diff -u amule-2.2.4/debian/changelog amule-2.2.4/debian/changelog
--- amule-2.2.4/debian/changelog
+++ amule-2.2.4/debian/changelog
@@ -1,3 +1,16 @@
+amule (2.2.4-1ubuntu1.1) jaunty-security; urgency=low
+
+  * SECURITY UPDATE: Incomplete escaping in filenames allows remote attackers 
+    to conduct argument injection attacks into a command via a crafted 
+    filename. (LP: #396807)
+    - src/DownloadListCtrl.cpp sanitises the downloaded filenames but does 
+      not escape ticks in filenames correctly.
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078
+    - Patch by Sam Hocevar
+    - CVE-2009-1440
+
+ -- Andreas Moog <amoog@ubuntu.com>  Wed, 08 Jul 2009 01:59:01 +0200
+
 amule (2.2.4-1ubuntu1) jaunty; urgency=low
 
   * Merge from debian unstable (LP: #355046), remaining changes:
diff -u amule-2.2.4/debian/patches/series amule-2.2.4/debian/patches/series
--- amule-2.2.4/debian/patches/series
+++ amule-2.2.4/debian/patches/series
@@ -3,0 +4 @@
+CVE-2009-1440.patch
only in patch2:
unchanged:
--- amule-2.2.4.orig/debian/patches/CVE-2009-1440.patch
+++ amule-2.2.4/debian/patches/CVE-2009-1440.patch
@@ -0,0 +1,21 @@
+# Description: Fix for CVE-2009-1440, an attacker could inject arguments via crafted filenames
+# Ubuntu: https://bugs.edge.launchpad.net/bugs/396807
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078
+# Upstream: http://www.amule.org/abugs/view.php?id=1515
+# Patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=34;filename=nmu.patch;att=1;bug=525078
+Index: amule-2.2.4/src/DownloadListCtrl.cpp
+===================================================================
+--- amule-2.2.4.orig/src/DownloadListCtrl.cpp	2009-07-08 01:58:13.986653298 +0200
++++ amule-2.2.4/src/DownloadListCtrl.cpp	2009-07-08 01:58:23.294653170 +0200
+@@ -2295,6 +2295,11 @@
+ 		// This is a complete file
+ 		// FIXME: This is probably not going to work if the filenames are mangled ...
+ 		wxString rawFileName = file->GetFullName().GetRaw();
++
++#ifndef __WXMSW__
++		rawFileName.Replace(QUOTE, wxT("\\") QUOTE);
++#endif
++
+ 		if (!command.Replace(wxT("$file"), rawFileName)) {
+ 			// No magic string, so we just append the filename to the player command
+ 			// Need to use quotes in case filename contains spaces