diff -u python2.5-2.5/debian/changelog python2.5-2.5/debian/changelog
--- python2.5-2.5/debian/changelog
+++ python2.5-2.5/debian/changelog
@@ -1,3 +1,24 @@
+python2.5 (2.5-2ubuntu2.1) edgy-security; urgency=low
+
+  * SECURITY UPDATE: 
+    + CVE-2007-4965: Multiple integer overflows in the imageop module in
+      Python 2.5.1 and earlier allow context-dependent attackers to cause a denial
+      of service (application crash) and possibly obtain sensitive information
+      (memory contents) via crafted arguments to (1) the tovideo method, and
+      unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and
+      other files, which trigger heap-based buffer overflows.
+  * debian/patches/CVE-2007-4695.dpatch:
+    - Applied patch from upstream
+    - Link: http://bugs.python.org/file8592/python-2.5.CVE-2007-4965-int-overflow.patch
+  * debian/rules:
+    - Added new shell var: ubuntu_security_patches
+    - Added the new var to debian_patches to work with the patch system
+  * References:
+    CVE-2007-4965
+    http://bugs.python.org/issue1179
+
+ -- Stephan Hermann <sh@sourcecode.de>  Sat, 24 Nov 2007 20:51:05 +0100
+
 python2.5 (2.5-2ubuntu2) edgy; urgency=low
 
   * PVER-minimal.postinst: Use this version as the first version
diff -u python2.5-2.5/debian/rules python2.5-2.5/debian/rules
--- python2.5-2.5/debian/rules
+++ python2.5-2.5/debian/rules
@@ -898,6 +898,15 @@
   debian_patches += $(debian_doc_patches)
 endif
 
+ifeq ($(distribution),Ubuntu)
+  ubuntu_security_patches = \
+	CVE-2007-4965
+endif
+
+ifeq ($(distribution),Ubuntu)
+  debian_patches += $(ubuntu_security_patches)
+endif
+
 patch: patch-stamp
 apply-patches: patch-stamp
 
only in patch2:
unchanged:
--- python2.5-2.5.orig/debian/patches/CVE-2007-4965.dpatch
+++ python2.5-2.5/debian/patches/CVE-2007-4965.dpatch
@@ -0,0 +1,246 @@
+#! /bin/sh -e
+
+# All lines beginning with `# DPATCH:' are a description of the patch.
+# DP: CVE-2007-4965 Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a dos
+
+
+dir=
+if [ $# -eq 3 -a "$2" = '-d' ]; then
+    pdir="-d $3"
+    dir="$3/"
+elif [ $# -ne 1 ]; then
+    echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+    exit 1
+fi
+case "$1" in
+    -patch)
+        patch $pdir -f --no-backup-if-mismatch -p0 < $0
+        #cd ${dir}gcc && autoconf
+        ;;
+    -unpatch)
+        patch $pdir -f --no-backup-if-mismatch -R -p0 < $0
+        #rm ${dir}gcc/configure
+        ;;
+    *)
+	echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+        exit 1
+esac
+exit 0
+
+diff -ruN ./Modules/imageop.c ../python2.5-2.5.1/Modules/imageop.c
+--- ./Modules/imageop.c	2006-01-19 07:09:39.000000000 +0100
++++ ../python2.5-2.5.1/Modules/imageop.c	2007-11-24 17:00:43.000000000 +0100
+@@ -78,7 +78,7 @@
+ 	char *cp, *ncp;
+ 	short *nsp;
+ 	Py_Int32 *nlp;
+-	int len, size, x, y, newx1, newx2, newy1, newy2;
++	int len, size, x, y, newx1, newx2, newy1, newy2. nlen;
+ 	int ix, iy, xstep, ystep;
+ 	PyObject *rv;
+ 
+@@ -90,13 +90,19 @@
+ 		PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
+ 		return 0;
+ 	}
+-	if ( len != size*x*y ) {
++	if (( len != size*x*y ) ||
++            ( size != ((len / x) / y) )) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+ 	xstep = (newx1 < newx2)? 1 : -1;
+ 	ystep = (newy1 < newy2)? 1 : -1;
+     
++        nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size;
++        if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	rv = PyString_FromStringAndSize(NULL,
+ 			     (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size);
+ 	if ( rv == 0 )
+@@ -132,7 +138,7 @@
+ 	char *cp, *ncp;
+ 	short *nsp;
+ 	Py_Int32 *nlp;
+-	int len, size, x, y, newx, newy;
++	int len, size, x, y, newx, newy, nlen;
+ 	int ix, iy;
+ 	int oix, oiy;
+ 	PyObject *rv;
+@@ -145,12 +151,18 @@
+ 		PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
+ 		return 0;
+ 	}
+-	if ( len != size*x*y ) {
++	if ( ( len != size*x*y ) ||
++             ( size != ((len / x) / y) ) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
++        nlen = newx*newy*size;
++	if ( size != ((nlen / newx) / newy) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+     
+-	rv = PyString_FromStringAndSize(NULL, newx*newy*size);
++	rv = PyString_FromStringAndSize(NULL, nlen);
+ 	if ( rv == 0 )
+ 		return 0;
+ 	ncp = (char *)PyString_AsString(rv);
+@@ -190,7 +202,8 @@
+ 		PyErr_SetString(ImageopError, "Size should be 1 or 4");
+ 		return 0;
+ 	}
+-	if ( maxx*maxy*width != len ) {
++	if ( ( maxx*maxy*width != len ) ||
++             ( maxx != ((len / maxy) / width) ) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -240,7 +253,8 @@
+ 	if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	if ( ( x*y != len ) ||
++             ( x != len / y ) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -281,7 +295,8 @@
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	if ( ( x*y != len ) ||
++             ( x != len / y ) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -320,7 +335,8 @@
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	if ( ( x*y != len ) ||
++             ( x != len / y ) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -358,7 +374,8 @@
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	if ( ( x*y != len ) ||
++             ( x != len / y ) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -404,7 +421,8 @@
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	if ( ( x*y != len ) ||
++             ( x != len / y ) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -443,7 +461,11 @@
+ 	if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) )
+ 		return 0;
+ 
+-	nlen = x*y;
++        nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( (nlen+7)/8 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -481,6 +503,10 @@
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( (nlen+3)/4 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -517,6 +543,10 @@
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( (nlen+1)/2 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -554,6 +584,10 @@
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen*4 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -598,6 +632,10 @@
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -648,6 +686,10 @@
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen*4 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -693,6 +735,10 @@
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+diff -ruN ./Modules/rgbimgmodule.c ../python2.5-2.5.1/Modules/rgbimgmodule.c
+--- ./Modules/rgbimgmodule.c	2006-08-12 05:18:50.000000000 +0200
++++ ../python2.5-2.5.1/Modules/rgbimgmodule.c	2007-11-24 17:01:30.000000000 +0100
+@@ -299,6 +299,11 @@
+ 	xsize = image.xsize;
+ 	ysize = image.ysize;
+ 	zsize = image.zsize;
++	tablen = xsize * ysize * zsize * sizeof(Py_Int32);
++        if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
++		PyErr_NoMemory();
++		goto finally;
++        }
+ 	if (rle) {
+ 		tablen = ysize * zsize * sizeof(Py_Int32);
+ 		starttab = (Py_Int32 *)malloc(tablen);