tags 854804 - moreinfo
thanks
On Sat, Feb 11, 2017 at 11:54 AM, Jörg Frings-Fürst
<deb...@jff-webhosting.net> wrote:
tags 854804 + moreinfo
thanks
Hello Kritphong,
thank you for spending your time helping to make Debian better with
this bug report.
I have added the sane-devel ML as cc.
On Friday, 10.02.2017, 10:33 -0500, Kritphong Mongkhonvanit wrote:
Package: sane-utils
Version: 1.0.25-3
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
When saned receives a SANE_NET_CONTROL_OPTION packet with value_type ==
SANE_TYPE_STRING and value_size larger than the actual length of the
requested string, the response packet from the server contains a string
object as long as value_size in the request. The bytes following the
actual string appear to contain memory contents from the server.
Please let me explain:
You have found one or more parts in the code where a string with an
incorrect value_size is transferred? Then please tell us where.
I found that the transferred string in the value field of
SANE_NET_CONTROL_OPTION response packet is always the same size as the
one requested, even if the actual string is shorter. I assume that this
is intentional since the string is NULL-terminated. However, the part
beyond the NULL-terminator appears to be uninitialized memory from the
server, which can potentially contain sensitive information. I have yet
to locate where in SANE's source code this is happening, but I am able
to see the uninitialized memory in Wireshark, which suggests that it
actually comes from the server rather than from my machine.
I also have a proof-of-concept that demonstrates this if you'd like to
take a look at it.
Or is there another problem?
Please give us more information and remove the tag moreinfo with your
answer.
It may be possible to trigger this bug with other packet types, but I
have not verified this.
I have previously filed a bug in the SANE bug tracker on Alioth
(#315576), but I received no response.
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sane-utils depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.60
ii init-system-helpers 1.47
ii libavahi-client3 0.6.32-2
ii libavahi-common3 0.6.32-2
ii libc6 2.24-9
ii libieee1284-3 0.2.11-13
ii libjpeg62-turbo 1:1.5.1-2
ii libpng16-16 1.6.28-1
ii libsane 1.0.25-3
ii libsystemd0 232-6
ii libusb-1.0-0 2:1.0.21-1
ii lsb-base 9.20161125
ii update-inetd 4.44
sane-utils recommends no packages.
Versions of packages sane-utils suggests:
ii avahi-daemon 0.6.32-2
pn unpaper <none>
-- debconf information excluded
CU
Jörg
--
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key : 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54470 Lieser
Threema: SYR8SJXB
IRC: j_...@freenode.net
j_...@oftc.net
My wish list:
- Please send me a picture from the nature at your home.
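Added example (not code from the bug report, from saned, or from SANE upstream): a C model of the string-value handling the report describes. A server that answers a SANE_NET_CONTROL_OPTION request for a SANE_TYPE_STRING option by sending back exactly the client's value_size bytes exposes whatever followed the string's NUL terminator in its own buffer; the bounded encoder beside it copies only the string and zero-fills the remainder. The function names, the 256-byte cap, the 0xAA stale-byte marker standing in for leftover server memory, and the option value "Color" are all assumptions of this model, and the RPC wire framing is deliberately not modeled. The last function is the check a client, or a reader of a Wireshark capture, can apply to a response value field: count the non-zero bytes after the first NUL.

```c
/* Constructed model of the leak described in Debian bug #854804.
 * NOT saned's source. It mimics a server answering a
 * SANE_NET_CONTROL_OPTION request for a SANE_TYPE_STRING option.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VALUE_SIZE 256u   /* assumed server-side cap on value_size */

/* Marker standing in for stale server memory. In a real process this
 * region would hold uninitialized or previously used data; a fixed
 * pattern makes the leak observable and testable here. */
#define STALE_BYTE 0xAA

/* Vulnerable pattern: reserve value_size bytes, write the option's
 * current string into the front, then send the whole buffer. Every
 * byte after the NUL is whatever the buffer held before. */
size_t encode_string_value_leaky(const char *current, uint32_t value_size,
                                 uint8_t *out, size_t out_cap)
{
    uint8_t buf[MAX_VALUE_SIZE];
    if (value_size > MAX_VALUE_SIZE || value_size > out_cap)
        return 0;
    memset(buf, STALE_BYTE, sizeof buf);   /* simulated stale contents */
    size_t len = strlen(current);
    if (len + 1 > value_size)
        return 0;                          /* string does not fit */
    memcpy(buf, current, len + 1);         /* string plus NUL */
    memcpy(out, buf, value_size);          /* BUG: ships value_size bytes */
    return value_size;
}

/* Hardened pattern: the client's value_size still bounds the reply,
 * but only the string and its terminator are copied and the rest of
 * the field is zeroed, so nothing beyond the string can escape. */
size_t encode_string_value_fixed(const char *current, uint32_t value_size,
                                 uint8_t *out, size_t out_cap)
{
    if (value_size > MAX_VALUE_SIZE || value_size > out_cap)
        return 0;
    size_t len = strlen(current);
    if (len + 1 > value_size)
        return 0;
    memset(out, 0, value_size);
    memcpy(out, current, len + 1);
    return value_size;
}

/* Client-side check: any non-zero byte after the first NUL in the
 * value field is data the server should not have sent. Returns the
 * number of such bytes (0 if no terminator is present at all, which
 * is a separate malformed-response condition). */
size_t bytes_leaked_after_nul(const uint8_t *value, size_t value_size)
{
    size_t i = 0;
    while (i < value_size && value[i] != '\0')
        i++;
    if (i == value_size)
        return 0;
    size_t leaked = 0;
    for (i++; i < value_size; i++)
        if (value[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    const char *mode = "Color";   /* constructed current option value */
    uint32_t requested = 64;      /* client-supplied value_size */
    uint8_t resp[MAX_VALUE_SIZE];

    size_t n = encode_string_value_leaky(mode, requested, resp, sizeof resp);
    printf("leaky: %zu bytes sent, %zu non-zero after NUL\n",
           n, bytes_leaked_after_nul(resp, n));

    n = encode_string_value_fixed(mode, requested, resp, sizeof resp);
    printf("fixed: %zu bytes sent, %zu non-zero after NUL\n",
           n, bytes_leaked_after_nul(resp, n));
    return 0;
}
```

Run stand-alone, the leaky encoder reports 58 non-zero bytes after the terminator for a 5-character string in a 64-byte field, the fixed encoder reports none; both still refuse a value_size smaller than the string and its terminator.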