diff -u amarok-1.4.9.1/debian/patches/series amarok-1.4.9.1/debian/patches/series
--- amarok-1.4.9.1/debian/patches/series
+++ amarok-1.4.9.1/debian/patches/series
@@ -13,0 +14 @@
+security_audible_tags.diff
diff -u amarok-1.4.9.1/debian/changelog amarok-1.4.9.1/debian/changelog
--- amarok-1.4.9.1/debian/changelog
+++ amarok-1.4.9.1/debian/changelog
@@ -1,3 +1,14 @@
+amarok (2:1.4.9.1-0ubuntu3.2) hardy-security; urgency=low
+
+ * SECURITY UPDATE: integer overflows allow remote attackers to execute
+ arbitrary code via an Audible Audio (.aa) file (LP: #318555)
+ - debian/patches/security_audible_tags.diff fix integer overflow while
+ reading audible aa file tags. Based on upstream patch.
+ - http://websvn.kde.org/?view=rev&revision=908415
+ - http://www.trapkit.de/advisories/TKADV2009-002.txt
+
+ -- Harald Sitter Mon, 19 Jan 2009 22:13:53 +0100
+
 amarok (2:1.4.9.1-0ubuntu3.1) hardy-security; urgency=low
 
 * SECURITY UPDATE: Insecure creation of magnatune temp files
only in patch2:
unchanged:
--- amarok-1.4.9.1.orig/debian/patches/security_audible_tags.diff
+++ amarok-1.4.9.1/debian/patches/security_audible_tags.diff
@@ -0,0 +1,87 @@
+Index: amarok-1.4.9.1/amarok/src/metadata/audible/audibletag.cpp
+===================================================================
+--- amarok-1.4.9.1.orig/amarok/src/metadata/audible/audibletag.cpp 2009-01-19 22:14:42.000000000 +0100
++++ amarok-1.4.9.1/amarok/src/metadata/audible/audibletag.cpp 2009-01-19 22:15:05.000000000 +0100
+@@ -73,7 +73,8 @@
+ {
+ char buf[1023];
+ fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+- fread(buf, strlen("product_id"), 1, fp);
++ if (fread(buf, strlen("product_id"), 1, fp) != 1)
++ return;
+ if(memcmp(buf, "product_id", strlen("product_id")))
+ {
+ buf[20]='\0';
+@@ -132,24 +133,65 @@
+ 
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
++ const uint32_t maxtaglen = 100000;
++
+ uint32_t nlen;
+- fread(&nlen, sizeof(nlen), 1, fp);
++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++ return false;
+ nlen = ntohl(nlen);
+ //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+- *name = new char[nlen+1];
+- (*name)[nlen] = '\0';
++ if (nlen > maxtaglen)
++ return false;
+ 
+ uint32_t vlen;
+- fread(&vlen, sizeof(vlen), 1, fp);
++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++ return false;
+ vlen = ntohl(vlen);
+ //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++ if (vlen > maxtaglen)
++ return false;
++
++ *name = new char[nlen+1];
++ if (!*name)
++ return false;
++
+ *value = new char[vlen+1];
++ if (!*value)
++ {
++ delete[] *name;
++ *name = 0;
++ return false;
++ }
++
++ (*name)[nlen] = '\0';
+ (*value)[vlen] = '\0';
+ 
+- fread(*name, nlen, 1, fp);
+- fread(*value, vlen, 1, fp);
++ if (fread(*name, nlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
++ if (fread(*value, vlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ char lasttag;
+- fread(&lasttag, 1, 1, fp);
++ if (fread(&lasttag, 1, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+ 
+ m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
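Review bot: In readTag, the new checks `fread(*name, nlen, 1, fp) != 1` and `fread(*value, vlen, 1, fp) != 1` also fail when the length is 0, because fread returns 0 for a zero-size item, so a tag with an empty name or value is now rejected as a read error even though nothing went wrong. Guarding the calls, e.g. `if (vlen && fread(*value, vlen, 1, fp) != 1)` and the same for nlen, keeps the short-read detection without that side effect. Separately, plain `new char[nlen+1]` reports failure by throwing rather than returning null, so the `if (!*name)` and `if (!*value)` branches are unreachable as written; `new (std::nothrow) char[nlen+1]` would make them effective. The early `return false` paths before the allocations leave `*name` and `*value` untouched while the later ones null them, so if the caller frees these on failure (not visible here) both should be set to 0 at the top of the function. readTag's body continues past the end of the hunk.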