Hi

Please find attached the NMU patch for this issue and an issue with open 
debconf file descriptors that left the postinst script hanging.

Cheers
Steffen
diff -u hybserv-1.9.2/debian/changelog hybserv-1.9.2/debian/changelog
--- hybserv-1.9.2/debian/changelog
+++ hybserv-1.9.2/debian/changelog
@@ -1,3 +1,14 @@
+hybserv (1.9.2-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Fix DoS via commands with tabs (Closes: #550389)
+    Fixes: CVE-2010-0303
+  * Add db_stop into hybserv.postinst to avoid that the postinst script
+    hangs due to open debconf file descriptors
+    Thanks to Julien Cristau
+
+ -- Steffen Joeris <wh...@debian.org>  Fri, 29 Jan 2010 14:30:27 +0100
+
 hybserv (1.9.2-4) unstable; urgency=low
 
   * Update 01_fhs+mkdirfix.dpatch:
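Review bot: The "Fix DoS via commands with tabs" entry in the new 1.9.2-4.1 stanza does not say which file carries the fix. Naming the new patch (03_commands_DoS.dpatch, added to 00list in this same diff) in that bullet would let someone reading only the changelog find the change for CVE-2010-0303. The db_stop bullet would also read more cleanly as "to prevent the postinst script from hanging".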
diff -u hybserv-1.9.2/debian/hybserv.postinst hybserv-1.9.2/debian/hybserv.postinst
--- hybserv-1.9.2/debian/hybserv.postinst
+++ hybserv-1.9.2/debian/hybserv.postinst
@@ -10,2 +10,4 @@
 
+db_stop
+
 #DEBHELPER#
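Review bot: The new db_stop line directly above #DEBHELPER# has no comment explaining why it must sit there, and its position is what makes the fix work. Whatever debhelper expands at #DEBHELPER# runs after debconf has been stopped, so it no longer holds the debconf file descriptors that the changelog blames for the hang. A one-line comment such as "# stop debconf before the debhelper snippets run" would keep a later edit from moving it below the marker. Since no debconf command can be issued after db_stop, also confirm that nothing generated at #DEBHELPER# for this package still needs to talk to debconf.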
diff -u hybserv-1.9.2/debian/patches/00list hybserv-1.9.2/debian/patches/00list
--- hybserv-1.9.2/debian/patches/00list
+++ hybserv-1.9.2/debian/patches/00list
@@ -2,0 +3 @@
+03_commands_DoS
only in patch2:
unchanged:
--- hybserv-1.9.2.orig/debian/patches/03_commands_DoS.dpatch
+++ hybserv-1.9.2/debian/patches/03_commands_DoS.dpatch
@@ -0,0 +1,14 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+...@dpatch@
+--- ../old/hybserv-1.9.2/src/mystring.c	2005-11-29 11:40:00.000000000 +0000
++++ hybserv-1.9.2/src/mystring.c	2010-01-29 09:58:15.000000000 +0000
+@@ -142,7 +142,7 @@
+ 		else
+ 			return x;
+ 
+-		while (*buf == ' ')
++		while (IsSpace(*buf))
+ 			++buf;
+ 
+ 		if (*buf == '\0')
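Review bot: Only the leading-whitespace skip loop in src/mystring.c (the "while (*buf == ' ')" line) is switched to IsSpace(*buf); the hunk shows no other separator test in this function being touched. Please check that the code that finds the end of each token uses the same IsSpace test, since a mismatch between "what is skipped" and "what ends a token" is the kind of disagreement that lets tab-separated input reach code expecting a non-empty argument. Separately, the dpatch file goes straight from the shebang line to the dpatch marker with no "## DP:" description lines; adding one that states the purpose and references CVE-2010-0303 would document the patch in place.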
