Bugzilla – Bug 1172524
VUL-0: CVE-2020-12861, CVE-2020-12862, CVE-2020-12863, CVE-2020-12864, CVE-2020-12865, CVE-2020-12866, CVE-2020-12867: sane-backends: memory corruption bugs
Last modified: 2021-01-27 17:05:21 UTC
CVE-2020-12867: A NULL pointer dereference in sanei_epson_net_read in SANE Backends through 1.0.29 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
https://gitlab.com/sane-project/backends/-/issues/279#issue-1-ghsl-2020-075-null-pointer-dereference-in-sanei_epson_net_read
Kevin Backhouse of the [GitHub Security Lab team][1] has discovered several issues in the epson2, epsonds and magicolor backends that could be exploited by a malicious network device. All three backends are enabled by default. Moreover, all enable automatic discovery of network devices. The issues can be used to crash SANE frontends at start up or when starting a scan as well as corrupt memory leading to a possibility of remote code execution.

[1]: https://securitylab.github.com

This release fixes the issues for the epson2 and magicolor backends and mitigates them for the epsonds backend. We recommend that you upgrade to this release.

The source tarball and checksums can be found on the [releases page][2].

[2]: https://gitlab.com/sane-project/backends/-/releases

Please note that this page also mentions a "Source code" pull down menu from which you can download the corresponding git repository. These archives do *not* include generated files such as the configure script, Makefile.in files and more.

A nicely formatted version of the release notes can be found at the [releases page][2] as well. For your convenience, the "raw" Markdown is included below.

### Backends

- `epson2`: fixes CVE-2020-12867 (GHSL-2020-075) and several memory management issues found while addressing that CVE
- `epsonds`: addresses out-of-bound memory access issues to fix CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083), addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084) and disables network autodiscovery to mitigate CVE-2020-12866 (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864 (GHSL-2020-081). Note that this backend does not support network scanners to begin with.
- `magicolor`: fixes a floating point exception and uninitialized data read
- fixes an overflow in `sanei_tcp_read()`
Upstream commits:
https://gitlab.com/sane-project/backends/-/commit/fff83e7eacd0f27bb2d71c42488e0fd735c15ac3
https://gitlab.com/sane-project/backends/-/commit/b9b0173409df73e235da2aa0dae5edd21fb55967
https://gitlab.com/sane-project/backends/-/commit/27ea994d23ee52fe1ec1249c92ebc1080a358288
https://gitlab.com/sane-project/backends/-/commit/db9480b09ea807e52029f2334769a55d4b95e45b
https://gitlab.com/sane-project/backends/-/commit/fe08bbee6b238ea0be73af67b560ffc2c47562fd
https://gitlab.com/sane-project/backends/-/commit/af0442f15cc966bbc3d7d9322380005ea0ee8340
https://gitlab.com/sane-project/backends/-/commit/8682023faa27c61156a354955c89617a3304d66f

All in one: https://gitlab.com/sane-project/backends/-/commit/757b7cf463718de9b4f7b29b0cd61eb9bde10f86
Exploit for CVE-2020-12861 (adjacent network code execution): https://github.com/github/securitylab/tree/38b182e96a48f19b412039c0b321d6faec2b5c55/SecurityExploits/SANE/epsonds_CVE-2020-12861
Steps to reproduce:

- Run the fake scanner on a 2nd machine in the same subnet

  CVE-2020-12861: ./fakescanner epson 2 # OOB write
  CVE-2020-12862: ./fakescanner epson 4 # OOB read
  CVE-2020-12863: ./fakescanner epson 6 # OOB read
  CVE-2020-12864: ./fakescanner epson 3 # OOB read
  CVE-2020-12865: ./fakescanner epson 8 # OOB write
  CVE-2020-12866: ./fakescanner epson 1 # null ptr deref
  CVE-2020-12867: ./fakescanner epson 0 # null ptr deref

- Run simple-scan. Some of the bugs require the user to press the "Scan" button.

Not reproducible on SLE-11-SP1. Please double-check.

Reproducible on SLE-12 and SLE-15.
SUSE-SU-2020:3065-1: An update that fixes 7 vulnerabilities, contains four features is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References: ECO-2418,PM-2118,SLE-15560,SLE-15561
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): sane-backends-1.0.31-6.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): sane-backends-1.0.31-6.3.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): sane-backends-1.0.31-6.3.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): sane-backends-1.0.31-6.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1791-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): sane-backends-1.0.31-lp151.6.3.1
openSUSE-SU-2020:1798-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): sane-backends-1.0.31-lp152.7.3.1
SUSE-SU-2020:3125-1: An update that fixes 8 vulnerabilities, contains three features is now available.

Category: security (important)
Bug References: 1172524
CVE References: CVE-2017-6318,CVE-2020-12861,CVE-2020-12862,CVE-2020-12863,CVE-2020-12864,CVE-2020-12865,CVE-2020-12866,CVE-2020-12867
JIRA References: ECO-2418,SLE-15560,SLE-15561
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud Crowbar 8 (src): sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud 9 (src): sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud 8 (src): sane-backends-1.0.31-4.3.1
SUSE OpenStack Cloud 7 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP5 (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): sane-backends-1.0.31-4.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): sane-backends-1.0.31-4.3.1
SUSE Enterprise Storage 5 (src): sane-backends-1.0.31-4.3.1
HPE Helion Openstack 8 (src): sane-backends-1.0.31-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
DONE