diff -u clamav-0.91.2/debian/changelog clamav-0.91.2/debian/changelog
--- clamav-0.91.2/debian/changelog
+++ clamav-0.91.2/debian/changelog
@@ -1,3 +1,11 @@
+clamav (0.91.2-3ubuntu2.4) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: Possible heap corruprion
+ * Added 31_mew.c-CVE-2008-0728.dpatch
+ * References: CVE-2008-0728 ( LP: #213500 )
+
+ -- Leonel Nunez Mon, 07 Apr 2008 17:32:39 -0600
+
 clamav (0.91.2-3ubuntu2.3) gutsy-security; urgency=low
 
 * SECURITY UPDATE: possible integer overflow and tempfile symlink
diff -u clamav-0.91.2/debian/patches/00list clamav-0.91.2/debian/patches/00list
--- clamav-0.91.2/debian/patches/00list
+++ clamav-0.91.2/debian/patches/00list
@@ -10,0 +11 @@
+31_mew.c-CVE-2008-0728.dpatch
only in patch2:
unchanged:
--- clamav-0.91.2.orig/debian/patches/31_mew.c-CVE-2008-0728.dpatch
+++ clamav-0.91.2/debian/patches/31_mew.c-CVE-2008-0728.dpatch
@@ -0,0 +1,52 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 31_mew.c-CVE-2008-0728.dpatch by Leonel Nunez
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.91.2~/libclamav/mew.c clamav-0.91.2/libclamav/mew.c
+--- clamav-0.91.2~/libclamav/mew.c 2008-04-07 17:28:19.000000000 -0600
++++ clamav-0.91.2/libclamav/mew.c 2008-04-07 17:31:29.000000000 -0600
+@@ -775,7 +775,7 @@
+ int unmew11(int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)
+ {
+ uint32_t entry_point, newedi, loc_ds=dsize, loc_ss=ssize;
+- char *source = src + dsize + off; /*EC32(section_hdr[sectnum].VirtualSize) + off;*/
++ char *source = src + dsize + off;
+ char *lesi = source + 12, *ledi;
+ char *f1, *f2;
+ int i;
+@@ -785,13 +785,15 @@
+ entry_point = cli_readint32(source + 4);
+ newedi = cli_readint32(source + 8);
+ ledi = src + (newedi - vma);
++ loc_ds = size_sum - (newedi - vma);
+ 
+ i = 0;
+- ssize -= 12;
++ loc_ss -= 12;
++ loc_ss -= off;
+ while (1)
+ {
+- cli_dbgmsg("MEW unpacking section %d (%08x->%08x)\n", i, lesi, ledi);
+- if (!CLI_ISCONTAINED(src, size_sum, lesi, 4) || !CLI_ISCONTAINED(src, size_sum, ledi, 4))
++ cli_dbgmsg("MEW unpacking section %d (%p->%p)\n", i, lesi, ledi);
++ if (!CLI_ISCONTAINED(src, size_sum, lesi, loc_ss) || !CLI_ISCONTAINED(src, size_sum, ledi, loc_ds))
+ {
+ cli_dbgmsg("Possibly programmer error or hand-crafted PE file, report to clamav team\n");
+ return -1;
+@@ -811,10 +813,11 @@
+ 
+ /* XXX */
+ loc_ss -= (f1+4-lesi);
+- loc_ds -= (f2-ledi);
+- ledi = src + (cli_readint32(f1) - vma);
+ lesi = f1+4;
+ 
++ ledi = src + (cli_readint32(f1) - vma);
++ loc_ds = size_sum - (cli_readint32(f1) - vma);
++
+ if (!uselzma)
+ {
+ uint32_t val = PESALIGN(f2 - src, 0x1000);
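Review bot: In the mew.c change carried by this dpatch, `loc_ds = size_sum - (newedi - vma);` subtracts an offset read from the scanned file without first checking that it lies inside the buffer, so an out-of-range `newedi` wraps the `uint32_t` `loc_ds`, and `ledi` may already point outside `src` before `CLI_ISCONTAINED` runs; the same pattern recurs at `loc_ds = size_sum - (cli_readint32(f1) - vma);` in the last inner hunk. Whether a wrapped size is always rejected depends on the `CLI_ISCONTAINED` macro, which is defined outside this patch, so an explicit guard ahead of the pointer arithmetic would make the bound self-evident: `if (newedi < vma || newedi - vma >= size_sum) return -1;`. `loc_ss -= 12; loc_ss -= off;` can wrap the same way if `ssize` is smaller than `off + 12`, which the visible lines do not rule out. The dpatch header still reads `## DP: No description.`; a line such as `## DP: Bound MEW source/destination sizes in unmew11 (CVE-2008-0728)` would record what the patch is for. `vma` and `size_sum` are declared outside the inner hunks shown, and unmew11's body continues beyond them.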