Fix CVE-2023-46047 and CVE-2023-46052

(cherry picked from commit 7da9e72522627d0fafbbfe0d0c7897bccdc2793a)
2024-05-10 14:44:57 +08:00 · 2024-05-10 14:44:57 +08:00 · f00fd66a7b
commit f00fd66a7b
parent d010f8274b
3 changed files with 164 additions and 1 deletions
--- a/CVE-2023-46047.patch
+++ b/CVE-2023-46047.patch
@ -0,0 +1,30 @@
+From a617461c630da22f4bcc22c687f5a299b5630e2d Mon Sep 17 00:00:00 2001
+From: Ralph Little <skelband@gmail.com>
+Date: Mon, 2 Oct 2023 16:40:27 -0700
+Subject: [PATCH] sanei_config: malformed line can return NULL for token. We
+ should check.
+
+---
+ sanei/sanei_config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sanei/sanei_config.c b/sanei/sanei_config.c
+index 07c85c964..45f380337 100644
+--- a/sanei/sanei_config.c
+++ b/sanei/sanei_config.c
+@@ -295,6 +295,12 @@ sanei_configure_attach (const char *config_file, SANEI_Config * config,
+        * So we parse the line 2 time to find an option */
+       /* check if it is an option */
+       lp = sanei_config_get_string (lp, &token);
+      if (NULL == token)
+        {
+          // Invalid format?
+          continue;
+        }
+
+       if (strncmp (token, "option", 6) == 0)
+ 	{
+ 	  /* skip the "option" token */
+-- 
+GitLab
+
--- a/CVE-2023-46052.patch
+++ b/CVE-2023-46052.patch
@ -0,0 +1,126 @@
+From 6fc47c4c1472ea244561b18d5d6e3e8eefb1cde7 Mon Sep 17 00:00:00 2001
+From: Ralph Little <skelband@gmail.com>
+Date: Mon, 2 Oct 2023 16:23:07 -0700
+Subject: [PATCH] test: added validation checks for config string option
+ saelections.
+
+This will avoid a reported buffer overflow issue related to invalid (long) options being specified.
+---
+ backend/test.c | 63 ++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 51 insertions(+), 12 deletions(-)
+
+diff --git a/backend/test.c b/backend/test.c
+index ea7329073..4663a16e4 100644
+--- a/backend/test.c
+++ b/backend/test.c
+@@ -1432,6 +1432,43 @@ read_option (SANE_String line, SANE_String option_string,
+   return SANE_STATUS_GOOD;
+ }
+ 
+
+static SANE_Status
+read_option_str_list (SANE_String line, SANE_String option_string,
+                      parameter_type p_type, void *value,
+                      SANE_String_Const *string_list)
+{
+  SANE_String new_value = NULL;
+
+  SANE_Status ret = read_option (line, option_string, p_type, &new_value);
+  if (ret != SANE_STATUS_GOOD)
+    {
+      if (new_value)
+        {
+          free(new_value);
+        }
+      return ret;
+    }
+
+  for (SANE_String_Const *option = string_list; *option; option++)
+    {
+      if (strcmp (*option, new_value) == 0)
+        {
+
+          if (*(SANE_String*) value)
+            {
+              free (*(SANE_String*) value);
+            }
+          *(SANE_String*) value = new_value;
+
+          return SANE_STATUS_GOOD;
+        }
+    }
+
+  return SANE_STATUS_INVAL;
+}
+
+
+ static SANE_Status
+ reader_process (Test_Device * test_device, SANE_Int fd)
+ {
+@@ -1636,7 +1673,6 @@ print_options (Test_Device * test_device)
+ 
+ /***************************** SANE API ****************************/
+ 
+-
+ SANE_Status
+ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_unused__ authorize)
+ {
+@@ -1736,20 +1772,23 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 
+ 	  DBG (5, "sane_init: config file line %3d: `%s'\n",
+ 	       linenumber, line);
+
+ 	  if (read_option (line, "number_of_devices", param_int,
+ 			   &init_number_of_devices) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "mode", param_string,
+-			   &init_mode) == SANE_STATUS_GOOD)
+-	    continue;
+
+          if (read_option_str_list (line, "mode", param_string,
+                                    &init_mode, mode_list) == SANE_STATUS_GOOD)
+              continue;
+
+ 	  if (read_option (line, "hand-scanner", param_bool,
+ 			   &init_hand_scanner) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "three-pass", param_bool,
+ 			   &init_three_pass) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "three-pass-order", param_string,
+-			   &init_three_pass_order) == SANE_STATUS_GOOD)
+	  if (read_option_str_list (line, "three-pass-order", param_string,
+	                            &init_three_pass_order, order_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "resolution_min", param_fixed,
+ 			   &resolution_range.min) == SANE_STATUS_GOOD)
+@@ -1766,11 +1805,11 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 	  if (read_option (line, "depth", param_int,
+ 			   &init_depth) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "scan-source", param_string,
+-			   &init_scan_source) == SANE_STATUS_GOOD)
+	  if (read_option_str_list (line, "scan-source", param_string,
+	                            &init_scan_source, source_list) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "test-picture", param_string,
+-			   &init_test_picture) == SANE_STATUS_GOOD)
+	  if (read_option_str_list (line, "test-picture", param_string,
+	                               &init_test_picture, test_picture_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "invert-endianess", param_bool,
+ 			   &init_invert_endianess) == SANE_STATUS_GOOD)
+@@ -1787,8 +1826,8 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 	  if (read_option (line, "read-delay-duration", param_int,
+ 			   &init_read_delay_duration) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "read-status-code", param_string,
+-			   &init_read_status_code) == SANE_STATUS_GOOD)
+	  if (read_option_str_list (line, "read-status-code", param_string,
+	                            &init_read_status_code, read_status_code_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "ppl-loss", param_int,
+ 			   &init_ppl_loss) == SANE_STATUS_GOOD)
+-- 
+GitLab
+
--- a/sane-backends.spec
+++ b/sane-backends.spec
@ -3,7 +3,7 @@

 Name:              sane-backends
 Version:           1.2.1
-Release:           1
+Release:           2
 Summary:           Scanner access software
 License:           GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT
 URL:               http://www.sane-project.org
@ -20,6 +20,10 @@ Requires:          sane-backends-libs = %{version}-%{release}

 Patch0000:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
 Patch0001:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
+# https://gitlab.com/sane-project/backends/-/commit/fd7b83c8f7b4da4a9e1fb715d070aa2fd96832ff
+Patch0002:         CVE-2023-46047.patch
+# https://gitlab.com/sane-project/backends/-/commit/a92ffb3d978329c29513b0acb98ae7987ec1bed7
+Patch0003:         CVE-2023-46052.patch

 %description
 SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@ -202,6 +206,9 @@ exit 0
 %{_unitdir}/*

 %changelog
+* Fri May 10 2024 yaoxin <yao_xin001@hoperun.com> - 1.2.1-2
+- Fix CVE-2023-46047 and CVE-2023-46052
+
 * Sat Oct 07 2023 wulei <wu_lei@hoperun.com> - 1.2.1-1
 - Update to 1.2.1