diff -u libtheora-1.0~beta3/debian/changelog libtheora-1.0~beta3/debian/changelog
--- libtheora-1.0~beta3/debian/changelog
+++ libtheora-1.0~beta3/debian/changelog
@@ -1,3 +1,12 @@
+libtheora (1.0~beta3-1+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Fixes potential arbitrary code execution vulnerability: CVE-2009-3389.
+ * Fixes two other potential vulnerabilities as applied to xulrunner
+ since version 1.9.1.
+
+ -- Michael Gilbert Sat, 16 Jan 2010 14:53:59 -0500
+
 libtheora (1.0~beta3-1) unstable; urgency=low
 
 * New upstream release.
diff -u libtheora-1.0~beta3/debian/patches/series libtheora-1.0~beta3/debian/patches/series
--- libtheora-1.0~beta3/debian/patches/series
+++ libtheora-1.0~beta3/debian/patches/series
@@ -1,0 +2,3 @@
+mozilla-bug498815.patch
+mozilla-bug498824.patch
+mozilla-bug504613.patch
only in patch2: unchanged:
--- libtheora-1.0~beta3.orig/debian/patches/mozilla-bug504613.patch
+++ libtheora-1.0~beta3/debian/patches/mozilla-bug504613.patch
@@ -0,0 +1,120 @@
+# CVE-2009-3389
+# HG changeset patch
+# User Matthew Gregan
+# Date 1252993590 -43200
+# Node ID 2fce745981185aecebad0366b4c2ff45e9f93e95
+# Parent 8dbe8de92cb46f64f8ff80d79f38961eb02e9cbd
+imported patch bug504613
+
+diff --git a/lib/dec/decode.c b/lib/dec/decode.c
+--- a/lib/dec/decode.c
++++ b/lib/dec/decode.c
+@@ -1846,16 +1846,40 @@ int th_decode_ctl(th_dec_ctx *_dec,int _
+ _dec->stripe_cb.ctx=cb->ctx;
+ _dec->stripe_cb.stripe_decoded=cb->stripe_decoded;
+ return 0;
+ }break;
+ default:return TH_EIMPL;
+ }
+ }
+ 
++/*We're decoding an INTER frame, but have no initialized reference
++ buffers (i.e., decoding did not start on a key frame).
++ We initialize them to a solid gray here.*/
++static void oc_dec_init_dummy_frame(th_dec_ctx *_dec){
++ th_info *info;
++ size_t yplane_sz;
++ size_t cplane_sz;
++ int yhstride;
++ int yvstride;
++ int chstride;
++ int cvstride;
++ _dec->state.ref_frame_idx[OC_FRAME_GOLD]=0;
++ _dec->state.ref_frame_idx[OC_FRAME_PREV]=0;
++ _dec->state.ref_frame_idx[OC_FRAME_SELF]=1;
++ info=&_dec->state.info;
++ yhstride=info->frame_width+2*OC_UMV_PADDING;
++ yvstride=info->frame_height+2*OC_UMV_PADDING;
++ chstride=yhstride>>!(info->pixel_fmt&1);
++ cvstride=yvstride>>!(info->pixel_fmt&2);
++ yplane_sz=(size_t)yhstride*yvstride;
++ cplane_sz=(size_t)chstride*cvstride;
++ memset(_dec->state.ref_frame_data,0x80,yplane_sz+2*cplane_sz);
++}
++
+ int th_decode_packetin(th_dec_ctx *_dec,const ogg_packet *_op,
+ ogg_int64_t *_granpos){
+ int ret;
+ if(_dec==NULL||_op==NULL)return TH_EFAULT;
+ /*A completely empty packet indicates a dropped frame and is treated exactly
+ like an inter frame with no coded blocks.
+ Only proceed if we have a non-empty packet.*/
+ if(_op->bytes!=0){
+@@ -1869,37 +1893,19 @@ int th_decode_packetin(th_dec_ctx *_dec,
+ theorapackB_readinit(&_dec->opb,_op->packet,_op->bytes);
+ ret=oc_dec_frame_header_unpack(_dec);
+ if(ret<0)return ret;
+ /*Select a free buffer to use for the reconstructed version of this
+ frame.*/
+ if(_dec->state.frame_type!=OC_INTRA_FRAME&&
+ (_dec->state.ref_frame_idx[OC_FRAME_GOLD]<0||
+ _dec->state.ref_frame_idx[OC_FRAME_PREV]<0)){
+- th_info *info;
+- size_t yplane_sz;
+- size_t cplane_sz;
+- int yhstride;
+- int yvstride;
+- int chstride;
+- int cvstride;
+- /*We're decoding an INTER frame, but have no initialized reference
+- buffers (i.e., decoding did not start on a key frame).
+- We initialize them to a solid gray here.*/
+- _dec->state.ref_frame_idx[OC_FRAME_GOLD]=0;
+- _dec->state.ref_frame_idx[OC_FRAME_PREV]=0;
+- _dec->state.ref_frame_idx[OC_FRAME_SELF]=refi=1;
+- info=&_dec->state.info;
+- yhstride=info->frame_width+2*OC_UMV_PADDING;
+- yvstride=info->frame_height+2*OC_UMV_PADDING;
+- chstride=yhstride>>!(info->pixel_fmt&1);
+- cvstride=yvstride>>!(info->pixel_fmt&2);
+- yplane_sz=(size_t)yhstride*yvstride;
+- cplane_sz=(size_t)chstride*cvstride;
+- memset(_dec->state.ref_frame_data,0x80,yplane_sz+2*cplane_sz);
++ /*No reference frames yet!*/
++ oc_dec_init_dummy_frame(_dec);
++ refi=_dec->state.ref_frame_idx[OC_FRAME_SELF];
+ }
+ else{
+ for(refi=0;refi==_dec->state.ref_frame_idx[OC_FRAME_GOLD]||
+ refi==_dec->state.ref_frame_idx[OC_FRAME_PREV];refi++);
+ _dec->state.ref_frame_idx[OC_FRAME_SELF]=refi;
+ }
+ if(_dec->state.frame_type==OC_INTRA_FRAME){
+ oc_dec_mark_all_intra(_dec);
+@@ -2036,16 +2042,26 @@ int th_decode_packetin(th_dec_ctx *_dec,
+ }
+ #if defined(OC_DUMP_IMAGES)
+ /*Don't dump images for dropped frames.*/
+ oc_state_dump_frame(&_dec->state,OC_FRAME_SELF,"dec");
+ #endif
+ return 0;
+ }
+ else{
++ if(_dec->state.ref_frame_idx[OC_FRAME_GOLD]<0||
++ _dec->state.ref_frame_idx[OC_FRAME_PREV]<0){
++ int refi;
++ /*No reference frames yet!*/
++ oc_dec_init_dummy_frame(_dec);
++ refi=_dec->state.ref_frame_idx[OC_FRAME_PREV];
++ _dec->state.ref_frame_idx[OC_FRAME_SELF]=refi;
++ memcpy(_dec->pp_frame_buf,_dec->state.ref_frame_bufs[refi],
++ sizeof(_dec->pp_frame_buf[0])*3);
++ }
+ /*Just update the granule position and return.*/
+ _dec->state.granpos=
+ (_dec->state.keyframe_num<<_dec->state.info.keyframe_granule_shift)+
+ (_dec->state.curframe_num-_dec->state.keyframe_num);
+ _dec->state.curframe_num++;
+ if(_granpos!=NULL)*_granpos=_dec->state.granpos;
+ return TH_DUPFRAME;
+ }
only in patch2: unchanged:
--- libtheora-1.0~beta3.orig/debian/patches/mozilla-bug498815.patch
+++ libtheora-1.0~beta3/debian/patches/mozilla-bug498815.patch
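Review bot: The memset in oc_dec_init_dummy_frame grays only the first `yplane_sz+2*cplane_sz` bytes of `ref_frame_data`, i.e. a single frame, which is correct only because the function has just pointed both OC_FRAME_GOLD and OC_FRAME_PREV at buffer 0 (and assuming buffer 0 sits at the start of `ref_frame_data`, which the hunk does not show); that coupling is undocumented. The dropped-frame caller in the `else{` branch then overwrites OC_FRAME_SELF with the PREV index and copies that buffer into `pp_frame_buf`, so the `=1` assignment in the helper only matters for the coded-packet caller. I would add before the memset `/*Gray buffer 0 only: GOLD and PREV both point at it; each caller picks SELF itself.*/` and above the `memcpy` `/*Return the gray frame as the duplicate.*/`. th_decode_packetin begins and ends outside the hunk's context lines.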
@@ -0,0 +1,30 @@
+Index: decinfo.c
+===================================================================
+--- a/lib/dec/decinfo.c (revision 16127)
++++ b/lib/dec/decinfo.c (working copy)
+@@ -70,12 +70,8 @@
+ _info->pic_height=(ogg_uint32_t)val;
+ theorapackB_read(_opb,8,&val);
+ _info->pic_x=(ogg_uint32_t)val;
+- /*Note: The sense of pic_y is inverted in what we pass back to the
+- application compared to how it is stored in the bitstream.
+- This is because the bitstream uses a right-handed coordinate system, while
+- applications expect a left-handed one.*/
+ theorapackB_read(_opb,8,&val);
+- _info->pic_y=_info->frame_height-_info->pic_height-(ogg_uint32_t)val;
++ _info->pic_y=(ogg_uint32_t)val;
+ theorapackB_read(_opb,32,&val);
+ _info->fps_numerator=(ogg_uint32_t)val;
+ theorapackB_read(_opb,32,&val);
+@@ -86,6 +82,11 @@
+ _info->fps_numerator==0||_info->fps_denominator==0){
+ return TH_EBADHEADER;
+ }
++ /*Note: The sense of pic_y is inverted in what we pass back to the
++ application compared to how it is stored in the bitstream.
++ This is because the bitstream uses a right-handed coordinate system, while
++ applications expect a left-handed one.*/
++ _info->pic_y=_info->frame_height-_info->pic_height-_info->pic_y;
+ theorapackB_read(_opb,24,&val);
+ _info->aspect_numerator=(ogg_uint32_t)val;
+ theorapackB_read(_opb,24,&val);
only in patch2: unchanged:
--- libtheora-1.0~beta3.orig/debian/patches/mozilla-bug498824.patch
+++ libtheora-1.0~beta3/debian/patches/mozilla-bug498824.patch
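Review bot: The relocated `_info->pic_y=_info->frame_height-_info->pic_height-_info->pic_y;` is a subtraction on ogg_uint32_t, so it is only meaningful if the TH_EBADHEADER check immediately above it rejects pic_y+pic_height>frame_height; the hunk shows only the fps clauses of that condition, and the earlier clauses lie outside the hunk, so this needs confirming against the full `if`. I would add at the assignment `/*Relies on the header check above rejecting pic_y+pic_height>frame_height; this subtraction is unsigned.*/`, and if no such clause exists the condition needs one before this line runs. The enclosing function starts and ends outside the hunk.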
@@ -0,0 +1,46 @@
+diff --git a/lib/dec/decinfo.c b/lib/dec/decinfo.c
+index e51d63e..d08d6b6 100644
+--- a/lib/dec/decinfo.c
++++ b/lib/dec/decinfo.c
+@@ -111,14 +111,15 @@ static int oc_comment_unpack(oggpack_buffer *_opb,th_comment *_tc){
+ int i;
+ /*Read the vendor string.*/
+ len=oc_unpack_length(_opb);
+- if(len<0||theorapackB_bytes(_opb)+len>_opb->storage)return TH_EBADHEADER;
++ if(len<0||len>_opb->storage-theorapackB_bytes(_opb))return TH_EBADHEADER;
+ _tc->vendor=_ogg_malloc((size_t)len+1);
+ oc_unpack_octets(_opb,_tc->vendor,len);
+ _tc->vendor[len]='\0';
+ /*Read the user comments.*/
+ _tc->comments=(int)oc_unpack_length(_opb);
+- if(_tc->comments<0||_tc->comments>(LONG_MAX>>2)||
+- theorapackB_bytes(_opb)+((long)_tc->comments<<2)>_opb->storage){
++ len=_tc->comments;
++ if(len<0||len>(LONG_MAX>>2)||len<<2>_opb->storage-theorapackB_bytes(_opb)){
++ _tc->comments=0;
+ return TH_EBADHEADER;
+ }
+ _tc->comment_lengths=(int *)_ogg_malloc(
+@@ -127,7 +128,7 @@ static int oc_comment_unpack(oggpack_buffer *_opb,th_comment *_tc){
+ _tc->comments*sizeof(_tc->user_comments[0]));
+ for(i=0;i<_tc->comments;i++){
+ len=oc_unpack_length(_opb);
+- if(len<0||theorapackB_bytes(_opb)+len>_opb->storage){
++ if(len<0||len>_opb->storage-theorapackB_bytes(_opb)){
+ _tc->comments=i;
+ return TH_EBADHEADER;
+ }
+@@ -224,12 +225,10 @@ static int oc_dec_headerin(oggpack_buffer *_opb,th_info *_info,
+ int th_decode_headerin(th_info *_info,th_comment *_tc,
+ th_setup_info **_setup,ogg_packet *_op){
+ oggpack_buffer opb;
+- int ret;
+ if(_op==NULL)return TH_EBADHEADER;
+ if(_info==NULL)return TH_EFAULT;
+ theorapackB_readinit(&opb,_op->packet,_op->bytes);
+- ret=oc_dec_headerin(&opb,_info,_tc,_setup,_op);
+- return ret;
++ return oc_dec_headerin(&opb,_info,_tc,_setup,_op);
+ }
+ 
+ void th_setup_free(th_setup_info *_setup){
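Review bot: `_tc->vendor=_ogg_malloc((size_t)len+1);` is still followed by `oc_unpack_octets(_opb,_tc->vendor,len);` and `_tc->vendor[len]='\0';` with no check of the allocation result, so a vendor length that now passes the tightened bound but fails to allocate writes through a null pointer; the `comment_lengths` and `user_comments` allocations further down, which the hunk shows only partly, have the same gap. Add `if(_tc->vendor==NULL)return TH_EFAULT;` directly after the malloc and the equivalent check after each of the other two. The new bound `len>_opb->storage-theorapackB_bytes(_opb)` presumably relies on `theorapackB_bytes` never exceeding `storage`; a one-line comment stating that invariant would help the next reader. oc_comment_unpack begins before the first hunk.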