import sane-backends-1.0.27-19.el8_2.1

CentOS Sources 2020-07-14 04:50:18 -04:00 committed by Andrew Lukoshko
parent 458ebfb3fd
commit adf925ca73
2 changed files with 92 additions and 1 deletions


@ -0,0 +1,72 @@
From b9b0173409df73e235da2aa0dae5edd21fb55967 Mon Sep 17 00:00:00 2001
From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
Date: Mon, 27 Apr 2020 18:48:29 +0900
Subject: [PATCH] epsonds: Prevent possible buffer overflow when reading image
data
Addresses GHSL-2020-084, re #279.
---
backend/epsonds-cmd.c | 5 +++++
backend/epsonds.c | 12 +++++++-----
backend/epsonds.h | 1 +
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
index 9a4db3080..c182aa51a 100644
--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length)
return parse_status;
}
+ /* more data than was accounted for in s->buf */
+ if (more > s->bsz) {
+ return SANE_STATUS_IO_ERROR;
+ }
+
/* ALWAYS read image data */
if (s->hw->connection == SANE_EPSONDS_NET) {
epsonds_net_request_read(s, more);
diff --git a/backend/epsonds.c b/backend/epsonds.c
index ff5d68106..fb9694a88 100644
--- a/backend/epsonds.c
+++ b/backend/epsonds.c
@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle)
if (s->line_buffer == NULL)
return SANE_STATUS_NO_MEM;
- /* ring buffer for front page, twice bsz */
+ /* transfer buffer size, bsz */
/* XXX read value from scanner */
- status = eds_ring_init(&s->front, (65536 * 4) * 2);
+ s->bsz = (65536 * 4);
+
+ /* ring buffer for front page */
+ status = eds_ring_init(&s->front, s->bsz * 2);
if (status != SANE_STATUS_GOOD) {
return status;
}
- /* transfer buffer, bsz */
- /* XXX read value from scanner */
- s->buf = realloc(s->buf, 65536 * 4);
+ /* transfer buffer */
+ s->buf = realloc(s->buf, s->bsz);
if (s->buf == NULL)
return SANE_STATUS_NO_MEM;
diff --git a/backend/epsonds.h b/backend/epsonds.h
index 0427ef3b4..401b0f32c 100644
--- a/backend/epsonds.h
+++ b/backend/epsonds.h
@@ -160,6 +160,7 @@ struct epsonds_scanner
Option_Value val[NUM_OPTIONS];
SANE_Parameters params;
+ size_t bsz; /* transfer buffer size */
SANE_Byte *buf, *line_buffer;
ring_buffer *current, front, back;
--
2.25.4
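Review bot: In the sane_start hunk, `s->bsz` is assigned before `realloc(s->buf, s->bsz)` has succeeded, and the result is written straight back to `s->buf`, so a failed allocation leaks the old buffer and leaves `s->buf == NULL` next to a non-zero `s->bsz`. That size is the value the new `more > s->bsz` guard in esci2_img relies on, so the two fields should only change together. With a local `bsz` holding `65536 * 4` (also passed to `eds_ring_init` as `bsz * 2`), the allocation could read `SANE_Byte *tmp = realloc(s->buf, bsz);`, `if (tmp == NULL) return SANE_STATUS_NO_MEM;`, `s->buf = tmp; s->bsz = bsz;`. Whether esci2_img can still be reached after sane_start returns SANE_STATUS_NO_MEM is not visible here, and both functions continue outside their hunks.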


@ -33,7 +33,7 @@
Summary: Scanner access software Summary: Scanner access software
Name: sane-backends Name: sane-backends
Version: 1.0.27 Version: 1.0.27
Release: 19%{?dist} Release: 19%{?dist}.1
# lib/ is LGPLv2+, backends are GPLv2+ with exceptions # lib/ is LGPLv2+, backends are GPLv2+ with exceptions
# Tools are GPLv2+, docs are public domain # Tools are GPLv2+, docs are public domain
# see LICENSE for details # see LICENSE for details
@ -59,6 +59,8 @@ Patch3: sane-backends-saned-manpage.patch
Patch4: sane-backends-canon-lide-100.patch Patch4: sane-backends-canon-lide-100.patch
# Revert samsung patch from upstream (upstream tracker https://alioth.debian.org/tracker/index.php?func=detail&aid=315876&group_id=30186&atid=410366) # Revert samsung patch from upstream (upstream tracker https://alioth.debian.org/tracker/index.php?func=detail&aid=315876&group_id=30186&atid=410366)
Patch5: sane-backends-revert-samsung-patch.patch Patch5: sane-backends-revert-samsung-patch.patch
# 1852468, 1852467, 1852466, 1852465 - prevent buffer overflow in esci2_img
Patch6: 0001-epsonds-Prevent-possible-buffer-overflow-when-readin.patch
URL: http://www.sane-project.org URL: http://www.sane-project.org
@ -90,6 +92,10 @@ Obsoletes: sane-backends < 1.0.25-3
Conflicts: sane-backends < 1.0.25-3 Conflicts: sane-backends < 1.0.25-3
%endif %endif
# fix for 1852668, 1852667, 1852666, 1852665 - autodiscovery is not supported in epsonds
# backend, so disable it during post scriptlet (grep and sed are needed for the scriptlet)
Requires: grep, sed
%description %description
Scanner Access Now Easy (SANE) is a universal scanner interface. The Scanner Access Now Easy (SANE) is a universal scanner interface. The
SANE application programming interface (API) provides standardized SANE application programming interface (API) provides standardized
@ -194,6 +200,7 @@ access image acquisition devices available on the local host.
%patch3 -p1 -b .saned-manpage %patch3 -p1 -b .saned-manpage
%patch4 -p1 -b .canon-lide-100 %patch4 -p1 -b .canon-lide-100
%patch5 -p1 -b .revert-samsung-patch %patch5 -p1 -b .revert-samsung-patch
%patch6 -p1 -b .prevent-buffer-overflow
%build %build
CFLAGS="%optflags -fno-strict-aliasing" CFLAGS="%optflags -fno-strict-aliasing"
@ -273,6 +280,14 @@ install -m 644 saned@.service %{buildroot}%{_unitdir}
%post %post
udevadm hwdb --update >/dev/null 2>&1 || : udevadm hwdb --update >/dev/null 2>&1 || :
# check if there is autodiscovery enabled in epsonds.conf
autodiscovery=`%{_bindir}/grep -E '^[[:space:]]*net[[:space:]]*autodiscovery' /etc/sane.d/epsonds.conf`
if [ -n "$autodiscovery" ]
then
# comment out 'net autodiscovery' if it is not commented out
%{_bindir}/sed -i 's,^[[:space:]]*net[[:space:]]*autodiscovery,#net autodiscovery,g' /etc/sane.d/epsonds.conf
fi
%postun %postun
udevadm hwdb --update >/dev/null 2>&1 || : udevadm hwdb --update >/dev/null 2>&1 || :
@ -355,6 +370,10 @@ exit 0
%{_unitdir}/saned@.service %{_unitdir}/saned@.service
%changelog %changelog
* Wed Jul 01 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-19.1
- 1852468, 1852467, 1852466, 1852465 - prevent buffer overflow in esci2_img
- 1852668, 1852667, 1852666, 1852665 - disable autodiscovery for epsonds backend
* Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-19 * Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-19
- corrected license - corrected license
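Review bot: The `%post` scriptlet now runs grep and sed, but the dependency is declared as a plain `Requires: grep, sed`; scriptlet dependencies are normally written `Requires(post): grep, sed` so the transaction orders both tools before this package's `%post` runs. The grep call also reads `/etc/sane.d/epsonds.conf` without redirecting stderr, so a config file the administrator has removed would produce an error message during installation; appending `2>/dev/null` to that command keeps the scriptlet quiet, as the `udevadm` line above it already is. Because `%post` runs on every install and upgrade, the comment above the sed line should say that a deliberately re-enabled `net autodiscovery` entry will be commented out again by each update.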