tags 854804 - moreinfo<div>thanks<br><br>On Sat, Feb 11, 2017 at 11:54 AM, Jörg Frings-Fürst <debian@jff-webhosting.net> wrote:<br>
<blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;">tags 854804 + moreinfo
thanks
Hello Kritphong,
thank you for spending your time helping to make Debian better with
this bug report.
I have added the sane-devel ML as cc.
On Friday, 10.02.2017, at 10:33 -0500, Kritphong
Mongkhonvanit wrote:
<blockquote> Package: sane-utils
Version: 1.0.25-3
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
When saned receives a SANE_NET_CONTROL_OPTION packet with value_type ==
SANE_TYPE_STRING and value_size larger than the actual length of the
requested string, the response packet from the server contains a string
object as long as value_size in the request. The bytes following the
actual string appear to contain memory contents from the server.
</blockquote>
Please let me explain:
You have found one or more parts in the code where a string with an
incorrect value_size is transferred? Then please tell us where.</div></blockquote><div><br></div>I found that the transferred string in the value field of the SANE_NET_CONTROL_OPTION response packet is always the same size as the one requested, even if the actual string is shorter. I assume that this is intentional since the string is NULL-terminated. However, the part beyond the NULL terminator appears to be uninitialized memory from the server, which can potentially contain sensitive information. I have yet to locate where in SANE's source code this is happening, but I am able to see the uninitialized memory in Wireshark, which suggests that it actually comes from the server rather than from my machine.</div>
<div><br></div>
<div>I also have a proof-of-concept that demonstrates this if you'd like to take a look at it.</div>
<div><br><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;">
Or is there another problem?
Please give us more information and remove the tag moreinfo with your answer.</div></blockquote><blockquote type="cite"><div class="plaintext" style="white-space: pre-wrap;">
<blockquote> It may be possible to trigger this bug with other packet types, but I
have not verified this.
I have previously filed a bug in the SANE bug tracker on Alioth
(#315576), but I received no response.
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sane-utils depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.60
ii init-system-helpers 1.47
ii libavahi-client3 0.6.32-2
ii libavahi-common3 0.6.32-2
ii libc6 2.24-9
ii libieee1284-3 0.2.11-13
ii libjpeg62-turbo 1:1.5.1-2
ii libpng16-16 1.6.28-1
ii libsane 1.0.25-3
ii libsystemd0 232-6
ii libusb-1.0-0 2:1.0.21-1
ii lsb-base 9.20161125
ii update-inetd 4.44
sane-utils recommends no packages.
Versions of packages sane-utils suggests:
ii avahi-daemon 0.6.32-2
pn unpaper <none>
-- debconf information excluded
</blockquote>
CU
Jörg
<div>--
</div>New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key : 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54470 Lieser
Threema: SYR8SJXB
IRC: <a href="mailto:j_f-f@freenode.net">j_f-f@freenode.net</a>
<a href="mailto:j_f-f@oftc.net">j_f-f@oftc.net</a>
My wish list:
- Please send me a picture of nature at your home.
</div></blockquote></div>
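As an added example (not code from the report, from Debian or from SANE's sources), here is the kind of server-side check a fix for the behaviour described above would need: given the reply's value buffer for a string option, count the non-zero bytes past the NUL terminator and clear them before the buffer is sent. It assumes only what the report states, that the value field is a value_size-byte buffer holding a NUL-terminated string; the helper names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helpers, not SANE's code. "value" models the value field of a
 * SANE_NET_CONTROL_OPTION reply for a SANE_TYPE_STRING option: a buffer of
 * value_size bytes holding a NUL-terminated string, as the report describes. */

/* Count non-zero bytes after the first NUL: if the whole buffer is sent as-is,
 * these are what a client sees beyond the terminator. Returns -1 when there is
 * no terminator within value_size. */
long count_bytes_after_nul(const unsigned char *value, size_t value_size)
{
    const unsigned char *nul = memchr(value, '\0', value_size);
    if (nul == NULL)
        return -1;
    long count = 0;
    for (const unsigned char *p = nul + 1; p < value + value_size; p++)
        if (*p != 0)
            count++;
    return count;
}

/* Zero everything past the first NUL so the reply carries only the string and
 * zero padding. Returns the number of stale bytes cleared, or -1 if the buffer
 * is unterminated (the caller should then reject or re-terminate it). */
long scrub_after_nul(unsigned char *value, size_t value_size)
{
    long stale = count_bytes_after_nul(value, value_size);
    if (stale < 0)
        return -1;
    unsigned char *nul = memchr(value, '\0', value_size);
    memset(nul + 1, 0, (size_t)(value + value_size - (nul + 1)));
    return stale;
}

/* Constructed sample (not captured traffic): "Gray" followed by 11 bytes that
 * stand in for whatever the server's buffer held before. */
static const unsigned char sample_value[16] = {
    'G', 'r', 'a', 'y', '\0',
    0x7f, 'E', 'L', 'F', 0x01, 0x02, 0x03, 0x00, 0x00, 0x04, 0x05
};

/* Copy the sample into out and scrub it; returns how many stale non-zero
 * bytes were cleared (9 for this sample). */
long demo_scrub(unsigned char out[16])
{
    memcpy(out, sample_value, sizeof sample_value);
    return scrub_after_nul(out, sizeof sample_value);
}
```

A non-zero count from count_bytes_after_nul on a reply that is about to leave the server is exactly the condition the report describes; after scrub_after_nul it is zero and the buffer still compares equal to "Gray".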