diff -u wml-2.0.8/wml_backend/p1_ipp/ipp.src wml-2.0.8/wml_backend/p1_ipp/ipp.src
--- wml-2.0.8/wml_backend/p1_ipp/ipp.src
+++ wml-2.0.8/wml_backend/p1_ipp/ipp.src
@@ -565,6 +565,7 @@
 #
 # process the pre-loaded include files
 #
+$tmpdir = $ENV{'TMPDIR'} || '/tmp';
 my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
 $tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
 $tmpfile = $tmpdir . "/ipp.$$.tmp";
diff -u wml-2.0.8/wml_contrib/wmg.cgi wml-2.0.8/wml_contrib/wmg.cgi
--- wml-2.0.8/wml_contrib/wmg.cgi
+++ wml-2.0.8/wml_contrib/wmg.cgi
@@ -366,14 +366,7 @@
 ($w, $h, $t) = Image::Size::imgsize(\$contents);
 if ($w*$h == 1) {
 # read image into GD
- $tmpfile = "/tmp/pe.tmp.$$";
- unlink($tmpfile);
- open(TMP, ">$tmpfile");
- print TMP $contents;
- close(TMP);
- open(TMP, "<$tmpfile");
- $tmpimg = newFromGif GD::Image(TMP);
- close(TMP);
+ $tmpimg = newFromGif GD::Image($contents);
 unlink($tmpfile);
 if ($tmpimg->transparent != -1) {
 my $im = new GD::Image($w, $h);
diff -u wml-2.0.8/debian/control wml-2.0.8/debian/control
--- wml-2.0.8/debian/control
+++ wml-2.0.8/debian/control
@@ -1,7 +1,8 @@
 Source: wml
 Section: web
 Priority: optional
-Maintainer: Denis Barbier
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Denis Barbier
 Standards-Version: 3.6.1
 Build-Depends: perl (>= 5.8.0), libperl-dev, debhelper (>= 3.0.5)
diff -u wml-2.0.8/debian/changelog wml-2.0.8/debian/changelog
--- wml-2.0.8/debian/changelog
+++ wml-2.0.8/debian/changelog
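Review bot: The added `$tmpdir = $ENV{'TMPDIR'} || '/tmp';` has no lasting effect, because `$tmpdir` is reassigned two lines later by `$tmpdir = mkdtemp($tmpldir)`. The protection against the symlink attack on `ipp.$$.tmp` comes from the mkdtemp-created directory in the context lines, not from this line. I would drop the added line, or, if the base directory is needed elsewhere, keep it under its own name, e.g. `my $tmpbase = $ENV{'TMPDIR'} || '/tmp';`, and build the template from that. The hunk does not show where `mkdtemp` is imported or whether the directory is removed on exit, so both are worth confirming.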
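Review bot: `newFromGif GD::Image($contents)` passes the image bytes where GD expects a filehandle or file name, so the call most likely fails and `$tmpimg->transparent` two lines below then dies on an undefined value. For in-memory data GD provides `newFromGifData`, e.g. `$tmpimg = GD::Image->newFromGifData($contents) or die "cannot parse GIF data\n";`. The context line `unlink($tmpfile);` is left behind although this block no longer sets `$tmpfile`, so it now unlinks whatever path that variable holds from elsewhere, or nothing; it should go along with the rest of the temp-file code. The enclosing `if` block continues past the hunk.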
@@ -1,3 +1,24 @@
+wml (2.0.8-11ubuntu0.6.06) dapper-security; urgency=low
+
+ * debian/control
+ - updated maintainer field
+ * SECURITY UPDATE: (LP: #191205)
+ + wml_backend/p1_ipp/ipp.src (CVE-2008-0665)
+ - in Website META Language (WML) 2.0.11 allows local
+ users to overwrite arbitrary files via a symlink attack on the ipp.$$.tmp
+ temporary file.
+ + wlm_backend/p3_eperl/eperl_sys.c wml_contrib/wmg.cgi (CVE-2008-0666)
+ - Website META Language (WML) 2.0.11 allows local users to overwrite arbitrary
+ files via a symlink attack on (1) the /tmp/pe.tmp.$$ temporary file used by
+ wml_contrib/wmg.cgi and (2) temporary files used by
+ wml_backend/p3_eperl/eperl_sys.c.
+ * References
+ + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0665
+ + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0666
+ + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463907
+
+ -- Emanuele Gentili Mon, 10 Mar 2008 17:49:38 +0100
+
 wml (2.0.8-11) unstable; urgency=low
 * Prolog and epilog filters may use a relative path defined by an
only in patch2:
unchanged:
--- wml-2.0.8.orig/wml_backend/p3_eperl/eperl_sys.c
+++ wml-2.0.8/wml_backend/p3_eperl/eperl_sys.c
@@ -208,11 +208,19 @@
 {
 char ca[1024];
 char *cp, *tmpdir;
+ char tmpfile[]="eperl_sourceXXXXXX";
 int i;
+ int fd=-1
 if ((tmpdir = getenv("TMPDIR")) == NULL)
 tmpdir = "/tmp";
- sprintf(ca, "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
+ snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
+ if((fd = mkstemp(tmpfile)) == -1){
+ perror("can not create tmpfile");
+ return NULL;
+ }
+ close(fd);
+ ca[sizeof(ca)-1] = NUL;
 cp = strdup(ca);
 for (i = 0; mytmpfiles[i] != NULL; i++) ;
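Review bot: `mkstemp(tmpfile)` creates its file from the relative template `eperl_sourceXXXXXX`, i.e. in the current directory, while `ca` was already filled by `snprintf` with the unexpanded template. The path handed back via `strdup(ca)` is therefore the fixed name `eperl_sourceXXXXXX` under the temp directory, which is still predictable in a shared directory and is not the file mkstemp created. As shown, `int fd=-1` also lacks its semicolon, so the new code would not compile. Build the template in `ca` and pass `ca` itself to mkstemp so the returned name is the one that was created exclusively; `tmpfile[]` and the manual terminator then become unnecessary, since snprintf already terminates. The function's signature and the rest of its body are outside the hunk, and closing the descriptor before returning the name assumes the caller reopens a file that already exists.

```c
    int i;
    int fd = -1;
    int n;

    /* … unchanged: TMPDIR lookup with "/tmp" fallback … */
    n = snprintf(ca, sizeof(ca), "%s/eperl_sourceXXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= sizeof(ca)) {
        fprintf(stderr, "temporary file path too long\n");
        return NULL;
    }
    /* mkstemp rewrites the XXXXXX in ca and creates the file exclusively */
    if ((fd = mkstemp(ca)) == -1) {
        perror("can not create tmpfile");
        return NULL;
    }
    close(fd);
    cp = strdup(ca);
    /* … unchanged: registration in mytmpfiles … */
```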