch +++ apr-util-1.2.12+dfsg/debian/patches/019_CVE-2009-1956.dpatch @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: CVE-2009-1956 + +@DPATCH@ +--- a/buckets/apr_brigade.c (Revision 777282) ++++ a/buckets/apr_brigade.c (Revision 777283) +@@ -689,9 +689,6 @@ + return -1; + } + +- /* tack on null terminator to remaining string */ +- *(vd.vbuff.curpos) = '\0'; +- + /* write out what remains in the buffer */ + return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf); + } +
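Review bot: In the new 019_CVE-2009-1956.dpatch, the `## DP:` line carries only the CVE id and no description of the change, although the hunk itself is small enough to describe in one sentence: the removed `*(vd.vbuff.curpos) = '\0';` wrote a NUL terminator into the flush buffer after the loop, and the write is unnecessary because the following `apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf)` already passes the length explicitly. Please state that in the DP line (e.g. "Drop the NUL write past the end of the brigade vprintf buffer; the explicit length is used instead") so the next person touching the patch does not have to re-derive why the line is safe to drop and why it was an out-of-bounds write on big-endian systems, as the changelog claims.

Review bot: Also in 019_CVE-2009-1956.dpatch, the header is missing the `## 019_CVE-2009-1956.dpatch by Stefan Fritsch <sf@debian.org>` line that 018_expat_entity_expansion.dpatch has (visible in the second hunk); the bare `##` line should carry it for consistency with the other dpatch files, and the `+++ a/buckets/apr_brigade.c` path would conventionally be `b/` rather than `a/`, though dpatch-run applies it either way at -p1.

Review bot: For the changelog hunk, the CVE-2009-1956 entry describes the impact ("potential information disclosure bug on big-endian architectures") but not where it lives; since the entry is what users of the stable update read, naming the affected code (the buffer handling in buckets/apr_brigade.c, per 019_CVE-2009-1956.dpatch) would let administrators judge whether their applications exercise that path.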