[sane-devel] CVE-2017-6318 (old: Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server)
paddy-hack at member.fsf.org
Sun Mar 5 10:02:14 UTC 2017
Sorry for the belated follow-up.
Jörg Frings-Fürst writes:
> the bug is now a security issue and has a CVE number.
> I need your comment about the patch.
I wrote the patch, so I am not sure how qualified I am to comment on it
(and I have no idea what kind of comments you're after), but here goes.
Kritphong has reported that the patch makes the problem he reported
go away and does not obviously break saned.
I wrote the patch to take care only of the issue reported in the least
intrusive way. Unfortunately, that also means the patch cannot really
address the issue where it originates. It merely tries to repair the
broken logic in sanei/sanei_wire.c under very specific conditions (as
you can see from the initial condition in the patch).
I've commented a bit more on the patch in .
The FIXME in the patch, as also explained in , is to remind folks of
the fact that backends may send strings in buffers that are larger than
the length of the string. In that case, w->allocated_memory would end
up being larger than the amount that is actually still allocated. This
may, over time, lead to unwarranted SANE_STATUS_NO_MEM return values,
i.e. resource starvation, which may be a security issue in and of itself
as it would provide a way to trigger a DoS for saned.
Hope this helps,
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
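The accounting drift behind the FIXME, as an added illustration that is not part of the original message and is not sanei_wire.c or any SANE project code: a small model in which a bookkeeping counter is charged the full buffer size on allocation but credited only strlen()+1 on free, so that a string shipped in an oversized buffer leaves a residue in the counter each cycle until the budget check refuses an allocation that would actually succeed. The struct, the budget, the status names and the sample string are all constructed for this example.

```c
/* Added example, not SANE project code. Models the counter drift described
 * in the FIXME: buffers are charged at their real size but credited only
 * strlen()+1 when freed. All names and the budget are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MODEL_STATUS_GOOD = 0, MODEL_STATUS_NO_MEM = 1 };

struct model_wire {
    size_t allocated_memory;   /* bookkeeping counter, the role w->allocated_memory plays */
    size_t budget;             /* ceiling above which allocations are refused */
};

/* Allocate a buf_len-byte buffer and copy s into it (caller ensures strlen(s)+1 <= buf_len).
 * Charges the counter with the real buffer size. */
static int model_alloc_string(struct model_wire *w, const char *s, size_t buf_len, char **out)
{
    if (w->allocated_memory + buf_len > w->budget)
        return MODEL_STATUS_NO_MEM;          /* refused by the budget check */
    *out = calloc(1, buf_len);
    if (!*out)
        return MODEL_STATUS_NO_MEM;          /* genuine allocation failure */
    memcpy(*out, s, strlen(s) + 1);
    w->allocated_memory += buf_len;
    return MODEL_STATUS_GOOD;
}

/* Broken accounting: credits strlen()+1, which undercounts whenever the
 * buffer was larger than the string it carried. The residue stays in the counter. */
static void model_free_by_strlen(struct model_wire *w, char *s)
{
    w->allocated_memory -= strlen(s) + 1;
    free(s);
}

/* Exact accounting: credits the size that was actually charged. */
static void model_free_by_size(struct model_wire *w, char *s, size_t buf_len)
{
    w->allocated_memory -= buf_len;
    free(s);
}

/* Run allocate/free cycles of one string carried in a buf_len-byte buffer.
 * Returns the number of cycles completed before the first NO_MEM, or
 * max_cycles if the budget is never hit. exact selects the free() accounting. */
size_t cycles_until_no_mem(size_t budget, size_t buf_len, const char *s,
                           size_t max_cycles, int exact)
{
    struct model_wire w = { 0, budget };
    for (size_t i = 0; i < max_cycles; i++) {
        char *p;
        if (model_alloc_string(&w, s, buf_len, &p) != MODEL_STATUS_GOOD)
            return i;                        /* spurious NO_MEM: nothing is really held */
        if (exact)
            model_free_by_size(&w, p, buf_len);
        else
            model_free_by_strlen(&w, p);
    }
    return max_cycles;
}

int main(void)
{
    /* Constructed sample: an 11-character device name shipped in a 64-byte buffer,
     * against a 1024-byte budget. Each broken cycle leaks 64 - 12 = 52 bytes of credit. */
    const char *name = "usb:001:002";
    printf("strlen()+1 accounting: NO_MEM after %zu cycles\n",
           cycles_until_no_mem(1024, 64, name, 1000, 0));
    printf("exact accounting:      %zu cycles, no NO_MEM\n",
           cycles_until_no_mem(1024, 64, name, 1000, 1));
    return 0;
}
```

With the constructed figures the broken variant refuses the 20th allocation (after 19 cycles the counter reads 988 bytes although nothing is held), while the exact variant runs the full 1000 cycles; the number of cycles a real peer would need depends only on how much each buffer exceeds its string and on the budget, so a client that can keep a connection open can drive the counter to the limit at its own pace.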