diff --git a/0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch b/0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch deleted file mode 100644 index 4687a24..0000000 --- a/0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up sane-backends-1.0.28/backend/genesys_gl841.cc.genesys-regression sane-backends-1.0.28/backend/genesys_gl841.cc ---- sane-backends-1.0.28/backend/genesys_gl841.cc.genesys-regression 2019-10-14 13:11:10.772763713 +0200 -+++ sane-backends-1.0.28/backend/genesys_gl841.cc 2019-10-14 13:11:57.602389188 +0200 -@@ -5042,6 +5042,9 @@ gl841_init (Genesys_Device * dev) - /* Set analog frontend */ - RIE (gl841_set_fe(dev, sensor, AFE_INIT)); - -+ // FIXME: slow_back_home modifies dev->calib_reg and requires it to be filled -+ dev->calib_reg = dev->reg; -+ - /* Move home */ - RIE (gl841_slow_back_home (dev, SANE_TRUE)); - diff --git a/CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch b/CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch index 0f55d52..e47ca7d 100644 --- a/CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch +++ b/CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch @@ -1,4 +1,4 @@ -From 30b1831a28f24ab2921b9f717c66d37f02bb81cc Mon Sep 17 00:00:00 2001 +From 4360b6f5910d57740eccbd1aa3bcd17eca7e438b Mon Sep 17 00:00:00 2001 From: Olaf Meeuwissen Date: Mon, 11 May 2020 21:07:12 +0900 Subject: [PATCH] epsonds: Mitigate potential network related security issues. @@ -11,13 +11,13 @@ and GHSL-2020-081. 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/epsonds.conf.in b/backend/epsonds.conf.in -index b8b36237a..1967a00fd 100644 +index e2880fa..7462d1d 100644 --- a/backend/epsonds.conf.in +++ b/backend/epsonds.conf.in -@@ -10,7 +10,7 @@ usb - # e.g.: +@@ -11,7 +11,7 @@ usb # usb 0x4b8 0x14c + # -# Network +# Network (not yet supported!) # @@ -25,5 +25,5 @@ index b8b36237a..1967a00fd 100644 -net autodiscovery +#net autodiscovery -- -GitLab +2.27.0 
diff --git a/CVE-2020-12862.patch b/CVE-2020-12862.patch
deleted file mode 100644
index 1d46225..0000000
--- a/CVE-2020-12862.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001 -From: Olaf Meeuwissen -Date: Thu, 30 Apr 2020 21:15:45 +0900 -Subject: [PATCH] epsonds: Do not read beyond the end of the token - -Addresses GHSL-2020-082, re #279. ---- - backend/epsonds-cmd.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c -index 9a4db3080..7ca660f1f 100644 ---- a/backend/epsonds-cmd.c -+++ b/backend/epsonds-cmd.c -@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len) - } - - /* h000 */ --static char *decode_binary(char *buf) -+static char *decode_binary(char *buf, int len) - { - char tmp[6]; - int hl; - - memcpy(tmp, buf, 4); - tmp[4] = '\0'; -+ len -= 4; - - if (buf[0] != 'h') - return NULL; - - hl = strtol(tmp + 1, NULL, 16); -+ if (hl > len) hl = len; - if (hl) { - - char *v = malloc(hl + 1); -@@ -279,9 +281,9 @@ static char *decode_binary(char *buf) - return NULL; - } - --static char *decode_string(char *buf) -+static char *decode_string(char *buf, int len) - { -- char *p, *s = decode_binary(buf); -+ char *p, *s = decode_binary(buf, len); - if (s == NULL) - return NULL; - -@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len) - - if (strncmp("PRD", token, 3) == 0) { - free(s->hw->model); -- s->hw->model = decode_string(value); -+ s->hw->model = decode_string(value, len); - s->hw->sane.model = s->hw->model; - DBG(1, " product: %s\n", s->hw->model); - /* we will free the string later */ - } - - if (strncmp("VER", token, 3) == 0) { -- char *v = decode_string(value); -+ char *v = decode_string(value, len); - DBG(1, " version: %s\n", v); - free(v); - } - - if (strncmp("S/N", token, 3) == 0) { -- char *v = decode_string(value); -+ char *v = decode_string(value, len); - DBG(1, " serial: %s\n", v); - free(v); - } --- -GitLab - diff --git a/CVE-2020-12863.patch b/CVE-2020-12863.patch deleted file mode 100644 index 57a27d3..0000000 
--- a/CVE-2020-12863.patch +++ /dev/null @@ -1,27 +0,0 @@ -From db9480b09ea807e52029f2334769a55d4b95e45b Mon Sep 17 00:00:00 2001 -From: Olaf Meeuwissen -Date: Mon, 27 Apr 2020 18:24:56 +0900 -Subject: [PATCH] epsonds: Read only up to seven hexdigits to determine payload - size - -Addresses GHSL-2020-083, re #279. ---- - backend/epsonds-cmd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c -index 9a4db3080..23327bb18 100644 ---- a/backend/epsonds-cmd.c -+++ b/backend/epsonds-cmd.c -@@ -117,7 +117,7 @@ esci2_check_header(const char *cmd, const char *buf, unsigned int *more) - return 0; - } - -- err = sscanf(&buf[5], "%x#", more); -+ err = sscanf(&buf[5], "%7x#", more); - if (err != 1) { - DBG(1, "cannot decode length from header\n"); - return 0; --- -GitLab - diff --git a/CVE-2020-12865.patch b/CVE-2020-12865.patch deleted file mode 100644 index ff40056..0000000 --- a/CVE-2020-12865.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From b9b0173409df73e235da2aa0dae5edd21fb55967 Mon Sep 17 00:00:00 2001 -From: Olaf Meeuwissen -Date: Mon, 27 Apr 2020 18:48:29 +0900 -Subject: [PATCH] epsonds: Prevent possible buffer overflow when reading image - data - -Addresses GHSL-2020-084, re #279. ---- - backend/epsonds-cmd.c | 5 +++++ - backend/epsonds.c | 12 +++++++----- - backend/epsonds.h | 1 + - 3 files changed, 13 insertions(+), 5 deletions(-) - -diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c -index 9a4db3080..c182aa51a 100644 ---- a/backend/epsonds-cmd.c -+++ b/backend/epsonds-cmd.c -@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length) - return parse_status; - } - -+ /* more data than was accounted for in s->buf */ -+ if (more > s->bsz) { -+ return SANE_STATUS_IO_ERROR; -+ } -+ - /* ALWAYS read image data */ - if (s->hw->connection == SANE_EPSONDS_NET) { - epsonds_net_request_read(s, more); -diff --git a/backend/epsonds.c b/backend/epsonds.c -index ff5d68106..fb9694a88 100644 ---- a/backend/epsonds.c -+++ b/backend/epsonds.c -@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle) - if (s->line_buffer == NULL) - return SANE_STATUS_NO_MEM; - -- /* ring buffer for front page, twice bsz */ -+ /* transfer buffer size, bsz */ - /* XXX read value from scanner */ -- status = eds_ring_init(&s->front, (65536 * 4) * 2); -+ s->bsz = (65536 * 4); -+ -+ /* ring buffer for front page */ -+ status = eds_ring_init(&s->front, s->bsz * 2); - if (status != SANE_STATUS_GOOD) { - return status; - } - -- /* transfer buffer, bsz */ -- /* XXX read value from scanner */ -- s->buf = realloc(s->buf, 65536 * 4); -+ /* transfer buffer */ -+ s->buf = realloc(s->buf, s->bsz); - if (s->buf == NULL) - return SANE_STATUS_NO_MEM; - -diff --git a/backend/epsonds.h b/backend/epsonds.h -index 0427ef3b4..401b0f32c 100644 ---- a/backend/epsonds.h -+++ b/backend/epsonds.h -@@ -160,6 +160,7 @@ struct epsonds_scanner - Option_Value val[NUM_OPTIONS]; - SANE_Parameters params; - -+ size_t bsz; 
/* transfer buffer size */ - SANE_Byte *buf, *line_buffer; - ring_buffer *current, front, back; - --- -GitLab - diff --git a/CVE-2020-12867.patch b/CVE-2020-12867.patch deleted file mode 100644 index 9e2cd58..0000000 --- a/CVE-2020-12867.patch +++ /dev/null 
@@ -1,249 +0,0 @@ -From fff83e7eacd0f27bb2d71c42488e0fd735c15ac3 Mon Sep 17 00:00:00 2001 -From: Olaf Meeuwissen -Date: Thu, 30 Apr 2020 18:24:51 +0900 -Subject: [PATCH] epson2: Rewrite network I/O - -This addresses GHSL-2020-075 as well as all other problematic code -uncovered as a result of investigating that. This includes: - -- buffer overflows due to use of unchecked lengths -- integer overflows due to type conversions -- potential memory leaks -- checking for memory allocation failures - -Re #279. ---- - backend/epson2_net.c | 140 +++++++++++++++++++++++++------------------ - backend/epson2_net.h | 4 +- - 2 files changed, 85 insertions(+), 59 deletions(-) - -diff --git a/backend/epson2_net.c b/backend/epson2_net.c -index 8d0fe9ea7..7f804eea8 100644 ---- a/backend/epson2_net.c -+++ b/backend/epson2_net.c -@@ -32,11 +32,12 @@ - - #include "sane/sanei_debug.h" - --static int -+static ssize_t - sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted, - SANE_Status *status) - { -- int ready, read = -1; -+ int ready; -+ ssize_t read = -1; - fd_set readable; - struct timeval tv; - -@@ -62,111 +63,136 @@ sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted, - return read; - } - --int --sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted, -+static ssize_t -+sanei_epson_net_read_buf(Epson_Scanner *s, unsigned char *buf, ssize_t wanted, - SANE_Status * status) - { -- ssize_t size; - ssize_t read = 0; -- unsigned char header[12]; - -- /* read from buffer, if available */ -- if (s->netptr != s->netbuf) { -- DBG(23, "reading %lu from buffer at %p, %lu available\n", -- (u_long) wanted, s->netptr, (u_long) s->netlen); -+ DBG(23, "%s: reading up to %lu from buffer at %p, %lu available\n", -+ __func__, (u_long) wanted, s->netptr, (u_long) s->netlen); - -- memcpy(buf, s->netptr, wanted); -- read = wanted; -+ if ((size_t) wanted > s->netlen) { -+ *status = SANE_STATUS_IO_ERROR; -+ wanted = s->netlen; -+ } - -- 
s->netlen -= wanted; -+ memcpy(buf, s->netptr, wanted); -+ read = wanted; - -- if (s->netlen == 0) { -- DBG(23, "%s: freeing %p\n", __func__, s->netbuf); -- free(s->netbuf); -- s->netbuf = s->netptr = NULL; -- s->netlen = 0; -- } -+ s->netptr += read; -+ s->netlen -= read; -+ -+ if (s->netlen == 0) { -+ DBG(23, "%s: freeing %p\n", __func__, s->netbuf); -+ free(s->netbuf); -+ s->netbuf = s->netptr = NULL; -+ s->netlen = 0; -+ } -+ -+ return read; -+} -+ -+ssize_t -+sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted, -+ SANE_Status * status) -+{ -+ if (wanted < 0) { -+ *status = SANE_STATUS_INVAL; -+ return 0; -+ } -+ -+ size_t size; -+ ssize_t read = 0; -+ unsigned char header[12]; - -- return read; -+ /* read from remainder of buffer */ -+ if (s->netptr) { -+ return sanei_epson_net_read_buf(s, buf, wanted, status); - } - - /* receive net header */ -- size = sanei_epson_net_read_raw(s, header, 12, status); -- if (size != 12) { -+ read = sanei_epson_net_read_raw(s, header, 12, status); -+ if (read != 12) { - return 0; - } - -+ /* validate header */ - if (header[0] != 'I' || header[1] != 'S') { - DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]); - *status = SANE_STATUS_IO_ERROR; - return 0; - } - -+ /* parse payload size */ - size = be32atoh(&header[6]); - -- DBG(23, "%s: wanted = %lu, available = %lu\n", __func__, -- (u_long) wanted, (u_long) size); -- - *status = SANE_STATUS_GOOD; - -- if (size == wanted) { -- -- DBG(15, "%s: full read\n", __func__); -- -- read = sanei_epson_net_read_raw(s, buf, size, status); -+ if (!s->netbuf) { -+ DBG(15, "%s: direct read\n", __func__); -+ DBG(23, "%s: wanted = %lu, available = %lu\n", __func__, -+ (u_long) wanted, (u_long) size); - -- if (s->netbuf) { -- free(s->netbuf); -- s->netbuf = NULL; -- s->netlen = 0; -+ if ((size_t) wanted > size) { -+ wanted = size; - } - -- if (read < 0) { -- return 0; -- } -- --/* } else if (wanted < size && s->netlen == size) { */ -+ read = 
sanei_epson_net_read_raw(s, buf, wanted, status); - } else { -- DBG(23, "%s: partial read\n", __func__); -+ DBG(15, "%s: buffered read\n", __func__); -+ DBG(23, "%s: bufferable = %lu, available = %lu\n", __func__, -+ (u_long) s->netlen, (u_long) size); - -- read = sanei_epson_net_read_raw(s, s->netbuf, size, status); -- if (read != size) { -- return 0; -+ if (s->netlen > size) { -+ s->netlen = size; - } - -- s->netlen = size - wanted; -- s->netptr += wanted; -- read = wanted; -- -- DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]); -- DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n", -- (u_long) size, s->netbuf, s->netptr, (u_long) s->netlen); -+ /* fill buffer */ -+ read = sanei_epson_net_read_raw(s, s->netbuf, s->netlen, status); -+ s->netptr = s->netbuf; -+ s->netlen = (read > 0 ? read : 0); - -- memcpy(buf, s->netbuf, wanted); -+ /* copy wanted part */ -+ read = sanei_epson_net_read_buf(s, buf, wanted, status); - } - - return read; - } - -- --int -+size_t - sanei_epson_net_write(Epson_Scanner *s, unsigned int cmd, const unsigned char *buf, - size_t buf_size, size_t reply_len, SANE_Status *status) - { - unsigned char *h1, *h2, *payload; - unsigned char *packet = malloc(12 + 8 + buf_size); - -- /* XXX check allocation failure */ -+ if (!packet) { -+ *status = SANE_STATUS_NO_MEM; -+ return 0; -+ } - - h1 = packet; - h2 = packet + 12; - payload = packet + 12 + 8; - - if (reply_len) { -- s->netbuf = s->netptr = malloc(reply_len); -+ if (s->netbuf) { -+ DBG(23, "%s, freeing %p, %ld bytes unprocessed\n", -+ __func__, s->netbuf, (u_long) s->netlen); -+ free(s->netbuf); -+ s->netbuf = s->netptr = NULL; -+ s->netlen = 0; -+ } -+ s->netbuf = malloc(reply_len); -+ if (!s->netbuf) { -+ free(packet); -+ *status = SANE_STATUS_NO_MEM; -+ return 0; -+ } - s->netlen = reply_len; -- DBG(24, "allocated %lu bytes at %p\n", -- (u_long) reply_len, s->netbuf); -+ DBG(24, "%s: allocated %lu bytes at %p\n", __func__, -+ (u_long) s->netlen, s->netbuf); - } - 
- DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n", -diff --git a/backend/epson2_net.h b/backend/epson2_net.h -index 6aef2b725..7db671bf1 100644 ---- a/backend/epson2_net.h -+++ b/backend/epson2_net.h -@@ -4,9 +4,9 @@ - #include - #include "../include/sane/sane.h" - --extern int sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size, -+extern ssize_t sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size, - SANE_Status *status); --extern int sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf, -+extern size_t sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf, - size_t buf_size, size_t reply_len, - SANE_Status *status); - extern SANE_Status sanei_epson_net_lock(struct Epson_Scanner *s); --- -GitLab - diff --git a/sane-backends-1.0.28.tar.gz b/sane-backends-1.0.28.tar.gz deleted file mode 100644 index 8b62791..0000000 Binary files a/sane-backends-1.0.28.tar.gz and /dev/null differ diff --git a/sane-backends-1.2.1.tar.gz b/sane-backends-1.2.1.tar.gz new file mode 100644 index 0000000..db2e726 Binary files /dev/null and b/sane-backends-1.2.1.tar.gz differ diff --git a/sane-backends.spec b/sane-backends.spec index 2d82ac1..7315b01 100644 --- a/sane-backends.spec +++ b/sane-backends.spec @@ -2,8 +2,8 @@ %global __requires_exclude ^libsane-.*\.so\.[0-9]*(\(\).*)?+$ Name: sane-backends -Version: 1.0.28 -Release: 11 +Version: 1.2.1 +Release: 1 Summary: Scanner access software License: GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT URL: http://www.sane-project.org 
@@ -18,15 +18,8 @@ Requires: libpng systemd >= 196 systemd-udev >= 196 Requires: sane-backends-libs = %{version}-%{release} -Patch0000: 0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch -Patch0001: sane-xerox-mfp-blacklist-C460-for-JPEG.patch -Patch0002: sane-genesys-vector-glibcxxassert.patch -Patch0003: CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch -Patch0004: CVE-2020-12867.patch -Patch0005: Add-check-for-ports-to-avoid-Segmentation-fault.patch -Patch0006: CVE-2020-12862.patch -Patch0007: CVE-2020-12865.patch -Patch0008: CVE-2020-12863.patch +Patch0000: CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch +Patch0001: Add-check-for-ports-to-avoid-Segmentation-fault.patch %description SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners @@ -209,6 +202,9 @@ exit 0 %{_unitdir}/* %changelog +* Sat Oct 07 2023 wulei - 1.2.1-1 +- Update to 1.2.1 + * Sat Oct 09 2021 houyingchao - 1.0.28-11 - Fix CVE-2020-12863 diff --git a/sane-genesys-vector-glibcxxassert.patch b/sane-genesys-vector-glibcxxassert.patch deleted file mode 100644 index 2825e89..0000000 --- a/sane-genesys-vector-glibcxxassert.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/backend/genesys.cc b/backend/genesys.cc -index 0368e21..5ec37bc 100644 ---- a/backend/genesys.cc -+++ b/backend/genesys.cc -@@ -778,6 +778,12 @@ void sanei_genesys_create_default_gamma_table(Genesys_Device* dev, - size = 4096; - } - max = size - 1; -+ } else if (dev->model->asic_type == GENESYS_GL846 -+ || dev->model->asic_type == GENESYS_GL847 -+ || dev->model->asic_type == GENESYS_GL848 -+ || dev->model->asic_type == GENESYS_GL124) { -+ size = 257; -+ max = 65535; - } else { - size = 256; - max = 65535; diff --git a/sane-xerox-mfp-blacklist-C460-for-JPEG.patch b/sane-xerox-mfp-blacklist-C460-for-JPEG.patch deleted file mode 100644 index 401a4a7..0000000 --- a/sane-xerox-mfp-blacklist-C460-for-JPEG.patch +++ /dev/null 
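Review bot: The Patch list in the `@@ -18,15 +18,8 @@` hunk drops CVE-2020-12862, CVE-2020-12863, CVE-2020-12865 and CVE-2020-12867, and nothing in the spec records that the 1.2.1 sources already carry those fixes. They were presumably merged upstream before 1.2.1, but that should be confirmed against the new tarball, for example the `if (more > s->bsz)` guard in `esci2_img` and the `%7x#` width in `esci2_check_header`, because a fix lost in the rebase would reopen the issue without any build failure. Once confirmed, the changelog entry in the `@@ -209,6 +202,9 @@` hunk would be clearer as `- Update to 1.2.1; drop CVE-2020-12862/12863/12865/12867 and the genesys/xerox_mfp patches, included upstream`. The retained CVE-2020-12861 patch still comments out `net autodiscovery`, so a line above `Patch0000` such as `# keeps epsonds network autodiscovery disabled (CVE-2020-12861/12864/12866)` would tell the next packager why it must survive future rebases.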
@@ -1,12 +0,0 @@ -diff --git a/backend/xerox_mfp.c b/backend/xerox_mfp.c -index b7fcbee..2cb73ee 100644 ---- a/backend/xerox_mfp.c -+++ b/backend/xerox_mfp.c -@@ -209,6 +209,7 @@ static int isSupportedDevice(struct device __sane_unused__ *dev) - if (dev->compressionTypes & (1 << 6)) { - /* blacklist malfunctioning device(s) */ - if (!strncmp(dev->sane.model, "SCX-4500W", 9) || -+ !strncmp(dev->sane.model, "C460", 4) || - !strncmp(dev->sane.model, "M288x", 5)) - return 0; - return 1;