| author | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2020-03-30 21:31:32 +0200 | 
|---|---|---|
| committer | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2020-03-30 21:31:32 +0200 | 
| commit | a7fb2a10d2fd69a71d4bb28b2ef3fa0beb94264c (patch) | |
| tree | 58f05092be1a17a939e861f8cadcda1b6ca2ecef /debian/patches/0500-CVE-2017-6318.patch | |
| parent | bfdf25e7d41b1c4f54578179fefd360393b307fa (diff) | |
| parent | ee770c2346eb37e0dcb8b6cf3eaacf3d8efd6bbc (diff) | |
Merge tag 'experimental/1.0.29-1_experimental1' into develop
New upstream release
Diffstat (limited to 'debian/patches/0500-CVE-2017-6318.patch')
| -rw-r--r-- | debian/patches/0500-CVE-2017-6318.patch | 52 | 
1 files changed, 0 insertions, 52 deletions
| diff --git a/debian/patches/0500-CVE-2017-6318.patch b/debian/patches/0500-CVE-2017-6318.patch
deleted file mode 100644
index e793888..0000000
--- a/debian/patches/0500-CVE-2017-6318.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Description: Address memory corruption and information leakage
- cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
-Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
-Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
-Forwarded: not-needed
-Last-Update: 2017-04-19
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: 1.0.25-3x/frontend/saned.c
-===================================================================
---- 1.0.25-3x.orig/frontend/saned.c
-+++ 1.0.25-3x/frontend/saned.c
-@@ -1987,6 +1987,38 @@ process_request (Wire * w)
- 	    return 1;
- 	  }
- 
-+        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
-+        /* This is done here (rather than in sanei/sanei_wire.c where
-+         * it should be done) to minimize scope of impact and amount
-+         * of code change.
-+         */
-+        if (w->direction == WIRE_DECODE
-+            && req.value_type == SANE_TYPE_STRING
-+            && req.action     == SANE_ACTION_GET_VALUE)
-+          {
-+            if (req.value)
-+              {
-+                /* FIXME: If req.value contains embedded NUL
-+                 *        characters, this is wrong but we do not have
-+                 *        access to the amount of memory allocated in
-+                 *        sanei/sanei_wire.c at this point.
-+                 */
-+                w->allocated_memory -= (1 + strlen (req.value));
-+                free (req.value);
-+              }
-+            req.value = malloc (req.value_size);
-+            if (!req.value)
-+              {
-+                w->status = ENOMEM;
-+                DBG (DBG_ERR,
-+                     "process_request: (control_option) "
-+                     "h=%d (%s)\n", req.handle, strerror (w->status));
-+                return 1;
-+              }
-+            memset (req.value, 0, req.value_size);
-+            w->allocated_memory += req.value_size;
-+          }
-+
- 	can_authorize = 1;
- 
- 	memset (&reply, 0, sizeof (reply));	/* avoid leaking bits */ |
