Hello community,

here is the log from the commit of package sane-backends for openSUSE:Factory 
checked in at 2017-03-03 17:32:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sane-backends (Old)
 and      /work/SRC/openSUSE:Factory/.sane-backends.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sane-backends"

Fri Mar  3 17:32:12 2017 rev:82 rq:460926 version:1.0.25

Changes:
--------
--- /work/SRC/openSUSE:Factory/sane-backends/sane-backends.changes      
2016-01-13 22:44:26.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.sane-backends.new/sane-backends.changes 
2017-03-03 17:32:13.397513465 +0100
@@ -1,0 +2,10 @@
+Tue Feb 28 12:15:12 CET 2017 - [email protected]
+
+- CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
+  access to saned some opcodes could leak uninitialized memory
+  back to the requester allowing information disclosure
+  of memory content in saned (bsc#1027197).
+  In general regarding "access to saned" see
+  https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
+
+-------------------------------------------------------------------

New:
----
  CVE-2017-6318.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sane-backends.spec ++++++
--- /var/tmp/diff_new_pack.TNLpab/_old  2017-03-03 17:32:14.501357499 +0100
+++ /var/tmp/diff_new_pack.TNLpab/_new  2017-03-03 17:32:14.501357499 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package sane-backends
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -74,6 +74,12 @@
 Patch1:         dell1600n_net-fix-strncat.patch
 # Patch2 sane-backends.builttime.patch avoids build-compare noise
 Patch2:         sane-backends.builttime.patch
+# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
+# access to saned some opcodes could leak uninitialized memory back to the 
requester
+# allowing information disclosure of memory content in saned,
+# see 
https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html
+# and https://bugzilla.suse.com/show_bug.cgi?id=1027197
+Patch3:         CVE-2017-6318.patch
 # Patch100... is SUSE specific stuff:
 # Patch101 no-descriptions-external-hpoj.patch removes 
descriptions-external/hpoj.desc from doc/Makefile.am
 # because it is intentionally removed from the sources in the prep section:
@@ -169,7 +175,14 @@
 #   GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1)
 # see 
https://alioth.debian.org/tracker/index.php?func=detail&aid=315198&group_id=30186&atid=410366
 %patch1
+# Patch2 sane-backends.builttime.patch avoids build-compare noise
 %patch2 -p1
+# Patch3 CVE-2017-6318.patch fixes CVE-2017-6318 which is about that via
+# access to saned some opcodes could leak uninitialized memory back to the 
requester
+# allowing information disclosure of memory content in saned,
+# see 
https://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html
+# and https://bugzilla.suse.com/show_bug.cgi?id=1027197
+%patch3
 # Patch100... is SUSE specific stuff:
 # Patch101 no-descriptions-external-hpoj.patch removes 
descriptions-external/hpoj.desc from doc/Makefile.am
 # because it is intentionally removed from the sources in the prep section:

++++++ CVE-2017-6318.patch ++++++
--- frontend/saned.c
+++ frontend/saned.c
@@ -1992,6 +1992,32 @@ process_request (Wire * w)
            return 1;
          }
 
+        /* Debian BTS #853804 */
+        if (w->direction == WIRE_DECODE
+            && req.value_type == SANE_TYPE_STRING
+            && req.action     == SANE_ACTION_GET_VALUE)
+          {
+            if (req.value)
+              {
+                /* FIXME: If req.value contained embedded NUL
+                 *        characters, this is wrong.
+                 */
+                w->allocated_memory -= (1 + strlen (req.value));
+                free (req.value);
+              }
+            req.value = malloc (req.value_size);
+            if (!req.value)
+              {
+                w->status = ENOMEM;
+                DBG (DBG_ERR,
+                     "process_request: (control_option) "
+                     "h=%d (%s)\n", req.handle, strerror (w->status));
+                return 1;
+              }
+            memset (req.value, 0, req.value_size);
+            w->allocated_memory += req.value_size;
+          }
+
        can_authorize = 1;
 
        memset (&reply, 0, sizeof (reply));     /* avoid leaking bits */
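Review bot: `req.value_size` comes out of the decoded request, i.e. from the connected client, and the new block passes it straight to `malloc (req.value_size)` with no upper bound, so unless an earlier part of process_request (outside this hunk) already caps it, a peer can make saned commit an arbitrarily large zeroed buffer per GET_VALUE request. A fixed ceiling checked before the allocation, for example `if (req.value_size > MAX_VALUE_SIZE /* placeholder: project-defined cap */) { w->status = EINVAL; return 1; }`, would bound that. The `malloc`+`memset` pair can also be written as `req.value = calloc (1, req.value_size);`, which zeroes the buffer in one step and keeps the uninitialized-memory fix the patch is about. Note that when `req.value_size` is 0 the result of `malloc (0)` is implementation-defined (possibly NULL), which the ENOMEM branch would then report as an allocation failure. process_request continues on both sides of this hunk.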
