diff -u pcsc-lite-1.4.102/debian/changelog pcsc-lite-1.4.102/debian/changelog
--- pcsc-lite-1.4.102/debian/changelog
+++ pcsc-lite-1.4.102/debian/changelog
@@ -1,3 +1,13 @@
+pcsc-lite (1.4.102-1ubuntu2.1) jaunty-security; urgency=low
+
+ * SECURITY UPDATE: fix buffer overflows (LP: #603657)
+ - modified src/winscard_svc.c: Fix buffer overflows which allow local users to
+ to gain privileges via crafted message data, which is improperly
+ demarshalled. Patch provided by Debian in Lenny. (DSA-2059-1)
+ - CVE-2010-0407
+
+ -- Brian Thomason Fri, 09 Jul 2010 12:05:26 -0400
+
 pcsc-lite (1.4.102-1ubuntu2) jaunty; urgency=low
 
 * Move runtime libraries to /lib, for the benefit of wpasupplicant
only in patch2:
unchanged:
--- pcsc-lite-1.4.102.orig/src/winscard_svc.c
+++ pcsc-lite-1.4.102/src/winscard_svc.c
@@ -385,6 +385,14 @@
 dwProtocol = stStr->pdwProtocol;
 cbAtrLen = stStr->pcbAtrLen;
 
+ /* avoids buffer overflow */
+ if ((cchReaderLen > sizeof(stStr->mszReaderNames))
+ || (cbAtrLen > sizeof(stStr->pbAtr)))
+ {
+ stStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
 stStr->rv = SCardStatus(stStr->hCard, stStr->mszReaderNames,
 &cchReaderLen, &dwState, &dwProtocol, stStr->pbAtr, &cbAtrLen);
 
@@ -400,6 +408,14 @@
 rv = MSGCheckHandleAssociation(trStr->hCard, dwContextIndex);
 if (rv != 0) return rv;
 
+ /* avoids buffer overflow */
+ if ((trStr->pcbRecvLength > sizeof(trStr->pbRecvBuffer))
+ || (trStr->cbSendLength > sizeof(trStr->pbSendBuffer)))
+ {
+ trStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
 ioSendPci.dwProtocol = trStr->pioSendPciProtocol;
 ioSendPci.cbPciLength = trStr->pioSendPciLength;
 ioRecvPci.dwProtocol = trStr->pioRecvPciProtocol;
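Review bot: The error-return line in the SCardStatus guard reads `stStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;` with a stray space before the semicolon, and the same formatting appears in the transmit guard at @@ -400 and in both getset guards at @@ -440 and @@ -453, while the control and extended guards write `SCARD_E_INSUFFICIENT_BUFFER;`. It is only formatting, but seven copies of the same guard are easier to audit when they are written identically, so `stStr->rv = SCARD_E_INSUFFICIENT_BUFFER;` here and likewise in the other three. The guard compares the client-supplied lengths against `sizeof` of struct members, which is a real bound only while `mszReaderNames` and `pbAtr` are inline arrays in the message struct; the hunk does not show the declaration, so that is inferred from the use of `sizeof` and should be confirmed. The enclosing switch case and function start and end outside the hunk.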
@@ -424,6 +440,14 @@
 rv = MSGCheckHandleAssociation(ctStr->hCard, dwContextIndex);
 if (rv != 0) return rv;
 
+ /* avoids buffer overflow */
+ if ((ctStr->cbRecvLength > sizeof(ctStr->pbRecvBuffer))
+ || (ctStr->cbSendLength > sizeof(ctStr->pbSendBuffer)))
+ {
+ ctStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
+ break;
+ }
+
 dwBytesReturned = ctStr->dwBytesReturned;
 
 ctStr->rv = SCardControl(ctStr->hCard, ctStr->dwControlCode,
@@ -440,6 +464,13 @@
 rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
 if (rv != 0) return rv;
 
+ /* avoids buffer overflow */
+ if (gsStr->cbAttrLen > sizeof(gsStr->pbAttr))
+ {
+ gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
 cbAttrLen = gsStr->cbAttrLen;
 
 gsStr->rv = SCardGetAttrib(gsStr->hCard, gsStr->dwAttrId,
@@ -453,6 +484,14 @@
 gsStr = ((getset_struct *) msgStruct->data);
 rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
 if (rv != 0) return rv;
+
+ /* avoids buffer overflow */
+ if (gsStr->cbAttrLen <= sizeof(gsStr->pbAttr))
+ {
+ gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
 gsStr->rv = SCardSetAttrib(gsStr->hCard, gsStr->dwAttrId,
 gsStr->pbAttr, gsStr->cbAttrLen);
 break;
@@ -467,6 +506,15 @@
 rv = MSGCheckHandleAssociation(treStr->hCard, dwContextIndex);
 if (rv != 0) return rv;
 
+ /* avoids buffer overflow */
+ if ((treStr->size > sizeof(pbSendBuffer))
+ || (treStr->cbSendLength > sizeof(pbSendBuffer))
+ || (treStr->pcbRecvLength > sizeof(pbRecvBuffer)))
+ {
+ treStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
+ break;
+ }
+
 /* on more block to read? */
 if (treStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
 {
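Review bot: The guard added before SCardSetAttrib at @@ -453 is inverted: `if (gsStr->cbAttrLen <= sizeof(gsStr->pbAttr))` rejects exactly the lengths that fit in `pbAttr` and lets the over-long lengths the comment says it exists to stop fall through to `SCardSetAttrib(..., gsStr->pbAttr, gsStr->cbAttrLen)` unchecked. Every other guard in this patch, including the SCardGetAttrib one a few lines above at @@ -440, uses `>`; this one should read `if (gsStr->cbAttrLen > sizeof(gsStr->pbAttr))`. As written, every well-formed SCARD_SET_ATTRIB request now fails with SCARD_E_INSUFFICIENT_BUFFER, so the regression will be visible functionally as well as being a missed bound. The enclosing switch case and function start and end outside the hunk.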
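Review bot: The guard at @@ -467 bounds the three lengths with `sizeof(pbSendBuffer)` and `sizeof(pbRecvBuffer)`, which are not members of `treStr` and are declared outside the hunk; the bound is real only if those are arrays in the enclosing scope, and if either is a pointer the comparison is against the pointer width and the check is ineffective. The same applies to the `cteStr` guard at @@ -548, which uses the same two names. A comment naming what is being measured would make this auditable without opening the declarations, e.g. `/* pbSendBuffer/pbRecvBuffer: fixed-size buffers the extended path copies into; sizeof is their capacity */`, provided that is confirmed to be what they are. The pre-existing `if (treStr->size > PCSCLITE_MAX_MESSAGE_SIZE)` branch that follows appears to read further message blocks, so the new `size` bound is what limits that read, which is worth stating in the same comment. The enclosing function starts and ends outside the hunk.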
@@ -548,6 +596,15 @@
 rv = MSGCheckHandleAssociation(cteStr->hCard, dwContextIndex);
 if (rv != 0) return rv;
 
+ /* avoids buffer overflow */
+ if ((cteStr->size > sizeof(pbSendBuffer))
+ || (cteStr->cbSendLength > sizeof(pbSendBuffer))
+ || (cteStr->cbRecvLength > sizeof(pbRecvBuffer)))
+ {
+ cteStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
+ break;
+ }
+
 /* on more block to read? */
 if (cteStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
 {