Your message dated Fri, 21 Apr 2017 17:27:00 +0000
with message-id <acf5e192-e940-8251-41fe-d7ffc71f1...@thykier.net>
and subject line Re: Bug#860907: unblock: sane-backends/1.0.25-4
has caused the Debian Bug report #860907,
regarding unblock: sane-backends/1.0.25-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860907: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian....@packages.debian.org
Usertags: unblock

Hello!

sane-backends_1.0.25-4 contains a single, cherry-picked patch
from upstream to address an RC bug which is the vulnerability
CVE-2017-6318.

Debdiff attached.

Thanks,
Adrian

unblock sane-backends/1.0.25-4

-- System Information:
Debian Release: 9.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru sane-backends-1.0.25/debian/changelog 
sane-backends-1.0.25/debian/changelog
--- sane-backends-1.0.25/debian/changelog       2016-12-10 13:45:15.000000000 
+0100
+++ sane-backends-1.0.25/debian/changelog       2017-04-19 12:07:38.000000000 
+0200
@@ -1,3 +1,12 @@
+sane-backends (1.0.25-4) unstable; urgency=medium
+
+  * CVE-2017-6318:
+    - New debian/patches/0500-CVE-2017-6318.patch
+      + cherry-picked from upstream to fix memory corruption and
+        information leakage (Closes: #854804).
+
+ -- Jörg Frings-Fürst <deb...@jff-webhosting.net>  Wed, 19 Apr 2017 12:07:38 
+0200
+
 sane-backends (1.0.25-3) unstable; urgency=medium
 
   * debian/rules:
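Review bot: the CVE-2017-6318 entry does not say which component the fix touches. The patch it adds only changes frontend/saned.c (process_request), so naming saned in the "cherry-picked from upstream to fix memory corruption and information leakage" line would let readers of the changelog tell at a glance whether their installation is affected.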
diff -Nru sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch 
sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch
--- sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch        
1970-01-01 01:00:00.000000000 +0100
+++ sane-backends-1.0.25/debian/patches/0500-CVE-2017-6318.patch        
2017-04-19 07:50:23.000000000 +0200
@@ -0,0 +1,52 @@
+Description: Address memory corruption and information leakage
+ cheery-pick from upstream git commit 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Author: Jörg Frings-Fürst <deb...@jff-webhosting.net>
+Origin: 
https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
+Forwarded: not-needed
+Last-Update: 2017-04-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: 1.0.25-3x/frontend/saned.c
+===================================================================
+--- 1.0.25-3x.orig/frontend/saned.c
++++ 1.0.25-3x/frontend/saned.c
+@@ -1987,6 +1987,38 @@ process_request (Wire * w)
+           return 1;
+         }
+ 
++        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++        /* This is done here (rather than in sanei/sanei_wire.c where
++         * it should be done) to minimize scope of impact and amount
++         * of code change.
++         */
++        if (w->direction == WIRE_DECODE
++            && req.value_type == SANE_TYPE_STRING
++            && req.action     == SANE_ACTION_GET_VALUE)
++          {
++            if (req.value)
++              {
++                /* FIXME: If req.value contains embedded NUL
++                 *        characters, this is wrong but we do not have
++                 *        access to the amount of memory allocated in
++                 *        sanei/sanei_wire.c at this point.
++                 */
++                w->allocated_memory -= (1 + strlen (req.value));
++                free (req.value);
++              }
++            req.value = malloc (req.value_size);
++            if (!req.value)
++              {
++                w->status = ENOMEM;
++                DBG (DBG_ERR,
++                     "process_request: (control_option) "
++                     "h=%d (%s)\n", req.handle, strerror (w->status));
++                return 1;
++              }
++            memset (req.value, 0, req.value_size);
++            w->allocated_memory += req.value_size;
++          }
++
+       can_authorize = 1;
+ 
+       memset (&reply, 0, sizeof (reply));     /* avoid leaking bits */
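Review bot: at `req.value = malloc (req.value_size);` the size is taken from the decoded request with no range check in this hunk. With a value_size of 0, malloc may legitimately return NULL and the request is then reported as ENOMEM, and an oversized value is only stopped by the allocation failing. Consider validating req.value_size before allocating, and using calloc in place of the malloc plus memset pair. The accounting line `w->allocated_memory -= (1 + strlen (req.value));` is, as its own FIXME says, only correct when the decoded string has no embedded NUL, so allocated_memory can drift from what sanei_wire.c actually allocated. Separately, the code comment cites "Debian BTS #853804" while the Bug-Debian header and the changelog both use 854804, and the Description line reads "cheery-pick".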
diff -Nru sane-backends-1.0.25/debian/patches/series 
sane-backends-1.0.25/debian/patches/series
--- sane-backends-1.0.25/debian/patches/series  2016-08-21 15:18:29.000000000 
+0200
+++ sane-backends-1.0.25/debian/patches/series  2017-04-19 07:16:16.000000000 
+0200
@@ -17,3 +17,4 @@
 0710-sane-desc.c_debian_mods.patch
 0125-multiarch_dll_search_path.patch
 0135-saned-remotescanners.patch
+0500-CVE-2017-6318.patch
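Review bot: the new entry is appended after 0135-saned-remotescanners.patch, so it is applied last even though its 0500 prefix sorts before 0710. Since quilt applies patches in series order and 0135-saned-remotescanners.patch is, by its name, also a saned change, it is worth confirming that 0500-CVE-2017-6318.patch was refreshed against the tree with the earlier patches applied, so that the `@@ -1987,6 +1987,38 @@` hunk applies without offset or fuzz.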

--- End Message ---
--- Begin Message ---
John Paul Adrian Glaubitz:
> Package: release.debian.org
> Severity: normal
> Tags: patch
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Hello!
> 
> sane-backends_1.0.25-4 contains a single, cherry-picked patch
> from upstream to address an RC bug which is the vulnerability
> CVE-2017-6318.
> 
> Debdiff attached.
> 
> Thanks,
> Adrian
> 
> unblock sane-backends/1.0.25-4
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
