| -rw-r--r-- | debian/changelog | 14 | ||||
| -rw-r--r-- | debian/libsane-dev.NEWS | 6 | ||||
| -rw-r--r-- | debian/patches/0500-CVE-2017-6318.patch | 52 | ||||
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rwxr-xr-x | debian/rules | 1 | ||||
| -rw-r--r-- | debian/sane-utils.postinst | 2 | 
6 files changed, 66 insertions, 10 deletions
| diff --git a/debian/changelog b/debian/changelog index 299ba91..1781835 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,13 +1,11 @@ -sane-backends (1.0.25-4) UNRELEASED; urgency=medium +sane-backends (1.0.25-4) unstable; urgency=medium -  * Remove outdated debian/libsane-dev.NEWS (Closes: #852842). -  * debian/rules: -    - Remove DVIPSSource from sane.ps to make build reproducible. -  * debian/sane-uitls.postinst:  -    - Add "|| true" after adduser call to continue installation if -      adduser fails (Closes: #860078). +  * CVE-2017-6318: +    - New debian/patches/0500-CVE-2017-6318.patch +      + cherry-picked from upstream to fix memory corruption and +        information leakage (Closes: #854804). - -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Fri, 27 Jan 2017 22:09:18 +0100 + -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Wed, 19 Apr 2017 12:07:38 +0200  sane-backends (1.0.25-3) unstable; urgency=medium diff --git a/debian/libsane-dev.NEWS b/debian/libsane-dev.NEWS new file mode 100644 index 0000000..5fd28f3 --- /dev/null +++ b/debian/libsane-dev.NEWS @@ -0,0 +1,6 @@ +sane-backends (1.0.24-14) unstable; urgency=medium + +  Starting with this release sane-config are moved to +  the new package libsane-bin. + + -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Sun, 30 Aug 2015 19:02:57 +0200 diff --git a/debian/patches/0500-CVE-2017-6318.patch b/debian/patches/0500-CVE-2017-6318.patch new file mode 100644 index 0000000..e793888 --- /dev/null +++ b/debian/patches/0500-CVE-2017-6318.patch 
@@ -0,0 +1,52 @@ +Description: Address memory corruption and information leakage + cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d +Author: Jörg Frings-Fürst <debian@jff-webhosting.net> +Origin: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804 +Forwarded: not-needed +Last-Update: 2017-04-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: 1.0.25-3x/frontend/saned.c +=================================================================== +--- 1.0.25-3x.orig/frontend/saned.c ++++ 1.0.25-3x/frontend/saned.c +@@ -1987,6 +1987,38 @@ process_request (Wire * w) + 	    return 1; + 	  } +  ++        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */ ++        /* This is done here (rather than in sanei/sanei_wire.c where ++         * it should be done) to minimize scope of impact and amount ++         * of code change. ++         */ ++        if (w->direction == WIRE_DECODE ++            && req.value_type == SANE_TYPE_STRING ++            && req.action     == SANE_ACTION_GET_VALUE) ++          { ++            if (req.value) ++              { ++                /* FIXME: If req.value contains embedded NUL ++                 *        characters, this is wrong but we do not have ++                 *        access to the amount of memory allocated in ++                 *        sanei/sanei_wire.c at this point. 
++                 */ ++                w->allocated_memory -= (1 + strlen (req.value)); ++                free (req.value); ++              } ++            req.value = malloc (req.value_size); ++            if (!req.value) ++              { ++                w->status = ENOMEM; ++                DBG (DBG_ERR, ++                     "process_request: (control_option) " ++                     "h=%d (%s)\n", req.handle, strerror (w->status)); ++                return 1; ++              } ++            memset (req.value, 0, req.value_size); ++            w->allocated_memory += req.value_size; ++          } ++ + 	can_authorize = 1; +  + 	memset (&reply, 0, sizeof (reply));	/* avoid leaking bits */ diff --git a/debian/patches/series b/debian/patches/series index b291883..8f2cb3f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -17,3 +17,4 @@  0710-sane-desc.c_debian_mods.patch  0125-multiarch_dll_search_path.patch  0135-saned-remotescanners.patch +0500-CVE-2017-6318.patch diff --git a/debian/rules b/debian/rules index fee580d..fcd28d1 100755 --- a/debian/rules +++ b/debian/rules @@ -92,7 +92,6 @@ override_dh_install-arch:  override_dh_installdocs-arch:  	dh_installdocs -	sed -i /DVIPSSource/d debian/tmp/usr/share/doc/libsane/sane.ps  	# move files that belong to libsane-dev  	mv debian/tmp/usr/share/doc/libsane/sane.ps debian/libsane-dev/usr/share/doc/libsane-dev/  	mv debian/tmp/usr/share/doc/libsane/backend-writing.txt debian/libsane-dev/usr/share/doc/libsane-dev/ diff --git a/debian/sane-utils.postinst b/debian/sane-utils.postinst index cf97dbe..155ed22 100644 --- a/debian/sane-utils.postinst +++ b/debian/sane-utils.postinst @@ -66,7 +66,7 @@ if [ "$1" = "configure" ] || [ "$1" = "reconfigure" ]; then  	fi      fi      if [ "$SANED_IN_SCANNER" = "true" ]; then -	adduser --quiet saned scanner || true +	adduser --quiet saned scanner      else  	if id saned | grep -q "groups=.*\(scanner\)"; then  	    deluser --quiet saned scanner | 
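Review bot: In the block added to process_request, `req.value_size` comes from the decoded request and is passed to `malloc` and `memset` with no range check in the visible lines, so the peer chooses the allocation size, and a zero size can be reported as ENOMEM where `malloc(0)` returns NULL. Consider validating it before the old buffer is freed, for example `if (req.value_size <= 0 || req.value_size > VALUE_SIZE_LIMIT /* placeholder */) { w->status = EINVAL; return 1; }`, ideally bounded by the size advertised in the option's descriptor. The `w->allocated_memory += req.value_size` line also adjusts the counter directly, so any cap that sanei_wire.c enforces on it is presumably not applied to this allocation; that is worth confirming. The new comment cites "Debian BTS #853804" while the patch header and the changelog entry both reference 854804, so one of the numbers should be corrected for traceability. process_request starts and ends outside this hunk, so the meaning of `return 1` is inferred from the error path just above.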
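Review bot: On the new side of the sane-utils.postinst hunk, `adduser --quiet saned scanner` is unguarded, so a non-zero exit from adduser propagates to the script. If the postinst runs under `set -e` (not visible here), a missing saned user or scanner group would abort package configuration, which is the failure the changelog entry removed in this same commit had described (#860078). If dropping the guard is intentional, make the failure explicit rather than silent or fatal, for example `adduser --quiet saned scanner || echo "warning: could not add saned to group scanner" >&2`. The enclosing `if [ "$1" = "configure" ]` block begins and ends outside the hunk.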
