!18 fix CVE-2020-12862 CVE-2020-12865

From: @wang_yue111 Reviewed-by: @zhanghua1831,@small_leek Signed-off-by: @small_leek
2021-02-07 14:04:55 +08:00 · 2021-02-07 14:04:55 +08:00 · a4049e7bea
commit a4049e7bea
parent 1843afbf1b f30eb1c9dc
3 changed files with 153 additions and 1 deletions
--- a/CVE-2020-12862.patch
+++ b/CVE-2020-12862.patch
@ -0,0 +1,75 @@
+From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001
+From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
+Date: Thu, 30 Apr 2020 21:15:45 +0900
+Subject: [PATCH] epsonds: Do not read beyond the end of the token
+
+Addresses GHSL-2020-082, re #279.
+---
+ backend/epsonds-cmd.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
+index 9a4db3080..7ca660f1f 100644
+--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
+@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
+ }
+ 
+ /* h000 */
+-static char *decode_binary(char *buf)
+static char *decode_binary(char *buf, int len)
+ {
+ 	char tmp[6];
+ 	int hl;
+ 
+ 	memcpy(tmp, buf, 4);
+ 	tmp[4] = '\0';
+	len -= 4;
+ 
+ 	if (buf[0] != 'h')
+ 		return NULL;
+ 
+ 	hl = strtol(tmp + 1, NULL, 16);
+	if (hl > len) hl = len;
+ 	if (hl) {
+ 
+ 		char *v = malloc(hl + 1);
+@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
+ 	return NULL;
+ }
+ 
+-static char *decode_string(char *buf)
+static char *decode_string(char *buf, int len)
+ {
+-	char *p, *s = decode_binary(buf);
+	char *p, *s = decode_binary(buf, len);
+ 	if (s == NULL)
+ 		return NULL;
+ 
+@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
+ 
+ 	if (strncmp("PRD", token, 3) == 0) {
+ 		free(s->hw->model);
+-		s->hw->model = decode_string(value);
+		s->hw->model = decode_string(value, len);
+ 		s->hw->sane.model = s->hw->model;
+ 		DBG(1, " product: %s\n", s->hw->model);
+ 		/* we will free the string later */
+ 	}
+ 
+ 	if (strncmp("VER", token, 3) == 0) {
+-		char *v = decode_string(value);
+		char *v = decode_string(value, len);
+ 		DBG(1, " version: %s\n", v);
+ 		free(v);
+ 	}
+ 
+ 	if (strncmp("S/N", token, 3) == 0) {
+-		char *v = decode_string(value);
+		char *v = decode_string(value, len);
+ 		DBG(1, "  serial: %s\n", v);
+ 		free(v);
+ 	}
+-- 
+GitLab
+
--- a/CVE-2020-12865.patch
+++ b/CVE-2020-12865.patch
@ -0,0 +1,72 @@
+From b9b0173409df73e235da2aa0dae5edd21fb55967 Mon Sep 17 00:00:00 2001
+From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
+Date: Mon, 27 Apr 2020 18:48:29 +0900
+Subject: [PATCH] epsonds: Prevent possible buffer overflow when reading image
+ data
+
+Addresses GHSL-2020-084, re #279.
+---
+ backend/epsonds-cmd.c |  5 +++++
+ backend/epsonds.c     | 12 +++++++-----
+ backend/epsonds.h     |  1 +
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
+index 9a4db3080..c182aa51a 100644
+--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
+@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length)
+ 		return parse_status;
+ 	}
+ 
+	/* more data than was accounted for in s->buf */
+	if (more > s->bsz) {
+		return SANE_STATUS_IO_ERROR;
+	}
+
+ 	/* ALWAYS read image data */
+ 	if (s->hw->connection == SANE_EPSONDS_NET) {
+ 		epsonds_net_request_read(s, more);
+diff --git a/backend/epsonds.c b/backend/epsonds.c
+index ff5d68106..fb9694a88 100644
+--- a/backend/epsonds.c
+++ b/backend/epsonds.c
+@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle)
+ 	if (s->line_buffer == NULL)
+ 		return SANE_STATUS_NO_MEM;
+ 
+-	/* ring buffer for front page, twice bsz */
+	/* transfer buffer size, bsz */
+ 	/* XXX read value from scanner */
+-	status = eds_ring_init(&s->front, (65536 * 4) * 2);
+	s->bsz = (65536 * 4);
+
+	/* ring buffer for front page */
+	status = eds_ring_init(&s->front, s->bsz * 2);
+ 	if (status != SANE_STATUS_GOOD) {
+ 		return status;
+ 	}
+ 
+-	/* transfer buffer, bsz */
+-	/* XXX read value from scanner */
+-	s->buf = realloc(s->buf, 65536 * 4);
+	/* transfer buffer */
+	s->buf = realloc(s->buf, s->bsz);
+ 	if (s->buf == NULL)
+ 		return SANE_STATUS_NO_MEM;
+ 
+diff --git a/backend/epsonds.h b/backend/epsonds.h
+index 0427ef3b4..401b0f32c 100644
+--- a/backend/epsonds.h
+++ b/backend/epsonds.h
+@@ -160,6 +160,7 @@ struct epsonds_scanner
+ 	Option_Value val[NUM_OPTIONS];
+ 	SANE_Parameters params;
+ 
+	size_t bsz;		/* transfer buffer size */
+ 	SANE_Byte *buf, *line_buffer;
+ 	ring_buffer *current, front, back;
+ 
+-- 
+GitLab
+
--- a/sane-backends.spec
+++ b/sane-backends.spec
@ -3,7 +3,7 @@

 Name:              sane-backends
 Version:           1.0.28
-Release:           9
+Release:           10
 Summary:           Scanner access software
 License:           GPLv2+ and GPLv2+ with exceptions and Public Domain and IJG and LGPLv2+ and MIT
 URL:               http://www.sane-project.org
@ -24,6 +24,8 @@ Patch0002:         sane-genesys-vector-glibcxxassert.patch
 Patch0003:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
 Patch0004:         CVE-2020-12867.patch
 Patch0005:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
+Patch0006:         CVE-2020-12862.patch
+Patch0007:         CVE-2020-12865.patch

 %description
 SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@ -206,6 +208,9 @@ exit 0
 %{_unitdir}/*

 %changelog
+* Fri Feb 05 2021 wangyue <wangyue92@huawei.com> - 1.0.28-10
+- Fix CVE-2020-12862 CVE-2020-12865
+
 * Wed Jan 27 2021 lingsheng <lingsheng@huawei.com> - 1.0.28-9
 - Add check for ports to avoid Segmentation fault