Source: sane-backends
Version: 1.0.29-1~experimental4
Severity: grave
Tags: security upstream
Justification: user security hole

The Sane team released a new version of sane-backends a few days ago, fixing about 5 or 6 CVEs. From [their announcement][1]:

,----
| Kevin Backhouse of the [GitHub Security Lab team][1] has discovered
| several issues in the epson2, epsonds and magicolor backends that could
| be exploited by a malicious network device. All three backends are
| enabled by default. Moreover, all enable automatic discovery of network
| devices. The issues can be used to crash SANE frontends at start up or
| when starting a scan as well as corrupt memory leading to a possibility
| of remote code execution.
`----

[1]: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html

Please upload a new version of the package as soon as possible.

Thanks,

Rogério Brito.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-rt-amd64 (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.utf-8, LC_CTYPE=pt_BR.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
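The advisory quoted above says the three affected backends (epson2, epsonds, magicolor) are enabled by default and auto-discover network devices, so the interim mitigation on a host that cannot yet install the fixed package is to stop loading them. The script below is an added example, written for this page and not taken from the bug report, its author, or the SANE project. It assumes the documented dll.conf format (one backend name per line, `#` starts a comment) and operates on a constructed sample file rather than the real /etc/sane.d/dll.conf, which is the Debian path an administrator would substitute.

```shell
#!/bin/sh
# Added example: inspect which SANE backends a dll.conf enables and write a
# copy with the advisory's three network-discovery backends commented out.
# Assumption: dll.conf lists one backend per line, '#' begins a comment.
# The real file on Debian is /etc/sane.d/dll.conf; a path is taken as a
# parameter here so the example runs against a constructed sample.

# Print the enabled backend names (comments and blank lines stripped).
enabled_backends() {
    # $1: path to a dll.conf-style file
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Write $2 as a copy of $1 with epson2, epsonds and magicolor disabled.
# Only whole-line matches are touched, so e.g. "epson" (a different
# backend) or "net" are left as they are.
disable_advisory_backends() {
    # $1: input dll.conf, $2: output path
    sed -E 's/^[[:space:]]*(epson2|epsonds|magicolor)[[:space:]]*$/# \1 (disabled pending sane-backends security update)/' "$1" > "$2"
}

# Constructed sample dll.conf for demonstration (not a real system file).
SAMPLE_DLL_CONF="$(mktemp)"
cat > "$SAMPLE_DLL_CONF" <<'EOF'
# sample dll.conf, constructed for this example
net
#abaton
epson2
epsonds
magicolor
plustek
EOF

HARDENED_DLL_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_DLL_CONF" "$HARDENED_DLL_CONF"' EXIT

disable_advisory_backends "$SAMPLE_DLL_CONF" "$HARDENED_DLL_CONF"

echo "Enabled before:"
enabled_backends "$SAMPLE_DLL_CONF"
echo "Enabled after:"
enabled_backends "$HARDENED_DLL_CONF"
```

On a real system the hardened copy would be reviewed and then moved over /etc/sane.d/dll.conf; the change is reversible by uncommenting the three lines once the fixed sane-backends package is installed.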