
Bug#860907: marked as done (unblock: sane-backends/1.0.25-4)



Your message dated Fri, 21 Apr 2017 17:27:00 +0000
with message-id <acf5e192-e940-8251-41fe-d7ffc71f157e@thykier.net>
and subject line Re: Bug#860907: unblock: sane-backends/1.0.25-4
has caused the Debian Bug report #860907,
regarding unblock: sane-backends/1.0.25-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860907: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860907
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello!

sane-backends_1.0.25-4 contains a single, cherry-picked patch
from upstream to address an RC bug which is the vulnerability
CVE-2017-6318.

Debdiff attached.

Thanks,
Adrian

unblock sane-backends/1.0.25-4

-- System Information:
Debian Release: 9.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru sane-backends-1.0.25/debian/changelog sane-backends-1.0.25/debian/changelog
--- sane-backends-1.0.25/debian/changelog	2016-12-10 13:45:15.000000000 +0100
+++ sane-backends-1.0.25/debian/changelog	2017-04-19 12:07:38.000000000 +0200
@@ -1,3 +1,12 @@
+sane-backends (1.0.25-4) unstable; urgency=medium
+
+  * CVE-2017-6318:
+    - New debian/patches/0500-CVE-2017-6318.patch
+      + cherry-picked from upstream to fix memory corruption and
+        information leakage (Closes: #854804).
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Wed, 19 Apr 2017 12:07:38 +0200
+
 sane-backends (1.0.25-3) unstable; urgency=medium
 
   * debian/rules:
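Review bot: the changelog entry says the fix is "cherry-picked from upstream" but does not name the upstream commit; the DEP-3 header of the new patch identifies it as 42896939822b44f44ecd1b6d35afdfa4473ed35d, and for a CVE fix it helps the security team and anyone auditing stretch to see that hash in the changelog too, e.g. "cherry-picked from upstream commit 4289693 to fix memory corruption and information leakage". Minor: security fixes in Debian are usually uploaded with urgency=high rather than urgency=medium so they migrate sooner.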
diff -Nru sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch
--- sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch	1970-01-01 01:00:00.000000000 +0100
+++ sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch	2017-04-19 07:50:23.000000000 +0200
@@ -0,0 +1,52 @@
+Description: Address memory corruption and information leakage
+ cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
+Forwarded: not-needed
+Last-Update: 2017-04-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 1.0.25-3x/frontend/saned.c
+===================================================================
+--- 1.0.25-3x.orig/frontend/saned.c
++++ 1.0.25-3x/frontend/saned.c
+@@ -1987,6 +1987,38 @@ process_request (Wire * w)
+ 	    return 1;
+ 	  }
+ 
++        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++        /* This is done here (rather than in sanei/sanei_wire.c where
++         * it should be done) to minimize scope of impact and amount
++         * of code change.
++         */
++        if (w->direction == WIRE_DECODE
++            && req.value_type == SANE_TYPE_STRING
++            && req.action     == SANE_ACTION_GET_VALUE)
++          {
++            if (req.value)
++              {
++                /* FIXME: If req.value contains embedded NUL
++                 *        characters, this is wrong but we do not have
++                 *        access to the amount of memory allocated in
++                 *        sanei/sanei_wire.c at this point.
++                 */
++                w->allocated_memory -= (1 + strlen (req.value));
++                free (req.value);
++              }
++            req.value = malloc (req.value_size);
++            if (!req.value)
++              {
++                w->status = ENOMEM;
++                DBG (DBG_ERR,
++                     "process_request: (control_option) "
++                     "h=%d (%s)\n", req.handle, strerror (w->status));
++                return 1;
++              }
++            memset (req.value, 0, req.value_size);
++            w->allocated_memory += req.value_size;
++          }
++
+ 	can_authorize = 1;
+ 
+ 	memset (&reply, 0, sizeof (reply));	/* avoid leaking bits */
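Review bot: in the new block, req.value_size comes straight from the decoded client request and is passed to malloc without any upper bound; only the ENOMEM path is handled, so a very large size costs saned memory until the wire layer's accounting catches it. Worth confirming that sanei/sanei_wire.c enforces a cap on w->allocated_memory before accepting this as-is; if it does, a one-line comment saying so would spare the next reader the same question. The malloc followed by memset could be a single calloc (req.value_size, 1), which also removes the window between allocation and zeroing. The FIXME is honest that the strlen-based decrement of w->allocated_memory drifts from the real allocation when the decoded string contains embedded NULs, so the accounting can under-count after this path. Documentation nits: the code comment cites "Debian BTS #853804" while the Bug-Debian header and changelog say #854804, so one of them is wrong (the comment is upstream's, but the discrepancy deserves a mention in the DEP-3 header), and "cheery-pick" in the header should read "cherry-pick".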
diff -Nru sane-backends-1.0.25/debian/patches/series sane-backends-1.0.25/debian/patches/series
--- sane-backends-1.0.25/debian/patches/series	2016-08-21 15:18:29.000000000 +0200
+++ sane-backends-1.0.25/debian/patches/series	2017-04-19 07:16:16.000000000 +0200
@@ -17,3 +17,4 @@
 0710-sane-desc.c_debian_mods.patch
 0125-multiarch_dll_search_path.patch
 0135-saned-remotescanners.patch
+0500-CVE-2017-6318.patch
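Review bot: the new entry is appended after 0135-saned-remotescanners.patch, which by its name also modifies saned, so the upstream hunk is applied on top of Debian's saned changes rather than before them; that is the right order, but it is worth stating in the DEP-3 header that the patch was verified to apply cleanly after 0135, since the @@ -1987 offset was taken from an unpatched saned.c. The series file is already not in numeric order (0710, 0125, 0135), so appending at the end is consistent with current practice.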

--- End Message ---
--- Begin Message ---
John Paul Adrian Glaubitz:
> Package: release.debian.org
> Severity: normal
> Tags: patch
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hello!
> 
> sane-backends_1.0.25-4 contains a single, cherry-picked patch
> from upstream to address an RC bug which is the vulnerability
> CVE-2017-6318.
> 
> Debdiff attached.
> 
> Thanks,
> Adrian
> 
> unblock sane-backends/1.0.25-4
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---