Bug 729312 (CVE-2020-12861, CVE-2020-12862, CVE-2020-12863, CVE-2020-12864, CVE-2020-12865, CVE-2020-12866, CVE-2020-12867)

Summary:	<media-gfx/sane-backends-1.0.30: Multiple vulnerabilities (CVE-2020-{12861,12862,12863,12864,12865,12866,12867}))
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	grknight, jer, maintainer-needed
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
See Also:	https://github.com/gentoo/gentoo/pull/16384 https://bugs.gentoo.org/show_bug.cgi?id=734134
Whiteboard:	B3 [noglsa cve]
Package list:	=media-gfx/sane-backends-1.0.30-r2	Runtime testing required:	---

Description Sam James archtester

2020-06-23 14:22:48 UTC

From URL:
 - `epson2`: fixes CVE-2020-12867 (GHSL-2020-075) and several memory
   management issues found while addressing that CVE
 - `epsonds`: addresses out-of-bound memory access issues to fix
   CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083),
   addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084)
   and disables network autodiscovery to mitigate CVE-2020-12866
   (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864
   (GHSL-2020-081).  Note that this backend does not support network
   scanners to begin with.
 - `magicolor`: fixes a floating point exception and uninitialized data
   read
 - fixes an overflow in `sanei_tcp_read()`

Comment 1 Sam James archtester

2020-06-23 14:25:57 UTC

NOTE: there was an (abandoned) PR for 1.0.28 (we need 1.0.30), https://github.com/gentoo/gentoo/pull/14330, which may be useful.

Comment 2 Brian Evans (RETIRED) gentoo-dev

2020-06-23 14:30:10 UTC

There is an important post-release patch to prevent compile errors at https://gitlab.com/sane-project/backends/-/commit/6bb87fdf1f3dc190cfc4b7d64b0c8c8c3d10151b.diff

Comment 3 Larry the Git Cow gentoo-dev

2020-06-26 22:34:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2359950077b026cc6bbe861b1126f5d34b6eac45

commit 2359950077b026cc6bbe861b1126f5d34b6eac45
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-22 21:42:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-26 22:34:03 +0000

    media-gfx/sane-backends: security bump to 1.0.30
    
    Closes: https://bugs.gentoo.org/691204
    Bug: https://bugs.gentoo.org/729312
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/16384
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-gfx/sane-backends/Manifest                   |   1 +
 ...ne-backends-1.0.30-missing-stdint-include.patch |  14 +
 .../sane-backends/sane-backends-1.0.30.ebuild      | 344 +++++++++++++++++++++
 3 files changed, 359 insertions(+)

Comment 4 Sam James archtester

2020-06-26 22:36:31 UTC

Let's give it a few days until stabilisation because I don't use this package, and we were a few versions behind until now.

Comment 5 Larry the Git Cow gentoo-dev

2020-06-28 07:41:02 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4f54515916bb0fb696fb3cbf7632573e1651d60

commit a4f54515916bb0fb696fb3cbf7632573e1651d60
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-27 05:21:55 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-06-28 07:40:46 +0000

    media-gfx/sane-backends: add ricoh2 backend, fix IUSE defaults, etc
    
    Changes:
    * Add the ricoh2 backend
    
    * Set +zeroconf by default, to avoid a REQUIRED_USE choice
      being required out of the box. The other backends with
      a REQUIRED_USE are disabled by default.
    
      We could switch to turning off escl by default instead,
      if defaulting to zeroconf is unfavourable.
    
    * Switch escl dep to be multilib, and add
      missing avahi dependency.
    
    * Add pixma libjpeg dep, which was referenced in
      the ChangeLog for 1.0.28.
    
    Bug: https://bugs.gentoo.org/729312
    Closes: https://bugs.gentoo.org/729850
    Closes: https://bugs.gentoo.org/729808
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/16447
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 .../sane-backends/sane-backends-1.0.30-r2.ebuild   | 345 +++++++++++++++++++++
 1 file changed, 345 insertions(+)

Comment 6 Larry the Git Cow gentoo-dev

2020-06-28 08:24:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49491819885af7f659dafe3a116ada80fbcfe1d7

commit 49491819885af7f659dafe3a116ada80fbcfe1d7
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-06-28 08:23:11 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-06-28 08:24:53 +0000

    media-gfx/sane-backends: Fix genesys backend on bigendian
    
    Fixes a compile failure on HPPA (and other BE architectures):
    
    backend/genesys/low.cpp:542:9: error: ‘depth’ was not declared in this
    scope
    
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/729312
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 .../files/sane-backends-1.0.30-bigendian-depth.patch       | 14 ++++++++++++++
 media-gfx/sane-backends/sane-backends-1.0.30-r2.ebuild     |  3 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)

Comment 7 Sam James archtester

2020-06-29 00:19:31 UTC

(In reply to Larry the Git Cow from comment #6)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=49491819885af7f659dafe3a116ada80fbcfe1d7
> 
> commit 49491819885af7f659dafe3a116ada80fbcfe1d7
> Author:     Jeroen Roovers <jer@gentoo.org>

Thanks jer for this.

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2020-07-06 07:30:24 UTC

ppc/ppc64 stable

Comment 9 Sam James archtester

2020-07-06 11:32:07 UTC

arm64 stable

Comment 10 Sam James archtester

2020-07-10 13:24:41 UTC

arm stable

Comment 11 Sam James archtester

2020-07-11 18:22:08 UTC

sparc stable

Comment 12 Sam James archtester

2020-07-17 00:06:35 UTC

amd64, x86, hppa: ping

Comment 13 Agostino Sarubbo gentoo-dev

2020-07-17 07:22:29 UTC

amd64 stable

Comment 14 Rolf Eike Beer archtester

2020-07-18 09:47:50 UTC

~hppa is fine.

Comment 15 Sam James archtester

2020-08-08 01:39:22 UTC

GLSA vote: no

Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev

2020-08-29 17:58:30 UTC

x86 stable

Comment 17 Rolf Eike Beer archtester

2020-09-02 20:30:01 UTC

~hppa is fine

Comment 18 Sam James archtester

2020-09-02 20:35:35 UTC

Needs cleanup.

Comment 19 NATTkA bot gentoo-dev

2020-09-02 20:36:56 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 20 Larry the Git Cow gentoo-dev

2020-09-17 23:20:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=619a6b6164660089f7dee5fcb6ea484f7bcff72b

commit 619a6b6164660089f7dee5fcb6ea484f7bcff72b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-17 23:20:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-17 23:20:22 +0000

    media-gfx/sane-backends: security cleanup
    
    Bug: https://bugs.gentoo.org/729312
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/sane-backends/Manifest                   |   1 -
 .../sane-backends-1.0.27-canon-lide-100.patch      |  17 -
 .../files/sane-backends-1.0.27-network.patch       |  42 ---
 .../sane-backends-1.0.27-revert-samsung.patch      | 406 ---------------------
 ...ne-backends-1.0.27-uninitialized-variable.patch |  25 --
 .../sane-backends/sane-backends-1.0.27-r3.ebuild   | 344 -----------------
 6 files changed, 835 deletions(-)