diff -u cupsys-1.2.2/debian/changelog cupsys-1.2.2/debian/changelog
--- cupsys-1.2.2/debian/changelog
+++ cupsys-1.2.2/debian/changelog
@@ -1,3 +1,14 @@
+cupsys (1.2.2-0ubuntu0.6.06.6) dapper-security; urgency=low
+
+ * SECURITY UPDATE: tempfile race, denial of service in SNMP backend.
+ * Add 70_CVE-2007-6358.dpatch, 71_CVE-2007-5849.dpatch: upstream fixes
+ thanks to Kenshi Muto.
+ * References
+ CVE-2007-6358
+ CVE-2007-5849
+
+ -- Kees Cook Mon, 07 Jan 2008 16:08:28 -0800
+
 cupsys (1.2.2-0ubuntu0.6.06.4) dapper-security; urgency=low
 
 * SECURITY UPDATE: arbitrary code execution via stack overflow.
diff -u cupsys-1.2.2/debian/patches/00list cupsys-1.2.2/debian/patches/00list
--- cupsys-1.2.2/debian/patches/00list
+++ cupsys-1.2.2/debian/patches/00list
@@ -25,0 +26,2 @@
+70_CVE-2007-6358.dpatch
+71_CVE-2007-5849.dpatch
only in patch2: unchanged:
--- cupsys-1.2.2.orig/debian/patches/70_CVE-2007-6358.dpatch
+++ cupsys-1.2.2/debian/patches/70_CVE-2007-6358.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_CVE-2007-6358.dpatch by Kees Cook
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad cupsys-1.2.2~/debian/pdftops cupsys-1.2.2/debian/pdftops
+--- cupsys-1.2.2~/debian/pdftops 2008-01-07 16:03:13.000000000 -0800
++++ cupsys-1.2.2/debian/pdftops 2008-01-07 16:18:11.000000000 -0800
+@@ -68,6 +68,7 @@
+ # ------------------------------------------------------------------------------
+
+ use File::Copy;
++use File::Temp qw( tempfile );
+
+ #
+ # Check the arguments
+@@ -87,15 +88,21 @@
+
+ if (! defined $pdffile)
+ {
+- my $tmpfile = $ENV{TMPDIR} . "pdfin.$$.tmp";
+- open (TEMP, ">$tmpfile") || die ("ERROR: pdftops wrapper: $tmpfile: $!\n");
+- if (! copy (\*STDIN, \*TEMP))
++ my $template = "pdfinXXXXXX";
++ my $tmpdir = $ENV{TMPDIR};
++ my ($bytes, $buffer);
++ my ($tmpfh, $tmpfile) = tempfile ($template, OPEN => 1, DIR => $tmpdir, UNLINK => 0, SUFFIX => '.tmp');
++ while (($bytes = read (STDIN, $buffer, 1024)) > 0)
+ {
+- close (TEMP);
++ print $tmpfh "$buffer";
++ }
++ if ($bytes < 0)
++ {
++ close ($tmpfh);
+ unlink $tmpfile;
+ die ("ERROR: pdftops wrapper: $tmpfile: $!\n");
+ }
+- close (TEMP);
++ close ($tmpfh);
+ $pdffile = $tmpfile;
+ $delete_input = 1; # for deleting the temp file after converting
+ }
only in patch2: unchanged:
--- cupsys-1.2.2.orig/debian/patches/71_CVE-2007-5849.dpatch
+++ cupsys-1.2.2/debian/patches/71_CVE-2007-5849.dpatch
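Review bot: The error branch after the copy loop can never run, because Perl's `read` returns `undef` on failure and 0 at end of file, never a negative number; `if ($bytes < 0)` is therefore always false and a failed read of STDIN is treated as a clean EOF, so a truncated temp file is assigned to `$pdffile`. Testing `if (! defined $bytes)` restores the close/unlink/die path. The results of `print $tmpfh "$buffer"` and the final `close ($tmpfh)` are also unchecked, so a short write (for example a full spool directory) goes unnoticed; `print $tmpfh $buffer or die (...)` plus a checked close would surface it. The `## DP: No description.` header, here and in 71_CVE-2007-5849.dpatch, would be more useful as a one-line summary of the fix. The enclosing `if (! defined $pdffile)` block is only partly visible and the rest of the wrapper is outside the hunk.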
@@ -0,0 +1,48 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 71_CVE-2007-5849.dpatch by Kees Cook
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad cupsys-1.2.2~/backend/snmp.c cupsys-1.2.2/backend/snmp.c
+--- cupsys-1.2.2~/backend/snmp.c 2006-07-13 12:59:36.000000000 -0700
++++ cupsys-1.2.2/backend/snmp.c 2008-01-07 16:18:28.000000000 -0800
+@@ -940,10 +940,24 @@
+ char *string, /* I - String buffer */
+ int strsize) /* I - String buffer size */
+ {
+- if (length < strsize)
++ if (length < 0)
+ {
+- memcpy(string, *buffer, length);
+- string[length] = '\0';
++ /*
++ * Disallow negative lengths!
++ */
++
++ fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length);
++ *string = '\0';
++ }
++ else if (length < strsize)
++ {
++ /*
++ * String is smaller than the buffer...
++ */
++
++ if (length > 0)
++ memcpy(string, *buffer, length);
++ string[length] = '\0';
+ }
+ else
+ {
+@@ -951,7 +965,8 @@
+ string[strsize - 1] = '\0';
+ }
+
+- (*buffer) += length;
++ if (length > 0)
++ (*buffer) += length;
+
+ return (string);
+ }
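Review bot: The copy is now bounded below by zero and above by `strsize`, but nothing visible in either hunk compares `length` with the number of bytes actually left in the received packet. A positive length larger than the remaining input would still make `memcpy(string, *buffer, length)` read past the data and leave `*buffer` pointing beyond it after `(*buffer) += length`. The parameter list begins outside the hunk, so if an end-of-input pointer is passed in, clamping first would close this, e.g. `if (length > (int)(bufend - *buffer)) length = (int)(bufend - *buffer);`, where `bufend` stands for whatever end pointer the caller has. The negative-length branch also returns an empty string without advancing `*buffer` or signalling failure, so the caller presumably continues decoding from the same offset; a comment stating that this is intended, or an error return the caller can act on, would make the behaviour explicit.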