diff -Nru openafs-1.6.0/debian/changelog openafs-1.6.0/debian/changelog
--- openafs-1.6.0/debian/changelog 2011-09-01 21:43:08.000000000 -0400
+++ openafs-1.6.0/debian/changelog 2013-03-05 01:43:20.000000000 -0500
@@ -1,3 +1,15 @@
+openafs (1.6.0-1+ubuntu0.1) oneiric-security; urgency=low
+
+ [ Russ Allbery ]
+ * Apply upstream security patches:
+ - OPENAFS-SA-2013-001: Fix fileserver buffer overflow when parsing
+ client-supplied ACL entries and protect against client parsing of
+ bad ACL entries. (CVE-2013-1794) (LP: #1145560)
+ - OPENAFS-SA-2013-002: Fix ptserver buffer overflow via integer
+ overflow in the IdToName RPC. (CVE-2013-1795) (LP: #1145560)
+
+ -- Luke Faraone Tue, 05 Mar 2013 01:42:40 -0500
+
 openafs (1.6.0-1) unstable; urgency=low
 
 * New upstream stable release.
diff -Nru openafs-1.6.0/debian/patches/debian-changes openafs-1.6.0/debian/patches/debian-changes
--- openafs-1.6.0/debian/patches/debian-changes 2011-09-01 21:44:41.000000000 -0400
+++ openafs-1.6.0/debian/patches/debian-changes 2013-03-05 01:43:26.000000000 -0500
@@ -91,3 +91,116 @@ -ln -s $(TOP_SRCDIR)/afsd afsd -ln -s $(NS_INCL) nsapi +--- openafs-1.6.0.orig/src/libacl/aclprocs.c ++++ openafs-1.6.0/src/libacl/aclprocs.c +@@ -23,13 +23,13 @@ + #else + #include + #endif ++#include + #include + #include + #include + #include + #include + #include "acl.h" +- + #ifdef AFS_PTHREAD_ENV + #include + #include +@@ -251,7 +251,7 @@ acl_Internalize_pr(int (*func)(namelist + + if (sscanf(elist, "%d\n%d\n", &p, &n) != 2) + return -1; +- if (p + n > ACL_MAXENTRIES) ++ if (p < 0 || n < 0 || p > INT_MAX - n || p + n > ACL_MAXENTRIES) + return (-1); + acl_NewACL(p + n, acl); + (*acl)->total = p + n; +@@ -276,7 +276,7 @@ acl_Internalize_pr(int (*func)(namelist + nextc++; /* now at the beginning of the entry list */ + for (i = 0; i < (*acl)->positive; i++) { + int k; +- if (sscanf(nextc, "%s\t%d\n", lnames.namelist_val[i], &k) != 2) { ++ if (sscanf(nextc, "%63s\t%d\n", lnames.namelist_val[i], &k) != 2) { + free(lnames.namelist_val); + return (-1); + } +@@ -288,7 +288,7 @@ acl_Internalize_pr(int (*func)(namelist + for (i = (*acl)->total - 1; i >= (*acl)->total - (*acl)->negative; + i--, j++) { + if (sscanf +- (nextc, "%s\t%d\n", lnames.namelist_val[j], ++ (nextc, "%63s\t%d\n", lnames.namelist_val[j], + &((*acl)->entries[j].rights)) != 2) { + free(lnames.namelist_val); + return (-1); +--- openafs-1.6.0.orig/src/libadmin/client/afs_clientAdmin.c ++++ openafs-1.6.0/src/libadmin/client/afs_clientAdmin.c +@@ -1542,7 +1542,7 @@ afsclient_ACLEntryAdd(const char *direct + */ + + is_dfs = +- sscanf(old_acl_string, "%d dfs:%d %s", &cur_acl.nplus, &cur_acl.dfs, ++ sscanf(old_acl_string, "%d dfs:%d %1024s", &cur_acl.nplus, &cur_acl.dfs, + cur_acl.cell); + ptr = strchr(old_acl_string, '\n'); + ptr++; +@@ -1567,7 +1567,7 @@ afsclient_ACLEntryAdd(const char *direct + */ + + for (i = 0; i < (cur_acl.nplus + cur_acl.nminus); i++) { +- sscanf(ptr, "%s%d\n", cur_user, &cur_user_acl); ++ sscanf(ptr, "%63s%d\n", cur_user, &cur_user_acl); + /* + * Skip the entry 
for the user we are replacing/adding + */ +--- openafs-1.6.0.orig/src/ptserver/ptprocs.c ++++ openafs-1.6.0/src/ptserver/ptprocs.c +@@ -679,7 +679,7 @@ idToName(struct rx_call *call, idlist *a + size = aid->idlist_len; + if (size == 0) + return 0; +- if (size < 0) ++ if (size < 0 || size > INT_MAX / PR_MAXNAMELEN) + return PRTOOMANY; + aname->namelist_val = (prname *) malloc(size * PR_MAXNAMELEN); + aname->namelist_len = 0; +--- openafs-1.6.0.orig/src/venus/fs.c ++++ openafs-1.6.0/src/venus/fs.c +@@ -561,7 +561,7 @@ EmptyAcl(char *astr) + tp->nplus = tp->nminus = 0; + tp->pluslist = tp->minuslist = 0; + tp->dfs = 0; +- sscanf(astr, "%d dfs:%d %s", &junk, &tp->dfs, tp->cell); ++ sscanf(astr, "%d dfs:%d %1024s", &junk, &tp->dfs, tp->cell); + return tp; + } + +@@ -576,7 +576,7 @@ ParseAcl(char *astr) + ta = (struct Acl *)malloc(sizeof(struct Acl)); + assert(ta); + ta->dfs = 0; +- sscanf(astr, "%d dfs:%d %s", &ta->nplus, &ta->dfs, ta->cell); ++ sscanf(astr, "%d dfs:%d %1024s", &ta->nplus, &ta->dfs, ta->cell); + astr = SkipLine(astr); + sscanf(astr, "%d", &ta->nminus); + astr = SkipLine(astr); +@@ -587,7 +587,7 @@ ParseAcl(char *astr) + last = 0; + first = 0; + for (i = 0; i < nplus; i++) { +- sscanf(astr, "%100s %d", tname, &trights); ++ sscanf(astr, "%99s %d", tname, &trights); + astr = SkipLine(astr); + tl = (struct AclEntry *)malloc(sizeof(struct AclEntry)); + assert(tl); +@@ -605,7 +605,7 @@ ParseAcl(char *astr) + last = 0; + first = 0; + for (i = 0; i < nminus; i++) { +- sscanf(astr, "%100s %d", tname, &trights); ++ sscanf(astr, "%99s %d", tname, &trights); + astr = SkipLine(astr); + tl = (struct AclEntry *)malloc(sizeof(struct AclEntry)); + assert(tl);
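Review bot: The width-limited `sscanf` calls in `afsclient_ACLEntryAdd` (`"%63s%d\n"`) and in both `ParseAcl` loops (`"%99s %d"`) still discard the return value, so an ACL line that fails to convert leaves `cur_user`/`cur_user_acl` or `tname`/`trights` with stale or unset contents that the loop then goes on to use. Each call should be tested, for example `if (sscanf(astr, "%99s %d", tname, &trights) != 2)` followed by an error return, as `acl_Internalize_pr` already does in this same patch. In the `-1542` context, `ptr = strchr(old_acl_string, '\n'); ptr++;` also advances without a NULL check, so an ACL string with no newline would leave `ptr` invalid for the later `sscanf(ptr, ...)`. The literal widths 63, 99 and 1024 have to stay one below buffer sizes declared outside these hunks (presumably `PR_MAXNAMELEN` and the `cell` array), which deserves a short comment at each call such as `/* width = sizeof(tname) - 1 */`. All of these functions begin and end outside the visible hunks.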