[Pkg-xmpp-commits] [SCM] Jabberd2 XMPP server branch, master, updated. upstream/2.2.8-16-gdec816c

W. van den Akker wvdakker at wilsoft.nl
Wed Jan 16 08:27:15 UTC 2013 

The following commit has been merged in the master branch:
commit a09ef0a9916ebe68d2816abc54db5c25aac8e068
Author: W. van den Akker <wvdakker at wilsoft.nl>
Date:   Wed Jan 16 09:13:03 2013 +0100

    Patch for billion laughs DoS attack (CVE-2011-1755.dpatch).

diff --git a/debian/changelog b/debian/changelog
index 57fd4fd..950430c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jabberd2 (2.2.8-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Prevent entity expansion in order to prevent about
+    the billion laughs DoS attack (CVE-2011-1755.dpatch).
+
+ -- Nico Golde <nion at debian.org>  Mon, 30 May 2011 23:40:50 +0200
+
 jabberd2 (2.2.8-2) unstable; urgency=low
 
   * Deletes resolver configuration files (Closes: #528105).
diff --git a/debian/patches/00list b/debian/patches/00list
index 352b3b1..e276d3d 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -3,3 +3,4 @@ etc_pidpath.dpatch
 etc_logpath.dpatch
 etc_dbpath.dpatch
 implicit-pointer-conversion.dpatch
+CVE-2011-1755.dpatch
diff --git a/debian/patches/CVE-2011-1755.dpatch b/debian/patches/CVE-2011-1755.dpatch
new file mode 100644
index 0000000..3f4fab6
--- /dev/null
+++ b/debian/patches/CVE-2011-1755.dpatch
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2011-1755.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: disable entity expansian to prevent billion laughs attack
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' jabberd2-2.2.8~/sx/sx.c jabberd2-2.2.8/sx/sx.c
+--- jabberd2-2.2.8~/sx/sx.c	2009-04-27 11:05:13.000000000 +0200
++++ jabberd2-2.2.8/sx/sx.c	2011-05-30 23:40:27.000000000 +0200
+@@ -36,6 +36,7 @@
+     s->expat = XML_ParserCreateNS(NULL, '|');
+     XML_SetReturnNSTriplet(s->expat, 1);
+     XML_SetUserData(s->expat, (void *) s);
++    XML_SetDefaultHandler(s->expat, NULL);
+ 
+     s->wbufq = jqueue_new();
+     s->rnadq = jqueue_new();
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' jabberd2-2.2.8~/util/nad.c jabberd2-2.2.8/util/nad.c
+--- jabberd2-2.2.8~/util/nad.c	2009-04-27 11:05:15.000000000 +0200
++++ jabberd2-2.2.8/util/nad.c	2011-05-30 23:40:27.000000000 +0200
+@@ -1331,6 +1331,7 @@
+         return NULL;
+ 
+     XML_SetReturnNSTriplet(p, 1);
++    XML_SetDefaultHandler(p, NULL);
+ 
+     bd.nad = nad_new();
+     bd.depth = 0;

-- 
Jabberd2 XMPP server

More information about the Pkg-xmpp-commits mailing list