[sane-devel] CVE-2017-6318 (old: Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server)

Olaf Meeuwissen paddy-hack at member.fsf.org
Sun Mar 5 10:02:14 UTC 2017

Hi Jörg,

Sorry for the belated follow-up.

Jörg Frings-Fürst writes:

> Hi,
> the bug[1] is now a security issue[2] and has a CVE-Number[3].
> I need your comment about the patch.

I wrote the patch so I am not sure how qualified I am to comment on it
(and I have no idea what kind of comments you're after) but here goes.

Kritphong has reported[4] that the patch makes the problem he reported
go away and does not obviously break saned.

I wrote the patch to take care only of the issue reported in the least
intrusive way.  Unfortunately, that also means the patch cannot really
address the issue where it originates.  It merely tries to repair the
broken logic in sanei/sanei_wire.c under very specific conditions (as
you can see from the initial condition in the patch).

I've commented a bit more on the patch in [5].

The FIXME in the patch, as also explained in [5], is to remind folks of
the fact that backends may send strings in buffers that are larger than
the length of the string.  In that case, w->allocated_memory would end
up being larger than the amount that is actually still allocated.  This
may, over time, lead to unwarranted SANE_STATUS_NO_MEM return values,
i.e. resource starvation, which may be a security issue in and of itself
as it would provide a way to trigger a DoS for saned.

> [1]https://alioth.debian.org/tracker/index.php?func=detail&aid=315576&group_id=30186&atid=410366
> [2]https://security-tracker.debian.org/tracker/CVE-2017-6318
> [3]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6318


Hope this helps,
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
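
Added illustration, not part of the message above and not code from sane-backends: a simplified model of the w->allocated_memory drift the FIXME warns about, where a buffer is charged at its full size but credited back by string length. The names model_wire, wire_alloc, wire_free, MODEL_MEM_LIMIT and the 64-byte/1024-byte sizes are hypothetical, and the charge/credit direction is an assumption consistent with the description.

```c
/* Simplified model of the counter drift; not SANE's sanei_wire.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MEM_LIMIT 1024  /* hypothetical cap on tracked bytes */
enum model_status { MODEL_GOOD, MODEL_NO_MEM };
struct model_wire { size_t allocated_memory; };  /* bytes believed live */

/* Allocate buf_size bytes and charge the full size to the counter. */
static enum model_status wire_alloc(struct model_wire *w, size_t buf_size, char **out)
{
    if (w->allocated_memory + buf_size > MODEL_MEM_LIMIT)
        return MODEL_NO_MEM;          /* refused by bookkeeping alone */
    if (!(*out = calloc(1, buf_size)))
        return MODEL_NO_MEM;
    w->allocated_memory += buf_size;
    return MODEL_GOOD;
}

/* Free the buffer; credit strlen+1 (drifts) or the true size (exact). */
static void wire_free(struct model_wire *w, char *s, size_t buf_size, int exact)
{
    w->allocated_memory -= exact ? buf_size : strlen(s) + 1;
    free(s);
}

/* Round-trip a short string held in a 64-byte buffer; return how many
   rounds succeed before the counter refuses an allocation. */
static int rounds_until_no_mem(int exact, int max_rounds)
{
    struct model_wire w = { 0 };
    for (int i = 0; i < max_rounds; i++) {
        char *s;
        if (wire_alloc(&w, 64, &s) != MODEL_GOOD)
            return i;
        strcpy(s, "Gray");            /* constructed value: 5 of 64 bytes */
        wire_free(&w, s, 64, exact);
    }
    return max_rounds;
}

int main(void)
{
    printf("strlen credit: NO_MEM after %d rounds; size credit: %d rounds ok\n",
           rounds_until_no_mem(0, 1000), rounds_until_no_mem(1, 1000));
    return 0;
}
```

In the drifting case every buffer has already been freed when the refusal occurs, so the failure comes from the stale counter rather than from memory actually in use.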
