[Secure-testing-team] Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server

Kritphong Mongkhonvanit kritphong at mongkhonvanit.tk
Fri Feb 10 15:33:26 UTC 2017


Package: sane-utils
Version: 1.0.25-3
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,

When saned receives a SANE_NET_CONTROL_OPTION packet with value_type ==
SANE_TYPE_STRING and value_size larger than the actual length of the
requested string, the response packet from the server contains a string
object as long as value_size in the request. The bytes following the
actual string appear to contain memory contents from the server.

It may be possible to trigger this bug with other packet types, but I
have not verified this.

I have previously filed a bug in the SANE bug tracker on Alioth
(#315576), but I received no response.


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sane-utils depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.60
ii  init-system-helpers    1.47
ii  libavahi-client3       0.6.32-2
ii  libavahi-common3       0.6.32-2
ii  libc6                  2.24-9
ii  libieee1284-3          0.2.11-13
ii  libjpeg62-turbo        1:1.5.1-2
ii  libpng16-16            1.6.28-1
ii  libsane                1.0.25-3
ii  libsystemd0            232-6
ii  libusb-1.0-0           2:1.0.21-1
ii  lsb-base               9.20161125
ii  update-inetd           4.44

sane-utils recommends no packages.

Versions of packages sane-utils suggests:
ii  avahi-daemon  0.6.32-2
pn  unpaper       <none>

-- debconf information excluded
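
The leak pattern described in the report, next to one way to close it, as an added example that is not part of the original report and is not saned's code. The function names, the 64-byte buffer, the option value "Gray" and the 0xAA filler standing in for stale server memory are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 64  /* hypothetical upper bound on value_size */

/* Hypothetical backend getter: writes only the NUL-terminated option string. */
static void get_option_string(char *buf, size_t cap) {
    snprintf(buf, cap, "%s", "Gray");
}

/* Builds the string value field of a reply and returns the bytes sent.
 * harden == 0: value_size bytes go out as-is (the reported behaviour).
 * harden == 1: everything after the terminator is cleared first. */
static size_t build_reply(uint8_t *wire, size_t value_size, int harden) {
    char value[BUF_MAX];
    if (value_size == 0 || value_size > BUF_MAX)
        return 0;                          /* reject out-of-range sizes */
    memset(value, 0xAA, sizeof value);     /* constructed stale contents */
    get_option_string(value, value_size);
    if (harden) {
        const char *nul = memchr(value, 0, value_size);
        size_t used = nul ? (size_t)(nul - value) : value_size;
        memset(value + used, 0, value_size - used);
    }
    memcpy(wire, value, value_size);
    return value_size;
}

/* Counts non-zero bytes that follow the first NUL in the value field. */
static size_t leaked_bytes(const uint8_t *wire, size_t n) {
    size_t i = 0, leaked = 0;
    while (i < n && wire[i] != 0) i++;
    for (; i < n; i++)
        if (wire[i] != 0) leaked++;
    return leaked;
}

int main(void) {
    uint8_t wire[BUF_MAX];
    size_t n = build_reply(wire, 32, 0);
    printf("unhardened: %zu stale bytes on the wire\n", leaked_bytes(wire, n));
    n = build_reply(wire, 32, 1);
    printf("hardened:   %zu stale bytes on the wire\n", leaked_bytes(wire, n));
    return 0;
}
```

The `leaked_bytes` check can also be used on captured replies: a string value field with non-zero bytes after its terminator indicates the server is sending buffer contents it never wrote.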


