diff options
Diffstat (limited to 'debian/patches/0500-CVE-2017-6318.patch')
-rw-r--r-- | debian/patches/0500-CVE-2017-6318.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/debian/patches/0500-CVE-2017-6318.patch b/debian/patches/0500-CVE-2017-6318.patch deleted file mode 100644 index e793888..0000000 --- a/debian/patches/0500-CVE-2017-6318.patch +++ /dev/null @@ -1,52 +0,0 @@ -Description: Address memory corruption and information leakage - cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d -Author: Jörg Frings-Fürst <debian@jff-webhosting.net> -Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804 -Forwarded: not-needed -Last-Update: 2017-04-19 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: 1.0.25-3x/frontend/saned.c -=================================================================== ---- 1.0.25-3x.orig/frontend/saned.c -+++ 1.0.25-3x/frontend/saned.c -@@ -1987,6 +1987,38 @@ process_request (Wire * w) - return 1; - } - -+ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */ -+ /* This is done here (rather than in sanei/sanei_wire.c where -+ * it should be done) to minimize scope of impact and amount -+ * of code change. -+ */ -+ if (w->direction == WIRE_DECODE -+ && req.value_type == SANE_TYPE_STRING -+ && req.action == SANE_ACTION_GET_VALUE) -+ { -+ if (req.value) -+ { -+ /* FIXME: If req.value contains embedded NUL -+ * characters, this is wrong but we do not have -+ * access to the amount of memory allocated in -+ * sanei/sanei_wire.c at this point. -+ */ -+ w->allocated_memory -= (1 + strlen (req.value)); -+ free (req.value); -+ } -+ req.value = malloc (req.value_size); -+ if (!req.value) -+ { -+ w->status = ENOMEM; -+ DBG (DBG_ERR, -+ "process_request: (control_option) " -+ "h=%d (%s)\n", req.handle, strerror (w->status)); -+ return 1; -+ } -+ memset (req.value, 0, req.value_size); -+ w->allocated_memory += req.value_size; -+ } -+ - can_authorize = 1; - - memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */ |