From d3224cea9b1bec0d011ec4c79d8619031f4be0a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= <debian@jff-webhosting.net>
Date: Sat, 22 Apr 2017 10:17:02 +0200
Subject: CVE-2017-6318

---
 debian/changelog                        | 14 ++++-----
 debian/libsane-dev.NEWS                 |  6 ++++
 debian/patches/0500-CVE-2017-6318.patch | 52 +++++++++++++++++++++++++++++++++
 debian/patches/series                   |  1 +
 debian/rules                            |  1 -
 debian/sane-utils.postinst              |  2 +-
 6 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100644 debian/libsane-dev.NEWS
 create mode 100644 debian/patches/0500-CVE-2017-6318.patch

diff --git a/debian/changelog b/debian/changelog
index 299ba91..1781835 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,13 +1,11 @@
-sane-backends (1.0.25-4) UNRELEASED; urgency=medium
+sane-backends (1.0.25-4) unstable; urgency=medium
 
-  * Remove outdated debian/libsane-dev.NEWS (Closes: #852842).
-  * debian/rules:
-    - Remove DVIPSSource from sane.ps to make build reproducible.
-  * debian/sane-uitls.postinst: 
-    - Add "|| true" after adduser call to continue installation if
-      adduser fails (Closes: #860078).
+  * CVE-2017-6318:
+    - New debian/patches/0500-CVE-2017-6318.patch
+      + cherry-picked from upstream to fix memory corruption and
+        information leakage (Closes: #854804).
 
- -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Fri, 27 Jan 2017 22:09:18 +0100
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Wed, 19 Apr 2017 12:07:38 +0200
 
 sane-backends (1.0.25-3) unstable; urgency=medium
 
diff --git a/debian/libsane-dev.NEWS b/debian/libsane-dev.NEWS
new file mode 100644
index 0000000..5fd28f3
--- /dev/null
+++ b/debian/libsane-dev.NEWS
@@ -0,0 +1,6 @@
+sane-backends (1.0.24-14) unstable; urgency=medium
+
+  Starting with this release sane-config are moved to
+  the new package libsane-bin.
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Sun, 30 Aug 2015 19:02:57 +0200
diff --git a/debian/patches/0500-CVE-2017-6318.patch b/debian/patches/0500-CVE-2017-6318.patch
new file mode 100644
index 0000000..e793888
--- /dev/null
+++ b/debian/patches/0500-CVE-2017-6318.patch
@@ -0,0 +1,52 @@
+Description: Address memory corruption and information leakage
+ cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
+Forwarded: not-needed
+Last-Update: 2017-04-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 1.0.25-3x/frontend/saned.c
+===================================================================
+--- 1.0.25-3x.orig/frontend/saned.c
++++ 1.0.25-3x/frontend/saned.c
+@@ -1987,6 +1987,38 @@ process_request (Wire * w)
+ 	    return 1;
+ 	  }
+ 
++        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++        /* This is done here (rather than in sanei/sanei_wire.c where
++         * it should be done) to minimize scope of impact and amount
++         * of code change.
++         */
++        if (w->direction == WIRE_DECODE
++            && req.value_type == SANE_TYPE_STRING
++            && req.action     == SANE_ACTION_GET_VALUE)
++          {
++            if (req.value)
++              {
++                /* FIXME: If req.value contains embedded NUL
++                 *        characters, this is wrong but we do not have
++                 *        access to the amount of memory allocated in
++                 *        sanei/sanei_wire.c at this point.
++                 */
++                w->allocated_memory -= (1 + strlen (req.value));
++                free (req.value);
++              }
++            req.value = malloc (req.value_size);
++            if (!req.value)
++              {
++                w->status = ENOMEM;
++                DBG (DBG_ERR,
++                     "process_request: (control_option) "
++                     "h=%d (%s)\n", req.handle, strerror (w->status));
++                return 1;
++              }
++            memset (req.value, 0, req.value_size);
++            w->allocated_memory += req.value_size;
++          }
++
+ 	can_authorize = 1;
+ 
+ 	memset (&reply, 0, sizeof (reply));	/* avoid leaking bits */
diff --git a/debian/patches/series b/debian/patches/series
index b291883..8f2cb3f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@
 0710-sane-desc.c_debian_mods.patch
 0125-multiarch_dll_search_path.patch
 0135-saned-remotescanners.patch
+0500-CVE-2017-6318.patch
diff --git a/debian/rules b/debian/rules
index fee580d..fcd28d1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -92,7 +92,6 @@ override_dh_install-arch:
 
 override_dh_installdocs-arch:
 	dh_installdocs
-	sed -i /DVIPSSource/d debian/tmp/usr/share/doc/libsane/sane.ps
 	# move files that belong to libsane-dev
 	mv debian/tmp/usr/share/doc/libsane/sane.ps debian/libsane-dev/usr/share/doc/libsane-dev/
 	mv debian/tmp/usr/share/doc/libsane/backend-writing.txt debian/libsane-dev/usr/share/doc/libsane-dev/
diff --git a/debian/sane-utils.postinst b/debian/sane-utils.postinst
index cf97dbe..155ed22 100644
--- a/debian/sane-utils.postinst
+++ b/debian/sane-utils.postinst
@@ -66,7 +66,7 @@ if [ "$1" = "configure" ] || [ "$1" = "reconfigure" ]; then
 	fi
     fi
     if [ "$SANED_IN_SCANNER" = "true" ]; then
-	adduser --quiet saned scanner || true
+	adduser --quiet saned scanner
     else
 	if id saned | grep -q "groups=.*\(scanner\)"; then
 	    deluser --quiet saned scanner
-- 
cgit v1.2.3