Version in base suite: 1.0.4-2
Version in overlay suite: (not present)

Base version: mysql-ocaml_1.0.4-2
Target version: mysql-ocaml_1.0.4-2+etch1
Base file: /org/ftp.debian.org/ftp/pool/main/m/mysql-ocaml/mysql-ocaml_1.0.4-2.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/mysql-ocaml_1.0.4-2+etch1.dsc

 debian/patches/real_escape.dpatch       |  116 ++++++++++++++++++++++++++++++++
 mysql-ocaml-1.0.4/debian/changelog      |    9 ++
 mysql-ocaml-1.0.4/debian/patches/00list |    1 
 3 files changed, 125 insertions(+), 1 deletion(-)

diff -u mysql-ocaml-1.0.4/debian/patches/00list mysql-ocaml-1.0.4/debian/patches/00list
--- mysql-ocaml-1.0.4/debian/patches/00list
+++ mysql-ocaml-1.0.4/debian/patches/00list
@@ -1,0 +2 @@
+real_escape
diff -u mysql-ocaml-1.0.4/debian/changelog mysql-ocaml-1.0.4/debian/changelog
--- mysql-ocaml-1.0.4/debian/changelog
+++ mysql-ocaml-1.0.4/debian/changelog
@@ -1,3 +1,11 @@
+mysql-ocaml (1.0.4-2+etch1) oldstable-security; urgency=high
+
+  * Non-maintainer upload to fix a security bug.
+  * Add a patch to add a binding to mysql_real_escape whose name is
+    real_escape (CVE-2009-2942).
+
+ -- Mehdi Dogguy <mehdi@debian.org>  Wed, 07 Oct 2009 23:45:59 +0200
+
 mysql-ocaml (1.0.4-2) unstable; urgency=low
 
   * Rebuild with OCaml 3.09.2.
@@ -108 +115,0 @@
-
only in patch2:
unchanged:
--- mysql-ocaml-1.0.4.orig/debian/patches/real_escape.dpatch
+++ mysql-ocaml-1.0.4/debian/patches/real_escape.dpatch
@@ -0,0 +1,116 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## real_escape.dpatch by Mehdi Dogguy <mehdi@debian.org>
+##
+## DP: Add a binding for mysql_real_escape_string.
+
+@DPATCH@
+diff -urNad mysql-ocaml~/mysql.ml mysql-ocaml/mysql.ml
+--- mysql-ocaml~/mysql.ml	2009-10-01 22:56:38.000000000 +0200
++++ mysql-ocaml/mysql.ml	2009-10-07 23:59:24.000000000 +0200
+@@ -333,6 +333,7 @@
+ external real_status     : dbd -> int                         = "db_status"
+ external errmsg     : dbd -> string option                  = "db_errmsg"
+ external escape     : string -> string                      = "db_escape"
++external real_escape: dbd -> string -> string               = "db_real_escape"
+ external fetch      : result -> string option array option  = "db_fetch" 
+ external to_row     : result -> int64 -> unit                 = "db_to_row"
+ external size       : result -> int64                         = "db_size"
+@@ -516,7 +517,9 @@
+    the corresponding type *)
+   
+ let ml2str str  = "'" ^ escape str ^ "'"
++let ml2rstr conn str = "'" ^ real_escape conn str ^ "'"
+ let ml2blob     = ml2str
++let ml2rblob    = ml2rstr
+ let ml2int x    = string_of_int x
+ let ml2decimal x    = x
+ let ml322int x  = Int32.to_string x
+@@ -524,12 +527,15 @@
+ let mlnative2int x = Nativeint.to_string x
+ let ml2float x  = string_of_float x
+ let ml2enum x   = escape x
+-let ml2set x    = let rec loop arg = match arg with
+-                    | []        -> ""
+-                    | [x]       -> escape x
+-                    | x::y::ys  -> escape x ^ "," ^ loop (y::ys)
+-                  in
+-                    loop x  
++let ml2renum x  = real_escape x
++let ml2set_filter f x =
++  let rec loop f = function
++  | []        -> ""
++  | [x]       -> f x
++  | x::y::ys  -> f x ^ "," ^ loop f (y::ys)
++  in loop f x
++let ml2set x       = ml2set_filter escape x
++let ml2rset conn x = ml2set_filter (real_escape conn) x
+ 
+ let ml2datetimel ~year ~month ~day ~hour ~min ~sec =
+     Printf.sprintf "'%04d-%02d-%02d %02d:%02d:%02d'"
+diff -urNad mysql-ocaml~/mysql.mli mysql-ocaml/mysql.mli
+--- mysql-ocaml~/mysql.mli	2009-10-01 22:56:38.000000000 +0200
++++ mysql-ocaml/mysql.mli	2009-10-07 23:59:24.000000000 +0200
+@@ -230,6 +230,7 @@
+ (** [escape str] returns the same string as [str] in MySQL syntax with
+   special characters quoted to not confuse the MySQL parser *)
+ val escape : string -> string 
++val real_escape : dbd -> string -> string
+ 
+ (** [xxx2ml str] decodes a MySQL value of type xxx into a corresponding
+   OCaml value *)
+@@ -277,14 +278,18 @@
+ (** [ml2xxx v] encodes [v] into MySQL syntax. *)
+ 
+ val ml2str          : string -> string
++val ml2rstr         : dbd -> string -> string
+ val ml2blob         : string -> string
++val ml2rblob        : dbd -> string -> string
+ val ml2int          : int -> string
+ val ml2decimal      : string -> string
+ val ml322int        : int32 -> string
+ val ml642int        : int64 -> string
+ val ml2float        : float -> string
+ val ml2enum         : string -> string
++val ml2renum        : dbd -> string -> string
+ val ml2set          : string list -> string
++val ml2rset         : dbd -> string list -> string
+ val ml2datetime     : int * int * int * int * int * int -> string
+ val ml2datetimel    : year:int -> month:int -> day:int -> hour:int -> min:int -> sec:int -> string
+ val ml2date         : int * int * int -> string
+diff -urNad mysql-ocaml~/mysql_stubs.c mysql-ocaml/mysql_stubs.c
+--- mysql-ocaml~/mysql_stubs.c	2009-10-01 22:56:38.000000000 +0200
++++ mysql-ocaml/mysql_stubs.c	2009-10-07 23:59:24.000000000 +0200
+@@ -472,6 +472,33 @@
+   CAMLreturn(res);
+ }
+ 
++EXTERNAL value
++db_real_escape(value dbd, value str)
++{
++  CAMLparam2(dbd, str);
++  char *s;
++  char *buf;
++  int len, esclen;
++  MYSQL *mysql;
++  CAMLlocal1(res);
++
++  check_dbd(dbd, "escape");
++  mysql = DBDmysql(dbd);
++
++  s = String_val(str);
++  len = string_length(str);
++  buf = (char*) stat_alloc(2*len+1);
++  caml_enter_blocking_section();
++  esclen = mysql_real_escape_string(mysql,buf,s,len);
++  caml_leave_blocking_section();
++
++  res = alloc_string(esclen);
++  memcpy(String_val(res), buf, esclen);
++  stat_free(buf);
++
++  CAMLreturn(res);
++}
++
+ /*
+  * db_size -- returns the size of the current result (number of rows).
+  */