Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian....@packages.debian.org
Usertags: unblock

Hello!

sane-backends_1.0.25-4 contains a single, cherry-picked patch from upstream to address an RC bug which is the vulnerability CVE-2017-6318.

Debdiff attached.

Thanks,
Adrian

unblock sane-backends/1.0.25-4

-- System Information:
Debian Release: 9.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru sane-backends-1.0.25/debian/changelog sane-backends-1.0.25/debian/changelog --- sane-backends-1.0.25/debian/changelog 2016-12-10 13:45:15.000000000 +0100 +++ sane-backends-1.0.25/debian/changelog 2017-04-19 12:07:38.000000000 +0200 @@ -1,3 +1,12 @@ +sane-backends (1.0.25-4) unstable; urgency=medium + + * CVE-2017-6318: + - New debian/patches/0500-CVE-2017-6318.patch + + cherry-picked from upstream to fix memory corruption and + information leakage (Closes: #854804). + + -- Jörg Frings-Fürst <deb...@jff-webhosting.net> Wed, 19 Apr 2017 12:07:38 +0200 + sane-backends (1.0.25-3) unstable; urgency=medium * debian/rules: diff -Nru sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch --- sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch 1970-01-01 01:00:00.000000000 +0100 +++ sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch 2017-04-19 07:50:23.000000000 +0200 
@@ -0,0 +1,52 @@ +Description: Address memory corruption and information leakage + cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d +Author: Jörg Frings-Fürst <deb...@jff-webhosting.net> +Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804 +Forwarded: not-needed +Last-Update: 2017-04-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: 1.0.25-3x/frontend/saned.c +=================================================================== +--- 1.0.25-3x.orig/frontend/saned.c ++++ 1.0.25-3x/frontend/saned.c +@@ -1987,6 +1987,38 @@ process_request (Wire * w) + return 1; + } + ++ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */ ++ /* This is done here (rather than in sanei/sanei_wire.c where ++ * it should be done) to minimize scope of impact and amount ++ * of code change. ++ */ ++ if (w->direction == WIRE_DECODE ++ && req.value_type == SANE_TYPE_STRING ++ && req.action == SANE_ACTION_GET_VALUE) ++ { ++ if (req.value) ++ { ++ /* FIXME: If req.value contains embedded NUL ++ * characters, this is wrong but we do not have ++ * access to the amount of memory allocated in ++ * sanei/sanei_wire.c at this point. 
++ */ ++ w->allocated_memory -= (1 + strlen (req.value)); ++ free (req.value); ++ } ++ req.value = malloc (req.value_size); ++ if (!req.value) ++ { ++ w->status = ENOMEM; ++ DBG (DBG_ERR, ++ "process_request: (control_option) " ++ "h=%d (%s)\n", req.handle, strerror (w->status)); ++ return 1; ++ } ++ memset (req.value, 0, req.value_size); ++ w->allocated_memory += req.value_size; ++ } ++ + can_authorize = 1; + + memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */ diff -Nru sane-backends-1.0.25/debian/patches/series sane-backends-1.0.25/debian/patches/series --- sane-backends-1.0.25/debian/patches/series 2016-08-21 15:18:29.000000000 +0200 +++ sane-backends-1.0.25/debian/patches/series 2017-04-19 07:16:16.000000000 +0200 @@ -17,3 +17,4 @@ 0710-sane-desc.c_debian_mods.patch 0125-multiarch_dll_search_path.patch 0135-saned-remotescanners.patch +0500-CVE-2017-6318.patch
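
Review bot: In the frontend/saned.c hunk, the accounting line "w->allocated_memory -= (1 + strlen (req.value));" measures a wire-decoded string with strlen, which the FIXME right above it admits is wrong when the value contains embedded NULs, so allocated_memory can drift from what sanei/sanei_wire.c actually charged. Suggest having the wire layer record the allocated length so it can be subtracted exactly, or at least tracking that as a follow-up with upstream. In the same hunk, the added lines show no upper bound on req.value_size before "req.value = malloc (req.value_size);", a value_size of 0 may make malloc return NULL and be reported as ENOMEM, and the malloc plus memset pair could be a single calloc.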
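
Review bot: The bug references in 0500-CVE-2017-6318.patch disagree: the code comment added to saned.c says "Debian BTS #853804", while the Bug-Debian field of the DEP-3 header and the "Closes:" in debian/changelog both say #854804. Suggest noting the discrepancy in the patch header or making the numbers agree, so that anyone following the comment lands on the bug this upload closes. While touching the header, "cheery-pick" in the Description field should read "cherry-pick".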