[sane-devel] Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server
Kritphong Mongkhonvanit
kritphong at mongkhonvanit.tk
Sat Feb 11 17:16:04 UTC 2017
tags 854804 - moreinfo
thanks
On Sat, Feb 11, 2017 at 11:54 AM, Jörg Frings-Fürst
<debian at jff-webhosting.net> wrote:
> tags 854804 + moreinfo
> thanks
>
> Hello Kritphong,
>
> thank you for spending your time helping to make Debian better with
> this bug report.
>
> I have added the sane-devel ML as cc.
>
>
> Am Freitag, den 10.02.2017, 10:33 -0500 schrieb Kritphong
> Mongkhonvanit:
>> Package: sane-utils
>> Version: 1.0.25-3
>> Severity: grave
>> Tags: security upstream
>> Justification: user security hole
>>
>> Dear Maintainer,
>>
>> When saned receives a SANE_NET_CONTROL_OPTION packet with value_type ==
>> SANE_TYPE_STRING and value_size larger than the actual length of the
>> requested string, the response packet from the server contains a string
>> object as long as value_size in the request. The bytes following the
>> actual string appear to contain memory contents from the server.
>>
>
> Please let me explain:
>
> You have found one or more parts in the code where a string with an
> incorrect value_size is transferred? Then please tell us where.
I found that the transferred string in the value field of
SANE_NET_CONTROL_OPTION response packet is always the same size as the
one requested, even if the actual string is shorter. I assume that this
is intentional since the string is NULL-terminated. However, the part
beyond the NULL-terminator appears to be uninitialized memory from the
server, which can potentially contain sensitive information. I have yet
to locate where in SANE's source code this is happening, but I am able
to see the uninitialized memory in Wireshark, which suggests that it
actually comes from the server rather than from my machine.
I also have a proof-of-concept that demonstrates this if you'd like to
take a look at it.
>
> Or is there an other problem?
>
> Please give us more info and remove the tag moreinfo with your
> answer.
>
>
>> It may be possible to trigger this bug with other packet types, but I
>> have not verified this.
>>
>> I have previously filed a bug in the SANE bug tracker on Alioth
>> (#315576), but I received no response.
>>
>>
>> -- System Information:
>> Debian Release: 9.0
>> APT prefers unstable
>> APT policy: (500, 'unstable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
>>
>> Versions of packages sane-utils depends on:
>> ii adduser 3.115
>> ii debconf [debconf-2.0] 1.5.60
>> ii init-system-helpers 1.47
>> ii libavahi-client3 0.6.32-2
>> ii libavahi-common3 0.6.32-2
>> ii libc6 2.24-9
>> ii libieee1284-3 0.2.11-13
>> ii libjpeg62-turbo 1:1.5.1-2
>> ii libpng16-16 1.6.28-1
>> ii libsane 1.0.25-3
>> ii libsystemd0 232-6
>> ii libusb-1.0-0 2:1.0.21-1
>> ii lsb-base 9.20161125
>> ii update-inetd 4.44
>>
>> sane-utils recommends no packages.
>>
>> Versions of packages sane-utils suggests:
>> ii avahi-daemon 0.6.32-2
>> pn unpaper <none>
>>
>> -- debconf information excluded
>>
>
> CU
> Jörg
>
> --
> New:
> GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
> GPG key (long) : 09F89F3C8CA1D25D
> GPG Key : 8CA1D25D
> CAcert Key S/N : 0E:D4:56
>
> Old pgp Key: BE581B6E (revoked since 2014-12-31).
>
> Jörg Frings-Fürst
> D-54470 Lieser
>
> Threema: SYR8SJXB
>
> IRC: j_f-f at freenode.net
> j_f-f at oftc.net
>
> My wish list:
> - Please send me a picture from the nature at your home.
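The check a reader would want before chasing this further is a way to decode a captured SANE_NET_CONTROL_OPTION reply and measure what sits past the NUL terminator. The script below is an added example for this page; it is neither the reporter's proof of concept (which is not on the page) nor SANE project code. It does not talk to saned: it decodes bytes you already captured (for example exported from Wireshark). The wire layout it assumes is the one described in the SANE standard's network protocol section (big-endian 32-bit words, a SANE_TYPE_STRING value carried as a char array, i.e. a length word followed by that many bytes including the NUL, then a resource string); the field order of the reply and the SANE_TYPE_STRING constant are taken from the SANE headers as I remember them and should be verified against your own capture. The sample reply is constructed by hand to mirror the report, not captured from a real server.

```python
"""Decode a SANE_NET_CONTROL_OPTION reply and report bytes past the NUL.

Added example, not the reporter's PoC and not SANE project code.
Assumed layout (SANE standard, network protocol section; verify against
a real capture): status, info, value_type, value_size as big-endian
words; for SANE_TYPE_STRING the value is a char array (length word +
bytes, NUL included); then the resource string (0 length for NULL).
"""
import struct

SANE_TYPE_STRING = 3  # SANE_Value_Type: BOOL=0, INT=1, FIXED=2, STRING=3


def _word(buf, off):
    """Read one big-endian 32-bit word at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated reply at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _char_array(buf, off):
    """Read a length word followed by that many bytes."""
    n, off = _word(buf, off)
    if off + n > len(buf):
        raise ValueError("char array of %d bytes overruns the reply" % n)
    return buf[off:off + n], off + n


def parse_control_option_reply(buf):
    """Split a reply into its fields; only string-typed values are decoded."""
    status, off = _word(buf, 0)
    info, off = _word(buf, off)
    value_type, off = _word(buf, off)
    value_size, off = _word(buf, off)
    if value_type != SANE_TYPE_STRING:
        raise ValueError("this example only decodes SANE_TYPE_STRING values")
    value, off = _char_array(buf, off)
    resource, off = _char_array(buf, off)
    return {"status": status, "info": info, "value_type": value_type,
            "value_size": value_size, "value": value, "resource": resource,
            "trailing": buf[off:]}


def leak_report(buf):
    """Measure the bytes after the first NUL of the string value.

    A server that only echoes value_size bytes would leave that tail all
    zero; non-zero bytes are what the report observed in Wireshark.
    """
    r = parse_control_option_reply(buf)
    nul = r["value"].find(b"\0")
    if nul < 0:
        return {"string": r["value"], "tail": b"", "tail_len": 0,
                "nonzero_tail": False, "size_mismatch": len(r["value"]) != r["value_size"]}
    tail = r["value"][nul + 1:]
    return {"string": r["value"][:nul], "tail": tail, "tail_len": len(tail),
            "nonzero_tail": bool(any(tail)),
            "size_mismatch": len(r["value"]) != r["value_size"]}


def build_reply(value_type, value_bytes, resource=None):
    """Encode a reply with the assumed layout; used only for the constructed sample."""
    out = struct.pack(">IIII", 0, 0, value_type, len(value_bytes))
    out += struct.pack(">I", len(value_bytes)) + value_bytes
    if resource is None:
        out += struct.pack(">I", 0)
    else:
        out += struct.pack(">I", len(resource) + 1) + resource + b"\0"
    return out


# Constructed sample: a 4-char option value ("Gray") requested with
# value_size 32. The stale bytes after the NUL stand in for whatever the
# server left in its buffer; they are invented for this example.
STALE = b"/home/alice/scan-2017.pnm\0"
SAMPLE_REPLY = build_reply(SANE_TYPE_STRING, (b"Gray\0" + STALE).ljust(32, b"\0"))

if __name__ == "__main__":
    rep = leak_report(SAMPLE_REPLY)
    print("string      :", rep["string"])
    print("tail bytes  :", rep["tail_len"], "nonzero:", rep["nonzero_tail"])
    print("tail content:", rep["tail"])
```

To use it on a real capture, feed parse_control_option_reply the payload bytes of the reply (after the TCP header, starting at the status word) and compare tail_len with the value_size you sent; a non-zero tail on a server that has just handled other requests is the symptom described in the report, while an all-zero tail means the server padded rather than leaked.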