Package: sane-utils Version: 1.0.25-3 Severity: grave Tags: security upstream Justification: user security hole
Dear Maintainer, When saned received a SANE_NET_CONTROL_OPTION packet with value_type == SANE_TYPE_STRING and value_size larger than the actual length of the requested string, the response packet from the server contains a string object as long as value_size in the request. The bytes following the actual string appears to contain memory contents from the server. It may be possible to trigger this bug with other packet types, but I have not verified this. I have previously filed a bug in the SANE bug tracker on Alioth (#315576), but I received no response. -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages sane-utils depends on: ii adduser 3.115 ii debconf [debconf-2.0] 1.5.60 ii init-system-helpers 1.47 ii libavahi-client3 0.6.32-2 ii libavahi-common3 0.6.32-2 ii libc6 2.24-9 ii libieee1284-3 0.2.11-13 ii libjpeg62-turbo 1:1.5.1-2 ii libpng16-16 1.6.28-1 ii libsane 1.0.25-3 ii libsystemd0 232-6 ii libusb-1.0-0 2:1.0.21-1 ii lsb-base 9.20161125 ii update-inetd 4.44 sane-utils recommends no packages. Versions of packages sane-utils suggests: ii avahi-daemon 0.6.32-2 pn unpaper <none> -- debconf information excluded
