
Accepting request 460922 from home:jsmeix:branches:graphics

Applied upstream CVE-2017-6318.patch (bsc#1027197)

OBS-URL: https://build.opensuse.org/request/show/460922
OBS-URL: https://build.opensuse.org/package/show/graphics/sane-backends?expand=0&rev=83
Johannes Meixner 2017-02-28 16:37:52 +00:00 committed by Git OBS Bridge
parent ce6cd2ce4a
commit 5db422d7c0
3 changed files with 59 additions and 1 deletions

CVE-2017-6318.patch Normal file

@ -0,0 +1,35 @@
--- frontend/saned.c
+++ frontend/saned.c
@@ -1992,6 +1992,32 @@ process_request (Wire * w)
return 1;
}
+ /* Debian BTS #853804 */
+ if (w->direction == WIRE_DECODE
+ && req.value_type == SANE_TYPE_STRING
+ && req.action == SANE_ACTION_GET_VALUE)
+ {
+ if (req.value)
+ {
+ /* FIXME: If req.value contained embedded NUL
+ * characters, this is wrong.
+ */
+ w->allocated_memory -= (1 + strlen (req.value));
+ free (req.value);
+ }
+ req.value = malloc (req.value_size);
+ if (!req.value)
+ {
+ w->status = ENOMEM;
+ DBG (DBG_ERR,
+ "process_request: (control_option) "
+ "h=%d (%s)\n", req.handle, strerror (w->status));
+ return 1;
+ }
+ memset (req.value, 0, req.value_size);
+ w->allocated_memory += req.value_size;
+ }
+
can_authorize = 1;
memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
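Review bot: `req.value_size` goes straight into `malloc (req.value_size)` and `memset` with no range check, and in this branch (`w->direction == WIRE_DECODE`) it appears to be a value decoded from the requester's message. If it is a signed word, a negative value converts to a huge `size_t`, and a zero size makes the `malloc` result implementation-defined, so a NULL return would be reported as `ENOMEM`. Rejecting such sizes before allocating would make the failure explicit, e.g. `if (req.value_size <= 0) { w->status = EINVAL; return 1; }`, and the allocate-then-clear pair could be the single call `req.value = calloc (1, req.value_size);`. The hunk does not show `req.value_size` being compared with the option's own size before the buffer is used, so that is worth confirming in the rest of `process_request`, which starts and ends outside the hunk.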


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Feb 28 12:15:12 CET 2017 - jsmeix@suse.de
- CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
access to saned some opcodes could leak uninitialized memory
back to the requester allowing information disclosure
of memory content in saned (bsc#1027197).
In general regarding "access to saned" see
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
-------------------------------------------------------------------
Mon Jan 11 11:44:28 UTC 2016 - olaf@aepfle.de


@ -1,7 +1,7 @@
#
# spec file for package sane-backends
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -74,6 +74,12 @@ Source201: create_sane-backends-autoconfig.rules
Patch1: dell1600n_net-fix-strncat.patch
# Patch2 sane-backends.builttime.patch avoids build-compare noise
Patch2: sane-backends.builttime.patch
# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
# access to saned some opcodes could leak uninitialized memory back to the requester
# allowing information disclosure of memory content in saned,
# see https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html
# and https://bugzilla.suse.com/show_bug.cgi?id=1027197
Patch3: CVE-2017-6318.patch
# Patch100... is SUSE specific stuff:
# Patch101 no-descriptions-external-hpoj.patch removes descriptions-external/hpoj.desc from doc/Makefile.am
# because it is intentionally removed from the sources in the prep section:
@ -169,7 +175,14 @@ package or remove it when it is already installed.
# GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1)
# see https://alioth.debian.org/tracker/index.php?func=detail&aid=315198&group_id=30186&atid=410366
%patch1
# Patch2 sane-backends.builttime.patch avoids build-compare noise
%patch2 -p1
# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
# access to saned some opcodes could leak uninitialized memory back to the requester
# allowing information disclosure of memory content in saned,
# see https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html
# and https://bugzilla.suse.com/show_bug.cgi?id=1027197
%patch3
# Patch100... is SUSE specific stuff:
# Patch101 no-descriptions-external-hpoj.patch removes descriptions-external/hpoj.desc from doc/Makefile.am
# because it is intentionally removed from the sources in the prep section: