Bug#860907: unblock: sane-backends/1.0.25-4
Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian.org@packages.debian.org
Usertags: unblock
Hello!
sane-backends_1.0.25-4 contains a single, cherry-picked patch
from upstream to address an RC bug which is the vulnerability
CVE-2017-6318.
Debdiff attached.
Thanks,
Adrian
unblock sane-backends/1.0.25-4
-- System Information:
Debian Release: 9.0
APT prefers buildd-unstable
APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64
(x86_64)
Foreign Architectures: i386
Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru sane-backends-1.0.25/debian/changelog sane-backends-1.0.25/debian/changelog
--- sane-backends-1.0.25/debian/changelog 2016-12-10 13:45:15.000000000 +0100
+++ sane-backends-1.0.25/debian/changelog 2017-04-19 12:07:38.000000000 +0200
@@ -1,3 +1,12 @@
+sane-backends (1.0.25-4) unstable; urgency=medium
+
+ * CVE-2017-6318:
+ - New debian/patches/0500-CVE-2017-6318.patch
+ + cherry-picked from upstream to fix memory corruption and
+ information leakage (Closes: #854804).
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 19 Apr 2017 12:07:38 +0200
+
sane-backends (1.0.25-3) unstable; urgency=medium
* debian/rules:
diff -Nru sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch
--- sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch 1970-01-01 01:00:00.000000000 +0100
+++ sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch 2017-04-19 07:50:23.000000000 +0200
@@ -0,0 +1,52 @@
+Description: Address memory corruption and information leakage
+ cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
+Forwarded: not-needed
+Last-Update: 2017-04-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 1.0.25-3x/frontend/saned.c
+===================================================================
+--- 1.0.25-3x.orig/frontend/saned.c
++++ 1.0.25-3x/frontend/saned.c
+@@ -1987,6 +1987,38 @@ process_request (Wire * w)
+ return 1;
+ }
+
++ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++ /* This is done here (rather than in sanei/sanei_wire.c where
++ * it should be done) to minimize scope of impact and amount
++ * of code change.
++ */
++ if (w->direction == WIRE_DECODE
++ && req.value_type == SANE_TYPE_STRING
++ && req.action == SANE_ACTION_GET_VALUE)
++ {
++ if (req.value)
++ {
++ /* FIXME: If req.value contains embedded NUL
++ * characters, this is wrong but we do not have
++ * access to the amount of memory allocated in
++ * sanei/sanei_wire.c at this point.
++ */
++ w->allocated_memory -= (1 + strlen (req.value));
++ free (req.value);
++ }
++ req.value = malloc (req.value_size);
++ if (!req.value)
++ {
++ w->status = ENOMEM;
++ DBG (DBG_ERR,
++ "process_request: (control_option) "
++ "h=%d (%s)\n", req.handle, strerror (w->status));
++ return 1;
++ }
++ memset (req.value, 0, req.value_size);
++ w->allocated_memory += req.value_size;
++ }
++
+ can_authorize = 1;
+
+ memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
diff -Nru sane-backends-1.0.25/debian/patches/series sane-backends-1.0.25/debian/patches/series
--- sane-backends-1.0.25/debian/patches/series 2016-08-21 15:18:29.000000000 +0200
+++ sane-backends-1.0.25/debian/patches/series 2017-04-19 07:16:16.000000000 +0200
@@ -17,3 +17,4 @@
0710-sane-desc.c_debian_mods.patch
0125-multiarch_dll_search_path.patch
0135-saned-remotescanners.patch
+0500-CVE-2017-6318.patch
Reply to: