exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dsa-379.txt

dsa-379.txt
Posted Sep 13, 2003
Authored by Debian, Alexander Hvostov, Julien Blache, Aurelien Jarno | Site debian.org

Debian Security Advisory DSA 379-1 - Several security related problems have been discovered in the sane-backends package that allows a remote attacker to cause a denial of service.

tags | advisory, remote, denial of service
systems | linux, debian
advisories | CVE-2003-0773, CVE-2003-0774
SHA-256 | 14a8b86eb3fe69526f71c2cb0d208516e1418ab00a1d3f518b0deb76cd6e4dd8

dsa-379.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 379-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 11th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : sane-backends
Vulnerability : several vulnerabilities
Problem-Type : remote
Debian-specific: no
CVE references : CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-20
03-0777 CAN-2003-0778

Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. Thes problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CAN-2003-0773:

saned checks the identity (IP address) of the remote host only
after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed
to scan (not listed in saned.conf).

CAN-2003-0774:

saned lacks error checking nearly everywhere in the code. So
connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer
leaves the limits of the allocated memory. So random memory "after"
the wire buffer is read which will be followed by a segmentation
fault.

CAN-2003-0775:

If saned expects strings, it mallocs the memory necessary to store
the complete string after it receives the size of the string. If
the connection was dropped before transmitting the size, malloc
will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (->saned
quits nicely) or a huge amount of memory is allocated. Swapping and
and OOM measures may occur depending on the kernel.

CAN-2003-0776:

saned doesn't check the validity of the RPC numbers it gets before
getting the parameters.

CAN-2003-0777:

If debug messages are enabled and a connection is dropped,
non-null-terminated strings may be printed and segamentation faults
may occur.

CAN-2003-0778:

It's possible to allocate an arbitrary amount of memory on the
server running saned even if the connection isn't dropped. At the
moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).

For the stable distribution (woody) this problem has been
fixed in version 1.0.7-4.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.11-1 and later.

We recommend that you upgrade your libsane packages.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/s/sane-backends/sane-backends_
1.0.7-4.dsc
Size/MD5 checksum: 650 fce2bccda1eca4e4185deee5681f738f
http://security.debian.org/pool/updates/main/s/sane-backends/sane-backends_
1.0.7-4.diff.gz
Size/MD5 checksum: 27898 56454dddbb589c56c5404c3228c0e4e8
http://security.debian.org/pool/updates/main/s/sane-backends/sane-backends_
1.0.7.orig.tar.gz
Size/MD5 checksum: 1867577 6010d68d8a8c29d1dcbf0c6d5005770b

Alpha architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_alpha.deb
Size/MD5 checksum: 1797436 3cc566a8518565d305f8d81d3fa6d766
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_alpha.deb
Size/MD5 checksum: 5560004 5b99bc14cb5207a656ed0f11b9f43d05

ARM architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_arm.deb
Size/MD5 checksum: 1590972 2a1255e8be662d9415096eec2cc33d8e
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_arm.deb
Size/MD5 checksum: 4750680 20fba2388a627f9504cbc621873e2d7a

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_i386.deb
Size/MD5 checksum: 1451240 c0726d631d9426eaecd8aaa2667eb801
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_i386.deb
Size/MD5 checksum: 4524636 37934f30ed8726f7f39791cfb2760bb5

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_ia64.deb
Size/MD5 checksum: 2240324 3efa00ae110d3dae825b39685d24ff93
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_ia64.deb
Size/MD5 checksum: 4892446 9ce7e0ff7db5e7bebe6b9c5497d9c855

HP Precision architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_hppa.deb
Size/MD5 checksum: 1762866 7a2d25d300f2aef6972c656f1cf0918e
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_hppa.deb
Size/MD5 checksum: 5099552 d529ee8a61cd316ae2d19d1ecf2ae249

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_m68k.deb
Size/MD5 checksum: 1447178 b499ce366fc07a291b00edcacdf2312d
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_m68k.deb
Size/MD5 checksum: 4410546 40a8fb70043f6f84e0cd7a02d1428b31

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_mips.deb
Size/MD5 checksum: 1488654 f9e09f27924d704d35dec4ab2b42c84d
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_mips.deb
Size/MD5 checksum: 4859694 08ec5fdf4c847800d82935fbe782179f

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_mipsel.deb
Size/MD5 checksum: 1490928 87a4f046310a9e76917fa16df8271c3d
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_mipsel.deb
Size/MD5 checksum: 4624290 314367f2ea0ef4328a1a904236452528

PowerPC architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_powerpc.deb
Size/MD5 checksum: 1597728 b9b3588129d046d76b1bde2f20d51e4a
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_powerpc.deb
Size/MD5 checksum: 4913074 6e7d5fcf31ccff0be85b9b6855a117b4

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_s390.deb
Size/MD5 checksum: 1492610 c80c5467c124f57da1a0ec0d78be75b0
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_s390.deb
Size/MD5 checksum: 4566136 68d3e765375e43ea891a5a9f39fdc40a

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/s/sane-backends/libsane_1.0.7-
4_sparc.deb
Size/MD5 checksum: 1584884 b84ac77275bd2910851e0f4f35d22a4d
http://security.debian.org/pool/updates/main/s/sane-backends/libsane-dev_1.
0.7-4_sparc.deb
Size/MD5 checksum: 4770392 d64709c90f73c1f9259f96a54e5bcb45


These files will probably be moved into the stable distribution on
its next revision.

- -----------------------------------------------------------------------------
----
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/ma
in
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/YDdGW5ql+IAeqTIRAnkkAJ9STIHOorHmz0sE7KFg4HPxJaTxbwCePcOL
1yIdA3J/3/B6AOPjaUJTjL4=
=A4Bj
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close