[sane-devel] Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server

Jörg Frings-Fürst debian at jff-webhosting.net
Sat Feb 11 04:54:37 UTC 2017

tags 854804 + moreinfo

Hello Kritphong,

thank you for spending your time helping to make Debian better with
this bug report.

I have added the sane-devel ML as cc.

On Friday, 10.02.2017, at 10:33 -0500, Kritphong wrote:
> Package: sane-utils
> Version: 1.0.25-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Dear Maintainer,
> When saned received a SANE_NET_CONTROL_OPTION packet with value_type ==
> SANE_TYPE_STRING and value_size larger than the actual length of the
> requested string, the response packet from the server contains a string
> object as long as value_size in the request. The bytes following the
> actual string appear to contain memory contents from the server.

Please let me explain:

You have found one or more parts in the code where a string with an
incorrect value_size is transferred? Then please tell us where.

Or is there another problem?

Please give us more info and remove the tag moreinfo with your answer.

> It may be possible to trigger this bug with other packet types, but I
> have not verified this.
> I have previously filed a bug in the SANE bug tracker on Alioth
> (#315576), but I received no response.
> -- System Information:
> Debian Release: 9.0
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> Versions of packages sane-utils depends on:
> ii  adduser                3.115
> ii  debconf [debconf-2.0]  1.5.60
> ii  init-system-helpers    1.47
> ii  libavahi-client3       0.6.32-2
> ii  libavahi-common3       0.6.32-2
> ii  libc6                  2.24-9
> ii  libieee1284-3          0.2.11-13
> ii  libjpeg62-turbo        1:1.5.1-2
> ii  libpng16-16            1.6.28-1
> ii  libsane                1.0.25-3
> ii  libsystemd0            232-6
> ii  libusb-1.0-0           2:1.0.21-1
> ii  lsb-base               9.20161125
> ii  update-inetd           4.44
> sane-utils recommends no packages.
> Versions of packages sane-utils suggests:
> ii  avahi-daemon  0.6.32-2
> pn  unpaper       <none>
> -- debconf information excluded


GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key        : 8CA1D25D
CAcert Key S/N : 0E:D4:56

Old pgp Key: BE581B6E (revoked since 2014-12-31).

Jörg Frings-Fürst
D-54470 Lieser

Threema: SYR8SJXB

IRC: j_f-f at freenode.net
     j_f-f at oftc.net

My wish list: 
 - Please send me a picture from the nature at your home.
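
Added example, not part of the original message and not saned source code: a simplified C model of the behaviour the report describes (a string field whose length is taken from the request's value_size while the string itself is shorter), next to a version that clears the unused tail, and a check that counts non-zero bytes after the terminator. The function names, the 32-byte buffer and the "Color" value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check: count non-zero bytes after the first NUL in a `size`-byte field. */
size_t bytes_after_terminator(const unsigned char *field, size_t size)
{
    const unsigned char *nul = memchr(field, 0, size);
    size_t n = 0;
    if (nul == NULL)
        return 0;                       /* string fills the whole field */
    for (const unsigned char *p = nul + 1; p < field + size; p++)
        n += (*p != 0);
    return n;
}

/* Modelled pattern (assumption): field length comes from the request, only
   the string is written, so the rest of the buffer keeps its old contents. */
size_t fill_field_unchecked(unsigned char *buf, size_t value_size, const char *s)
{
    size_t len = strlen(s) + 1;
    memcpy(buf, s, len < value_size ? len : value_size);
    return value_size;                  /* bytes that go on the wire */
}

/* Hardened: truncate to fit, always terminate, zero the unused tail. */
size_t fill_field_cleared(unsigned char *buf, size_t value_size, const char *s)
{
    size_t len = strlen(s);
    if (value_size == 0)
        return 0;
    if (len >= value_size)
        len = value_size - 1;
    memcpy(buf, s, len);
    memset(buf + len, 0, value_size - len);
    return value_size;
}

/* Constructed case: a 32-byte buffer with old data is reused for "Color". */
size_t demo(int hardened)
{
    unsigned char buf[32];
    memset(buf, 'S', sizeof buf);       /* constructed stale contents */
    size_t sent = hardened ? fill_field_cleared(buf, sizeof buf, "Color")
                           : fill_field_unchecked(buf, sizeof buf, "Color");
    return bytes_after_terminator(buf, sent);
}

int main(void) { printf("unchecked: %zu, cleared: %zu\n", demo(0), demo(1)); return 0; }
```

The same `bytes_after_terminator` check can be run in a regression test over any fixed-size string field before it is written to the socket.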