Version in base suite: 0.10.10-2sarge10
Version in overlay suite: 0.10.10-2sarge11
Base version: ethereal_0.10.10-2sarge10
Target version: ethereal_0.10.10-2sarge11
Base file: /org/ftp.debian.org/ftp/pool/main/e/ethereal/ethereal_0.10.10-2sarge10.dsc
Target file: /org/ftp.debian.org/ftp/pool/main/e/ethereal/ethereal_0.10.10-2sarge11.dsc
diff -u ethereal-0.10.10/debian/changelog ethereal-0.10.10/debian/changelog
--- ethereal-0.10.10/debian/changelog
+++ ethereal-0.10.10/debian/changelog
@@ -1,3 +1,10 @@
+ethereal (0.10.10-2sarge11) oldstable-security; urgency=high
+
+ * Backport two further security fixes from 0.99.7 reported later:
+ CVE-2007-6450, CVE-2007-6451
+
+ -- Moritz Muehlenhoff Tue, 1 Jan 2008 18:33:10 +0000
+
 ethereal (0.10.10-2sarge10) oldstable-security; urgency=high
 * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- ethereal-0.10.10.orig/epan/dissectors/packet-cip.c
+++ ethereal-0.10.10/epan/dissectors/packet-cip.c
@@ -388,6 +388,9 @@
 tmp2_length = ( length * 2 ) + 1;
 }
+
+ /* Throw an exception if tmp_length is negative */
+ tvb_ensure_bytes_exist( tvb, start, tmp_length );
 tmp = tvb_get_ptr( tvb, start, tmp_length );
 tmp2 = (char*)g_malloc( tmp2_length );
only in patch2:
unchanged:
--- ethereal-0.10.10.orig/epan/dissectors/packet-rpl.c
+++ ethereal-0.10.10/epan/dissectors/packet-rpl.c
@@ -148,11 +148,16 @@
 reported_length = tvb_reported_length_remaining(tvb, offset);
 if (reported_length > sublen) reported_length = sublen;
- dissect_rpl_container(tvb_new_subset(tvb,
+ if ( length > 0) {
+ dissect_rpl_container(tvb_new_subset(tvb,
 offset, length, reported_length), pinfo, rpl_container_tree);
-
- offset += sublen;
+ offset += reported_length;
+ } else {
+ /* no more data, exit the loop */
+ offset += reported_length;
+ break;
+ }
 }
 break;
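Review bot: The comment added above `tvb_ensure_bytes_exist( tvb, start, tmp_length )` in packet-cip.c says the call throws on a negative `tmp_length`, but not why that matters at this spot. `tvb_get_ptr` on the following line accepts a length of -1 as "to the end of the buffer", so a negative value would otherwise pass the fetch without an error. I would state that in the comment, e.g. `/* tvb_get_ptr() treats -1 as "to end of tvb"; reject a negative tmp_length before fetching */`. The check also leaves `tmp2_length` unbounded: it is derived from `length` just above and handed to `g_malloc`, and whether `length` is validated earlier cannot be seen because the function starts and ends outside the hunk.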
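Review bot: In the packet-rpl.c hunk the new guard tests only `length`, while the value added to `offset` in both branches is `reported_length`, which is not checked for being positive. `tvb_reported_length_remaining` can return a non-positive value when `offset` is at or past the end, so the `else` branch may move `offset` backwards or not at all just before the `break`. If nothing after the loop relies on that update, I would tighten the guard to `if (length > 0 && reported_length > 0) {` and reduce the `else` body to `break;`. How `length` and `sublen` are set is outside the hunk, so this is inferred from the visible lines only.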