diff -Nru wireshark-1.2.7/debian/changelog wireshark-1.2.7/debian/changelog
--- wireshark-1.2.7/debian/changelog 2010-04-01 17:46:59.000000000 +0700
+++ wireshark-1.2.7/debian/changelog 2011-03-07 11:42:43.000000000 +0700
@@ -1,3 +1,46 @@
+wireshark (1.2.7-1ubuntu0.1) lucid-security; urgency=low
+
+ * SECURITY UPDATE: Fix SE memory corruption, Ensure the digest is
+ smaller than buffer before copying it. (LP: #682549)
+ - debian/patches/CVE-2010-4300.patch
+ - CVE-2010-4300
+ - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5318
+ * SECURITY UPDATE: Fix Buffer overflow in the MAC-LTE dissector.
+ (LP: #730415)
+ - debian/patches/CVE-2011-0444.patch
+ - CVE-2011-0444
+ - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5530
+ * SECURITY UPDATE: Fix buffer overflow in ENTTEC dissector. (LP: #730417)
+ - debian/patches/CVE-2010-4538.patch
+ - CVE-2010-4538
+ - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5530
+ * SECURITY UPDATE: Fix BER dissector was susceptible to a stack
+ overflow. (LP: #682549)
+ - debian/patches/CVE-2010-3445.patch
+ - CVE-2010-3445
+ - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230
+ * SECURITY UPDATE: Fix SigComp UDVM dissector buffer overruns. (LP: #730419)
+ - debian/patches/CVE-2010-2995.patch
+ - CVE-2010-2995
+ - CVE-2010-2287
+ - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4867
+ * SECURITY UPDATE: Fix crash triggered by opening a malformed pcap-ng
+ file. (LP: #730413)
+ - debian/patches/CVE-2011-0538.patch
+ - CVE-2011-0538
+ - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5652
+ * SECURITY UPDATE: Fix a buffer overflow found by the Visual C++ analyzer.
+ (LP: #730412)
+ - debian/patches/CVE-2011-0713.patch
+ - CVE-2011-0713
+ * SECURITY UPDATE: Fix crash when reading a large pcap-ng packet length.
+ (LP: #730409) + - debian/patches/CVE-2011-1139.patch + - CVE-2011-1139 + - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5661 + + -- Mahyuddin Susanto Mon, 07 Mar 2011 07:14:41 +0700 + wireshark (1.2.7-1) unstable; urgency=low * New upstream release 1.2.7 - release notes: diff -Nru wireshark-1.2.7/debian/control wireshark-1.2.7/debian/control --- wireshark-1.2.7/debian/control 2010-02-16 01:45:02.000000000 +0700 +++ wireshark-1.2.7/debian/control 2011-03-07 07:14:57.000000000 +0700 @@ -1,7 +1,8 @@ Source: wireshark Section: net Priority: optional -Maintainer: Balint Reczey +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Balint Reczey Uploaders: Joost Yervante Damad DM-Upload-Allowed: yes Standards-Version: 3.8.4 diff -Nru wireshark-1.2.7/debian/patches/CVE-2010-2995.patch wireshark-1.2.7/debian/patches/CVE-2010-2995.patch --- wireshark-1.2.7/debian/patches/CVE-2010-2995.patch 1970-01-01 07:00:00.000000000 +0700 +++ wireshark-1.2.7/debian/patches/CVE-2010-2995.patch 2011-03-07 11:28:21.000000000 +0700 
@@ -0,0 +1,33 @@
+Description: The SigComp Universal Decompressor Virtual Machine (UDVM) in Wireshark
+ 0.10.8 through 1.0.14 and 1.2.0 through 1.2.9 allows remote attackers to
+ cause a denial of service (crash) and possibly execute arbitrary code via
+ vectors related to sigcomp-udvm.c and an off-by-one error, which triggers a
+ buffer overflow, different vulnerabilities than CVE-2010-2287
+Origin: http://anonsvn.wireshark.org/viewvc?view=rev&revision=33134
+Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4837
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2995
+Bug-Ubuntu: https://launchpad.net/bugs/730419
+Index: wireshark-1.2.7/epan/sigcomp-udvm.c
+===================================================================
+--- wireshark-1.2.7.orig/epan/sigcomp-udvm.c 2011-03-07 08:02:28.807018190 +0700
++++ wireshark-1.2.7/epan/sigcomp-udvm.c 2011-03-07 08:01:30.855015895 +0700
+@@ -133,7 +133,7 @@
+ tvbuff_t *decomp_tvb;
+ guint8 buff[UDVM_MEMORY_SIZE];
+ char string[2];
+- guint8 *out_buff; /* Largest allowed size for a message is 65535 */
++ guint8 *out_buff; /* Largest allowed size for a message is UDVM_MEMORY_SIZE = 65536 */
+ guint32 i = 0;
+ guint16 n = 0;
+ guint16 m = 0;
+@@ -322,8 +322,8 @@
+ offset++;
+
+ }
+- /* Largest allowed size for a message is 65535 */
+- out_buff = g_malloc(65535);
++ /* Largest allowed size for a message is UDVM_MEMORY_SIZE = 65536 */
++ out_buff = g_malloc(UDVM_MEMORY_SIZE);
+ /* Start executing code */
+ current_address = udvm_start_ip;
+ input_address = 0;
diff -Nru wireshark-1.2.7/debian/patches/CVE-2010-3445.patch wireshark-1.2.7/debian/patches/CVE-2010-3445.patch
--- wireshark-1.2.7/debian/patches/CVE-2010-3445.patch 1970-01-01 07:00:00.000000000 +0700
+++ wireshark-1.2.7/debian/patches/CVE-2010-3445.patch 2011-03-07 07:47:29.000000000 +0700
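Review bot: The patch header and the changelog disagree about what this change covers: the Description calls the issue "different vulnerabilities than CVE-2010-2287", yet the changelog entry for this patch lists CVE-2010-2287 as fixed, and the upstream bug is id=4837 here but id=4867 in the changelog. The only code change is sizing `out_buff` with `g_malloc(UDVM_MEMORY_SIZE)` instead of 65535, so either drop CVE-2010-2287 from the changelog or add the change that addresses it. The writes into `out_buff` are outside the hunk, so it cannot be confirmed from here that every index stays below UDVM_MEMORY_SIZE. Once that is verified, a comment at the allocation stating which index range the size must cover would record the invariant instead of the literal `= 65536`, which goes stale if the macro changes.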
@@ -0,0 +1,84 @@ +Description: Fix BER dissector was susceptible to a stack overflow, taken from debian 1.2.11-3 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3445 +Bug-Ubuntu: https://launchpad.net/bugs/682549 +Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230 +Origin: http://anonsvn.wireshark.org/viewvc?view=revision&revision=34111 +Index: wireshark-1.2.7/epan/dissectors/packet-ber.c +=================================================================== +--- wireshark-1.2.7.orig/epan/dissectors/packet-ber.c 2011-03-07 07:42:39.683018141 +0700 ++++ wireshark-1.2.7/epan/dissectors/packet-ber.c 2011-03-07 07:42:11.243515908 +0700 +@@ -206,6 +206,13 @@ + gpointer user_data; + } da_data; + ++/* ++* Set a limit on recursion so we don't blow away the stack. Another approach ++* would be to remove recursion completely but then we'd exhaust CPU+memory ++* trying to read a hellabyte of nested indefinite lengths. ++* XXX - Max nesting in the ASN.1 plugin is 32. Should they match? ++*/ ++#define BER_MAX_NESTING 500 + + void + dissect_ber_oid_NULL_callback(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_) +@@ -373,7 +380,8 @@ + return offset; + } + +-int dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree) ++static int ++try_dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, gint nest_level) + { + int start_offset; + gint8 class; +@@ -389,6 +397,11 @@ + proto_item *pi, *cause; + asn1_ctx_t asn1_ctx; + ++ if (nest_level > BER_MAX_NESTING) { ++ /* Assume that we have a malformed packet. 
*/ ++ THROW(ReportedBoundsError); ++ } ++ + start_offset=offset; + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + +@@ -449,7 +462,7 @@ + } + item = proto_tree_add_item(tree, hf_ber_unknown_BER_OCTETSTRING, tvb, offset, len, FALSE); + next_tree = proto_item_add_subtree(item, ett_ber_octet_string); +- offset = dissect_unknown_ber(pinfo, tvb, offset, next_tree); ++ offset = try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1); + } else { + offset = dissect_ber_octet_string(FALSE, &asn1_ctx, tree, tvb, start_offset, hf_ber_unknown_OCTETSTRING, NULL); + } +@@ -562,7 +575,7 @@ + next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE); + } + while(offset < (int)(start_offset + len + hdr_len)) +- offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree); ++ offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1); + break; + case BER_CLASS_APP: + case BER_CLASS_CON: +@@ -573,7 +586,7 @@ + next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE); + } + while(offset < (int)(start_offset + len + hdr_len)) +- offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree); ++ offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1); + break; + + } +@@ -584,6 +597,11 @@ + return offset; + } + ++int ++dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree) ++{ ++ return try_dissect_unknown_ber(pinfo, tvb, offset, tree, 1); ++} + + int + call_ber_oid_callback(const char *oid, tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) diff -Nru wireshark-1.2.7/debian/patches/CVE-2010-4300.patch wireshark-1.2.7/debian/patches/CVE-2010-4300.patch --- wireshark-1.2.7/debian/patches/CVE-2010-4300.patch 1970-01-01 07:00:00.000000000 +0700 +++ wireshark-1.2.7/debian/patches/CVE-2010-4300.patch 2011-03-07 11:35:40.000000000 +0700 
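Review bot: `BER_MAX_NESTING 500` is not tied to any stack budget: each level of `try_dissect_unknown_ber` carries its own `asn1_ctx_t` and other locals, and the added comment itself leaves open whether the value should match the ASN.1 plugin's limit of 32. I would either lower the limit or document what it was sized against, e.g. `/* 500 frames of try_dissect_unknown_ber; must stay well below the smallest stack we run on */`. The guard covers only this function; other recursive BER routines in packet-ber.c are outside the hunk and would need the same counter if they can recurse on nesting taken from the packet. Because `dissect_unknown_ber` starts at 1 and the test is `nest_level > BER_MAX_NESTING`, exactly 500 levels are accepted, which is worth stating in the comment.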
@@ -0,0 +1,18 @@
+Description: Fix SE memory corruption reported, Ensure the digest is
+ smaller than buffer before copying it.
+Origin: http://anonsvn.wireshark.org/viewvc?view=revision&revision=34581
+Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5318
+Bug-Ubuntu: https://launchpad.net/bugs/682549
+Index: wireshark-1.2.7/epan/dissectors/packet-ldss.c
+===================================================================
+--- wireshark-1.2.7.orig/epan/dissectors/packet-ldss.c 2011-03-07 06:37:29.027030013 +0700
++++ wireshark-1.2.7/epan/dissectors/packet-ldss.c 2011-03-07 06:37:19.371721644 +0700
+@@ -607,6 +607,8 @@
+ tvb_get_ptr(tvb, offset+digest_type_len, linelen-digest_type_len),
+ digest_bytes, FALSE);
+
++ if(digest_bytes->len >= DIGEST_LEN)
++ digest_bytes->len = (DIGEST_LEN-1);
+ /* Ensure the digest is zero-padded */
+ transfer_info->file->digest = se_alloc0(DIGEST_LEN);
+ memcpy(transfer_info->file->digest, digest_bytes->data, digest_bytes->len);
diff -Nru wireshark-1.2.7/debian/patches/CVE-2010-4538.patch wireshark-1.2.7/debian/patches/CVE-2010-4538.patch
--- wireshark-1.2.7/debian/patches/CVE-2010-4538.patch 1970-01-01 07:00:00.000000000 +0700
+++ wireshark-1.2.7/debian/patches/CVE-2010-4538.patch 2011-03-07 11:29:06.000000000 +0700
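Review bot: The clamp silently truncates an oversized digest and rewrites `digest_bytes->len` in place, so a malformed LDSS message is afterwards handled as if it carried a valid, shorter digest. Prefer a local copy length that leaves the byte array untouched, e.g. `guint copy_len = MIN(digest_bytes->len, DIGEST_LEN-1);` followed by `memcpy(transfer_info->file->digest, digest_bytes->data, copy_len);`, and mark the packet as malformed when truncation happens. Clamping to `DIGEST_LEN-1` also drops the last byte of a digest that is exactly DIGEST_LEN long; whether the trailing zero byte is required depends on how `digest` is consumed, which is outside the hunk. The unbraced `if` should get braces.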
@@ -0,0 +1,46 @@
+Description: Buffer overflow in the sect_enttec_dmx_da function in
+ epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows remote attackers
+ to cause a denial of service (application crash) or possibly execute
+ arbitrary code via a crafted ENTTEC DMX packet with Run Length Encoding
+ (RLE) compression.
+Origin: http://anonsvn.wireshark.org/viewvc?view=rev&revision=35318
+Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5539
+Bug-Debian: http://bugs.debian.org/608990
+Bug-Ubuntu: https://launchpad.net/bugs730417
+Index: wireshark-1.2.7/epan/dissectors/packet-enttec.c
+===================================================================
+--- wireshark-1.2.7.orig/epan/dissectors/packet-enttec.c 2011-03-07 07:10:02.491534227 +0700
++++ wireshark-1.2.7/epan/dissectors/packet-enttec.c 2011-03-07 07:09:53.915019187 +0700
+@@ -195,8 +195,8 @@
+ "%3u: %s"
+ };
+
+- static guint8 dmx_data[512];
+- static guint16 dmx_data_offset[513]; /* 1 extra for last offset */
++ guint8 *dmx_data = ep_alloc(512 * sizeof(guint8));
++ guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */
+ emem_strbuf_t *dmx_epstr;
+
+ proto_tree *hi,*si;
+@@ -227,10 +227,10 @@
+ length = 512;
+
+ if (type == ENTTEC_DATA_TYPE_RLE) {
+- /* uncompres the DMX data */
++ /* uncompress the DMX data */
+ ui = 0;
+ ci = 0;
+- while (ci < length) {
++ while (ci < length && ui < 512) {
+ v = tvb_get_guint8(tvb, offset+ci);
+ if (v == 0xFE) {
+ ci++;
+@@ -238,7 +238,7 @@
+ ci++;
+ v = tvb_get_guint8(tvb, offset+ci);
+ ci++;
+- for (i=0;i < count;i++) {
++ for (i=0;i < count && ui < 512;i++) {
+ dmx_data[ui] = v;
+ dmx_data_offset[ui] = ci-3;
+ ui++;
diff -Nru wireshark-1.2.7/debian/patches/CVE-2011-0444.patch wireshark-1.2.7/debian/patches/CVE-2011-0444.patch
--- wireshark-1.2.7/debian/patches/CVE-2011-0444.patch 1970-01-01 07:00:00.000000000 +0700
+++ wireshark-1.2.7/debian/patches/CVE-2011-0444.patch 2011-03-07 11:30:24.000000000 +0700
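Review bot: The bound `512` is repeated as a bare literal in the allocation, the `length` clamp and both new loop conditions, so the buffer size and its guards can drift apart; one named constant (for example `#define ENTTEC_DMX_CHANNELS 512`, the name is only a suggestion) used in all of them keeps them tied together. `ep_alloc` returns uninitialised memory whereas the former `static` arrays started zeroed, so if any code after the hunk reads entries at or beyond `ui`, `ep_alloc0` is the safer replacement. The non-RLE branch and the remainder of the RLE loop are outside the hunk, so their bounds on `ui` could not be checked here. In the patch header, `Bug-Ubuntu: https://launchpad.net/bugs730417` is missing the slash before the bug number.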
@@ -0,0 +1,88 @@ +Description: Buffer overflow in the MAC-LTE dissector in + Wireshark 1.2.0 through 1.2.13 and 1.4.0 through 1.4.2 allows remote + attackers to cause a denial of service (crash) and possibly execute + arbitrary code via a large number of RARs. +Origin: http://anonsvn.wireshark.org/viewvc?view=rev&revision=35292, + http://anonsvn.wireshark.org/viewvc?view=rev&revision=35298 +Bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5530 +Bug-Ubuntu: https://launchpad.net/ubuntu/bugs/730415 +Index: wireshark-1.2.7/asn1/snmp/packet-snmp-template.c +=================================================================== +--- wireshark-1.2.7.orig/asn1/snmp/packet-snmp-template.c 2011-03-07 06:58:05.591017612 +0700 ++++ wireshark-1.2.7/asn1/snmp/packet-snmp-template.c 2011-03-07 06:57:45.091015510 +0700 +@@ -1732,7 +1732,7 @@ + guint engineLength, + guint8 *key ) { + sha1_context SH; +- guint8 *cp, password_buf[72]; ++ guint8 *cp, password_buf[64]; + guint32 password_index = 0; + guint32 count = 0, i; + +@@ -1766,7 +1766,9 @@ + memcpy(password_buf+20+engineLength, key, 20); + + sha1_starts(&SH); +- sha1_update(&SH, password_buf, 40+engineLength); ++ sha1_update(&SH, key, 20); ++ sha1_update(&SH, engineID, engineLength); ++ sha1_update(&SH, key, 20); + sha1_finish(&SH, key); + return; + } +@@ -1831,20 +1833,23 @@ + for (i=0; iengine.len < 5 || u->engine.len > 32) { ++ g_string_append_printf(es, "Invalid engineId length (%u). 
Must be between 5 and 32 (10 and 64 hex digits)\n", u->engine.len); ++ } + if ( u->user.userName.len == ue->user.userName.len + && u->engine.len == ue->engine.len ) { + + if (u->engine.len > 0 && memcmp( u->engine.data, ue->engine.data, u->engine.len ) == 0) { + if ( memcmp( u->user.userName.data, ue->user.userName.data, ue->user.userName.len ) == 0 ) { + /* XXX: make a string for the engineId */ +- g_string_append_printf(es,"duplicate key (userName='%s')\n",ue->user.userName.data); ++ g_string_append_printf(es,"Duplicate key (userName='%s')\n",ue->user.userName.data); + } + } + + if (u->engine.len == 0) { + if ( memcmp( u->user.userName.data, ue->user.userName.data, ue->user.userName.len ) == 0 ) { +- g_string_append_printf(es,"duplicate key (userName='%s' engineId=NONE)\n",ue->user.userName.data); ++ g_string_append_printf(es,"Duplicate key (userName='%s' engineId=NONE)\n",ue->user.userName.data); + } + } + } +Index: wireshark-1.2.7/epan/dissectors/packet-mac-lte.c +=================================================================== +--- wireshark-1.2.7.orig/epan/dissectors/packet-mac-lte.c 2011-03-07 06:58:12.095020429 +0700 ++++ wireshark-1.2.7/epan/dissectors/packet-mac-lte.c 2011-03-07 06:57:31.051028444 +0700 +@@ -458,13 +458,13 @@ + return offset; + } + +- ++#define MAX_RAR_PDUS 64 + /* Dissect Random Access Reponse (RAR) PDU */ + static void dissect_rar(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, + gint offset, mac_lte_info *p_mac_lte_info, mac_lte_tap_info *tap_info) + { + gint number_of_rars = 0; /* No of RAR bodies expected following headers */ +- guint8 rapids[64]; ++ guint8 *rapids = ep_alloc(MAX_RAR_PDUS * sizeof(guint8)); + gboolean backoff_indicator_seen = FALSE; + guint8 extension; + gint n; +@@ -566,7 +566,7 @@ + /* Finalise length of header tree selection */ + proto_item_set_len(rar_header_ti, offset - start_header_offset); + +- } while (extension); ++ } while (extension && number_of_rars < MAX_RAR_PDUS); + + /* Append summary to 
headers root */ + proto_item_append_text(rar_headers_ti, " (%u RARs%s)", diff -Nru wireshark-1.2.7/debian/patches/CVE-2011-0538.patch wireshark-1.2.7/debian/patches/CVE-2011-0538.patch --- wireshark-1.2.7/debian/patches/CVE-2011-0538.patch 1970-01-01 07:00:00.000000000 +0700 +++ wireshark-1.2.7/debian/patches/CVE-2011-0538.patch 2011-03-07 11:33:12.000000000 +0700 
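Review bot: In `packet-snmp-template.c` `password_buf` shrinks from 72 to 64 bytes, but the context line `memcpy(password_buf+20+engineLength, key, 20);` just above `sha1_starts(&SH)` is still part of the new code, so it writes up to offset 40+engineLength and runs past the buffer once engineLength exceeds 24. The added length check in the users callback only appends an error string for lengths outside 5–32 and, from what is visible, does not stop the key from being localized; even an accepted length of 32 needs 72 bytes. Since the three new `sha1_update` calls no longer read `password_buf`, delete the leftover `memcpy` into it (and any earlier copies outside the hunk) or keep `password_buf[72]`. This SNMP change is also unrelated to the MAC-LTE issue named in the Description and deserves its own patch file and changelog line.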
@@ -0,0 +1,41 @@ +Description: Wireshark 1.5.0, 1.4.3, and earlier frees an uninitialized + pointer during processing of a .pcap file in the pcap-ng format, which + allows remote attackers to cause a denial of service (memory corruption) + or possibly have unspecified other impact via a malformed file. +Origin: http://anonsvn.wireshark.org/viewvc?view=revision&revision=35793 +Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613202 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0538 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613202 +Bug-Ubuntu: https://launchpad.net/bugs/730413 +Index: wireshark-1.2.7/tshark.c +=================================================================== +--- wireshark-1.2.7.orig/tshark.c 2011-03-07 09:59:54.679018191 +0700 ++++ wireshark-1.2.7/tshark.c 2011-03-07 09:50:50.839025597 +0700 +@@ -2172,7 +2172,7 @@ + int snapshot_length; + wtap_dumper *pdh; + int err; +- gchar *err_info; ++ gchar *err_info = NULL; + gint64 data_offset; + char *save_file_string = NULL; + +Index: wireshark-1.2.7/wiretap/pcapng.c +=================================================================== +--- wireshark-1.2.7.orig/wiretap/pcapng.c 2011-03-07 09:59:55.943016958 +0700 ++++ wireshark-1.2.7/wiretap/pcapng.c 2011-03-07 09:53:59.523017337 +0700 +@@ -762,12 +762,14 @@ + pcapng_debug2("pcapng_read_packet_block:cap_len %d is larger than packet_len %u.", + wblock->data.packet.cap_len, wblock->data.packet.packet_len); + *err = WTAP_ERR_BAD_RECORD; ++ *err_info = strdup("pcapng_read_packet_block:cap_len is larger than packet_len"); + return 0; + } + if (wblock->data.packet.cap_len > WTAP_MAX_PACKET_SIZE) { + pcapng_debug2("pcapng_read_packet_block:cap_len %d is larger than WTAP_MAX_PACKET_SIZE %u.", + wblock->data.packet.cap_len, WTAP_MAX_PACKET_SIZE); + *err = WTAP_ERR_BAD_RECORD; ++ *err_info = strdup("pcapng_read_packet_block:cap_len is larger than WTAP_MAX_PACKET_SIZE"); + return 0; + } + 
pcapng_debug3("pcapng_read_packet_block: packet data: packet_len %u captured_len %u interface_id %u", diff -Nru wireshark-1.2.7/debian/patches/CVE-2011-0713.patch wireshark-1.2.7/debian/patches/CVE-2011-0713.patch --- wireshark-1.2.7/debian/patches/CVE-2011-0713.patch 1970-01-01 07:00:00.000000000 +0700 +++ wireshark-1.2.7/debian/patches/CVE-2011-0713.patch 2011-03-07 11:41:00.000000000 +0700 @@ -0,0 +1,29 @@ +Description: Heap-based buffer overflow in wiretap/dct3trace.c in Wireshark 1.2.0 + through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a + denial of service (application crash) or possibly have unspecified other + impact via a long record in a Nokia DCT3 trace file. + Origin: http://anonsvn.wireshark.org/viewvc?view=revision&revision=35793 +Origin: http://anonsvn.wireshark.org/viewvc?revision=35953 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0713 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613202 +Bug-Ubuntu: https://launchpad.net/bugs/730412 +Index: wireshark-1.2.7/wiretap/dct3trace.c +=================================================================== +--- wireshark-1.2.7.orig/wiretap/dct3trace.c 2011-03-07 10:13:15.059016621 +0700 ++++ wireshark-1.2.7/wiretap/dct3trace.c 2011-03-07 10:13:05.635016976 +0700 +@@ -391,7 +391,14 @@ + len, buf_len); + return FALSE; + } +- ++ ++ if( buf_len > MAX_PACKET_LEN) ++ { ++ *err = WTAP_ERR_BAD_RECORD; ++ *err_info = g_strdup_printf("dct3trace: record length %d too long", buf_len); ++ return FALSE; ++ } ++ + memcpy( pd, buf, buf_len ); + return TRUE; + } diff -Nru wireshark-1.2.7/debian/patches/CVE-2011-1139.patch wireshark-1.2.7/debian/patches/CVE-2011-1139.patch --- wireshark-1.2.7/debian/patches/CVE-2011-1139.patch 1970-01-01 07:00:00.000000000 +0700 +++ wireshark-1.2.7/debian/patches/CVE-2011-1139.patch 2011-03-07 10:33:57.000000000 +0700 
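Review bot: The two new `*err_info` assignments in `wiretap/pcapng.c` use `strdup()`, while the other patches in this upload fill `err_info` with `g_strdup_printf()`; if callers release the string with `g_free()`, which is not visible here, the allocators should match. Use `*err_info = g_strdup("pcapng_read_packet_block:cap_len is larger than packet_len");` and the same for the second message, or `g_strdup_printf` to keep the offending values that the debug line already prints. Only `tshark.c` gets `err_info = NULL`; any other caller that frees `err_info` after a failed read is outside this patch and would need the same initialisation.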
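Review bot: The new guard in `wiretap/dct3trace.c` rejects only `buf_len > MAX_PACKET_LEN`; the `%d` in the error message suggests `buf_len` is a signed int, and if so a negative value would pass the test and reach `memcpy( pd, buf, buf_len )` converted to a very large size. If the declaration (outside the hunk) is indeed signed, tighten the test to `if( buf_len < 0 || buf_len > MAX_PACKET_LEN)`. The check also runs after `buf` has been filled, so it protects `pd` only; the bound on writes into `buf` is outside the hunk. In the header, the indented ` Origin: ...revision=35793` line is read as part of the Description and repeats the revision cited by CVE-2011-0538.patch, so it looks like a leftover.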
@@ -0,0 +1,38 @@ +Description: wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 + allows remote attackers to cause a denial of service (application crash) + via a pcap-ng file that contains a large packet-length field. +Origin: http://anonsvn.wireshark.org/viewvc?view=revision&revision=35858 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1139 +Index: wireshark-1.2.7/wiretap/pcapng.c +=================================================================== +--- wireshark-1.2.7.orig/wiretap/pcapng.c 2011-03-07 10:30:51.999017233 +0700 ++++ wireshark-1.2.7/wiretap/pcapng.c 2011-03-07 10:30:28.367016924 +0700 +@@ -776,7 +776,13 @@ + wblock->data.packet.packet_len, + wblock->data.packet.cap_len, + wblock->data.packet.interface_id); +- ++ if (wblock->data.packet.packet_len > WTAP_MAX_PACKET_SIZE) { ++ *err = WTAP_ERR_BAD_RECORD; ++ *err_info = g_strdup_printf("pcapng_read_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.", ++ wblock->data.packet.packet_len, WTAP_MAX_PACKET_SIZE); ++ return 0; ++ } ++ + wtap_encap = pcapng_get_encap(wblock->data.packet.interface_id, pn); + pcapng_debug3("pcapng_read_packet_block: encapsulation = %d (%s), pseudo header size = %d.", + wtap_encap, +@@ -936,7 +942,12 @@ + } + pcapng_debug1("pcapng_read_simple_packet_block: packet data: packet_len %u", + wblock->data.simple_packet.packet_len); +- ++ if (wblock->data.simple_packet.packet_len > WTAP_MAX_PACKET_SIZE) { ++ *err = WTAP_ERR_BAD_RECORD; ++ *err_info = g_strdup_printf("pcapng_read_simple_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.", ++ wblock->data.simple_packet.packet_len, WTAP_MAX_PACKET_SIZE); ++ return 0; ++ } + encap = pcapng_get_encap(0, pn); + pcapng_debug1("pcapng_read_simple_packet_block: Need to read pseudo header of size %d", + pcap_get_phdr_size(encap, wblock->pseudo_header)); diff -Nru wireshark-1.2.7/debian/patches/series wireshark-1.2.7/debian/patches/series --- 
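Review bot: Neither new `packet_len > WTAP_MAX_PACKET_SIZE` check says which later use of `packet_len` it protects, and both sit after the `pcapng_debug` call that already prints the value. A short comment such as `/* packet_len sizes later reads; reject oversized values before use */` (to be confirmed against the code after the hunk) would make the intent reviewable. In `pcapng_read_packet_block` `packet_len` is checked alongside a separate `cap_len`, so if it is the original on-the-wire length, rejecting on it may also refuse captures whose packets were truncated by a snapshot length; please confirm that is intended. The patch header carries no `Bug:` or `Bug-Ubuntu:` line although the changelog cites bug 5661 and LP: #730409. Both functions continue outside the hunk.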
wireshark-1.2.7/debian/patches/series 2010-03-17 22:59:17.000000000 +0700 +++ wireshark-1.2.7/debian/patches/series 2011-03-07 10:26:41.000000000 +0700 @@ -14,3 +14,11 @@ 16_licence_about_location.patch 21_dumpcap.patch 23_lintian-overrides.patch +CVE-2010-4300.patch +CVE-2011-0444.patch +CVE-2010-4538.patch +CVE-2010-3445.patch +CVE-2010-2995.patch +CVE-2011-0538.patch +CVE-2011-0713.patch +CVE-2011-1139.patch