!33 Update to 1.2.1

From: @wu-leilei Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2023-10-09 01:37:48 +00:00 · 2023-10-09 01:37:48 +00:00 · d010f8274b
commit d010f8274b
parent 2b0f749a73 37b3b124e4
11 changed files with 12 additions and 481 deletions
--- a/0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch
+++ b/0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch
@ -1,13 +0,0 @@
 diff -up sane-backends-1.0.28/backend/genesys_gl841.cc.genesys-regression sane-backends-1.0.28/backend/genesys_gl841.cc
 --- sane-backends-1.0.28/backend/genesys_gl841.cc.genesys-regression	2019-10-14 13:11:10.772763713 +0200
 +++ sane-backends-1.0.28/backend/genesys_gl841.cc	2019-10-14 13:11:57.602389188 +0200
@@ -5042,6 +5042,9 @@ gl841_init (Genesys_Device * dev)
   /* Set analog frontend */
   RIE (gl841_set_fe(dev, sensor, AFE_INIT));
 +    // FIXME: slow_back_home modifies dev->calib_reg and requires it to be filled
 +    dev->calib_reg = dev->reg;
 +
   /* Move home */
   RIE (gl841_slow_back_home (dev, SANE_TRUE));
--- a/CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
+++ b/CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
@ -1,4 +1,4 @@
-From 30b1831a28f24ab2921b9f717c66d37f02bb81cc Mon Sep 17 00:00:00 2001
+From 4360b6f5910d57740eccbd1aa3bcd17eca7e438b Mon Sep 17 00:00:00 2001
 From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
 Date: Mon, 11 May 2020 21:07:12 +0900
 Subject: [PATCH] epsonds: Mitigate potential network related security issues. 
@ -11,13 +11,13 @@ and GHSL-2020-081.
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/backend/epsonds.conf.in b/backend/epsonds.conf.in
-index b8b36237a..1967a00fd 100644
+index e2880fa..7462d1d 100644
 --- a/backend/epsonds.conf.in
 +++ b/backend/epsonds.conf.in
-@@ -10,7 +10,7 @@ usb
+@@ -11,7 +11,7 @@ usb
 # e.g.:
 # usb 0x4b8 0x14c
 #
 -# Network
 +# Network (not yet supported!)
 #
@ -25,5 +25,5 @@ index b8b36237a..1967a00fd 100644
 -net autodiscovery
 +#net autodiscovery
 -- 
-GitLab
+2.27.0
--- a/CVE-2020-12862.patch
+++ b/CVE-2020-12862.patch
@ -1,75 +0,0 @@
 From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001
 From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
 Date: Thu, 30 Apr 2020 21:15:45 +0900
 Subject: [PATCH] epsonds: Do not read beyond the end of the token
 Addresses GHSL-2020-082, re #279.
 ---
 backend/epsonds-cmd.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
 diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
 index 9a4db3080..7ca660f1f 100644
 --- a/backend/epsonds-cmd.c
 +++ b/backend/epsonds-cmd.c
@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
 }
 /* h000 */
 -static char *decode_binary(char *buf)
 +static char *decode_binary(char *buf, int len)
 {
 	char tmp[6];
 	int hl;
 	memcpy(tmp, buf, 4);
 	tmp[4] = '\0';
 +	len -= 4;
 	if (buf[0] != 'h')
 		return NULL;
 	hl = strtol(tmp + 1, NULL, 16);
 +	if (hl > len) hl = len;
 	if (hl) {
 		char *v = malloc(hl + 1);
@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
 	return NULL;
 }
 -static char *decode_string(char *buf)
 +static char *decode_string(char *buf, int len)
 {
 -	char *p, *s = decode_binary(buf);
 +	char *p, *s = decode_binary(buf, len);
 	if (s == NULL)
 		return NULL;
@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
 	if (strncmp("PRD", token, 3) == 0) {
 		free(s->hw->model);
 -		s->hw->model = decode_string(value);
 +		s->hw->model = decode_string(value, len);
 		s->hw->sane.model = s->hw->model;
 		DBG(1, " product: %s\n", s->hw->model);
 		/* we will free the string later */
 	}
 	if (strncmp("VER", token, 3) == 0) {
 -		char *v = decode_string(value);
 +		char *v = decode_string(value, len);
 		DBG(1, " version: %s\n", v);
 		free(v);
 	}
 	if (strncmp("S/N", token, 3) == 0) {
 -		char *v = decode_string(value);
 +		char *v = decode_string(value, len);
 		DBG(1, "  serial: %s\n", v);
 		free(v);
 	}
 -- 
 GitLab
--- a/CVE-2020-12863.patch
+++ b/CVE-2020-12863.patch
@ -1,27 +0,0 @@
 From db9480b09ea807e52029f2334769a55d4b95e45b Mon Sep 17 00:00:00 2001
 From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
 Date: Mon, 27 Apr 2020 18:24:56 +0900
 Subject: [PATCH] epsonds: Read only up to seven hexdigits to determine payload
 size
 Addresses GHSL-2020-083, re #279.
 ---
 backend/epsonds-cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
 index 9a4db3080..23327bb18 100644
 --- a/backend/epsonds-cmd.c
 +++ b/backend/epsonds-cmd.c
@@ -117,7 +117,7 @@ esci2_check_header(const char *cmd, const char *buf, unsigned int *more)
 		return 0;
 	}
 -	err = sscanf(&buf[5], "%x#", more);
 +	err = sscanf(&buf[5], "%7x#", more);
 	if (err != 1) {
 		DBG(1, "cannot decode length from header\n");
 		return 0;
 -- 
 GitLab
--- a/CVE-2020-12865.patch
+++ b/CVE-2020-12865.patch
@ -1,72 +0,0 @@
 From b9b0173409df73e235da2aa0dae5edd21fb55967 Mon Sep 17 00:00:00 2001
 From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
 Date: Mon, 27 Apr 2020 18:48:29 +0900
 Subject: [PATCH] epsonds: Prevent possible buffer overflow when reading image
 data
 Addresses GHSL-2020-084, re #279.
 ---
 backend/epsonds-cmd.c |  5 +++++
 backend/epsonds.c     | 12 +++++++-----
 backend/epsonds.h     |  1 +
 3 files changed, 13 insertions(+), 5 deletions(-)
 diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
 index 9a4db3080..c182aa51a 100644
 --- a/backend/epsonds-cmd.c
 +++ b/backend/epsonds-cmd.c
@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length)
 		return parse_status;
 	}
 +	/* more data than was accounted for in s->buf */
 +	if (more > s->bsz) {
 +		return SANE_STATUS_IO_ERROR;
 +	}
 +
 	/* ALWAYS read image data */
 	if (s->hw->connection == SANE_EPSONDS_NET) {
 		epsonds_net_request_read(s, more);
 diff --git a/backend/epsonds.c b/backend/epsonds.c
 index ff5d68106..fb9694a88 100644
 --- a/backend/epsonds.c
 +++ b/backend/epsonds.c
@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle)
 	if (s->line_buffer == NULL)
 		return SANE_STATUS_NO_MEM;
 -	/* ring buffer for front page, twice bsz */
 +	/* transfer buffer size, bsz */
 	/* XXX read value from scanner */
 -	status = eds_ring_init(&s->front, (65536 * 4) * 2);
 +	s->bsz = (65536 * 4);
 +
 +	/* ring buffer for front page */
 +	status = eds_ring_init(&s->front, s->bsz * 2);
 	if (status != SANE_STATUS_GOOD) {
 		return status;
 	}
 -	/* transfer buffer, bsz */
 -	/* XXX read value from scanner */
 -	s->buf = realloc(s->buf, 65536 * 4);
 +	/* transfer buffer */
 +	s->buf = realloc(s->buf, s->bsz);
 	if (s->buf == NULL)
 		return SANE_STATUS_NO_MEM;
 diff --git a/backend/epsonds.h b/backend/epsonds.h
 index 0427ef3b4..401b0f32c 100644
 --- a/backend/epsonds.h
 +++ b/backend/epsonds.h
@@ -160,6 +160,7 @@ struct epsonds_scanner
 	Option_Value val[NUM_OPTIONS];
 	SANE_Parameters params;
 +	size_t bsz;		/* transfer buffer size */
 	SANE_Byte *buf, *line_buffer;
 	ring_buffer *current, front, back;
 -- 
 GitLab
--- a/CVE-2020-12867.patch
+++ b/CVE-2020-12867.patch
@ -1,249 +0,0 @@
 From fff83e7eacd0f27bb2d71c42488e0fd735c15ac3 Mon Sep 17 00:00:00 2001
 From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
 Date: Thu, 30 Apr 2020 18:24:51 +0900
 Subject: [PATCH] epson2: Rewrite network I/O
 This addresses GHSL-2020-075 as well as all other problematic code
 uncovered as a result of investigating that.  This includes:
 - buffer overflows due to use of unchecked lengths
 - integer overflows due to type conversions
 - potential memory leaks
 - checking for memory allocation failures
 Re #279.
 ---
 backend/epson2_net.c | 140 +++++++++++++++++++++++++------------------
 backend/epson2_net.h |   4 +-
 2 files changed, 85 insertions(+), 59 deletions(-)
 diff --git a/backend/epson2_net.c b/backend/epson2_net.c
 index 8d0fe9ea7..7f804eea8 100644
 --- a/backend/epson2_net.c
 +++ b/backend/epson2_net.c
@@ -32,11 +32,12 @@
 #include "sane/sanei_debug.h"
 -static int
 +static ssize_t
 sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
 		       SANE_Status *status)
 {
 -	int ready, read = -1;
 +	int ready;
 +	ssize_t read = -1;
 	fd_set readable;
 	struct timeval tv;
@@ -62,111 +63,136 @@ sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
 	return read;
 }
 -int
 -sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
 +static ssize_t
 +sanei_epson_net_read_buf(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
 		       SANE_Status * status)
 {
 -	ssize_t size;
 	ssize_t read = 0;
 -	unsigned char header[12];
 -	/* read from buffer, if available */
 -	if (s->netptr != s->netbuf) {
 -		DBG(23, "reading %lu from buffer at %p, %lu available\n",
 -			(u_long) wanted, s->netptr, (u_long) s->netlen);
 +	DBG(23, "%s: reading up to %lu from buffer at %p, %lu available\n",
 +		__func__, (u_long) wanted, s->netptr, (u_long) s->netlen);
 -		memcpy(buf, s->netptr, wanted);
 -		read = wanted;
 +	if ((size_t) wanted > s->netlen) {
 +		*status = SANE_STATUS_IO_ERROR;
 +		wanted = s->netlen;
 +	}
 -		s->netlen -= wanted;
 +	memcpy(buf, s->netptr, wanted);
 +	read = wanted;
 -		if (s->netlen == 0) {
 -			DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
 -			free(s->netbuf);
 -			s->netbuf = s->netptr = NULL;
 -			s->netlen = 0;
 -		}
 +	s->netptr += read;
 +	s->netlen -= read;
 +
 +	if (s->netlen == 0) {
 +		DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
 +		free(s->netbuf);
 +		s->netbuf = s->netptr = NULL;
 +		s->netlen = 0;
 +	}
 +
 +	return read;
 +}
 +
 +ssize_t
 +sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
 +		       SANE_Status * status)
 +{
 +	if (wanted < 0) {
 +		*status = SANE_STATUS_INVAL;
 +		return 0;
 +	}
 +
 +	size_t size;
 +	ssize_t read = 0;
 +	unsigned char header[12];
 -		return read;
 +	/* read from remainder of buffer */
 +	if (s->netptr) {
 +		return sanei_epson_net_read_buf(s, buf, wanted, status);
 	}
 	/* receive net header */
 -	size = sanei_epson_net_read_raw(s, header, 12, status);
 -	if (size != 12) {
 +	read = sanei_epson_net_read_raw(s, header, 12, status);
 +	if (read != 12) {
 		return 0;
 	}
 +	/* validate header */
 	if (header[0] != 'I' || header[1] != 'S') {
 		DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
 		*status = SANE_STATUS_IO_ERROR;
 		return 0;
 	}
 +	/* parse payload size */
 	size = be32atoh(&header[6]);
 -	DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
 -		(u_long) wanted, (u_long) size);
 -
 	*status = SANE_STATUS_GOOD;
 -	if (size == wanted) {
 -
 -		DBG(15, "%s: full read\n", __func__);
 -
 -		read = sanei_epson_net_read_raw(s, buf, size, status);
 +	if (!s->netbuf) {
 +		DBG(15, "%s: direct read\n", __func__);
 +		DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
 +			(u_long) wanted, (u_long) size);
 -		if (s->netbuf) {
 -			free(s->netbuf);
 -			s->netbuf = NULL;
 -			s->netlen = 0;
 +		if ((size_t) wanted > size) {
 +			wanted = size;
 		}
 -		if (read < 0) {
 -			return 0;
 -		}
 -
 -/*	} else if (wanted < size && s->netlen == size) { */
 +		read = sanei_epson_net_read_raw(s, buf, wanted, status);
 	} else {
 -		DBG(23, "%s: partial read\n", __func__);
 +		DBG(15, "%s: buffered read\n", __func__);
 +		DBG(23, "%s: bufferable = %lu, available = %lu\n", __func__,
 +			(u_long) s->netlen, (u_long) size);
 -		read = sanei_epson_net_read_raw(s, s->netbuf, size, status);
 -		if (read != size) {
 -			return 0;
 +		if (s->netlen > size) {
 +			s->netlen = size;
 		}
 -		s->netlen = size - wanted;
 -		s->netptr += wanted;
 -		read = wanted;
 -
 -		DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);
 -		DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
 -			(u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
 +		/* fill buffer */
 +		read = sanei_epson_net_read_raw(s, s->netbuf, s->netlen, status);
 +		s->netptr = s->netbuf;
 +		s->netlen = (read > 0 ? read : 0);
 -		memcpy(buf, s->netbuf, wanted);
 +		/* copy wanted part */
 +		read = sanei_epson_net_read_buf(s, buf, wanted, status);
 	}
 	return read;
 }
 -
 -int
 +size_t
 sanei_epson_net_write(Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
 			size_t buf_size, size_t reply_len, SANE_Status *status)
 {
 	unsigned char *h1, *h2, *payload;
 	unsigned char *packet = malloc(12 + 8 + buf_size);
 -	/* XXX check allocation failure */
 +	if (!packet) {
 +		*status = SANE_STATUS_NO_MEM;
 +		return 0;
 +	}
 	h1 = packet;
 	h2 = packet + 12;
 	payload = packet + 12 + 8;
 	if (reply_len) {
 -		s->netbuf = s->netptr = malloc(reply_len);
 +		if (s->netbuf) {
 +			DBG(23, "%s, freeing %p, %ld bytes unprocessed\n",
 +				__func__, s->netbuf, (u_long) s->netlen);
 +			free(s->netbuf);
 +			s->netbuf = s->netptr = NULL;
 +			s->netlen = 0;
 +		}
 +		s->netbuf = malloc(reply_len);
 +		if (!s->netbuf) {
 +			free(packet);
 +			*status = SANE_STATUS_NO_MEM;
 +			return 0;
 +		}
 		s->netlen = reply_len;
 -		DBG(24, "allocated %lu bytes at %p\n",
 -			(u_long) reply_len, s->netbuf);
 +		DBG(24, "%s: allocated %lu bytes at %p\n", __func__,
 +			(u_long) s->netlen, s->netbuf);
 	}
 	DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n",
 diff --git a/backend/epson2_net.h b/backend/epson2_net.h
 index 6aef2b725..7db671bf1 100644
 --- a/backend/epson2_net.h
 +++ b/backend/epson2_net.h
@@ -4,9 +4,9 @@
 #include <sys/types.h>
 #include "../include/sane/sane.h"
 -extern int sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
 +extern ssize_t sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
 				SANE_Status *status);
 -extern int sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
 +extern size_t sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
 				size_t buf_size, size_t reply_len,
 				SANE_Status *status);
 extern SANE_Status sanei_epson_net_lock(struct Epson_Scanner *s);
 -- 
 GitLab
--- a/sane-backends-1.0.28.tar.gz
+++ b/sane-backends-1.0.28.tar.gz
--- a/sane-backends-1.2.1.tar.gz
+++ b/sane-backends-1.2.1.tar.gz
--- a/sane-backends.spec
+++ b/sane-backends.spec
@ -2,8 +2,8 @@
 %global __requires_exclude ^libsane-.*\.so\.[0-9]*(\(\).*)?+$
 Name:              sane-backends
-Version:           1.0.28
+Version:           1.2.1
-Release:           11
+Release:           1
 Summary:           Scanner access software
 License:           GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT
 URL:               http://www.sane-project.org
@ -18,15 +18,8 @@ Requires:          libpng systemd >= 196 systemd-udev >= 196
 Requires:          sane-backends-libs = %{version}-%{release}
-Patch0000:         0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch
+Patch0000:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
-Patch0001:         sane-xerox-mfp-blacklist-C460-for-JPEG.patch
+Patch0001:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
 Patch0002:         sane-genesys-vector-glibcxxassert.patch
 Patch0003:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
 Patch0004:         CVE-2020-12867.patch
 Patch0005:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
 Patch0006:         CVE-2020-12862.patch
 Patch0007:         CVE-2020-12865.patch
 Patch0008:	   CVE-2020-12863.patch
 %description
 SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@ -209,6 +202,9 @@ exit 0
 %{_unitdir}/*
 %changelog
 * Sat Oct 07 2023 wulei <wu_lei@hoperun.com> - 1.2.1-1
 - Update to 1.2.1
 * Sat Oct 09 2021 houyingchao <houyingchao@huawei.com> - 1.0.28-11
 - Fix CVE-2020-12863
--- a/sane-genesys-vector-glibcxxassert.patch
+++ b/sane-genesys-vector-glibcxxassert.patch
@ -1,17 +0,0 @@
 diff --git a/backend/genesys.cc b/backend/genesys.cc
 index 0368e21..5ec37bc 100644
 --- a/backend/genesys.cc
 +++ b/backend/genesys.cc
@@ -778,6 +778,12 @@ void sanei_genesys_create_default_gamma_table(Genesys_Device* dev,
             size = 4096;
         }
         max = size - 1;
 +    } else if (dev->model->asic_type == GENESYS_GL846
 +               || dev->model->asic_type == GENESYS_GL847
 +               || dev->model->asic_type == GENESYS_GL848
 +               || dev->model->asic_type == GENESYS_GL124) {
 +        size = 257;
 +        max = 65535;
     } else {
         size = 256;
         max = 65535;
--- a/sane-xerox-mfp-blacklist-C460-for-JPEG.patch
+++ b/sane-xerox-mfp-blacklist-C460-for-JPEG.patch
@ -1,12 +0,0 @@
 diff --git a/backend/xerox_mfp.c b/backend/xerox_mfp.c
 index b7fcbee..2cb73ee 100644
 --- a/backend/xerox_mfp.c
 +++ b/backend/xerox_mfp.c
@@ -209,6 +209,7 @@ static int isSupportedDevice(struct device __sane_unused__ *dev)
     if (dev->compressionTypes & (1 << 6)) {
 	/* blacklist malfunctioning device(s) */
 	if (!strncmp(dev->sane.model, "SCX-4500W", 9) ||
 +            !strncmp(dev->sane.model, "C460", 4) ||
 	    !strncmp(dev->sane.model, "M288x", 5))
 	    return 0;
         return 1;