authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-04-22 10:32:17 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-04-22 10:32:17 +0200
commitaf59b7d3140fc16a3f1db0144dc7d10beb06bd35 (patch)
treeb074e605a3769c21374f803ac0e3df77eb69ea79
parente12449010118a157da633edb652e50d96fae8cf3 (diff)
-rw-r--r--debian/changelog15
-rw-r--r--debian/copyright2
-rw-r--r--debian/patches/0505-CVE-2017-6318.patch52
-rw-r--r--debian/patches/series1
4 files changed, 66 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index d946df7..509a8d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,13 +1,22 @@
+sane-backends (1.0.24-8+deb8u2) stable; urgency=medium
+
+ * CVE-2017-6318:
+ - New debian/patches/0500-CVE-2017-6318.patch
+ + cherry-picked from upstream to fix memory corruption and
+ information leakage (Closes: #854804).
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 19 Apr 2017 11:51:22 +0200
+
sane-backends (1.0.24-8+deb8u1) stable; urgency=medium
* Cherry-picked systemd handling from unstable (Closes: #791961):
- - Rewrite debian/saned@.service to prevent errors by network scaning.
+ - Rewrite debian/saned@.service to prevent errors by network scanning.
- New debian/sane-utils.links:
+ Add a link from /dev/null to /lib/systemd/system/saned.service
to prevent start via fallback script /etc/init.d/saned.
- - Add 2015 to debian/copyright.
+ - Add year 2016 to debian/copyright.
- -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 02 Sep 2015 14:10:00 +0200
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 27 Jan 2016 07:48:32 +0100
sane-backends (1.0.24-8) unstable; urgency=medium
diff --git a/debian/copyright b/debian/copyright
index f4bd25b..66018f6 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -13,7 +13,7 @@ Copyright: 1997-2002 Kevin Dalley <kevind@rahul.net>
2002-2011 Julien BLACHE <jblache@debian.org>
2002-2006 Aurélien Jarno <aurel32@debian.org>
2013 Mark Buda <hermit@acm.org>
- 2014-2015 Jörg Frings-Fürst <debian@jff-webhosting.net>
+ 2014-2016 Jörg Frings-Fürst <debian@jff-webhosting.net>
License: GPL-2+ with sane exception
Files: backend/abaton.*
diff --git a/debian/patches/0505-CVE-2017-6318.patch b/debian/patches/0505-CVE-2017-6318.patch
new file mode 100644
index 0000000..b7f2b2a
--- /dev/null
+++ b/debian/patches/0505-CVE-2017-6318.patch
@@ -0,0 +1,52 @@
+Description: Address memory corruption and information leakage
+ cheery-picked from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
+Forwarded: not-needed
+Last-Update: 2017-04-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: jessie/frontend/saned.c
+===================================================================
+--- jessie.orig/frontend/saned.c
++++ jessie/frontend/saned.c
+@@ -1986,6 +1986,38 @@ process_request (Wire * w)
+ return 1;
+ }
+
++ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++ /* This is done here (rather than in sanei/sanei_wire.c where
++ * it should be done) to minimize scope of impact and amount
++ * of code change.
++ */
++ if (w->direction == WIRE_DECODE
++ && req.value_type == SANE_TYPE_STRING
++ && req.action == SANE_ACTION_GET_VALUE)
++ {
++ if (req.value)
++ {
++ /* FIXME: If req.value contains embedded NUL
++ * characters, this is wrong but we do not have
++ * access to the amount of memory allocated in
++ * sanei/sanei_wire.c at this point.
++ */
++ w->allocated_memory -= (1 + strlen (req.value));
++ free (req.value);
++ }
++ req.value = malloc (req.value_size);
++ if (!req.value)
++ {
++ w->status = ENOMEM;
++ DBG (DBG_ERR,
++ "process_request: (control_option) "
++ "h=%d (%s)\n", req.handle, strerror (w->status));
++ return 1;
++ }
++ memset (req.value, 0, req.value_size);
++ w->allocated_memory += req.value_size;
++ }
++
+ can_authorize = 1;
+
+ memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
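Review bot: `req.value_size` comes from the client request and is handed straight to `malloc` at `req.value = malloc (req.value_size);` with no range check, so the new block allocates whatever size the peer asks for; it adjusts `w->allocated_memory` but enforces no limit itself, and I cannot tell from this hunk whether the sanei_wire layer has already capped that counter by this point. If `value_size` is a signed SANE word (presumably it is — confirm against the request struct), a negative value also converts to a huge `size_t` here. I would reject out-of-range sizes before the allocation, e.g. `if (req.value_size <= 0 || req.value_size > VALUE_SIZE_CAP /* placeholder: project limit */) { w->status = EINVAL; return 1; }`. Two smaller inconsistencies in the same file are worth fixing: the DEP-3 header says `cheery-picked`, the in-code comment cites Debian BTS #853804 while the header's Bug-Debian line and the changelog cite #854804, and the changelog names the new file `0500-CVE-2017-6318.patch` while the file actually added is `0505-CVE-2017-6318.patch`. process_request begins and ends outside this hunk.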
diff --git a/debian/patches/series b/debian/patches/series
index 5586d9d..8e0513e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ hp5370c.patch
out_of_bounds.patch
0500-systemd_configure.patch
0100-usb3-corrections.patch
+0505-CVE-2017-6318.patch