SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SANE Vendors:   sane-project.org
(Conectiva Issues Fix) Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
SecurityTracker Alert ID:  1007986
SecurityTracker URL:  http://securitytracker.com/id/1007986
CVE Reference:   CVE-2003-0773, CVE-2003-0774, CVE-2003-0775, CVE-2003-0776, CVE-2003-0777, CVE-2003-0778   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Oct 23 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.7 and prior versions
Description:   Several vulnerabilities were reported in the Scanner Access Now Easy (SANE) application. A remote user can cause denial of service conditions.

It is reported that the the sane-backends package contains several flaws. If the 'saned' daemon is running on your system, you may be affected. A remote user can cause saned to consume large amounts of memory or crash. The remote user can exploit these flaws even if the remote user's host is not listed in the 'saned.conf' file, the report said.

It is reported that saned fails to validate the IP address of the remote host for the SANE_NET_INIT RPC message (the first message of a SANE session). A host that is not explicitly permitted in accordance with the 'saned.conf' file settings (CVE: CVE-2003-0773).

It is reported that the code does not properly check for communication errors. A remote user can drop a connection without having the target system detect the drop, resulting in a buffer overflow and segmentation fault (CVE: CVE-2003-0774).

A remote user can connect and then drop the connection before sending the size of strings (ostensibly to be sent as a subsequent part of the connection). This will cause the target system to malloc an arbitrary amount of memory and fail or crash (CVE: CVE-2003-0775)

It is reported that the saned daemon fails to check the validity of user-supplied RPC numbers (CVE: CVE-2003-0776). The impact of this flaw is reported to be uncertain.

If a remote user drops a connection when debug messages are enabled on the target server, the target server may print non-null-terminated strings and crash (CVE: CVE-2003-0777).

It is also reported that a remote user can cause an arbitrary amount of memory to be allocated on the target server (CVE: CVE-2003-0778).

Debian credits Alexander Hvostov, Julien Blache, and Aurelien Jarno with discovering these flaws.

Impact:   A remote user can cause the target server to consume large amounts of memory or crash.
Solution:   Conectiva has released a fix.

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-1.0.4-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-devel-1.0.4-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-devel-static-1.0.4-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sane-1.0.4-3U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-1.0.6-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-devel-1.0.6-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-devel-static-1.0.6-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sane-1.0.6-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-1.0.9-23360U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-devel-1.0.9-23360U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-devel-static-1.0.9-23360U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/sane-1.0.9-23360U90_1cl.src.rpm

Vendor URL:  www.sane-project.org/ (Links to External Site)
Cause:   Boundary error, Resource error, State error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  7.0, 8, 9

Message History:   This archive entry is a follow-up to the message listed below.
Oct 23 2003 Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon



 Source Message Contents

Subject:  [conectiva-updates] [CLA-2003:769] Conectiva Security Announcement - sane


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : sane
SUMMARY   : Vulnerabilities in saned and in temporary files handling
DATE      : 2003-10-22 17:55:00
ID        : CLA-2003:769
RELEVANT
RELEASES  : 7.0, 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
 SANE (Scanner Access Now Easy) is an interface to both local and
 networked scanners and other image acquisition devices. The sane
 package contains several scanner drivers, utilities and saned, a
 application that allows the sharing of scanners across a network.
 
 This update fixes several vulnerabilities in the sane package:
 
 - Remote vulnerabilities in saned. These vulnerabilities can be
 exploited by remote attackers to cause a denial of service or even
 execute arbitrary code with the privileges of the user running saned
 (which is usually root). The Common Vulnerabilities and Exposures
 project (cve.mitre.org) has assigned[1,2,3,4,5,6] the names
 CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776,
 CAN-2003-0777 and CAN-2003-0778 to these issues.
 
 - Temporary file handling vulnerabilities (does not affect Conectiva
 Linux 9). In several sane backends (drivers), temporary files are
 created in an unsafe manner. A local attacker can exploit these
 vulnerabilities to overwrite arbitrary system or user files. The
 Common Vulnerabilities and Exposures project (cve.mitre.org) has
 assigned the name CAN-2001-0890[7] to this issue.
 
 The Conectiva Linux 9 package (sane-1.0.9) also includes fixes for a
 bug[8] in the plustek driver which may cause hardware damage in EPSON
 1260 scanners (previous versions do not contain the driver).


SOLUTION
 All users of the sane package should upgrade.
 
 
 REFERENCES:
 1.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0773
 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0774
 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0775
 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0776
 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0777
 6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0778
 7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0890
 8.http://www.gjaeger.de/scanner/plustek.html#epson


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-1.0.4-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-devel-1.0.4-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sane-devel-static-1.0.4-3U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sane-1.0.4-3U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-1.0.6-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-devel-1.0.6-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sane-devel-static-1.0.6-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sane-1.0.6-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-1.0.9-23360U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-devel-1.0.9-23360U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sane-devel-static-1.0.9-23360U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/sane-1.0.9-23360U90_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/luDM42jd0JmAcZARAqfJAJ9Ua/3VDbbbbASQFDe303KOMFdXyQCdGwz4
Fz1fwvgojBjRZSI4oODNbAE=
=smmb
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC