diff -u libxfcegui4-4.3.90.2svn+r21598/debian/changelog libxfcegui4-4.3.90.2svn+r21598/debian/changelog
--- libxfcegui4-4.3.90.2svn+r21598/debian/changelog
+++ libxfcegui4-4.3.90.2svn+r21598/debian/changelog
@@ -1,3 +1,16 @@
+libxfcegui4 (4.3.90.2svn+r21598-0ubuntu2.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE:
+ + debian/patches/CVE_2007_6532.patch
+ - Double free vulnerability in the Widget Library (libxfcegui4) in Xfce
+ before 4.4.2 might allow remote attackers to execute arbitrary code via
+ unknown vectors related to the "cliend id, program name and working
+ directory in session management."
+ * References:
+ + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6532
+
+ -- Gauvain Pocentek Fri, 27 Jun 2008 23:12:07 +0200
+
 libxfcegui4 (4.3.90.2svn+r21598-0ubuntu2) dapper; urgency=low
 
 * Add patch from Daniele Favara to support more of the icon naming
only in patch2:
unchanged:
--- libxfcegui4-4.3.90.2svn+r21598.orig/debian/patches/CVE_2007_6532.patch
+++ libxfcegui4-4.3.90.2svn+r21598/debian/patches/CVE_2007_6532.patch
@@ -0,0 +1,26 @@
+diff -Nur -x '*.orig' -x '*~' libxfcegui4-4.3.90.2svn+r21598/libxfcegui4/session-client.c libxfcegui4-4.3.90.2svn+r21598.new/libxfcegui4/session-client.c
+--- libxfcegui4-4.3.90.2svn+r21598/libxfcegui4/session-client.c 2006-05-02 08:10:50.000000000 +0200
++++ libxfcegui4-4.3.90.2svn+r21598.new/libxfcegui4/session-client.c 2008-06-27 23:11:38.000000000 +0200
+@@ -741,11 +741,11 @@
+ session_client->interact_style = SESSION_INTERACT_NONE;
+ session_client->session_connection = NULL;
+ session_client->priority = priority;
+- session_client->client_id = client_id;
++ session_client->client_id = g_strdup (client_id);
+ session_client->given_client_id = NULL;
+ if (program)
+ {
+- session_client->program = program;
++ session_client->program = g_strdup (program);
+ }
+ else
+ {
+@@ -753,7 +753,7 @@
+ }
+ if (current_directory)
+ {
+- session_client->current_directory = current_directory;
++ session_client->current_directory = g_strdup (current_directory);
+ }
+ else
+ {
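Review bot: The `else` branches of `if (program)` and `if (current_directory)` fall outside both inner hunks, so this patch does not show whether the fallback values stored there are also heap copies. Since the three fields are now `g_strdup` copies, whatever releases the client will presumably `g_free` them, and a fallback pointing at a literal or caller-owned string would be invalid to free. The enclosing function starts before line 741 and continues past the second hunk, so the release path and any other assignment to `client_id`, `program` or `current_directory` in session-client.c should be checked for the same copy-on-store rule. I would also record the ownership contract above the assignments: `/* session_client keeps private copies of these strings; the caller retains ownership of its arguments */`. `g_strdup (NULL)` returns NULL, so the unguarded `client_id` copy is fine.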