diff -u mplayer-1.0~rc1/debian/changelog mplayer-1.0~rc1/debian/changelog
--- mplayer-1.0~rc1/debian/changelog
+++ mplayer-1.0~rc1/debian/changelog
@@ -1,3 +1,12 @@
+mplayer (2:1.0~rc1-0ubuntu9.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: buffer overrun in cddb code (LP: #118855).
+ * stream/stream_cddb.c: Apply upstream patch.
+ * References:
+ - CVE-2007-2948
+
+ -- William Grant Mon, 11 Jun 2007 11:08:49 +1000
+
 mplayer (2:1.0~rc1-0ubuntu9) feisty; urgency=low
 * Rebuild to get correct version of libdirectfb
only in patch2:
unchanged:
--- mplayer-1.0~rc1.orig/stream/stream_cddb.c
+++ mplayer-1.0~rc1/stream/stream_cddb.c
@@ -435,7 +435,7 @@
 switch(status) {
 case 210:
- ret = sscanf( http_hdr->body, "%d %s %08lx", &status, category, &disc_id);
+ ret = sscanf( http_hdr->body, "%d %99s %08lx", &status, category, &disc_id);
 if( ret!=3 ) {
 mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
 return -1;
@@ -496,7 +496,7 @@
 ptr++;
 // We have a list of exact/inexact matches, so which one do we use?
 // So let's take the first one.
- ret = sscanf(ptr, "%s %08lx %s", cddb_data->category, &(cddb_data->disc_id), album_title);
+ ret = sscanf(ptr, "%99s %08lx %99s", cddb_data->category, &(cddb_data->disc_id), album_title);
 if( ret!=3 ) {
 mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
 return -1;
@@ -533,7 +533,7 @@
 switch(status) {
 case 200:
 // Found exact match
- ret = sscanf(http_hdr->body, "%d %s %08lx %s", &status, cddb_data->category, &(cddb_data->disc_id), album_title);
+ ret = sscanf(http_hdr->body, "%d %99s %08lx %99s", &status, cddb_data->category, &(cddb_data->disc_id), album_title);
 if( ret!=4 ) {
 mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
 return -1;
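Review bot: The `99` in `"%d %99s %08lx"` (hunk `@@ -435,7 +435,7 @@`) is a bare literal that is only correct while `category` holds at least 100 bytes, and that declaration is outside the hunk. The same coupling applies to `cddb_data->category` and `album_title` in the hunks at 496 and 533. A comment at each call, such as `/* width 99 == sizeof(category) - 1; keep in sync with the declaration */`, would make the dependency visible so that a later change to a buffer size does not silently reintroduce the overrun. The enclosing function starts and ends outside the hunk.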
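Review bot: An over-long field is now truncated silently instead of being rejected: in `"%99s %08lx %99s"` (hunk `@@ -496,7 +496,7 @@`) the first `%99s` stops after 99 characters and the rest of that token is handed to `%08lx`, so a line whose remainder happens to start with hex digits can still produce `ret == 3` with a wrong `disc_id`, and an over-long final token is simply cut. The hunk at 533 has the same pattern behind its `ret!=4` check. Since this text appears to come from the CDDB server response, consider treating a field that fills its buffer as a parse error, for example `if( strlen(cddb_data->category)==99 ) return -1;` after the `ret` check, provided no legitimate category is that long. The enclosing block continues outside the hunk.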