Hi SRMs,

there is another minor security issue in apr-util that would be suitable for a fix in a S-P-U. Unfortunately, I missed the security implications of this bug when preparing the recent DSA. Debdiff is attached. Is it still in time for 5.0.2? Is an OS-P-U also planned in the near future?

Cheers,
Stefan
diff -u apr-util-1.2.12+dfsg/debian/changelog apr-util-1.2.12+dfsg/debian/changelog
--- apr-util-1.2.12+dfsg/debian/changelog
+++ apr-util-1.2.12+dfsg/debian/changelog
@@ -1,9 +1,18 @@
+apr-util (1.2.12+dfsg-8+lenny3) stable; urgency=low
+
+ * CVE-2009-1956: Fix potential information disclosure bug on big-endian
+ architectures. On little-endian systems, this is not security relevant
+ but may still cause data corruption.
+ * Add CVE reference to previous changelog entry.
+
+ -- Stefan Fritsch <sf@debian.org> Tue, 09 Jun 2009 21:51:09 +0200
+
apr-util (1.2.12+dfsg-8+lenny2) stable-security; urgency=high
* CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes
remotely exploitable DoS vulnerabilities in mod_dav_svn and libapreq2.
- * Fix DoS vulnerability (memory consumption) in handling of internal xml
- entities.
+ * CVE-2009-1955: Fix DoS vulnerability (memory consumption) in handling
+ of internal xml entities.
-- Stefan Fritsch <sf@debian.org> Wed, 03 Jun 2009 22:53:01 +0200
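Review bot: the new entry at `+ * CVE-2009-1956: Fix potential information disclosure bug on big-endian` states the affected architectures and impact but not what is changed; naming the touched file (the 019 patch in this debdiff edits buckets/apr_brigade.c) would let a reader map the changelog to the code. Adding the `CVE-2009-1955` reference to the previous lenny2 entry is consistent with the updated header of 018_expat_entity_expansion.dpatch.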
diff -u apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch
--- apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch
+++ apr-util-1.2.12+dfsg/debian/patches/018_expat_entity_expansion.dpatch
@@ -2,7 +2,7 @@
## 018_expat_entity_expansion.dpatch by Stefan Fritsch <sf@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: CVE-2009-1955
@DPATCH@
diff -urNad apr-util-1.2.12+dfsg~/test/billion-laughs.xml apr-util-1.2.12+dfsg/test/billion-laughs.xml
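Review bot: the description line `+## DP: CVE-2009-1955` carries only the CVE identifier, while the `## DP:` comment above it says these lines are meant to describe the patch; a short statement of what is changed (the changelog calls it a memory-consumption DoS in handling of internal xml entities) would help readers of the patch file itself. The trailing context shows the patch also adds test/billion-laughs.xml, which the description could mention as the regression test.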
diff -u apr-util-1.2.12+dfsg/debian/patches/00list apr-util-1.2.12+dfsg/debian/patches/00list
--- apr-util-1.2.12+dfsg/debian/patches/00list
+++ apr-util-1.2.12+dfsg/debian/patches/00list
@@ -10,2 +10,3 @@
018_expat_entity_expansion.dpatch
+019_CVE-2009-1956.dpatch
099_alternate_md4_md5_impl
only in patch2:
unchanged:
--- apr-util-1.2.12+dfsg.orig/debian/patches/019_CVE-2009-1956.dpatch
+++ apr-util-1.2.12+dfsg/debian/patches/019_CVE-2009-1956.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-1956
+
+@DPATCH@
+--- a/buckets/apr_brigade.c (Revision 777282)
++++ a/buckets/apr_brigade.c (Revision 777283)
+@@ -689,9 +689,6 @@
+ return -1;
+ }
+
+- /* tack on null terminator to remaining string */
+- *(vd.vbuff.curpos) = '\0';
+-
+ /* write out what remains in the buffer */
+ return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
+
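Review bot: the description `+## DP: CVE-2009-1956` should say what the removed statement did wrong: `*(vd.vbuff.curpos) = '\0';` stores a terminator at curpos even though the following `apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf)` is given an explicit length and never needs it, and when curpos already sits at the end of the buffer that store lands one byte past it, which is the corruption and disclosure the changelog refers to. Also, both inner headers use the same prefix (`--- a/buckets/apr_brigade.c` and `+++ a/buckets/apr_brigade.c`); that applies fine with a -p1 strip, but the usual a/ and b/ pairing would be less surprising.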