Commits (2)
sane-backends (1.0.24-8+deb8u2) stable; urgency=medium

  * CVE-2017-6318:
    - New debian/patches/0500-CVE-2017-6318.patch
      + cherry-picked from upstream to fix memory corruption and
        information leakage (Closes: #854804).

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Wed, 19 Apr 2017 11:51:22 +0200

sane-backends (1.0.24-8+deb8u1) stable; urgency=medium

  * Cherry-picked systemd handling from unstable (Closes: #791961):
    - Rewrite debian/saned@.service to prevent errors by network scanning.
    - New debian/sane-utils.links:
      + Add a link from /dev/null to /lib/systemd/system/saned.service
        to prevent start via fallback script /etc/init.d/saned.
    - Add year 2016 to debian/copyright.

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Wed, 27 Jan 2016 07:48:32 +0100

sane-backends (1.0.24-8) unstable; urgency=medium

  * New debian/patches/0100-usb3-corrections.patch:
......
......@@ -13,7 +13,7 @@ Copyright: 1997-2002 Kevin Dalley <kevind@rahul.net>
2002-2011 Julien BLACHE <jblache@debian.org>
2002-2006 Aurélien Jarno <aurel32@debian.org>
2013 Mark Buda <hermit@acm.org>
2014 Jörg Frings-Fürst <debian@jff-webhosting.net>
2014-2016 Jörg Frings-Fürst <debian@jff-webhosting.net>
License: GPL-2+ with sane exception
Files: backend/abaton.*
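Review bot: the maintainer line is widened to "2014-2016" to match the +deb8u1 changelog entry, but the +deb8u2 upload on this same page is dated April 2017 and adds a new Debian-authored patch file, so that line should now read "2014-2017"; otherwise debian/copyright lags the changelog again the moment this is uploaded.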
......
Description: Address memory corruption and information leakage
cheery-picked from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
Forwarded: not-needed
Last-Update: 2017-04-19
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
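Review bot: the DEP-3 header has a typo in the Description ("cheery-picked" should be "cherry-picked"), and the file it describes is called 0500-CVE-2017-6318.patch in the changelog while the series entry further down reads 0505-CVE-2017-6318.patch; pick one name and use it everywhere. Since Origin already points at upstream commit 42896939822b44f44ecd1b6d35afdfa4473ed35d, "Forwarded: not-needed" is correct, but DEP-3 expects a category before the URL ("Origin: upstream, https://...") so tooling can classify this as a backport rather than a Debian-local change.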
Index: jessie/frontend/saned.c
===================================================================
--- jessie.orig/frontend/saned.c
+++ jessie/frontend/saned.c
@@ -1986,6 +1986,38 @@ process_request (Wire * w)
return 1;
}
+ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
+ /* This is done here (rather than in sanei/sanei_wire.c where
+ * it should be done) to minimize scope of impact and amount
+ * of code change.
+ */
+ if (w->direction == WIRE_DECODE
+ && req.value_type == SANE_TYPE_STRING
+ && req.action == SANE_ACTION_GET_VALUE)
+ {
+ if (req.value)
+ {
+ /* FIXME: If req.value contains embedded NUL
+ * characters, this is wrong but we do not have
+ * access to the amount of memory allocated in
+ * sanei/sanei_wire.c at this point.
+ */
+ w->allocated_memory -= (1 + strlen (req.value));
+ free (req.value);
+ }
+ req.value = malloc (req.value_size);
+ if (!req.value)
+ {
+ w->status = ENOMEM;
+ DBG (DBG_ERR,
+ "process_request: (control_option) "
+ "h=%d (%s)\n", req.handle, strerror (w->status));
+ return 1;
+ }
+ memset (req.value, 0, req.value_size);
+ w->allocated_memory += req.value_size;
+ }
+
can_authorize = 1;
memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
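Review bot: the new allocation takes req.value_size straight off the wire and nothing in this hunk bounds it, so a remote client can make saned allocate and zero an arbitrarily large buffer on every control_option request; if process_request already validates value_size against the option descriptor's size earlier in the function, say so in the comment, otherwise add that check before the malloc. The bug reference in the comment ("Debian BTS #853804") does not match the changelog and the DEP-3 header (#854804); one of them is wrong. The FIXME is right that w->allocated_memory drifts when the client string carried embedded NULs, because strlen() under-counts what sanei_wire actually allocated; keeping the decoded length next to req.value would make the accounting exact. Minor: malloc followed by memset is calloc (1, req.value_size).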
......@@ -22,3 +22,4 @@ hp5370c.patch
out_of_bounds.patch
0500-systemd_configure.patch
0100-usb3-corrections.patch
0505-CVE-2017-6318.patch
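Review bot: 0505-CVE-2017-6318.patch does not match the name given in the changelog entry (0500-CVE-2017-6318.patch). If the file on disk is 0500-..., quilt will abort the build on the missing 0505 entry; if it is 0505-..., the changelog and the DEP-3 header need updating. Because 0500-systemd_configure.patch already uses the 0500 prefix, 0505 is the less confusing name to keep.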
/dev/null /lib/systemd/system/saned.service
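Review bot: shipping /lib/systemd/system/saned.service as a symlink to /dev/null masks the unit, so systemd's sysv generator can no longer start saned from /etc/init.d/saned, which is what the changelog says is intended. The side effect is that saned.socket plus the saned@.service template becomes the only supported way to run saned under systemd; an admin who wants the standalone daemon (saned -a) now has to write their own unit. A sentence to that effect in the changelog entry or README.Debian would save bug reports.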
......@@ -6,7 +6,7 @@ Requires=saned.socket
ExecStart=/usr/sbin/saned
User=saned
Group=saned
StandardInput=socket
StandardInput=null
StandardOutput=syslog
StandardError=syslog
Environment=SANE_CONFIG_DIR=/etc/sane.d
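Review bot: changing StandardInput=socket to StandardInput=null means systemd no longer hands the accepted connection to saned on fd 0/1/2, so this only works if the packaged saned is built with systemd support and picks the connection up via sd_listen_fds(); if that is the case, say so in a comment in the unit, because the changelog line "prevent errors by network scanning" does not explain the mechanism. If it is not the case, saned will read from /dev/null and every connection will fail. The saned.socket unit that must carry Accept=yes for this template to be used is not shown on this page; please confirm it is unchanged.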
......@@ -14,4 +14,3 @@ Environment=SANE_CONFIG_DIR=/etc/sane.d
[Install]
Also=saned.socket
Alias=saned
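Review bot: the hunk drops one line from [Install] (four lines become three) but the rendering does not show which one. Whichever it is, an [Install] section on a template unit is of limited use here: instances of saned@.service are spawned by saned.socket and are not enabled directly, and systemctl enable on a template without DefaultInstance= is generally refused. Either drop the [Install] section and rely on saned.socket being enabled, or add a comment explaining why Also=saned.socket and Alias=saned are kept.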