
[#315576] saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server


Date: 2016-12-16 19:37
Priority: 3
State: Closed
Submitted by: Kritphong Mongkhonvanit (kritphong-guest)
Assigned to: Olaf Meeuwissen (olaf-guest)
Category: saned
Group: security
Resolution: Fixed
Summary: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server

Detailed description
saned-1.0.25

When saned receives a SANE_NET_CONTROL_OPTION with value_type == SANE_TYPE_STRING and value_size larger than the actual length of the requested string, the response packet from the server contains a string object as long as value_size in the request. The bytes following the actual string appear to contain memory contents of the server.
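
The following is an added illustration of the bug class described in the report above; it is not part of the original report and is not saned's code or the project's fix. It models a server that sizes a string reply by the client-supplied value_size, next to a variant that clears the buffer and sends only the string, plus a check for bytes after the terminator. All function names, the option value and the stale buffer contents are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the bug class; all names are hypothetical, not saned's. */
#define OPT_VALUE "Color"   /* constructed option string returned by the backend */

/* Stand-in for a reused heap chunk: fill it with constructed stale bytes. */
static void stale_fill(unsigned char *buf, size_t n) {
    static const char old[] = "stale-server-data";   /* constructed sample */
    for (size_t i = 0; i < n; i++) buf[i] = (unsigned char)old[i % (sizeof old - 1)];
}

/* Backend writes the NUL-terminated value; bytes past it are left untouched. */
static void backend_get_string(unsigned char *buf, size_t n) {
    size_t len = strlen(OPT_VALUE);
    if (n == 0) return;
    if (len >= n) len = n - 1;
    memcpy(buf, OPT_VALUE, len);
    buf[len] = '\0';
}

/* Before: the reply carries value_size bytes, as requested by the client. */
size_t reply_vulnerable(unsigned char *out, size_t value_size) {
    stale_fill(out, value_size);
    backend_get_string(out, value_size);
    return value_size;                    /* number of bytes put on the wire */
}

/* After: clear the buffer first, then send only the string and its terminator. */
size_t reply_hardened(unsigned char *out, size_t value_size) {
    stale_fill(out, value_size);          /* same starting state as above */
    memset(out, 0, value_size);
    backend_get_string(out, value_size);
    return value_size ? strlen((const char *)out) + 1 : 0;
}

/* Check for a captured reply: count non-zero bytes after the first NUL. */
size_t bytes_after_terminator(const unsigned char *reply, size_t wire_len) {
    const unsigned char *nul = memchr(reply, 0, wire_len);
    size_t leaked = 0;
    if (!nul) return 0;
    for (const unsigned char *p = nul + 1; p < reply + wire_len; p++) leaked += (*p != 0);
    return leaked;
}

int main(void) {   /* exit status 0 when the model behaves as described */
    unsigned char a[64], b[64];
    size_t n = reply_vulnerable(a, sizeof a), m = reply_hardened(b, sizeof b);
    return !(bytes_after_terminator(a, n) == 58 && bytes_after_terminator(b, m) == 0);
}
```

A non-zero result from bytes_after_terminator on a string reply is the symptom the report describes.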

Followups:

Message
Date: 2017-02-14 12:49
Sender: Olaf Meeuwissen

This has been submitted to the Debian BTS (for lack of response here :-() and forwarded to the sane-devel ML now.

- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854804
- http://lists.alioth.debian.org/pipermail/sane-devel/2017-February/035029.html

Suggest we track this via the Debian BTS for now.

Date: 2017-05-05 04:41
Sender: Olaf Meeuwissen

This was addressed in 42896939.

Changes:

Field        Old Value  Date              By
Resolution   None       2017-05-05 04:41  olaf-guest
close_date   None       2017-05-05 04:41  olaf-guest
status_id    Open       2017-05-05 04:41  olaf-guest
assigned_to  none       2017-02-14 12:49  olaf-guest