commit sane-backends for openSUSE:Factory
Hello community, here is the log from the commit of package sane-backends for openSUSE:Factory checked in at 2017-03-03 17:32:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sane-backends (Old) and /work/SRC/openSUSE:Factory/.sane-backends.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "sane-backends" Fri Mar 3 17:32:12 2017 rev:82 rq:460926 version:1.0.25 Changes: -------- --- /work/SRC/openSUSE:Factory/sane-backends/sane-backends.changes 2016-01-13 22:44:26.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.sane-backends.new/sane-backends.changes 2017-03-03 17:32:13.397513465 +0100 @@ -1,0 +2,10 @@ +Tue Feb 28 12:15:12 CET 2017 - jsmeix@suse.de + +- CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via + access to saned some opcodes could leak uninitialized memory + back to the requester allowing information disclosure + of memory content in saned (bsc#1027197). + In general regarding "access to saned" see + https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings + +------------------------------------------------------------------- New: ---- CVE-2017-6318.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sane-backends.spec ++++++ --- /var/tmp/diff_new_pack.TNLpab/_old 2017-03-03 17:32:14.501357499 +0100 +++ /var/tmp/diff_new_pack.TNLpab/_new 2017-03-03 17:32:14.501357499 +0100 @@ -1,7 +1,7 @@ # # spec file for package sane-backends # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -74,6 +74,12 @@ Patch1: dell1600n_net-fix-strncat.patch # Patch2 sane-backends.builttime.patch avoids build-compare noise Patch2: sane-backends.builttime.patch +# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via +# access to saned some opcodes could leak uninitialized memory back to the requester +# allowing information disclosure of memory content in saned, +# see https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.ht... +# and https://bugzilla.suse.com/show_bug.cgi?id=1027197 +Patch3: CVE-2017-6318.patch # Patch100... is SUSE specific stuff: # Patch101 no-descriptions-external-hpoj.patch removes descriptions-external/hpoj.desc from doc/Makefile.am # because it is intentionally removed from the sources in the prep section: @@ -169,7 +175,14 @@ # GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1) # see https://alioth.debian.org/tracker/index.php?func=detail&aid=315198&group_id=30186&atid=410366 %patch1 +# Patch2 sane-backends.builttime.patch avoids build-compare noise %patch2 -p1 +# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via +# access to saned some opcodes could leak uninitialized memory back to the requester +# allowing information disclosure of memory content in saned, +# see https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.ht... +# and https://bugzilla.suse.com/show_bug.cgi?id=1027197 +%patch3 # Patch100... is SUSE specific stuff: # Patch101 no-descriptions-external-hpoj.patch removes descriptions-external/hpoj.desc from doc/Makefile.am # because it is intentionally removed from the sources in the prep section: ++++++ CVE-2017-6318.patch ++++++ --- frontend/saned.c +++ frontend/saned.c 
@@ -1992,6 +1992,32 @@ process_request (Wire * w) return 1; } + /* Debian BTS #853804 */ + if (w->direction == WIRE_DECODE + && req.value_type == SANE_TYPE_STRING + && req.action == SANE_ACTION_GET_VALUE) + { + if (req.value) + { + /* FIXME: If req.value contained embedded NUL + * characters, this is wrong. + */ + w->allocated_memory -= (1 + strlen (req.value)); + free (req.value); + } + req.value = malloc (req.value_size); + if (!req.value) + { + w->status = ENOMEM; + DBG (DBG_ERR, + "process_request: (control_option) " + "h=%d (%s)\n", req.handle, strerror (w->status)); + return 1; + } + memset (req.value, 0, req.value_size); + w->allocated_memory += req.value_size; + } + can_authorize = 1; memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
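Review bot: In the sane-backends.spec hunks (@@ -74,6 +74,12 @@ and @@ -169,7 +175,14 @@), the five-line Patch3 comment is repeated verbatim at the `Patch3:` declaration and again above `%patch3`, so the two copies can drift apart; keep the full explanation at the declaration and leave a one-line pointer in %prep. The sane-devel link in that comment shows up here cut off as `035029.ht...`, so it is worth confirming that the spec file itself carries the complete URL.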
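Review bot: In the frontend/saned.c hunk (process_request, @@ -1992,6 +1992,32 @@), `req.value = malloc (req.value_size);` takes its size from the decoded request with no upper bound visible in these lines, so the requester picks the allocation size; a limit check (or a pointer to where one already happens) before the malloc would close that gap. The FIXME in the same block concedes that `w->allocated_memory -= (1 + strlen (req.value));` undercounts when the decoded string has embedded NUL characters, which lets the wire's memory accounting drift upward over repeated requests; tracking the decoded length instead of calling strlen would fix it rather than document it. Two smaller points: when req.value_size is 0, malloc may return NULL and this path then reports ENOMEM for a request that did not actually exhaust memory, and the malloc plus memset pair could be a single `calloc (1, req.value_size)`.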
participants (1)
-
root@hilbertn.suse.de