SANE 1.0.30 has been released on May 17, fixing several security issues:
https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html

Debian-LTS has issued an advisory for one of these issues on May 31:
https://www.debian.org/lts/security/2020/dla-2231

Mageia 7 is also affected.

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.0.30
Assigning to Zezinho as the active maintainer.
Assignee: bugsquad => lists.jjorge
Debian-LTS has issued an advisory for more of these issues on August 17:
https://www.debian.org/lts/security/2020/dla-2332
Sane 1.0.31 has been released. Hopefully someone can update it.
Assignee: lists.jjorge => pkg-bugs
CC: (none) => lists.jjorge
Ubuntu has issued an advisory for this on August 24:
https://ubuntu.com/security/notices/USN-4470-1
sane-1.0.31-1.mga8 uploaded for Cauldron by David Geiger.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A heap buffer overflow in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to execute arbitrary code, aka GHSL-2020-080. (CVE-2020-12861)

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082. (CVE-2020-12862)

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-083. (CVE-2020-12863)

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-081. (CVE-2020-12864)

A heap buffer overflow in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to execute arbitrary code, aka GHSL-2020-084. (CVE-2020-12865)

A NULL pointer dereference in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-079. (CVE-2020-12866)

A NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075. (CVE-2020-12867)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
https://www.debian.org/lts/security/2020/dla-2231
https://www.debian.org/lts/security/2020/dla-2332
https://ubuntu.com/security/notices/USN-4470-1
========================

Updated packages in core/updates_testing:
========================

lib(64)sane1-1.0.28-1.1.mga7
lib(64)sane1-devel-1.0.28-1.1.mga7
sane-backends-1.0.28-1.1.mga7
sane-backends-iscan-1.0.28-1.1.mga7
sane-backends-doc-1.0.28-1.1.mga7
saned-1.0.28-1.1.mga7

from SRPM:
sane-1.0.28-1.1.mga7.src.rpm
Status comment: Fixed upstream in 1.0.30 => (none)
Source RPM: sane-1.0.28-2.mga8.src.rpm => sane-1.0.28-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
mga7, x86_64 Added any missing components before updating and checked xsane. That was working fine. Updated all the packages and also installed simple-scan. Tried out xsane and simple-scan. simple-scan located the HP Photosmart 5520 without any fuss. Generated a PDF. No problem viewing the image using xpdf. An immediate problem with xsane while scanning for devices. Had to crash out. Removed the configuration files for the user in .sane/xsane/ and restarted. That cleared the problem. Detected the scanner device. Changed to full colour mode, changed resolution and selected PNG output. Saved file and exited. The image looks fine.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0360.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED