!37 [sync] PR-35: Fix CVE-2023-46047 and CVE-2023-46052

From: @openeuler-sync-bot 
Reviewed-by: @wu-leilei 
Signed-off-by: @wu-leilei

0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch

@@ -1,13 +0,0 @@
-diff -up sane-backends-1.0.28/backend/genesys_gl841.cc.genesys-regression sane-backends-1.0.28/backend/genesys_gl841.cc
---- sane-backends-1.0.28/backend/genesys_gl841.cc.genesys-regression	2019-10-14 13:11:10.772763713 +0200
-+++ sane-backends-1.0.28/backend/genesys_gl841.cc	2019-10-14 13:11:57.602389188 +0200
-@@ -5042,6 +5042,9 @@ gl841_init (Genesys_Device * dev)
-   /* Set analog frontend */
-   RIE (gl841_set_fe(dev, sensor, AFE_INIT));
- 
-+    // FIXME: slow_back_home modifies dev->calib_reg and requires it to be filled
-+    dev->calib_reg = dev->reg;
-+
-   /* Move home */
-   RIE (gl841_slow_back_home (dev, SANE_TRUE));
- 

Add-check-for-ports-to-avoid-Segmentation-fault.patch

@@ -0,0 +1,37 @@
+From d7bd15792ea3d2613aa5a0b09d948dc2ef77dfcf Mon Sep 17 00:00:00 2001
+From: lingsheng <lingsheng@huawei.com>
+Date: Wed, 27 Jan 2021 15:00:32 +0800
+Subject: [PATCH] Add check for ports to avoid Segmentation fault
+
+---
+ tools/umax_pp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/umax_pp.c b/tools/umax_pp.c
+index 7b127e3..00ffea9 100644
+--- a/tools/umax_pp.c
++++ b/tools/umax_pp.c
+@@ -355,12 +355,15 @@ main (int argc, char **argv)
+       if (rc != 1)
+ 	{
+ 	  ports = sanei_parport_find_port ();
+-	  i = 0;
+-	  rc = 0;
+-	  while ((ports[i] != NULL) && (rc != 1))
++	  if (ports != NULL)
+ 	    {
+-	      rc = sanei_umax_pp_initPort (strtol (ports[i], NULL, 16), NULL);
+-	      i++;
++	      i = 0;
++	      rc = 0;
++	      while ((ports[i] != NULL) && (rc != 1))
++	        {
++	          rc = sanei_umax_pp_initPort (strtol (ports[i], NULL, 16), NULL);
++	          i++;
++	        }
+ 	    }
+ 	}
+       if (rc != 1)
+-- 
+2.23.0
+

CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch

@@ -1,4 +1,4 @@
-From 30b1831a28f24ab2921b9f717c66d37f02bb81cc Mon Sep 17 00:00:00 2001
+From 4360b6f5910d57740eccbd1aa3bcd17eca7e438b Mon Sep 17 00:00:00 2001
 From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
 Date: Mon, 11 May 2020 21:07:12 +0900
 Subject: [PATCH] epsonds: Mitigate potential network related security issues. 
@@ -11,13 +11,13 @@ and GHSL-2020-081.
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/backend/epsonds.conf.in b/backend/epsonds.conf.in
-index b8b36237a..1967a00fd 100644
+index e2880fa..7462d1d 100644
 --- a/backend/epsonds.conf.in
 +++ b/backend/epsonds.conf.in
-@@ -10,7 +10,7 @@ usb
- # e.g.:
+@@ -11,7 +11,7 @@ usb
  # usb 0x4b8 0x14c
  
+ #
 -# Network
 +# Network (not yet supported!)
  #
@@ -25,5 +25,5 @@ index b8b36237a..1967a00fd 100644
 -net autodiscovery
 +#net autodiscovery
 -- 
-GitLab
+2.27.0
 

CVE-2020-12867.patch

@@ -1,249 +0,0 @@
-From fff83e7eacd0f27bb2d71c42488e0fd735c15ac3 Mon Sep 17 00:00:00 2001
-From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
-Date: Thu, 30 Apr 2020 18:24:51 +0900
-Subject: [PATCH] epson2: Rewrite network I/O
-
-This addresses GHSL-2020-075 as well as all other problematic code
-uncovered as a result of investigating that.  This includes:
-
-- buffer overflows due to use of unchecked lengths
-- integer overflows due to type conversions
-- potential memory leaks
-- checking for memory allocation failures
-
-Re #279.
----
- backend/epson2_net.c | 140 +++++++++++++++++++++++++------------------
- backend/epson2_net.h |   4 +-
- 2 files changed, 85 insertions(+), 59 deletions(-)
-
-diff --git a/backend/epson2_net.c b/backend/epson2_net.c
-index 8d0fe9ea7..7f804eea8 100644
---- a/backend/epson2_net.c
-+++ b/backend/epson2_net.c
-@@ -32,11 +32,12 @@
- 
- #include "sane/sanei_debug.h"
- 
--static int
-+static ssize_t
- sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
- 		       SANE_Status *status)
- {
--	int ready, read = -1;
-+	int ready;
-+	ssize_t read = -1;
- 	fd_set readable;
- 	struct timeval tv;
- 
-@@ -62,111 +63,136 @@ sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
- 	return read;
- }
- 
--int
--sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
-+static ssize_t
-+sanei_epson_net_read_buf(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
- 		       SANE_Status * status)
- {
--	ssize_t size;
- 	ssize_t read = 0;
--	unsigned char header[12];
- 
--	/* read from buffer, if available */
--	if (s->netptr != s->netbuf) {
--		DBG(23, "reading %lu from buffer at %p, %lu available\n",
--			(u_long) wanted, s->netptr, (u_long) s->netlen);
-+	DBG(23, "%s: reading up to %lu from buffer at %p, %lu available\n",
-+		__func__, (u_long) wanted, s->netptr, (u_long) s->netlen);
- 
--		memcpy(buf, s->netptr, wanted);
--		read = wanted;
-+	if ((size_t) wanted > s->netlen) {
-+		*status = SANE_STATUS_IO_ERROR;
-+		wanted = s->netlen;
-+	}
- 
--		s->netlen -= wanted;
-+	memcpy(buf, s->netptr, wanted);
-+	read = wanted;
- 
--		if (s->netlen == 0) {
--			DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
--			free(s->netbuf);
--			s->netbuf = s->netptr = NULL;
--			s->netlen = 0;
--		}
-+	s->netptr += read;
-+	s->netlen -= read;
-+
-+	if (s->netlen == 0) {
-+		DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
-+		free(s->netbuf);
-+		s->netbuf = s->netptr = NULL;
-+		s->netlen = 0;
-+	}
-+
-+	return read;
-+}
-+
-+ssize_t
-+sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
-+		       SANE_Status * status)
-+{
-+	if (wanted < 0) {
-+		*status = SANE_STATUS_INVAL;
-+		return 0;
-+	}
-+
-+	size_t size;
-+	ssize_t read = 0;
-+	unsigned char header[12];
- 
--		return read;
-+	/* read from remainder of buffer */
-+	if (s->netptr) {
-+		return sanei_epson_net_read_buf(s, buf, wanted, status);
- 	}
- 
- 	/* receive net header */
--	size = sanei_epson_net_read_raw(s, header, 12, status);
--	if (size != 12) {
-+	read = sanei_epson_net_read_raw(s, header, 12, status);
-+	if (read != 12) {
- 		return 0;
- 	}
- 
-+	/* validate header */
- 	if (header[0] != 'I' || header[1] != 'S') {
- 		DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
- 		*status = SANE_STATUS_IO_ERROR;
- 		return 0;
- 	}
- 
-+	/* parse payload size */
- 	size = be32atoh(&header[6]);
- 
--	DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
--		(u_long) wanted, (u_long) size);
--
- 	*status = SANE_STATUS_GOOD;
- 
--	if (size == wanted) {
--
--		DBG(15, "%s: full read\n", __func__);
--
--		read = sanei_epson_net_read_raw(s, buf, size, status);
-+	if (!s->netbuf) {
-+		DBG(15, "%s: direct read\n", __func__);
-+		DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
-+			(u_long) wanted, (u_long) size);
- 
--		if (s->netbuf) {
--			free(s->netbuf);
--			s->netbuf = NULL;
--			s->netlen = 0;
-+		if ((size_t) wanted > size) {
-+			wanted = size;
- 		}
- 
--		if (read < 0) {
--			return 0;
--		}
--
--/*	} else if (wanted < size && s->netlen == size) { */
-+		read = sanei_epson_net_read_raw(s, buf, wanted, status);
- 	} else {
--		DBG(23, "%s: partial read\n", __func__);
-+		DBG(15, "%s: buffered read\n", __func__);
-+		DBG(23, "%s: bufferable = %lu, available = %lu\n", __func__,
-+			(u_long) s->netlen, (u_long) size);
- 
--		read = sanei_epson_net_read_raw(s, s->netbuf, size, status);
--		if (read != size) {
--			return 0;
-+		if (s->netlen > size) {
-+			s->netlen = size;
- 		}
- 
--		s->netlen = size - wanted;
--		s->netptr += wanted;
--		read = wanted;
--
--		DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);
--		DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
--			(u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
-+		/* fill buffer */
-+		read = sanei_epson_net_read_raw(s, s->netbuf, s->netlen, status);
-+		s->netptr = s->netbuf;
-+		s->netlen = (read > 0 ? read : 0);
- 
--		memcpy(buf, s->netbuf, wanted);
-+		/* copy wanted part */
-+		read = sanei_epson_net_read_buf(s, buf, wanted, status);
- 	}
- 
- 	return read;
- }
- 
--
--int
-+size_t
- sanei_epson_net_write(Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
- 			size_t buf_size, size_t reply_len, SANE_Status *status)
- {
- 	unsigned char *h1, *h2, *payload;
- 	unsigned char *packet = malloc(12 + 8 + buf_size);
- 
--	/* XXX check allocation failure */
-+	if (!packet) {
-+		*status = SANE_STATUS_NO_MEM;
-+		return 0;
-+	}
- 
- 	h1 = packet;
- 	h2 = packet + 12;
- 	payload = packet + 12 + 8;
- 
- 	if (reply_len) {
--		s->netbuf = s->netptr = malloc(reply_len);
-+		if (s->netbuf) {
-+			DBG(23, "%s, freeing %p, %ld bytes unprocessed\n",
-+				__func__, s->netbuf, (u_long) s->netlen);
-+			free(s->netbuf);
-+			s->netbuf = s->netptr = NULL;
-+			s->netlen = 0;
-+		}
-+		s->netbuf = malloc(reply_len);
-+		if (!s->netbuf) {
-+			free(packet);
-+			*status = SANE_STATUS_NO_MEM;
-+			return 0;
-+		}
- 		s->netlen = reply_len;
--		DBG(24, "allocated %lu bytes at %p\n",
--			(u_long) reply_len, s->netbuf);
-+		DBG(24, "%s: allocated %lu bytes at %p\n", __func__,
-+			(u_long) s->netlen, s->netbuf);
- 	}
- 
- 	DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n",
-diff --git a/backend/epson2_net.h b/backend/epson2_net.h
-index 6aef2b725..7db671bf1 100644
---- a/backend/epson2_net.h
-+++ b/backend/epson2_net.h
-@@ -4,9 +4,9 @@
- #include <sys/types.h>
- #include "../include/sane/sane.h"
- 
--extern int sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
-+extern ssize_t sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
- 				SANE_Status *status);
--extern int sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
-+extern size_t sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
- 				size_t buf_size, size_t reply_len,
- 				SANE_Status *status);
- extern SANE_Status sanei_epson_net_lock(struct Epson_Scanner *s);
--- 
-GitLab
-

CVE-2023-46047.patch

@@ -0,0 +1,30 @@
+From a617461c630da22f4bcc22c687f5a299b5630e2d Mon Sep 17 00:00:00 2001
+From: Ralph Little <skelband@gmail.com>
+Date: Mon, 2 Oct 2023 16:40:27 -0700
+Subject: [PATCH] sanei_config: malformed line can return NULL for token. We
+ should check.
+
+---
+ sanei/sanei_config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sanei/sanei_config.c b/sanei/sanei_config.c
+index 07c85c964..45f380337 100644
+--- a/sanei/sanei_config.c
++++ b/sanei/sanei_config.c
+@@ -295,6 +295,12 @@ sanei_configure_attach (const char *config_file, SANEI_Config * config,
+        * So we parse the line 2 time to find an option */
+       /* check if it is an option */
+       lp = sanei_config_get_string (lp, &token);
++      if (NULL == token)
++        {
++          // Invalid format?
++          continue;
++        }
++
+       if (strncmp (token, "option", 6) == 0)
+ 	{
+ 	  /* skip the "option" token */
+-- 
+GitLab
+

CVE-2023-46052.patch

@@ -0,0 +1,126 @@
+From 6fc47c4c1472ea244561b18d5d6e3e8eefb1cde7 Mon Sep 17 00:00:00 2001
+From: Ralph Little <skelband@gmail.com>
+Date: Mon, 2 Oct 2023 16:23:07 -0700
+Subject: [PATCH] test: added validation checks for config string option
+ saelections.
+
+This will avoid a reported buffer overflow issue related to invalid (long) options being specified.
+---
+ backend/test.c | 63 ++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 51 insertions(+), 12 deletions(-)
+
+diff --git a/backend/test.c b/backend/test.c
+index ea7329073..4663a16e4 100644
+--- a/backend/test.c
++++ b/backend/test.c
+@@ -1432,6 +1432,43 @@ read_option (SANE_String line, SANE_String option_string,
+   return SANE_STATUS_GOOD;
+ }
+ 
++
++static SANE_Status
++read_option_str_list (SANE_String line, SANE_String option_string,
++                      parameter_type p_type, void *value,
++                      SANE_String_Const *string_list)
++{
++  SANE_String new_value = NULL;
++
++  SANE_Status ret = read_option (line, option_string, p_type, &new_value);
++  if (ret != SANE_STATUS_GOOD)
++    {
++      if (new_value)
++        {
++          free(new_value);
++        }
++      return ret;
++    }
++
++  for (SANE_String_Const *option = string_list; *option; option++)
++    {
++      if (strcmp (*option, new_value) == 0)
++        {
++
++          if (*(SANE_String*) value)
++            {
++              free (*(SANE_String*) value);
++            }
++          *(SANE_String*) value = new_value;
++
++          return SANE_STATUS_GOOD;
++        }
++    }
++
++  return SANE_STATUS_INVAL;
++}
++
++
+ static SANE_Status
+ reader_process (Test_Device * test_device, SANE_Int fd)
+ {
+@@ -1636,7 +1673,6 @@ print_options (Test_Device * test_device)
+ 
+ /***************************** SANE API ****************************/
+ 
+-
+ SANE_Status
+ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_unused__ authorize)
+ {
+@@ -1736,20 +1772,23 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 
+ 	  DBG (5, "sane_init: config file line %3d: `%s'\n",
+ 	       linenumber, line);
++
+ 	  if (read_option (line, "number_of_devices", param_int,
+ 			   &init_number_of_devices) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "mode", param_string,
+-			   &init_mode) == SANE_STATUS_GOOD)
+-	    continue;
++
++          if (read_option_str_list (line, "mode", param_string,
++                                    &init_mode, mode_list) == SANE_STATUS_GOOD)
++              continue;
++
+ 	  if (read_option (line, "hand-scanner", param_bool,
+ 			   &init_hand_scanner) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "three-pass", param_bool,
+ 			   &init_three_pass) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "three-pass-order", param_string,
+-			   &init_three_pass_order) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "three-pass-order", param_string,
++	                            &init_three_pass_order, order_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "resolution_min", param_fixed,
+ 			   &resolution_range.min) == SANE_STATUS_GOOD)
+@@ -1766,11 +1805,11 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 	  if (read_option (line, "depth", param_int,
+ 			   &init_depth) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "scan-source", param_string,
+-			   &init_scan_source) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "scan-source", param_string,
++	                            &init_scan_source, source_list) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "test-picture", param_string,
+-			   &init_test_picture) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "test-picture", param_string,
++	                               &init_test_picture, test_picture_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "invert-endianess", param_bool,
+ 			   &init_invert_endianess) == SANE_STATUS_GOOD)
+@@ -1787,8 +1826,8 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 	  if (read_option (line, "read-delay-duration", param_int,
+ 			   &init_read_delay_duration) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "read-status-code", param_string,
+-			   &init_read_status_code) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "read-status-code", param_string,
++	                            &init_read_status_code, read_status_code_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "ppl-loss", param_int,
+ 			   &init_ppl_loss) == SANE_STATUS_GOOD)
+-- 
+GitLab
+

sane-backends.spec

@@ -2,10 +2,10 @@
 %global __requires_exclude ^libsane-.*\.so\.[0-9]*(\(\).*)?+$
 
 Name:              sane-backends
-Version:           1.0.28
-Release:           8
+Version:           1.2.1
+Release:           2
 Summary:           Scanner access software
-License:           GPLv2+ and GPLv2+ with exceptions and Public Domain and IJG and LGPLv2+ and MIT
+License:           GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT
 URL:               http://www.sane-project.org
 Source0:           https://gitlab.com/sane-project/backends/uploads/9e718daff347826f4cfe21126c8d5091/%{name}-%{version}.tar.gz
 Source1:           saned.socket
@@ -18,11 +18,12 @@ Requires:          libpng systemd >= 196 systemd-udev >= 196
 Requires:          sane-backends-libs = %{version}-%{release}
 
 
-Patch0000:         0001-genesys-Make-sure-calib_reg-are-available-before-wri.patch
-Patch0001:         sane-xerox-mfp-blacklist-C460-for-JPEG.patch
-Patch0002:         sane-genesys-vector-glibcxxassert.patch
-Patch0003:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
-Patch0004:         CVE-2020-12867.patch
+Patch0000:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
+Patch0001:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
+# https://gitlab.com/sane-project/backends/-/commit/fd7b83c8f7b4da4a9e1fb715d070aa2fd96832ff
+Patch0002:         CVE-2023-46047.patch
+# https://gitlab.com/sane-project/backends/-/commit/a92ffb3d978329c29513b0acb98ae7987ec1bed7
+Patch0003:         CVE-2023-46052.patch
 
 %description
 SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@@ -205,6 +206,21 @@ exit 0
 %{_unitdir}/*
 
 %changelog
+* Fri May 10 2024 yaoxin <yao_xin001@hoperun.com> - 1.2.1-2
+- Fix CVE-2023-46047 and CVE-2023-46052
+
+* Sat Oct 07 2023 wulei <wu_lei@hoperun.com> - 1.2.1-1
+- Update to 1.2.1
+
+* Sat Oct 09 2021 houyingchao <houyingchao@huawei.com> - 1.0.28-11
+- Fix CVE-2020-12863
+
+* Fri Feb 05 2021 wangyue <wangyue92@huawei.com> - 1.0.28-10
+- Fix CVE-2020-12862 CVE-2020-12865
+
+* Wed Jan 27 2021 lingsheng <lingsheng@huawei.com> - 1.0.28-9
+- Add check for ports to avoid Segmentation fault
+
 * Mon Jan 18 2021 zhanghua <zhanghua40@huawei.com> - 1.0.28-8
 - fix CVE-2020-12867
 

sane-genesys-vector-glibcxxassert.patch

@@ -1,17 +0,0 @@
-diff --git a/backend/genesys.cc b/backend/genesys.cc
-index 0368e21..5ec37bc 100644
---- a/backend/genesys.cc
-+++ b/backend/genesys.cc
-@@ -778,6 +778,12 @@ void sanei_genesys_create_default_gamma_table(Genesys_Device* dev,
-             size = 4096;
-         }
-         max = size - 1;
-+    } else if (dev->model->asic_type == GENESYS_GL846
-+               || dev->model->asic_type == GENESYS_GL847
-+               || dev->model->asic_type == GENESYS_GL848
-+               || dev->model->asic_type == GENESYS_GL124) {
-+        size = 257;
-+        max = 65535;
-     } else {
-         size = 256;
-         max = 65535;

sane-xerox-mfp-blacklist-C460-for-JPEG.patch

@@ -1,12 +0,0 @@
-diff --git a/backend/xerox_mfp.c b/backend/xerox_mfp.c
-index b7fcbee..2cb73ee 100644
---- a/backend/xerox_mfp.c
-+++ b/backend/xerox_mfp.c
-@@ -209,6 +209,7 @@ static int isSupportedDevice(struct device __sane_unused__ *dev)
-     if (dev->compressionTypes & (1 << 6)) {
- 	/* blacklist malfunctioning device(s) */
- 	if (!strncmp(dev->sane.model, "SCX-4500W", 9) ||
-+            !strncmp(dev->sane.model, "C460", 4) ||
- 	    !strncmp(dev->sane.model, "M288x", 5))
- 	    return 0;
-         return 1;