diff -u openafs-1.4.1/debian/control openafs-1.4.1/debian/control
--- openafs-1.4.1/debian/control
+++ openafs-1.4.1/debian/control
@@ -1,7 +1,8 @@
 Source: openafs
 Section: net
 Priority: optional
-Maintainer: Sam Hartman
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Sam Hartman
 Uploaders: Russ Allbery
 Build-Depends: debhelper (>= 4.1.16), libncurses5-dev, libpam0g-dev, bison, docbook-to-man, flex, perl, comerr-dev, libkrb5-dev
 Standards-Version: 3.6.2
diff -u openafs-1.4.1/debian/changelog openafs-1.4.1/debian/changelog
--- openafs-1.4.1/debian/changelog
+++ openafs-1.4.1/debian/changelog
@@ -1,3 +1,20 @@
+openafs (1.4.1-2+ubuntu0.1) dapper-security; urgency=low
+
+ * Apply upstream security patches from 1.4.9 (LP: #356861, #180792,
+ #94787):
+ - OPENAFS-SA-2007-001: Avoid a potential privilege escalation from a
+ spoofed setuid file by disabling setuid on all cells by default.
+ (CVE-2007-1507)
+ - OPENAFS-SA-2007-003: Avoid a potential denial of service against an
+ AFS fileserver. (CVE-2007-6599)
+ - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
+ items than requested are returned from an InlineBulk or BulkStatus
+ message. (CVE-2009-1251)
+ - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
+ kernel memory pointers. (CVE-2009-1250)
+
+ -- Evan Broder Thu, 16 Apr 2009 11:16:19 -0400
+
 openafs (1.4.1-2) unstable; urgency=low
 * Exit successfully in the openafs-client init script if no module is
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/viced/afsfileprocs.c
+++ openafs-1.4.1/src/viced/afsfileprocs.c
@@ -6055,7 +6055,9 @@
 (tcon->peer ? tcon->peer->host : 0)));
 errorCode = GetClient(tcon, &client);
 if (!errorCode) {
+ H_LOCK;
 DeleteAllCallBacks_r(client->host, 1);
+ H_UNLOCK;
 PutClient(&client);
 }
 } else {
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/viced/host.c
+++ openafs-1.4.1/src/viced/host.c
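Review bot: The new H_LOCK/H_UNLOCK pair brackets only the DeleteAllCallBacks_r() call and nothing in the hunk records why the lock is required there, so the next reader has to rediscover the locking rule; a one-line comment on the H_LOCK line would fix that, e.g. `/* DeleteAllCallBacks_r() expects the caller to hold H_LOCK */`. The `_r` suffix suggests a caller-locked variant, but that convention is not visible in this hunk, so confirm it against callback.c before wording the comment. The enclosing function begins and ends outside the hunk.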
@@ -1242,6 +1242,7 @@
 host->interface ? uuid2 : ""));
 /* The host in the cache is not the host for this connection */
+ h_Lock_r(host);
 host->hostFlags |= HOSTDELETED;
 h_Unlock_r(host);
 if (!held)
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/viced/callback.c
+++ openafs-1.4.1/src/viced/callback.c
@@ -493,7 +493,7 @@
 CcdelB++;
 *cbp = cb->cnext;
 FreeCB(cb);
- if (deletefe && (--fe->ncbs == 0))
+ if ((--fe->ncbs == 0) && deletefe)
 FDel(fe);
 return 0;
 }
@@ -1030,6 +1030,7 @@
 TDel(cb);
 HDel(cb);
 FreeCB(cb);
+ fe->ncbs--;
 }
 FDel(fe);
 H_UNLOCK;
@@ -1860,7 +1861,7 @@
 read(fd, &tfirst, sizeof(tfirst));
 read(fd, &freelisthead, sizeof(freelisthead));
 CB = ((struct CallBack
- *)(calloc(cbstuff.nblks, sizeof(struct FileEntry)))) - 1;
+ *)(calloc(cbstuff.nblks, sizeof(struct CallBack)))) - 1;
 FE = ((struct FileEntry
 *)(calloc(cbstuff.nblks, sizeof(struct FileEntry)))) - 1;
 CBfree = (struct CallBack *)itocb(freelisthead);
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/afs/afs_cell.c
+++ openafs-1.4.1/src/afs/afs_cell.c
@@ -708,8 +708,7 @@
 tc->vlport = AFS_VLPORT;
 RWLOCK_INIT(&tc->lock, "cell lock");
 newc = 1;
- if (afs_thiscell && !strcmp(acellName, afs_thiscell))
- aflags &= ~CNoSUID;
+ aflags |= CNoSUID;
 }
 ObtainWriteLock(&tc->lock, 688);
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/afs/VNOPS/afs_vnop_lookup.c
+++ openafs-1.4.1/src/afs/VNOPS/afs_vnop_lookup.c
@@ -538,8 +538,6 @@
 int nskip; /* # of slots in the LRU queue to skip */
 struct vcache *lruvcp; /* vcache ptr of our goal pos in LRU queue */
 struct dcache *dcp; /* chunk containing the dir block */
- char *statMemp; /* status memory block */
- char *cbfMemp; /* callback and fid memory block */
 afs_size_t temp; /* temp for holding chunk length, &c. */
 struct AFSFid *fidsp; /* file IDs were collecting */
 struct AFSCallBack *cbsp; /* call back pointers */
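Review bot: The added `h_Lock_r(host)` pairs with the pre-existing `h_Unlock_r(host)` two lines below it, but if h_Lock_r() can block and drop the global host-table lock while it waits (not visible in this hunk), another thread may have modified or released the host before `host->hostFlags |= HOSTDELETED` runs. If that is possible, either re-validate the host after the lock is taken or add a comment stating why the window is safe, e.g. `/* our held reference keeps host valid across h_Lock_r() */`. The enclosing function starts and ends outside the hunk.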
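Review bot: The reordered condition `if ((--fe->ncbs == 0) && deletefe)` makes the decrement unconditional only by relying on the evaluation order of a side effect inside the test, which a later tidy-up can easily undo; hoist it so the intent is explicit: `fe->ncbs--;` followed by `if (fe->ncbs == 0 && deletefe) FDel(fe);`. The hunk at line 1030 maintains the same invariant (each FreeCB(cb) on a callback of fe is matched by a `fe->ncbs--`), so a comment there such as `/* keep fe->ncbs in step with the callbacks freed above */` would tie the two together; whether the following FDel(fe) assumes ncbs has reached zero is not visible. Both enclosing functions start and end outside their hunks.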
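Review bot: The corrected `calloc(cbstuff.nblks, sizeof(struct CallBack))` still has its result adjusted by `- 1` and stored without a NULL check, and the two `read()` calls in the context lines ignore their return values, so a short or failed read of the state file leaves `freelisthead` (and presumably `cbstuff.nblks`, read earlier outside the hunk) unset before they drive the allocation size and `itocb()`. Compare each `read()` result with the requested size and bail out before the allocations, and test both calloc results before the pointer adjustment. The enclosing function starts and ends outside the hunk.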
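Review bot: `aflags |= CNoSUID;` now forces the no-setuid flag on every newly created cell, overriding whatever the caller passed in `aflags`, and nothing in the hunk says so; add a comment on that line, e.g. `/* New cells start nosuid by default (OPENAFS-SA-2007-001, CVE-2007-1507); setuid must be enabled explicitly afterwards. */`. The removed afs_thiscell branch means the local cell is no longer treated differently here, which is worth stating in the same comment so nobody re-adds the special case. The enclosing function starts and ends outside the hunk.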
@@ -597,13 +595,11 @@
 * one for fids and callbacks, and one for stat info. Well set
 * up our pointers to the memory from there, too. */
- statMemp = osi_AllocLargeSpace(nentries * sizeof(AFSFetchStatus));
- statsp = (struct AFSFetchStatus *)statMemp;
- cbfMemp =
- osi_AllocLargeSpace(nentries *
- (sizeof(AFSCallBack) + sizeof(AFSFid)));
- fidsp = (AFSFid *) cbfMemp;
- cbsp = (AFSCallBack *) (cbfMemp + nentries * sizeof(AFSFid));
+ statsp = (AFSFetchStatus *)
+ osi_Alloc(AFSCBMAX * sizeof(AFSFetchStatus));
+ fidsp = (AFSFid *) osi_AllocLargeSpace(nentries * sizeof(AFSFid));
+ cbsp = (AFSCallBack *)
+ osi_Alloc(AFSCBMAX * sizeof(AFSCallBack));
 /* next, we must iterate over the directory, starting from the specified
 * cookie offset (dirCookie), and counting out nentries file entries.
@@ -1081,7 +1077,7 @@
 afs_PutVolume(volp, READ_LOCK);
 /* If we did the InlineBulk RPC pull out the return code */
- if (inlinebulk) {
+ if (inlinebulk && code == 0) {
 if ((&statsp[0])->errorCode) {
 afs_Analyze(tcp, (&statsp[0])->errorCode, &adp->fid, areqp,
 AFS_STATS_FS_RPCIDX_BULKSTATUS, SHARED_LOCK, NULL);
@@ -1091,8 +1087,9 @@
 code = 0;
 }
 done2:
- osi_FreeLargeSpace(statMemp);
- osi_FreeLargeSpace(cbfMemp);
+ osi_FreeLargeSpace((char *)fidsp);
+ osi_Free((char *)statsp, AFSCBMAX * sizeof(AFSFetchStatus));
+ osi_Free((char *)cbsp, AFSCBMAX * sizeof(AFSCallBack));
 return code;
 }
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/afs/LINUX/osi_vnodeops.c
+++ openafs-1.4.1/src/afs/LINUX/osi_vnodeops.c
@@ -45,6 +45,10 @@
 #define pageoff(pp) pp->offset
 #endif
+#ifndef MAX_ERRNO
+#define MAX_ERRNO 1000L
+#endif
+
 #if defined(AFS_LINUX26_ENV)
 #define UnlockPage(pp) unlock_page(pp)
 #endif
@@ -933,8 +937,10 @@
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,10)
 if (code == ENOENT)
 return ERR_PTR(0);
- else
+ else if ((code >= 0) && (code <= MAX_ERRNO))
 return ERR_PTR(-code);
+ else
+ return ERR_PTR(-EIO);
 #else
 if (code == ENOENT)
 code = 0;
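Review bot: None of the three allocations at the top of the hunk is checked for NULL before `statsp`, `fidsp` and `cbsp` are used, and the reason the two new osi_Alloc() calls are sized by AFSCBMAX instead of nentries is not recorded; add above them `/* statsp and cbsp hold AFSCBMAX entries because the server may return more items than the nentries we asked for (CVE-2009-1251). */`. Whether osi_Alloc() can fail in this kernel build is not visible here; if it can, the early-exit path must still reach the matching osi_Free() calls in the hunk at 1091 with NULL-safe arguments, and the sizes there must stay identical to the allocation sizes. The hunk at 1081 (`inlinebulk && code == 0`) looks right as far as the visible lines show, since statsp[0] is only meaningful after a successful RPC. The enclosing function starts before the hunk.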
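Review bot: The fallback `#define MAX_ERRNO 1000L` gives no hint of where the bound comes from or how it relates to the kernel's own definition, yet the same constant now gates pointer encoding in the hunk at 933 and in the one at 1237 on the next line of this page; a comment above the `#ifndef` would help, e.g. `/* Fallback for kernels that do not export MAX_ERRNO: error codes outside this range are not valid ERR_PTR() encodings and are mapped to -EIO (CVE-2009-1250). */`. Confirm the value against the kernels this package builds for, since a fallback larger than the kernel's real bound would reintroduce the bad-pointer case the change is meant to close.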
@@ -1237,7 +1243,10 @@
 if (code < 0) {
 dput(basep);
- res = ERR_PTR(code);
+ if (code < -MAX_ERRNO)
+ res = ERR_PTR(-EIO);
+ else
+ res = ERR_PTR(code);
 } else {
 name[code] = '\0';
 res = lookup_dentry(name, basep, follow);
only in patch2:
unchanged:
--- openafs-1.4.1.orig/src/sys/rmtsysc.c
+++ openafs-1.4.1/src/sys/rmtsysc.c
@@ -241,8 +241,14 @@
 InData.rmtbulk_len = data->in_size;
 InData.rmtbulk_val = inbuffer;
 inparam_conversion(cmd, InData.rmtbulk_val, 0);
- OutData.rmtbulk_len = data->out_size;
- OutData.rmtbulk_val = data->out;
+
+ OutData.rmtbulk_len = MAXBUFFERLEN * sizeof(*OutData.rmtbulk_val);
+ OutData.rmtbulk_val = malloc(OutData.rmtbulk_len);
+ if (!OutData.rmtbulk_val) {
+ free(inbuffer);
+ return -1;
+ }
+
 /* We always need to pass absolute pathnames to the remote pioctl since we
 * lose the current directory value when doing an rpc call. Below we
 * prepend the current absolute path directory, if the name is relative */
@@ -279,8 +285,15 @@
 if (!errorcode) {
 /* Do the conversions back to the host order; store the results back
 * on the same buffer */
- outparam_conversion(cmd, OutData.rmtbulk_val, 1);
+ if (data->out_size < OutData.rmtbulk_len) {
+ errno = EINVAL;
+ errorcode = -1;
+ } else {
+ memcpy(data->out, OutData.rmtbulk_val, data->out_size);
+ outparam_conversion(cmd, data->out, 1);
+ }
 }
+ free(OutData.rmtbulk_val);
 free(inbuffer);
 return errorcode;
 }
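Review bot: `memcpy(data->out, OutData.rmtbulk_val, data->out_size)` copies the caller's buffer size rather than the amount returned, so when `data->out_size` exceeds the MAXBUFFERLEN-sized buffer allocated in the hunk at 241 the copy reads past the end of that heap allocation, and when it is smaller than the allocation but larger than the returned length it copies uninitialised bytes into the caller's buffer. Copying the returned length instead, `memcpy(data->out, OutData.rmtbulk_val, OutData.rmtbulk_len);`, matches the guard two lines above and stays within both buffers. This assumes the RPC updates rmtbulk_len to the returned length; if it does not, the guard is comparing against the fixed allocation size and the bound against the allocation should be made explicit. The enclosing function starts before the hunk.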