Bug 20450 - sane new security issue CVE-2017-6318
Summary: sane new security issue CVE-2017-6318
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga5-32-ok mga5-64-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-11 17:02 CET by David Walser
Modified: 2017-07-22 10:54 CEST (History)
7 users (show)

See Also:
Source RPM: sane-1.0.24-10.mga5.src.rpm
CVE: CVE-2017-6318
Status comment:


Attachments

Description David Walser 2017-03-11 17:02:39 CET
openSUSE has issued an advisory on March 10:
https://lists.opensuse.org/opensuse-updates/2017-03/msg00016.html

Mageia 5 is also affected.
Comment 1 Nicolas Lécureuil 2017-04-25 16:16:47 CEST
Fixed on cauldron
Comment 2 David Walser 2017-07-09 02:27:00 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated sane packages fix security vulnerability:

saned could have leaked uninitialized memory back to its requesters for some
opcodes, allowing for information disclosure of saned memory (CVE-2017-6318).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6318
https://lists.opensuse.org/opensuse-updates/2017-03/msg00016.html
========================

Updated packages in core/updates_testing:
========================
libsane1-1.0.24-10.2.mga5
libsane1-devel-1.0.24-10.2.mga5
sane-backends-1.0.24-10.2.mga5
sane-backends-iscan-1.0.24-10.2.mga5
sane-backends-doc-1.0.24-10.2.mga5
saned-1.0.24-10.2.mga5

from sane-1.0.24-10.2.mga5.src.rpm
Comment 3 Thomas Andrews 2017-07-14 00:59:35 CEST
OK with HP Officejet 6110, in a 32-bit install, using Intel motherboard, Core 2 Duo, Intel graphics, when called using the xsane plugin of Gimp.

Previewed and scanned an old photo, both in color and grayscale.
Comment 4 William Kenney 2017-07-14 05:00:18 CEST
In VirtualBox, M5.1, KDE, 34-bit

Package(s) under test:
saned

default install of sane xsane libsane1 sane-backends sane-backends-iscan sane-backends-doc saned

[root@localhost wilcal]# uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 07:50:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi sane
Package sane-backends-1.0.24-10.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi xsane
Package xsane-0.999-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libsane1
Package libsane1-1.0.24-10.mga5.i586 is already installed
[root@localhost wilcal]# urpmi sane-backends
Package sane-backends-1.0.24-10.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi sane-backends-iscan
Package sane-backends-iscan-1.0.24-10.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi sane-backends-doc
Package sane-backends-doc-1.0.24-10.mga5.noarch is already installed
[root@localhost wilcal]# urpmi saned
Package saned-1.0.24-10.mga5.x86_64 is already installed

xsane scans documents and outputs to a file that can be edited by Gimp

install sane xsane libsane1 sane-backends sane-backends-iscan sane-backends-doc
saned from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 07:50:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi sane
Package sane-backends-1.0.24-10.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi xsane
Package xsane-0.999-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libsane1
Package libsane1-1.0.24-10.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi sane-backends
Package sane-backends-1.0.24-10.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi sane-backends-iscan
Package sane-backends-iscan-1.0.24-10.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi sane-backends-doc
Package sane-backends-doc-1.0.24-10.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi saned
Package saned-1.0.24-10.2.mga5.x86_64 is already installed

xsane scans documents and outputs to a file that can be edited by Gimp
Comment 5 William Kenney 2017-07-14 05:01:42 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Comment 6 Mageia Robot 2017-07-22 10:54:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0208.html

Note You need to log in before you can comment on or make changes to this bug.