Version in base suite: 1.2.7-8.2 Version in overlay suite: (not present) Base version: apr_1.2.7-8.2 Target version: apr_1.2.7-9 Base file: /org/ftp.debian.org/ftp/pool/main/a/apr/apr_1.2.7-8.2.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/apr_1.2.7-9.dsc apr-1.2.7/debian/changelog | 7 +++ apr-1.2.7/debian/patches/00list | 1 debian/patches/001_cve-2009-2412.dpatch | 71 ++++++++++++++++++++++++++++++++ debian/patches/015sendfile-amd64.dpatch | 26 ----------- 4 files changed, 79 insertions(+), 26 deletions(-)
diff -u apr-1.2.7/debian/changelog apr-1.2.7/debian/changelog
--- apr-1.2.7/debian/changelog
+++ apr-1.2.7/debian/changelog
@@ -1,3 +1,10 @@
+apr (1.2.7-9) oldstable-security; urgency=high
+
+ * Fix CVE-2009-2412: overflow in pool allocations, where size alignment
+ was taking place.
+
+ -- Peter Samuelson Thu, 06 Aug 2009 09:01:34 -0500
+
 apr (1.2.7-8.2) unstable; urgency=high
 
 * Non-maintainer upload.
reverted:
--- apr-1.2.7/debian/patches/015sendfile-amd64.dpatch
+++ apr-1.2.7.orig/debian/patches/015sendfile-amd64.dpatch
@@ -1,26 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 015sendfile-amd64.dpatch by
-## Ensure that we only send 2GB chunks on 64bit platforms thanks
-## to extreme linux kernel bustage.
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
-@DPATCH@
-diff -urNad apr-1.2.2~/network_io/unix/sendrecv.c apr-1.2.2/network_io/unix/sendrecv.c
---- apr-1.2.2~/network_io/unix/sendrecv.c 2005-06-12 18:54:25.000000000 +0100
-+++ apr-1.2.2/network_io/unix/sendrecv.c 2006-06-04 17:14:04.000000000 +0100
-@@ -264,6 +264,14 @@
-
- #else
- off_t off = *offset;
-+
-+ /* Multiple reports have shown sendfile failing with EINVAL if
-+ * passed a >=2Gb count value on some 64-bit kernels. It won't
-+ * noticably hurt performance to limit each call to <2Gb at a
-+ * time, so avoid that issue here: */
-+ if (sizeof(off_t) == 8 && *len > INT_MAX) {
-+ *len = INT_MAX;
-+ }
- #endif
-
- if (!hdtr) {
diff -u apr-1.2.7/debian/patches/00list apr-1.2.7/debian/patches/00list
--- apr-1.2.7/debian/patches/00list
+++ apr-1.2.7/debian/patches/00list
@@ -1,3 +1,4 @@
+001_cve-2009-2412
 011_fix_apr-config
 013_ship_find_apr.m4
 014_fix-apr.pc
only in patch2:
unchanged:
--- apr-1.2.7.orig/debian/patches/001_cve-2009-2412.dpatch
+++ apr-1.2.7/debian/patches/001_cve-2009-2412.dpatch
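Review bot: The changelog entry does not mention that this upload also deletes debian/patches/015sendfile-amd64.dpatch (the `reverted:` section above), while the 00list hunk adds only `001_cve-2009-2412` and removes nothing. Because a patch still named in 00list but missing from debian/patches would break the build, the absence of a matching removal suggests 015 was never listed and dropping it is harmless, but that is an inference from this diff rather than something it shows. A security upload to oldstable should keep its diff self-explanatory; a changelog line such as `* Drop 015sendfile-amd64.dpatch, which was not listed in 00list.` (confirm the premise first) would do it.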
@@ -0,0 +1,71 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 001_cve-2009-2412.dpatch by William Rowe
+##
+## DP: SECURITY: CVE-2009-2412 (cve.mitre.org)
+## DP: Fix overflow in pools, where size alignment was taking place.
+## DP:
+## DP: Reported by: Matt Lewis
+## DP:
+## DP: * memory/unix/apr_pools.c
+## DP: (allocator_alloc, apr_palloc): Check for overflow after aligning size.
+## DP: (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice.
+## DP:
+## DP: SEE ALSO: apr-util-1.x-CVE-2009-2412.patch
+
+@DPATCH@
+--- a/memory/unix/apr_pools.c
++++ b/memory/unix/apr_pools.c
+@@ -191,16 +191,19 @@
+ }
+
+ static APR_INLINE
+-apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t size)
++apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
+ {
+ apr_memnode_t *node, **ref;
+ apr_uint32_t max_index;
+- apr_size_t i, index;
++ apr_size_t size, i, index;
+
+ /* Round up the block size to the next boundary, but always
+ * allocate at least a certain size (MIN_ALLOC).
+ */
+- size = APR_ALIGN(size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++ size = APR_ALIGN(in_size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++ if (size < in_size) {
++ return NULL;
++ }
+ if (size < MIN_ALLOC)
+ size = MIN_ALLOC;
+
+@@ -628,13 +631,19 @@
+ * Memory allocation
+ */
+
+-APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
++APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
+ {
+ apr_memnode_t *active, *node;
+ void *mem;
+- apr_size_t free_index;
++ apr_size_t size, free_index;
+
+- size = APR_ALIGN_DEFAULT(size);
++ size = APR_ALIGN_DEFAULT(in_size);
++ if (size < in_size) {
++ if (pool->abort_fn)
++ pool->abort_fn(APR_ENOMEM);
++
++ return NULL;
++ }
+ active = pool->active;
+
+ /* If the active node has enough bytes left, use it. */
+@@ -699,7 +708,6 @@
+ {
+ void *mem;
+
+- size = APR_ALIGN_DEFAULT(size);
+ if ((mem = apr_palloc(pool, size)) != NULL) {
+ memset(mem, 0, size);
+ }
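Review bot: The two new `if (size < in_size)` guards in allocator_alloc and apr_palloc work by detecting that `APR_ALIGN`/`APR_ALIGN_DEFAULT` wrapped an apr_size_t past its maximum, but nothing in the hunk says so, and a later cleanup could read them as dead code; a comment such as `/* aligned size wrapped past the top of apr_size_t: refuse rather than hand back a block smaller than requested */` would pin the intent. The test is sound for unsigned arithmetic, since a wrapped result is always smaller than in_size (APR_MEMNODE_T_SIZE plus BOUNDARY_SIZE-1 cannot span the whole type), so no further check is needed at these two sites. Note that the two paths fail differently: allocator_alloc returns NULL silently while apr_palloc calls `pool->abort_fn(APR_ENOMEM)` first; the apr_palloc code that later calls allocator_alloc is outside the hunk, so verify it routes that NULL through the same abort_fn/NULL path. This closes only the alignment step; a caller that computes `count * elem_size` before calling apr_palloc can still wrap on its own, which is presumably why the header points at the companion apr-util patch. The bodies of allocator_alloc, apr_palloc and apr_pcalloc all continue outside the hunk.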