authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-04-22 10:17:02 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-04-22 10:17:02 +0200
commitd3224cea9b1bec0d011ec4c79d8619031f4be0a9 (patch)
tree715f1b0c38630c762e995fb611c0605d00620c10
parent252d827f90d1ab171e3d12d08041c3a6bc2c760d (diff)
CVE-2017-6318debian/1.0.25-4
-rw-r--r--debian/changelog14
-rw-r--r--debian/libsane-dev.NEWS6
-rw-r--r--debian/patches/0500-CVE-2017-6318.patch52
-rw-r--r--debian/patches/series1
-rwxr-xr-xdebian/rules1
-rw-r--r--debian/sane-utils.postinst2
6 files changed, 66 insertions, 10 deletions
diff --git a/debian/changelog b/debian/changelog
index 299ba91..1781835 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,13 +1,11 @@
-sane-backends (1.0.25-4) UNRELEASED; urgency=medium
+sane-backends (1.0.25-4) unstable; urgency=medium
- * Remove outdated debian/libsane-dev.NEWS (Closes: #852842).
- * debian/rules:
- - Remove DVIPSSource from sane.ps to make build reproducible.
- * debian/sane-uitls.postinst:
- - Add "|| true" after adduser call to continue installation if
- adduser fails (Closes: #860078).
+ * CVE-2017-6318:
+ - New debian/patches/0500-CVE-2017-6318.patch
+ + cherry-picked from upstream to fix memory corruption and
+ information leakage (Closes: #854804).
- -- Jörg Frings-Fürst <debian@jff-webhosting.net> Fri, 27 Jan 2017 22:09:18 +0100
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Wed, 19 Apr 2017 12:07:38 +0200
sane-backends (1.0.25-3) unstable; urgency=medium
diff --git a/debian/libsane-dev.NEWS b/debian/libsane-dev.NEWS
new file mode 100644
index 0000000..5fd28f3
--- /dev/null
+++ b/debian/libsane-dev.NEWS
@@ -0,0 +1,6 @@
+sane-backends (1.0.24-14) unstable; urgency=medium
+
+ Starting with this release sane-config are moved to
+ the new package libsane-bin.
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Sun, 30 Aug 2015 19:02:57 +0200
diff --git a/debian/patches/0500-CVE-2017-6318.patch b/debian/patches/0500-CVE-2017-6318.patch
new file mode 100644
index 0000000..e793888
--- /dev/null
+++ b/debian/patches/0500-CVE-2017-6318.patch
@@ -0,0 +1,52 @@
+Description: Address memory corruption and information leakage
+ cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
+Forwarded: not-needed
+Last-Update: 2017-04-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 1.0.25-3x/frontend/saned.c
+===================================================================
+--- 1.0.25-3x.orig/frontend/saned.c
++++ 1.0.25-3x/frontend/saned.c
+@@ -1987,6 +1987,38 @@ process_request (Wire * w)
+ return 1;
+ }
+
++ /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++ /* This is done here (rather than in sanei/sanei_wire.c where
++ * it should be done) to minimize scope of impact and amount
++ * of code change.
++ */
++ if (w->direction == WIRE_DECODE
++ && req.value_type == SANE_TYPE_STRING
++ && req.action == SANE_ACTION_GET_VALUE)
++ {
++ if (req.value)
++ {
++ /* FIXME: If req.value contains embedded NUL
++ * characters, this is wrong but we do not have
++ * access to the amount of memory allocated in
++ * sanei/sanei_wire.c at this point.
++ */
++ w->allocated_memory -= (1 + strlen (req.value));
++ free (req.value);
++ }
++ req.value = malloc (req.value_size);
++ if (!req.value)
++ {
++ w->status = ENOMEM;
++ DBG (DBG_ERR,
++ "process_request: (control_option) "
++ "h=%d (%s)\n", req.handle, strerror (w->status));
++ return 1;
++ }
++ memset (req.value, 0, req.value_size);
++ w->allocated_memory += req.value_size;
++ }
++
+ can_authorize = 1;
+
+ memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
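Review bot: `req.value_size` is taken from the decoded request and passed to `malloc` and `memset` in the added block with no range check. A zero size may make `malloc` return NULL and be misreported as ENOMEM, and if the field is a signed word (not visible here) a negative value converts to a very large `size_t`; a guard ahead of the allocation such as `if (req.value_size <= 0) { w->status = EINVAL; return 1; }`, plus an upper bound tied to the option's declared size, would cover both. Whether the backend can later write more than `value_size` bytes into the new buffer cannot be judged from this hunk, because `process_request` starts and ends outside it. The added comment also cites Debian BTS #853804, while the patch header's Bug-Debian field and the changelog both say 854804, so one of them should be corrected.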
diff --git a/debian/patches/series b/debian/patches/series
index b291883..8f2cb3f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@
0710-sane-desc.c_debian_mods.patch
0125-multiarch_dll_search_path.patch
0135-saned-remotescanners.patch
+0500-CVE-2017-6318.patch
diff --git a/debian/rules b/debian/rules
index fee580d..fcd28d1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -92,7 +92,6 @@ override_dh_install-arch:
override_dh_installdocs-arch:
dh_installdocs
- sed -i /DVIPSSource/d debian/tmp/usr/share/doc/libsane/sane.ps
# move files that belong to libsane-dev
mv debian/tmp/usr/share/doc/libsane/sane.ps debian/libsane-dev/usr/share/doc/libsane-dev/
mv debian/tmp/usr/share/doc/libsane/backend-writing.txt debian/libsane-dev/usr/share/doc/libsane-dev/
diff --git a/debian/sane-utils.postinst b/debian/sane-utils.postinst
index cf97dbe..155ed22 100644
--- a/debian/sane-utils.postinst
+++ b/debian/sane-utils.postinst
@@ -66,7 +66,7 @@ if [ "$1" = "configure" ] || [ "$1" = "reconfigure" ]; then
fi
fi
if [ "$SANED_IN_SCANNER" = "true" ]; then
- adduser --quiet saned scanner || true
+ adduser --quiet saned scanner
else
if id saned | grep -q "groups=.*\(scanner\)"; then
deluser --quiet saned scanner
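Review bot: The new `adduser --quiet saned scanner` line drops the `|| true` that the old line carried, so a non-zero exit from adduser is no longer tolerated here. If the script runs under `set -e` (not visible in the hunk), a failure at this call aborts package configuration, which is the situation the changelog entry for #860078 described, and that entry is removed in this same commit. Unless the revert is intended, keep `adduser --quiet saned scanner || true`, or catch the failure and print a warning so the administrator knows saned was not added to the scanner group. The surrounding `if` block starts and ends outside the hunk.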