Fix CVE-2023-46047 and CVE-2023-46052

(cherry picked from commit 7da9e72522627d0fafbbfe0d0c7897bccdc2793a)
2024-05-10 14:44:57 +08:00 · 2024-05-10 14:44:57 +08:00 · f00fd66a7b
commit f00fd66a7b
parent d010f8274b
3 changed files with 164 additions and 1 deletions
--- a/CVE-2023-46047.patch
+++ b/CVE-2023-46047.patch
@ -0,0 +1,30 @@
 From a617461c630da22f4bcc22c687f5a299b5630e2d Mon Sep 17 00:00:00 2001
 From: Ralph Little <skelband@gmail.com>
 Date: Mon, 2 Oct 2023 16:40:27 -0700
 Subject: [PATCH] sanei_config: malformed line can return NULL for token. We
 should check.
 ---
 sanei/sanei_config.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/sanei/sanei_config.c b/sanei/sanei_config.c
 index 07c85c964..45f380337 100644
 --- a/sanei/sanei_config.c
 +++ b/sanei/sanei_config.c
@@ -295,6 +295,12 @@ sanei_configure_attach (const char *config_file, SANEI_Config * config,
        * So we parse the line 2 time to find an option */
       /* check if it is an option */
       lp = sanei_config_get_string (lp, &token);
 +      if (NULL == token)
 +        {
 +          // Invalid format?
 +          continue;
 +        }
 +
       if (strncmp (token, "option", 6) == 0)
 	{
 	  /* skip the "option" token */
 -- 
 GitLab
--- a/CVE-2023-46052.patch
+++ b/CVE-2023-46052.patch
@ -0,0 +1,126 @@
 From 6fc47c4c1472ea244561b18d5d6e3e8eefb1cde7 Mon Sep 17 00:00:00 2001
 From: Ralph Little <skelband@gmail.com>
 Date: Mon, 2 Oct 2023 16:23:07 -0700
 Subject: [PATCH] test: added validation checks for config string option
 saelections.
 This will avoid a reported buffer overflow issue related to invalid (long) options being specified.
 ---
 backend/test.c | 63 ++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 12 deletions(-)
 diff --git a/backend/test.c b/backend/test.c
 index ea7329073..4663a16e4 100644
 --- a/backend/test.c
 +++ b/backend/test.c
@@ -1432,6 +1432,43 @@ read_option (SANE_String line, SANE_String option_string,
   return SANE_STATUS_GOOD;
 }
 +
 +static SANE_Status
 +read_option_str_list (SANE_String line, SANE_String option_string,
 +                      parameter_type p_type, void *value,
 +                      SANE_String_Const *string_list)
 +{
 +  SANE_String new_value = NULL;
 +
 +  SANE_Status ret = read_option (line, option_string, p_type, &new_value);
 +  if (ret != SANE_STATUS_GOOD)
 +    {
 +      if (new_value)
 +        {
 +          free(new_value);
 +        }
 +      return ret;
 +    }
 +
 +  for (SANE_String_Const *option = string_list; *option; option++)
 +    {
 +      if (strcmp (*option, new_value) == 0)
 +        {
 +
 +          if (*(SANE_String*) value)
 +            {
 +              free (*(SANE_String*) value);
 +            }
 +          *(SANE_String*) value = new_value;
 +
 +          return SANE_STATUS_GOOD;
 +        }
 +    }
 +
 +  return SANE_STATUS_INVAL;
 +}
 +
 +
 static SANE_Status
 reader_process (Test_Device * test_device, SANE_Int fd)
 {
@@ -1636,7 +1673,6 @@ print_options (Test_Device * test_device)
 /***************************** SANE API ****************************/
 -
 SANE_Status
 sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_unused__ authorize)
 {
@@ -1736,20 +1772,23 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
 	  DBG (5, "sane_init: config file line %3d: `%s'\n",
 	       linenumber, line);
 +
 	  if (read_option (line, "number_of_devices", param_int,
 			   &init_number_of_devices) == SANE_STATUS_GOOD)
 	    continue;
 -	  if (read_option (line, "mode", param_string,
 -			   &init_mode) == SANE_STATUS_GOOD)
 -	    continue;
 +
 +          if (read_option_str_list (line, "mode", param_string,
 +                                    &init_mode, mode_list) == SANE_STATUS_GOOD)
 +              continue;
 +
 	  if (read_option (line, "hand-scanner", param_bool,
 			   &init_hand_scanner) == SANE_STATUS_GOOD)
 	    continue;
 	  if (read_option (line, "three-pass", param_bool,
 			   &init_three_pass) == SANE_STATUS_GOOD)
 	    continue;
 -	  if (read_option (line, "three-pass-order", param_string,
 -			   &init_three_pass_order) == SANE_STATUS_GOOD)
 +	  if (read_option_str_list (line, "three-pass-order", param_string,
 +	                            &init_three_pass_order, order_list) == SANE_STATUS_GOOD)
 	    continue;
 	  if (read_option (line, "resolution_min", param_fixed,
 			   &resolution_range.min) == SANE_STATUS_GOOD)
@@ -1766,11 +1805,11 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
 	  if (read_option (line, "depth", param_int,
 			   &init_depth) == SANE_STATUS_GOOD)
 	    continue;
 -	  if (read_option (line, "scan-source", param_string,
 -			   &init_scan_source) == SANE_STATUS_GOOD)
 +	  if (read_option_str_list (line, "scan-source", param_string,
 +	                            &init_scan_source, source_list) == SANE_STATUS_GOOD)
 	    continue;
 -	  if (read_option (line, "test-picture", param_string,
 -			   &init_test_picture) == SANE_STATUS_GOOD)
 +	  if (read_option_str_list (line, "test-picture", param_string,
 +	                               &init_test_picture, test_picture_list) == SANE_STATUS_GOOD)
 	    continue;
 	  if (read_option (line, "invert-endianess", param_bool,
 			   &init_invert_endianess) == SANE_STATUS_GOOD)
@@ -1787,8 +1826,8 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
 	  if (read_option (line, "read-delay-duration", param_int,
 			   &init_read_delay_duration) == SANE_STATUS_GOOD)
 	    continue;
 -	  if (read_option (line, "read-status-code", param_string,
 -			   &init_read_status_code) == SANE_STATUS_GOOD)
 +	  if (read_option_str_list (line, "read-status-code", param_string,
 +	                            &init_read_status_code, read_status_code_list) == SANE_STATUS_GOOD)
 	    continue;
 	  if (read_option (line, "ppl-loss", param_int,
 			   &init_ppl_loss) == SANE_STATUS_GOOD)
 -- 
 GitLab
--- a/sane-backends.spec
+++ b/sane-backends.spec
@ -3,7 +3,7 @@
 Name:              sane-backends
 Version:           1.2.1
-Release:           1
+Release:           2
 Summary:           Scanner access software
 License:           GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT
 URL:               http://www.sane-project.org
@ -20,6 +20,10 @@ Requires:          sane-backends-libs = %{version}-%{release}
 Patch0000:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
 Patch0001:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
 # https://gitlab.com/sane-project/backends/-/commit/fd7b83c8f7b4da4a9e1fb715d070aa2fd96832ff
 Patch0002:         CVE-2023-46047.patch
 # https://gitlab.com/sane-project/backends/-/commit/a92ffb3d978329c29513b0acb98ae7987ec1bed7
 Patch0003:         CVE-2023-46052.patch
 %description
 SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@ -202,6 +206,9 @@ exit 0
 %{_unitdir}/*
 %changelog
 * Fri May 10 2024 yaoxin <yao_xin001@hoperun.com> - 1.2.1-2
 - Fix CVE-2023-46047 and CVE-2023-46052
 * Sat Oct 07 2023 wulei <wu_lei@hoperun.com> - 1.2.1-1
 - Update to 1.2.1