From 5db422d7c0ae9307d3e6839c13967e9e74f87fece50a44aa64bef8e1f0759f86 Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Tue, 28 Feb 2017 16:37:52 +0000
Subject: [PATCH] Accepting request 460922 from home:jsmeix:branches:graphics

Applied upstream CVE-2017-6318.patch (bsc#1027197)

OBS-URL: https://build.opensuse.org/request/show/460922
OBS-URL: https://build.opensuse.org/package/show/graphics/sane-backends?expand=0&rev=83
---
 CVE-2017-6318.patch | 35 +++++++++++++++++++++++++++++++++++
 sane-backends.changes | 10 ++++++++++
 sane-backends.spec | 15 ++++++++++++++-
 3 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2017-6318.patch

diff --git a/CVE-2017-6318.patch b/CVE-2017-6318.patch
new file mode 100644
index 0000000..d727cd9
--- /dev/null
+++ b/CVE-2017-6318.patch
@@ -0,0 +1,35 @@
+--- frontend/saned.c
++++ frontend/saned.c
+@@ -1992,6 +1992,32 @@ process_request (Wire * w)
+ return 1;
+ }
++ /* Debian BTS #853804 */
++ if (w->direction == WIRE_DECODE
++ && req.value_type == SANE_TYPE_STRING
++ && req.action == SANE_ACTION_GET_VALUE)
++ {
++ if (req.value)
++ {
++ /* FIXME: If req.value contained embedded NUL
++ * characters, this is wrong.
++ */
++ w->allocated_memory -= (1 + strlen (req.value));
++ free (req.value);
++ }
++ req.value = malloc (req.value_size);
++ if (!req.value)
++ {
++ w->status = ENOMEM;
++ DBG (DBG_ERR,
++ "process_request: (control_option) "
++ "h=%d (%s)\n", req.handle, strerror (w->status));
++ return 1;
++ }
++ memset (req.value, 0, req.value_size);
++ w->allocated_memory += req.value_size;
++ }
++
+ can_authorize = 1;
+
+ memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
diff --git a/sane-backends.changes b/sane-backends.changes
index a29e11e..931d349 100644
--- a/sane-backends.changes
+++ b/sane-backends.changes
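Review bot: `req.value_size` is client-controlled at this point (the block only runs when `w->direction == WIRE_DECODE`, i.e. req was just decoded from the socket), and `req.value = malloc (req.value_size);` allocates exactly that many bytes and charges them to `w->allocated_memory` with no upper bound visible in the hunk; unless the wire decoder already caps value_size before this point, a remote client can make saned allocate arbitrarily large buffers, so a size check that fails the request with `w->status = EINVAL` belongs before the malloc. The `memset (req.value, 0, req.value_size);` is what actually closes the information leak, and `req.value = calloc (1, req.value_size);` expresses that in one step so the zero-fill cannot later be separated from the allocation. The FIXME is worth acting on rather than shipping: the refund `w->allocated_memory -= (1 + strlen (req.value));` undercounts whenever the client sent a string with embedded NULs, so the length the decoder recorded when it allocated req.value, not a fresh strlen, should drive the accounting. Note also that `malloc (0)` may legitimately return NULL for a zero value_size, which this path reports as ENOMEM rather than as a malformed request. process_request begins and continues outside the hunk.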
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Feb 28 12:15:12 CET 2017 - jsmeix@suse.de
+
+- CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
+ access to saned some opcodes could leak uninitialized memory
+ back to the requester allowing information disclosure
+ of memory content in saned (bsc#1027197).
+ In general regarding "access to saned" see
+ https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
+
 -------------------------------------------------------------------
 Mon Jan 11 11:44:28 UTC 2016 - olaf@aepfle.de
diff --git a/sane-backends.spec b/sane-backends.spec
index a5430e6..435416f 100644
--- a/sane-backends.spec
+++ b/sane-backends.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package sane-backends
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -74,6 +74,12 @@ Source201: create_sane-backends-autoconfig.rules
 Patch1: dell1600n_net-fix-strncat.patch
 # Patch2 sane-backends.builttime.patch avoids build-compare noise
 Patch2: sane-backends.builttime.patch
+# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
+# access to saned some opcodes could leak uninitialized memory back to the requester
+# allowing information disclosure of memory content in saned,
+# see https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html
+# and https://bugzilla.suse.com/show_bug.cgi?id=1027197
+Patch3: CVE-2017-6318.patch
 # Patch100... is SUSE specific stuff:
 # Patch101 no-descriptions-external-hpoj.patch removes descriptions-external/hpoj.desc from doc/Makefile.am
 # because it is intentionally removed from the sources in the prep section:
@@ -169,7 +175,14 @@ package or remove it when it is already installed.
 # GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1)
 # see https://alioth.debian.org/tracker/index.php?func=detail&aid=315198&group_id=30186&atid=410366
 %patch1
+# Patch2 sane-backends.builttime.patch avoids build-compare noise
 %patch2 -p1
+# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
+# access to saned some opcodes could leak uninitialized memory back to the requester
+# allowing information disclosure of memory content in saned,
+# see https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html
+# and https://bugzilla.suse.com/show_bug.cgi?id=1027197
+%patch3
 # Patch100... is SUSE specific stuff:
 # Patch101 no-descriptions-external-hpoj.patch removes descriptions-external/hpoj.desc from doc/Makefile.am
 # because it is intentionally removed from the sources in the prep section:
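Review bot: `%patch3` is applied without an explicit strip level, while the new patch's `---`/`+++` headers name `frontend/saned.c` with no `a/`/`b/` prefix; writing `%patch3 -p0` states the intended level the same way `%patch2 -p1` two lines above does, instead of relying on whatever default the rpm and patch(1) versions on the build target pick. Whether that implicit default already resolves to -p0 here is not visible from the spec alone, which is exactly why it is better spelled out. The enclosing %prep section starts and ends outside the hunk.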