packages/sane-backends
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-12862 CVE-2020-12865

Browse Source
This commit is contained in:
wang_yue111 2021-02-05 16:37:37 +08:00
parent 1843afbf1b
commit f30eb1c9dc
3 changed files with 153 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
CVE-2020-12862.patch Normal file
View File

@ -0,0 +1,75 @@
From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001
From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
Date: Thu, 30 Apr 2020 21:15:45 +0900
Subject: [PATCH] epsonds: Do not read beyond the end of the token
Addresses GHSL-2020-082, re #279.
---
backend/epsonds-cmd.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
index 9a4db3080..7ca660f1f 100644
--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
}
/* h000 */
-static char *decode_binary(char *buf)
+static char *decode_binary(char *buf, int len)
{
char tmp[6];
int hl;
memcpy(tmp, buf, 4);
tmp[4] = '\0';
+ len -= 4;
if (buf[0] != 'h')
return NULL;
hl = strtol(tmp + 1, NULL, 16);
+ if (hl > len) hl = len;
if (hl) {
char *v = malloc(hl + 1);
@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
return NULL;
}
-static char *decode_string(char *buf)
+static char *decode_string(char *buf, int len)
{
- char *p, *s = decode_binary(buf);
+ char *p, *s = decode_binary(buf, len);
if (s == NULL)
return NULL;
@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
if (strncmp("PRD", token, 3) == 0) {
free(s->hw->model);
- s->hw->model = decode_string(value);
+ s->hw->model = decode_string(value, len);
s->hw->sane.model = s->hw->model;
DBG(1, " product: %s\n", s->hw->model);
/* we will free the string later */
}
if (strncmp("VER", token, 3) == 0) {
- char *v = decode_string(value);
+ char *v = decode_string(value, len);
DBG(1, " version: %s\n", v);
free(v);
}
if (strncmp("S/N", token, 3) == 0) {
- char *v = decode_string(value);
+ char *v = decode_string(value, len);
DBG(1, " serial: %s\n", v);
free(v);
}
--
GitLab

72
CVE-2020-12865.patch Normal file
View File

@ -0,0 +1,72 @@
From b9b0173409df73e235da2aa0dae5edd21fb55967 Mon Sep 17 00:00:00 2001
From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
Date: Mon, 27 Apr 2020 18:48:29 +0900
Subject: [PATCH] epsonds: Prevent possible buffer overflow when reading image
data
Addresses GHSL-2020-084, re #279.
---
backend/epsonds-cmd.c | 5 +++++
backend/epsonds.c | 12 +++++++-----
backend/epsonds.h | 1 +
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
index 9a4db3080..c182aa51a 100644
--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length)
return parse_status;
}
+ /* more data than was accounted for in s->buf */
+ if (more > s->bsz) {
+ return SANE_STATUS_IO_ERROR;
+ }
+
/* ALWAYS read image data */
if (s->hw->connection == SANE_EPSONDS_NET) {
epsonds_net_request_read(s, more);
diff --git a/backend/epsonds.c b/backend/epsonds.c
index ff5d68106..fb9694a88 100644
--- a/backend/epsonds.c
+++ b/backend/epsonds.c
@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle)
if (s->line_buffer == NULL)
return SANE_STATUS_NO_MEM;
- /* ring buffer for front page, twice bsz */
+ /* transfer buffer size, bsz */
/* XXX read value from scanner */
- status = eds_ring_init(&s->front, (65536 * 4) * 2);
+ s->bsz = (65536 * 4);
+
+ /* ring buffer for front page */
+ status = eds_ring_init(&s->front, s->bsz * 2);
if (status != SANE_STATUS_GOOD) {
return status;
}
- /* transfer buffer, bsz */
- /* XXX read value from scanner */
- s->buf = realloc(s->buf, 65536 * 4);
+ /* transfer buffer */
+ s->buf = realloc(s->buf, s->bsz);
if (s->buf == NULL)
return SANE_STATUS_NO_MEM;
diff --git a/backend/epsonds.h b/backend/epsonds.h
index 0427ef3b4..401b0f32c 100644
--- a/backend/epsonds.h
+++ b/backend/epsonds.h
@@ -160,6 +160,7 @@ struct epsonds_scanner
Option_Value val[NUM_OPTIONS];
SANE_Parameters params;
+ size_t bsz; /* transfer buffer size */
SANE_Byte *buf, *line_buffer;
ring_buffer *current, front, back;
--
GitLab

7
sane-backends.spec
View File

@ -3,7 +3,7 @@
Name: sane-backends Name: sane-backends
Version: 1.0.28 Version: 1.0.28
Release: 9 Release: 10
Summary: Scanner access software Summary: Scanner access software
License: GPLv2+ and GPLv2+ with exceptions and Public Domain and IJG and LGPLv2+ and MIT License: GPLv2+ and GPLv2+ with exceptions and Public Domain and IJG and LGPLv2+ and MIT
URL: http://www.sane-project.org URL: http://www.sane-project.org
@ -24,6 +24,8 @@ Patch0002: sane-genesys-vector-glibcxxassert.patch
Patch0003: CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch Patch0003: CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
Patch0004: CVE-2020-12867.patch Patch0004: CVE-2020-12867.patch
Patch0005: Add-check-for-ports-to-avoid-Segmentation-fault.patch Patch0005: Add-check-for-ports-to-avoid-Segmentation-fault.patch
Patch0006: CVE-2020-12862.patch
Patch0007: CVE-2020-12865.patch
%description %description
SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@ -206,6 +208,9 @@ exit 0
%{_unitdir}/* %{_unitdir}/*
%changelog %changelog
* Fri Feb 05 2021 wangyue <wangyue92@huawei.com> - 1.0.28-10
- Fix CVE-2020-12862 CVE-2020-12865
* Wed Jan 27 2021 lingsheng <lingsheng@huawei.com> - 1.0.28-9 * Wed Jan 27 2021 lingsheng <lingsheng@huawei.com> - 1.0.28-9
- Add check for ports to avoid Segmentation fault - Add check for ports to avoid Segmentation fault