Version in base suite: 0.48-1 Version in overlay suite: 0.48-1sarge1 Base version: libnet-dns-perl_0.48-1 Target version: libnet-dns-perl_0.48-1sarge1 Base file: /org/ftp.debian.org/ftp/pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1.dsc Target file: /org/ftp.debian.org/ftp/pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.dsc
diff -u libnet-dns-perl-0.48/debian/changelog libnet-dns-perl-0.48/debian/changelog
--- libnet-dns-perl-0.48/debian/changelog
+++ libnet-dns-perl-0.48/debian/changelog
@@ -1,3 +1,20 @@
+libnet-dns-perl (0.48-1sarge1) oldstable-security; urgency=high
+
+ * Malformed A records could lead to a Perl exception and program crash
+ (CVE-2007-6341). Closes: #457445.
+ * A very weak random number generator was used for transaction IDs
+ (CVE-2007-3377).
+ Perl's rand() is used in the patch against this vulnerability--it is
+ initialized from /dev/urandom, but the underlying LCG has only got 48
+ bits of state, so at the very least, a brute-force attack is still
+ possible if an attacker has got three subsequently generated
+ transaction IDs.
+ * The Perl implementation of dn_expand could recurse infinitely
+ (CVE-2007-3409). (On Debian systems, the C version is typically
+ used.)
+
+ -- Florian Weimer Fri, 07 Mar 2008 23:03:36 +0100
+
 libnet-dns-perl (0.48-1) unstable; urgency=low

 * New upstream release
diff -u libnet-dns-perl-0.48/debian/patches/00list libnet-dns-perl-0.48/debian/patches/00list
--- libnet-dns-perl-0.48/debian/patches/00list
+++ libnet-dns-perl-0.48/debian/patches/00list
@@ -2,0 +3,3 @@
+50_random_id.dpatch
+51_endless_loop.dpatch
+52_A_croak.dpatch
only in patch2: unchanged:
--- libnet-dns-perl-0.48.orig/debian/patches/52_A_croak.dpatch
+++ libnet-dns-perl-0.48/debian/patches/52_A_croak.dpatch
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 52_A_croak.dpatch by Nico Golde
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2007-6341
+
+@DPATCH@
+diff -urNad git~/lib/Net/DNS/RR/A.pm git/lib/Net/DNS/RR/A.pm
+--- git~/lib/Net/DNS/RR/A.pm 2008-01-22 21:36:10.000000000 +0100
++++ git/lib/Net/DNS/RR/A.pm 2008-01-22 21:36:16.000000000 +0100
+@@ -18,7 +18,7 @@
+ sub new {
+ my ($class, $self, $data, $offset) = @_;
+
+- if ($self->{"rdlength"} > 0) {
++ if ($self->{"rdlength"} >= 4) {
+ $self->{"address"} = inet_ntoa(substr($$data, $offset, 4));
+ }
only in patch2: unchanged:
--- libnet-dns-perl-0.48.orig/debian/patches/50_random_id.dpatch
+++ libnet-dns-perl-0.48/debian/patches/50_random_id.dpatch
@@ -0,0 +1,23 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 50_random_id.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Randomize ID (LP: #125180)
+
+@DPATCH@
+diff -urNad libnet-dns-perl-0.59~/lib/Net/DNS/Header.pm libnet-dns-perl-0.59/lib/Net/DNS/Header.pm
+--- libnet-dns-perl-0.59~/lib/Net/DNS/Header.pm 2006-09-18 15:22:12.000000000 -0400
++++ libnet-dns-perl-0.59/lib/Net/DNS/Header.pm 2007-07-11 00:40:12.000000000 -0400
+@@ -52,10 +52,9 @@
+
+
+ {
+- my $id = int rand(MAX_ID);
+-
++
+ sub nextid {
+- return $id++ % (MAX_ID + 1);
++ int rand(MAX_ID);
+ }
+ }
+
only in patch2: unchanged:
--- libnet-dns-perl-0.48.orig/debian/patches/51_endless_loop.dpatch
+++ libnet-dns-perl-0.48/debian/patches/51_endless_loop.dpatch
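Review bot: In 52_A_croak.dpatch, the new guard `if ($self->{"rdlength"} >= 4)` in `new` of lib/Net/DNS/RR/A.pm tests only the length declared in the record, while `substr($$data, $offset, 4)` reads from the actual buffer; if fewer than four bytes remain at `$offset`, `inet_ntoa` would presumably still croak. Unless the caller (outside the hunk) already verifies that the declared RDATA lies within the packet, the condition could be `if ($self->{"rdlength"} == 4 && length($$data) >= $offset + 4) {`, which also rejects over-long A RDATA instead of silently using its first four bytes. Records with rdlength 1–3 now leave `address` unset, so a comment such as `# malformed RDATA: leave address undefined rather than croak` would help the next reader. The body of `new` continues outside the hunk.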
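Review bot: `int rand(MAX_ID);` in `nextid` (50_random_id.dpatch, lib/Net/DNS/Header.pm) can never return MAX_ID itself, whereas the removed `% (MAX_ID + 1)` could; if MAX_ID is the largest valid ID (its definition is outside the hunk), `return int rand(MAX_ID + 1);` keeps the full range and makes the return explicit. The changelog entry in this same upload already says that Perl's rand() is backed by a 48-bit LCG and that IDs remain guessable from a few observed values, so a comment at the call such as `# not a CSPRNG; see CVE-2007-3377 entry in debian/changelog` would keep that caveat next to the code. The hunk also leaves a whitespace-only line where `my $id` was declared, and the enclosing bare block no longer scopes anything.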
@@ -0,0 +1,79 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 51_endless_loop.dpatch by Kees Cook
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: http://rt.cpan.org/Public/Bug/Display.html?id=27285
+
+@DPATCH@
+diff --git a/lib/Net/DNS/Packet.pm b/lib/Net/DNS/Packet.pm
+index ea28a89..f07a002 100644
+--- a/lib/Net/DNS/Packet.pm
++++ b/lib/Net/DNS/Packet.pm
+@@ -684,7 +684,7 @@ Returns B<(undef, undef)> if the domain name couldn't be expanded.
+ }
+
+ sub dn_expand_PP {
+- my ($packet, $offset) = @_; # $seen from $_[2] for debugging
++ my ($packet, $pkt_offset) = @_; # $seen from $_[2] for debugging
+ my $name = "";
+ my $len;
+ my $packetlen = length $$packet;
+@@ -698,31 +698,37 @@ sub dn_expand_PP {
+ #}
+ #$seen->{$offset} = 1;
+
++ my $checked = 0;
++ my $hasPtr = 0;
++ my $offset = $pkt_offset;
+ while (1) {
+ return (undef, undef) if $packetlen < ($offset + 1);
++ return (undef, undef) if $checked > $packetlen; # endless Loop
+
+ $len = unpack("\@$offset C", $$packet);
+
+ if ($len == 0) {
+ $offset++;
++ $pkt_offset++ if !$hasPtr;
+ last;
+ }
+ elsif (($len & 0xc0) == 0xc0) {
++ # pointer into message for compressed strings
+ return (undef, undef)
+ if $packetlen < ($offset + $int16sz);
+
++ $pkt_offset+=$int16sz if !$hasPtr;
++ $checked += $int16sz;
+ my $ptr = unpack("\@$offset n", $$packet);
+ $ptr &= 0x3fff;
+ my($name2) = dn_expand_PP($packet, $ptr); # pass $seen for debugging
+-
+- return (undef, undef) unless defined $name2;
+-
+- $name .= $name2;
+- $offset += $int16sz;
+- last;
++ $offset = $ptr;
++ $hasPtr = 1;
++ next; # restart with offset from pointer
+ }
+ else {
+ $offset++;
++ $pkt_offset+=1 if !$hasPtr;
+
+ return (undef, undef)
+ if $packetlen < ($offset + $len);
+@@ -731,11 +737,13 @@ sub dn_expand_PP {
+ $elem =~ s/\./\\./g;
+ $name .= "$elem.";
+ $offset += $len;
++ $pkt_offset+= $len if !$hasPtr;
++ $checked += $len;
+ }
+ }
+
+ $name =~ s/\.$//;
+- return ($name, $offset);
++ return ($name, $pkt_offset);
+ }
+
+ =head2 sign_tsig
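Review bot: The context line `my($name2) = dn_expand_PP($packet, $ptr); # pass $seen for debugging` survives in the pointer branch of `dn_expand_PP` (51_endless_loop.dpatch, second inner hunk), although the lines that consumed `$name2` are removed and the loop now follows the pointer itself with `$offset = $ptr; ... next;`. As shown, every compression pointer still triggers a recursive call before the loop continues, and because `$checked` is a fresh lexical in each call, the new `$checked > $packetlen` guard does not bound that recursion, so the unbounded-recursion case the changelog lists as CVE-2007-3409 appears to remain reachable. That line should be deleted so pointers are followed only by the loop, where the guard applies; the trailing comment `# $seen from $_[2] for debugging` on the argument line is then stale as well. The part of `dn_expand_PP` between the first and second inner hunks is not visible here, so this should be confirmed against the full file.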