1428886 - CVE-2017-6318 sane-backends: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server [fedora-all]
This commit is contained in:
parent
2ffc2c5c58
commit
543e63ae3d
42
sane-backends-1.0.25-CVE-2017-6318.patch
Normal file
42
sane-backends-1.0.25-CVE-2017-6318.patch
Normal file
@ -0,0 +1,42 @@
|
||||
diff -up sane-backends-1.0.25/frontend/saned.c.CVE-2017-6318 sane-backends-1.0.25/frontend/saned.c
|
||||
--- sane-backends-1.0.25/frontend/saned.c.CVE-2017-6318 2017-03-22 09:05:09.884788366 +0100
|
||||
+++ sane-backends-1.0.25/frontend/saned.c 2017-03-22 16:58:20.393869129 +0100
|
||||
@@ -1986,6 +1986,38 @@ process_request (Wire * w)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
|
||||
+ /* This is done here (rather than in sanei/sanei_wire.c where
|
||||
+ * it should be done) to minimize scope of impact and amount
|
||||
+ * of code change.
|
||||
+ */
|
||||
+ if (w->direction == WIRE_DECODE
|
||||
+ && req.value_type == SANE_TYPE_STRING
|
||||
+ && req.action == SANE_ACTION_GET_VALUE)
|
||||
+ {
|
||||
+ if (req.value)
|
||||
+ {
|
||||
+ /* FIXME: If req.value contains embedded NUL
|
||||
+ * characters, this is wrong but we do not have
|
||||
+ * access to the amount of memory allocated in
|
||||
+ * sanei/sanei_wire.c at this point.
|
||||
+ */
|
||||
+ w->allocated_memory -= (1 + strlen (req.value));
|
||||
+ free (req.value);
|
||||
+ }
|
||||
+ req.value = malloc (req.value_size);
|
||||
+ if (!req.value)
|
||||
+ {
|
||||
+ w->status = ENOMEM;
|
||||
+ DBG (DBG_ERR,
|
||||
+ "process_request: (control_option) "
|
||||
+ "h=%d (%s)\n", req.handle, strerror (w->status));
|
||||
+ return 1;
|
||||
+ }
|
||||
+ memset (req.value, 0, req.value_size);
|
||||
+ w->allocated_memory += req.value_size;
|
||||
+ }
|
||||
+
|
||||
can_authorize = 1;
|
||||
|
||||
memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
|
@ -33,7 +33,7 @@
|
||||
Summary: Scanner access software
|
||||
Name: sane-backends
|
||||
Version: 1.0.25
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
# lib/ is LGPLv2+, backends are GPLv2+ with exceptions
|
||||
# Tools are GPLv2+, docs are public domain
|
||||
# see LICENSE for details
|
||||
@ -53,6 +53,8 @@ Patch1: sane-backends-1.0.23-soname.patch
|
||||
Patch2: sane-backends-1.0.23-sane-config-multilib.patch
|
||||
# Backported from upstream, commit 6585b6f60d07a196e42c99b935e2754bbc80b3c8
|
||||
Patch3: sane-backends-1.0.25-avision-skip-adf.patch
|
||||
# CVE-2017-6318 - backported from upstream 42896939822b44f44ecd1b6d35afdfa4473ed35d
|
||||
Patch4: sane-backends-1.0.25-CVE-2017-6318.patch
|
||||
|
||||
URL: http://www.sane-project.org
|
||||
|
||||
@ -180,6 +182,7 @@ access image acquisition devices available on the local host.
|
||||
%patch1 -p1 -b .soname
|
||||
%patch2 -p1 -b .sane-config-multilib
|
||||
%patch3 -p1 -b .avision-skip-adf
|
||||
%patch4 -p1 -b .CVE-2017-6318
|
||||
|
||||
%build
|
||||
CFLAGS="%optflags -fno-strict-aliasing"
|
||||
@ -330,6 +333,9 @@ exit 0
|
||||
%{_unitdir}/saned@.service
|
||||
|
||||
%changelog
|
||||
* Wed Mar 22 2017 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.25-7
|
||||
- 1428886 - CVE-2017-6318 sane-backends: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server [fedora-all]
|
||||
|
||||
* Tue Mar 14 2017 Nils Philippsen <nils@redhat.com> - 1.0.25-6
|
||||
- avision: add "skip-adf" option (#1288712)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user