diff options
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 15 | ||||
-rw-r--r-- | debian/copyright | 2 | ||||
-rw-r--r-- | debian/patches/0505-CVE-2017-6318.patch | 52 | ||||
-rw-r--r-- | debian/patches/series | 1 |
4 files changed, 66 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog index d946df7..509a8d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,13 +1,22 @@ +sane-backends (1.0.24-8+deb8u2) stable; urgency=medium + + * CVE-2017-6318: + - New debian/patches/0500-CVE-2017-6318.patch + + cherry-picked from upstream to fix memory corruption and + information leakage (Closes: #854804). + + -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 19 Apr 2017 11:51:22 +0200 + sane-backends (1.0.24-8+deb8u1) stable; urgency=medium * Cherry-picked systemd handling from unstable (Closes: #791961): - - Rewrite debian/saned@.service to prevent errors by network scaning. + - Rewrite debian/saned@.service to prevent errors by network scanning. - New debian/sane-utils.links: + Add a link from /dev/null to /lib/systemd/system/saned.service to prevent start via fallback script /etc/init.d/saned. - - Add 2015 to debian/copyright. + - Add year 2016 to debian/copyright. - -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 02 Sep 2015 14:10:00 +0200 + -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 27 Jan 2016 07:48:32 +0100 sane-backends (1.0.24-8) unstable; urgency=medium diff --git a/debian/copyright b/debian/copyright index f4bd25b..66018f6 100644 --- a/debian/copyright +++ b/debian/copyright @@ -13,7 +13,7 @@ Copyright: 1997-2002 Kevin Dalley <kevind@rahul.net> 2002-2011 Julien BLACHE <jblache@debian.org> 2002-2006 Aurélien Jarno <aurel32@debian.org> 2013 Mark Buda <hermit@acm.org> - 2014-2015 Jörg Frings-Fürst <debian@jff-webhosting.net> + 2014-2016 Jörg Frings-Fürst <debian@jff-webhosting.net> License: GPL-2+ with sane exception Files: backend/abaton.* diff --git a/debian/patches/0505-CVE-2017-6318.patch b/debian/patches/0505-CVE-2017-6318.patch new file mode 100644 index 0000000..b7f2b2a --- /dev/null +++ b/debian/patches/0505-CVE-2017-6318.patch @@ -0,0 +1,52 @@ +Description: Address memory corruption and information leakage + cheery-picked from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d +Author: Jörg Frings-Fürst <debian@jff-webhosting.net> +Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804 +Forwarded: not-needed +Last-Update: 2017-04-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: jessie/frontend/saned.c +=================================================================== +--- jessie.orig/frontend/saned.c ++++ jessie/frontend/saned.c +@@ -1986,6 +1986,38 @@ process_request (Wire * w) + return 1; + } + ++ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */ ++ /* This is done here (rather than in sanei/sanei_wire.c where ++ * it should be done) to minimize scope of impact and amount ++ * of code change. ++ */ ++ if (w->direction == WIRE_DECODE ++ && req.value_type == SANE_TYPE_STRING ++ && req.action == SANE_ACTION_GET_VALUE) ++ { ++ if (req.value) ++ { ++ /* FIXME: If req.value contains embedded NUL ++ * characters, this is wrong but we do not have ++ * access to the amount of memory allocated in ++ * sanei/sanei_wire.c at this point. ++ */ ++ w->allocated_memory -= (1 + strlen (req.value)); ++ free (req.value); ++ } ++ req.value = malloc (req.value_size); ++ if (!req.value) ++ { ++ w->status = ENOMEM; ++ DBG (DBG_ERR, ++ "process_request: (control_option) " ++ "h=%d (%s)\n", req.handle, strerror (w->status)); ++ return 1; ++ } ++ memset (req.value, 0, req.value_size); ++ w->allocated_memory += req.value_size; ++ } ++ + can_authorize = 1; + + memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */ diff --git a/debian/patches/series b/debian/patches/series index 5586d9d..8e0513e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -22,3 +22,4 @@ hp5370c.patch out_of_bounds.patch 0500-systemd_configure.patch 0100-usb3-corrections.patch +0505-CVE-2017-6318.patch |