CVE-2011-0538 Wireshark: memory corruption when reading a malformed pcap file

Bug #730413 reported by Mahyuddin Susanto
Affects             Status   Importance  Assigned to         Milestone
wireshark (Ubuntu)  Invalid  Medium      Unassigned
Karmic              Invalid  Medium      Unassigned
Lucid               Invalid  Medium      Mahyuddin Susanto
Maverick            Invalid  Medium      Unassigned

Bug Description


 affects ubuntu/wireshark
 status inprogress
 assignee udienz
 importance medium
 security yes
 done

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0538 to
the following vulnerability:

Name: CVE-2011-0538
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0538
Assigned: 20110120
Reference: MLIST:[oss-security] 20110204 Wireshark: Freeing uninitialized pointer
Reference: URL:http://openwall.com/lists/oss-security/2011/02/04/1
Reference: MISC:https://srcm.symantec.com/EditVulnerabilityFixes.aspx?docId=549474
Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5652
Reference: BID:46167
Reference: URL:http://www.securityfocus.com/bid/46167

Wireshark 1.5.0, 1.4.3, and earlier frees an uninitialized pointer
during processing of a .pcap file in the pcap-ng format, which allows
remote attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via a malformed file.

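As an added illustration of the bug class named in the CVE text above (a constructed example, not Wireshark's wiretap code): a minimal pcap-ng block reader whose shared error label frees a pointer that was never assigned, beside the hardened form that starts the pointer at NULL so the same cleanup path is safe on every exit. The names rd32, read_block_unsafe and read_block_safe and the 12-byte minimum block length are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PCAPNG_MIN_BLOCK_LEN 12u   /* type(4) + total length(4) + trailing total length(4) */

static uint32_t rd32(const uint8_t *p)          /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Defective form: the shared error label frees 'body' on paths where it was never assigned. */
static int read_block_unsafe(const uint8_t *buf, size_t len, uint32_t *type_out)
{
    uint8_t *body;                               /* indeterminate until malloc() below */
    uint32_t block_len;
    if (len < 8) goto fail;                      /* jumps with body uninitialized */
    block_len = rd32(buf + 4);
    if (block_len < PCAPNG_MIN_BLOCK_LEN || block_len > len) goto fail;   /* same problem */
    body = malloc(block_len - 8);
    if (!body) goto fail;                        /* this path alone would be fine: free(NULL) */
    memcpy(body, buf + 8, block_len - 8);
    if (type_out) *type_out = rd32(buf);
    free(body);
    return 0;
fail:
    free(body);   /* free of an uninitialized pointer: the bug class the CVE text describes */
    return -1;
}

/* Hardened form: pointer starts NULL, so one cleanup path is safe on every exit. */
static int read_block_safe(const uint8_t *buf, size_t len, uint32_t *type_out)
{
    uint8_t *body = NULL;
    uint32_t block_len;
    int rc = -1;
    if (len < 8) goto out;
    block_len = rd32(buf + 4);
    if (block_len < PCAPNG_MIN_BLOCK_LEN || block_len > len) goto out;
    body = malloc(block_len - 8);
    if (!body) goto out;
    memcpy(body, buf + 8, block_len - 8);
    if (rd32(body + block_len - 12) != block_len) goto out;   /* trailing length must match */
    if (type_out) *type_out = rd32(buf);
    rc = 0;
out:
    free(body);                                  /* free(NULL) is a defined no-op */
    return rc;
}
```

Only the hardened reader is safe to call on malformed input; the defective one is kept for comparison and must only be fed well-formed blocks.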

visibility: private → public
Mahyuddin Susanto (udienz) wrote :

Attached lucid patch, fixing:
 - CVE-2010-4300 LP: #682549
 - CVE-2011-0444 LP: #730415
 - CVE-2010-4538 LP: #730417
 - CVE-2010-3445 LP: #682549
 - CVE-2010-2995 CVE-2010-2287 LP: #730419
 - CVE-2011-0538 LP: #730413
 - CVE-2011-0713 LP: #730412
 - CVE-2011-1139 LP: #730409

Changed in wireshark (Ubuntu):
assignee: Mahyuddin Susanto (udienz) → nobody
status: In Progress → New
Micah Gersten (micahg) wrote :

This was fixed in natty with 1.4.4-1

Changed in wireshark (Ubuntu):
status: New → Fix Released
Changed in wireshark (Ubuntu Karmic):
importance: Undecided → Medium
Changed in wireshark (Ubuntu Lucid):
importance: Undecided → Medium
Changed in wireshark (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Triaged
Changed in wireshark (Ubuntu Karmic):
status: New → Triaged
Micah Gersten (micahg)
Changed in wireshark (Ubuntu Lucid):
status: New → Triaged
status: Triaged → New
Changed in wireshark (Ubuntu Lucid):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for preparing this update! Unfortunately I have to NACK the lucid debdiff for the following reasons:
* debian/patches/CVE-2011-0444.patch lists this as fixing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5530, and there are two commits for this (as mentioned in the patch):
 http://anonsvn.wireshark.org/viewvc?view=rev&revision=35292
 http://anonsvn.wireshark.org/viewvc?view=rev&revision=35298

However the patch to epan/dissectors/packet-snmp.c is missing.

* debian/patches/CVE-2010-3445.patch lists this as fixing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230, with the fix in http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ber.c?r1=34111&r2=34110&pathrev=34111&view=patch. Now, packet-ber.c differs a bit in Lucid as opposed to later releases of wireshark, but I found this at the end of the patch:
@@ -1001,7 +1013,7 @@
  tmp_length = 0;
  tmp_ind = FALSE;

- if (nest_level > BER_MAX_INDEFINITE_NESTING) {
+ if (nest_level > BER_MAX_NESTING) {
   /* Assume that we have a malformed packet. */
   THROW(ReportedBoundsError);
  }
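Review bot: this hunk shows only the comparison constant changing from BER_MAX_INDEFINITE_NESTING to BER_MAX_NESTING, and its header @@ -1001,7 +1013,7 @@ indicates twelve lines added earlier in packet-ber.c that are not quoted here; since the Lucid source has no nest_level check at all, a backport that copies just this if statement would also need the definition of BER_MAX_NESTING and the code that maintains nest_level across the recursive calls, otherwise THROW(ReportedBoundsError) can never fire. Suggest confirming in the debdiff that those earlier lines were carried over together with this hunk.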

The Lucid version does not have the if statement at all, but I wonder if it should use the patched version. Can you comment?

* debian/patches/CVE-2011-0538.patch uses the Debian bug for both 'Bug' and 'Bug-Debian'. It should use https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5652 for 'Bug'.

* debian/patches/CVE-2011-0713.patch has two 'Origin' statements, but no upstream 'Bug' statement. One of the Origin statements is wrong and is for CVE-2011-0538. The correct one should be http://anonsvn.wireshark.org/viewvc?revision=35953&view=revision.

* debian/patches/CVE-2011-1139.patch does not reference the upstream bug (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5661) or the Ubuntu bug (https://launchpad.net/bugs/730409).

Please adjust the debdiff for the above issues, and respond to my question regarding the 'if (nest_level > BER_MAX_NESTING)' test in the patch for CVE-2010-3445. Thanks!

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Please also detail the testing performed for packages you compiled with the update.

Changed in wireshark (Ubuntu Lucid):
assignee: nobody → Mahyuddin Susanto (udienz)
status: Confirmed → Incomplete
Jamie Strandboge (jdstrand) wrote :

One more thing, the debian/changelog states that debian/patches/CVE-2010-2995.patch fixes CVE-2010-2287, but it does not. The fixes for CVE-2010-2287 are:
 http://anonsvn.wireshark.org/viewvc?view=revision&revision=33061
 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4826

tags: added: patch-needswork
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in wireshark (Ubuntu Karmic):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in wireshark (Ubuntu Maverick):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in wireshark (Ubuntu):
status: Fix Released → Invalid
Changed in wireshark (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in wireshark (Ubuntu Maverick):
status: Won't Fix → Invalid
Changed in wireshark (Ubuntu Karmic):
status: Won't Fix → Invalid
This report contains Public Security information  
Everyone can see this security related information.