Version in base suite: 1.2.7+dfsg-2 Version in overlay suite: (not present) Base version: apr-util_1.2.7+dfsg-2 Target version: apr-util_1.2.7+dfsg-2+etch2 Base file: /org/ftp.debian.org/ftp/pool/main/a/apr-util/apr-util_1.2.7+dfsg-2.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/apr-util_1.2.7+dfsg-2+etch2.dsc apr-util-1.2.7+dfsg/debian/changelog | 9 +++ apr-util-1.2.7+dfsg/debian/patches/00list | 1 debian/patches/017_CVE-2009-0023.dpatch | 31 +++++++++++++ debian/patches/018_expat_entity_expansion.dpatch | 54 +++++++++++++++++++++++ 4 files changed, 94 insertions(+), 1 deletion(-)
diff -u apr-util-1.2.7+dfsg/debian/patches/00list apr-util-1.2.7+dfsg/debian/patches/00list
--- apr-util-1.2.7+dfsg/debian/patches/00list
+++ apr-util-1.2.7+dfsg/debian/patches/00list
@@ -7 +7,3 @@
-099_alternate_md4_md5_impl
\ No newline at end of file
+017_CVE-2009-0023
+018_expat_entity_expansion.dpatch
+099_alternate_md4_md5_impl
diff -u apr-util-1.2.7+dfsg/debian/changelog apr-util-1.2.7+dfsg/debian/changelog
--- apr-util-1.2.7+dfsg/debian/changelog
+++ apr-util-1.2.7+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+apr-util (1.2.7+dfsg-2+etch2) oldstable-security; urgency=high
+
+ * CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes
+ remotely exploitable DoS vulnerabilities in mod_dav_svn and libapreq2.
+ * Fix DoS vulnerability (memory consumption) in handling of internal xml
+ entities.
+
+ -- Stefan Fritsch Wed, 03 Jun 2009 23:12:43 +0200
+
 apr-util (1.2.7+dfsg-2) unstable; urgency=low
 * Fix stupid code duplication in apr_md[45].c resulting from C&P.
only in patch2: unchanged:
--- apr-util-1.2.7+dfsg.orig/debian/patches/018_expat_entity_expansion.dpatch
+++ apr-util-1.2.7+dfsg/debian/patches/018_expat_entity_expansion.dpatch
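Review bot: The two added 00list entries are named inconsistently — `+017_CVE-2009-0023` has no `.dpatch` suffix while `+018_expat_entity_expansion.dpatch` carries one, and the existing `099_alternate_md4_md5_impl` entry omits it. As far as I recall dpatch accepts both spellings, but the series is easier to audit with one convention, so I would write the second entry as `+018_expat_entity_expansion`.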
@@ -0,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 018_expat_entity_expansion.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad apr-util-1.2.12+dfsg~/xml/apr_xml.c apr-util-1.2.12+dfsg/xml/apr_xml.c
+--- apr-util-1.2.12+dfsg~/xml/apr_xml.c 2007-11-01 15:07:19.000000000 +0100
++++ apr-util-1.2.12+dfsg/xml/apr_xml.c 2009-06-02 19:02:28.063634350 +0200
+@@ -347,6 +347,25 @@
+ return APR_SUCCESS;
+ }
+
+#if XML_MAJOR_VERSION > 0
++/* XML_StopParser is present in expat 2.x */
++#define HAVE_XML_STOPPARSER
++#endif
++
++#ifdef HAVE_XML_STOPPARSER
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ apr_xml_parser *parser = userData;
++
++ XML_StopParser(parser->xp, XML_FALSE);
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+ apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,17 @@
+ XML_SetElementHandler(parser->xp, start_handler, end_handler);
+ XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, simply prevent expenansion
++ * of such entities. */
++#ifdef HAVE_XML_STOPPARSER
++ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++ XML_SetDefaultHandler(parser->xp, NULL);
++#endif
++
+ return parser;
+ }
+
only in patch2: unchanged:
--- apr-util-1.2.7+dfsg.orig/debian/patches/017_CVE-2009-0023.dpatch
+++ apr-util-1.2.7+dfsg/debian/patches/017_CVE-2009-0023.dpatch
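Review bot: The `#if XML_MAJOR_VERSION > 0` guard does not match its own comment: it defines `HAVE_XML_STOPPARSER` for any expat that defines `XML_MAJOR_VERSION` at all (the 1.95.x series included), while the comment claims XML_StopParser is a 2.x feature. Either make the guard say what the comment says, `#if XML_MAJOR_VERSION > 1`, or reword the comment to name the versions that are assumed to provide XML_StopParser (I believe it predates 2.0, but confirm against the expat versions this package is built with). The `#else` branch depends on a non-obvious side effect — `XML_SetDefaultHandler` switches off internal-entity expansion even when the handler passed is NULL — so a comment such as `/* A NULL default handler still disables expansion of internal entities. */` would keep a later cleanup from dropping the call. The dpatch header still carries the template text `## DP: No description.`, which should summarise the change as the changelog does, e.g. `## DP: Disable internal XML entity expansion in apr_xml to prevent memory-exhaustion DoS.`, and `expenansion` in the new comment is a typo for `expansion`. Only the opening and closing lines of apr_xml_parser_create are visible between the two inner hunks; the middle of the function is outside this patch.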
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+diff -urNad apr-util-1.2.12+dfsg~/strmatch/apr_strmatch.c apr-util-1.2.12+dfsg/strmatch/apr_strmatch.c
+--- apr-util-1.2.12+dfsg~/strmatch/apr_strmatch.c 2009-06-02 18:58:49.000000000 +0200
++++ apr-util-1.2.12+dfsg/strmatch/apr_strmatch.c 2009-06-03 23:03:55.650337096 +0200
+@@ -74,7 +74,7 @@
+ }
+ s_tmp--;
+ }
+- s_next += shift[apr_tolower(*s_next)];
++ s_next += shift[(unsigned char)apr_tolower(*s_next)];
+ }
+ return NULL;
+ }
+@@ -103,13 +103,13 @@
+ if (case_sensitive) {
+ pattern->compare = match_boyer_moore_horspool;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[(int)s[i]] = pattern->length - i - 1;
++ shift[(unsigned char)s[i]] = pattern->length - i - 1;
+ }
+ }
+ else {
+ pattern->compare = match_boyer_moore_horspool_nocase;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[apr_tolower(s[i])] = pattern->length - i - 1;
++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+ }
+ }
+ pattern->context = shift;
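Review bot: The first inner hunk adds the `unsigned char` cast only in the case-insensitive matcher; the case-sensitive `match_boyer_moore_horspool`, which sits above line 74 and outside this hunk, performs the same `shift[...]` lookup on `*s_next`, and if it still indexes with an `(int)` cast it needs the identical change, `s_next += shift[(unsigned char)*s_next];`, otherwise a subject byte >= 0x80 on a signed-char platform still yields a negative index during matching even though precompile is now safe. Please check that line in the full apr_strmatch.c, since it is not shown here. The dpatch has no `## DP:` description line at all; I would add `## DP: CVE-2009-0023: index the Boyer-Moore-Horspool shift table with unsigned char so bytes >= 0x80 cannot produce a negative index.`. The second inner hunk begins inside apr_strmatch_precompile, whose declarations of `shift`, `s` and `i` are above the hunk.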