!42 [sync] PR-36: Fix CVE-2023-46047 and CVE-2023-46052

From: @openeuler-sync-bot 
Reviewed-by: @wu-leilei 
Signed-off-by: @wu-leilei

Add-check-for-ports-to-avoid-Segmentation-fault.patch

@@ -0,0 +1,37 @@
+From d7bd15792ea3d2613aa5a0b09d948dc2ef77dfcf Mon Sep 17 00:00:00 2001
+From: lingsheng <lingsheng@huawei.com>
+Date: Wed, 27 Jan 2021 15:00:32 +0800
+Subject: [PATCH] Add check for ports to avoid Segmentation fault
+
+---
+ tools/umax_pp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/umax_pp.c b/tools/umax_pp.c
+index 7b127e3..00ffea9 100644
+--- a/tools/umax_pp.c
++++ b/tools/umax_pp.c
+@@ -355,12 +355,15 @@ main (int argc, char **argv)
+       if (rc != 1)
+ 	{
+ 	  ports = sanei_parport_find_port ();
+-	  i = 0;
+-	  rc = 0;
+-	  while ((ports[i] != NULL) && (rc != 1))
++	  if (ports != NULL)
+ 	    {
+-	      rc = sanei_umax_pp_initPort (strtol (ports[i], NULL, 16), NULL);
+-	      i++;
++	      i = 0;
++	      rc = 0;
++	      while ((ports[i] != NULL) && (rc != 1))
++	        {
++	          rc = sanei_umax_pp_initPort (strtol (ports[i], NULL, 16), NULL);
++	          i++;
++	        }
+ 	    }
+ 	}
+       if (rc != 1)
+-- 
+2.23.0
+

CVE-2020-12862.patch

@@ -0,0 +1,75 @@
+From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001
+From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
+Date: Thu, 30 Apr 2020 21:15:45 +0900
+Subject: [PATCH] epsonds: Do not read beyond the end of the token
+
+Addresses GHSL-2020-082, re #279.
+---
+ backend/epsonds-cmd.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
+index 9a4db3080..7ca660f1f 100644
+--- a/backend/epsonds-cmd.c
++++ b/backend/epsonds-cmd.c
+@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
+ }
+ 
+ /* h000 */
+-static char *decode_binary(char *buf)
++static char *decode_binary(char *buf, int len)
+ {
+ 	char tmp[6];
+ 	int hl;
+ 
+ 	memcpy(tmp, buf, 4);
+ 	tmp[4] = '\0';
++	len -= 4;
+ 
+ 	if (buf[0] != 'h')
+ 		return NULL;
+ 
+ 	hl = strtol(tmp + 1, NULL, 16);
++	if (hl > len) hl = len;
+ 	if (hl) {
+ 
+ 		char *v = malloc(hl + 1);
+@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
+ 	return NULL;
+ }
+ 
+-static char *decode_string(char *buf)
++static char *decode_string(char *buf, int len)
+ {
+-	char *p, *s = decode_binary(buf);
++	char *p, *s = decode_binary(buf, len);
+ 	if (s == NULL)
+ 		return NULL;
+ 
+@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
+ 
+ 	if (strncmp("PRD", token, 3) == 0) {
+ 		free(s->hw->model);
+-		s->hw->model = decode_string(value);
++		s->hw->model = decode_string(value, len);
+ 		s->hw->sane.model = s->hw->model;
+ 		DBG(1, " product: %s\n", s->hw->model);
+ 		/* we will free the string later */
+ 	}
+ 
+ 	if (strncmp("VER", token, 3) == 0) {
+-		char *v = decode_string(value);
++		char *v = decode_string(value, len);
+ 		DBG(1, " version: %s\n", v);
+ 		free(v);
+ 	}
+ 
+ 	if (strncmp("S/N", token, 3) == 0) {
+-		char *v = decode_string(value);
++		char *v = decode_string(value, len);
+ 		DBG(1, "  serial: %s\n", v);
+ 		free(v);
+ 	}
+-- 
+GitLab
+

CVE-2020-12863.patch

@@ -0,0 +1,27 @@
+From db9480b09ea807e52029f2334769a55d4b95e45b Mon Sep 17 00:00:00 2001
+From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
+Date: Mon, 27 Apr 2020 18:24:56 +0900
+Subject: [PATCH] epsonds: Read only up to seven hexdigits to determine payload
+ size
+
+Addresses GHSL-2020-083, re #279.
+---
+ backend/epsonds-cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
+index 9a4db3080..23327bb18 100644
+--- a/backend/epsonds-cmd.c
++++ b/backend/epsonds-cmd.c
+@@ -117,7 +117,7 @@ esci2_check_header(const char *cmd, const char *buf, unsigned int *more)
+ 		return 0;
+ 	}
+ 
+-	err = sscanf(&buf[5], "%x#", more);
++	err = sscanf(&buf[5], "%7x#", more);
+ 	if (err != 1) {
+ 		DBG(1, "cannot decode length from header\n");
+ 		return 0;
+-- 
+GitLab
+

CVE-2020-12865.patch

@@ -0,0 +1,72 @@
+From b9b0173409df73e235da2aa0dae5edd21fb55967 Mon Sep 17 00:00:00 2001
+From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
+Date: Mon, 27 Apr 2020 18:48:29 +0900
+Subject: [PATCH] epsonds: Prevent possible buffer overflow when reading image
+ data
+
+Addresses GHSL-2020-084, re #279.
+---
+ backend/epsonds-cmd.c |  5 +++++
+ backend/epsonds.c     | 12 +++++++-----
+ backend/epsonds.h     |  1 +
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
+index 9a4db3080..c182aa51a 100644
+--- a/backend/epsonds-cmd.c
++++ b/backend/epsonds-cmd.c
+@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length)
+ 		return parse_status;
+ 	}
+ 
++	/* more data than was accounted for in s->buf */
++	if (more > s->bsz) {
++		return SANE_STATUS_IO_ERROR;
++	}
++
+ 	/* ALWAYS read image data */
+ 	if (s->hw->connection == SANE_EPSONDS_NET) {
+ 		epsonds_net_request_read(s, more);
+diff --git a/backend/epsonds.c b/backend/epsonds.c
+index ff5d68106..fb9694a88 100644
+--- a/backend/epsonds.c
++++ b/backend/epsonds.c
+@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle)
+ 	if (s->line_buffer == NULL)
+ 		return SANE_STATUS_NO_MEM;
+ 
+-	/* ring buffer for front page, twice bsz */
++	/* transfer buffer size, bsz */
+ 	/* XXX read value from scanner */
+-	status = eds_ring_init(&s->front, (65536 * 4) * 2);
++	s->bsz = (65536 * 4);
++
++	/* ring buffer for front page */
++	status = eds_ring_init(&s->front, s->bsz * 2);
+ 	if (status != SANE_STATUS_GOOD) {
+ 		return status;
+ 	}
+ 
+-	/* transfer buffer, bsz */
+-	/* XXX read value from scanner */
+-	s->buf = realloc(s->buf, 65536 * 4);
++	/* transfer buffer */
++	s->buf = realloc(s->buf, s->bsz);
+ 	if (s->buf == NULL)
+ 		return SANE_STATUS_NO_MEM;
+ 
+diff --git a/backend/epsonds.h b/backend/epsonds.h
+index 0427ef3b4..401b0f32c 100644
+--- a/backend/epsonds.h
++++ b/backend/epsonds.h
+@@ -160,6 +160,7 @@ struct epsonds_scanner
+ 	Option_Value val[NUM_OPTIONS];
+ 	SANE_Parameters params;
+ 
++	size_t bsz;		/* transfer buffer size */
+ 	SANE_Byte *buf, *line_buffer;
+ 	ring_buffer *current, front, back;
+ 
+-- 
+GitLab
+

CVE-2020-12867.patch

@@ -0,0 +1,249 @@
+From fff83e7eacd0f27bb2d71c42488e0fd735c15ac3 Mon Sep 17 00:00:00 2001
+From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
+Date: Thu, 30 Apr 2020 18:24:51 +0900
+Subject: [PATCH] epson2: Rewrite network I/O
+
+This addresses GHSL-2020-075 as well as all other problematic code
+uncovered as a result of investigating that.  This includes:
+
+- buffer overflows due to use of unchecked lengths
+- integer overflows due to type conversions
+- potential memory leaks
+- checking for memory allocation failures
+
+Re #279.
+---
+ backend/epson2_net.c | 140 +++++++++++++++++++++++++------------------
+ backend/epson2_net.h |   4 +-
+ 2 files changed, 85 insertions(+), 59 deletions(-)
+
+diff --git a/backend/epson2_net.c b/backend/epson2_net.c
+index 8d0fe9ea7..7f804eea8 100644
+--- a/backend/epson2_net.c
++++ b/backend/epson2_net.c
+@@ -32,11 +32,12 @@
+ 
+ #include "sane/sanei_debug.h"
+ 
+-static int
++static ssize_t
+ sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
+ 		       SANE_Status *status)
+ {
+-	int ready, read = -1;
++	int ready;
++	ssize_t read = -1;
+ 	fd_set readable;
+ 	struct timeval tv;
+ 
+@@ -62,111 +63,136 @@ sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
+ 	return read;
+ }
+ 
+-int
+-sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
++static ssize_t
++sanei_epson_net_read_buf(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
+ 		       SANE_Status * status)
+ {
+-	ssize_t size;
+ 	ssize_t read = 0;
+-	unsigned char header[12];
+ 
+-	/* read from buffer, if available */
+-	if (s->netptr != s->netbuf) {
+-		DBG(23, "reading %lu from buffer at %p, %lu available\n",
+-			(u_long) wanted, s->netptr, (u_long) s->netlen);
++	DBG(23, "%s: reading up to %lu from buffer at %p, %lu available\n",
++		__func__, (u_long) wanted, s->netptr, (u_long) s->netlen);
+ 
+-		memcpy(buf, s->netptr, wanted);
+-		read = wanted;
++	if ((size_t) wanted > s->netlen) {
++		*status = SANE_STATUS_IO_ERROR;
++		wanted = s->netlen;
++	}
+ 
+-		s->netlen -= wanted;
++	memcpy(buf, s->netptr, wanted);
++	read = wanted;
+ 
+-		if (s->netlen == 0) {
+-			DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
+-			free(s->netbuf);
+-			s->netbuf = s->netptr = NULL;
+-			s->netlen = 0;
+-		}
++	s->netptr += read;
++	s->netlen -= read;
++
++	if (s->netlen == 0) {
++		DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
++		free(s->netbuf);
++		s->netbuf = s->netptr = NULL;
++		s->netlen = 0;
++	}
++
++	return read;
++}
++
++ssize_t
++sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
++		       SANE_Status * status)
++{
++	if (wanted < 0) {
++		*status = SANE_STATUS_INVAL;
++		return 0;
++	}
++
++	size_t size;
++	ssize_t read = 0;
++	unsigned char header[12];
+ 
+-		return read;
++	/* read from remainder of buffer */
++	if (s->netptr) {
++		return sanei_epson_net_read_buf(s, buf, wanted, status);
+ 	}
+ 
+ 	/* receive net header */
+-	size = sanei_epson_net_read_raw(s, header, 12, status);
+-	if (size != 12) {
++	read = sanei_epson_net_read_raw(s, header, 12, status);
++	if (read != 12) {
+ 		return 0;
+ 	}
+ 
++	/* validate header */
+ 	if (header[0] != 'I' || header[1] != 'S') {
+ 		DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
+ 		*status = SANE_STATUS_IO_ERROR;
+ 		return 0;
+ 	}
+ 
++	/* parse payload size */
+ 	size = be32atoh(&header[6]);
+ 
+-	DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
+-		(u_long) wanted, (u_long) size);
+-
+ 	*status = SANE_STATUS_GOOD;
+ 
+-	if (size == wanted) {
+-
+-		DBG(15, "%s: full read\n", __func__);
+-
+-		read = sanei_epson_net_read_raw(s, buf, size, status);
++	if (!s->netbuf) {
++		DBG(15, "%s: direct read\n", __func__);
++		DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
++			(u_long) wanted, (u_long) size);
+ 
+-		if (s->netbuf) {
+-			free(s->netbuf);
+-			s->netbuf = NULL;
+-			s->netlen = 0;
++		if ((size_t) wanted > size) {
++			wanted = size;
+ 		}
+ 
+-		if (read < 0) {
+-			return 0;
+-		}
+-
+-/*	} else if (wanted < size && s->netlen == size) { */
++		read = sanei_epson_net_read_raw(s, buf, wanted, status);
+ 	} else {
+-		DBG(23, "%s: partial read\n", __func__);
++		DBG(15, "%s: buffered read\n", __func__);
++		DBG(23, "%s: bufferable = %lu, available = %lu\n", __func__,
++			(u_long) s->netlen, (u_long) size);
+ 
+-		read = sanei_epson_net_read_raw(s, s->netbuf, size, status);
+-		if (read != size) {
+-			return 0;
++		if (s->netlen > size) {
++			s->netlen = size;
+ 		}
+ 
+-		s->netlen = size - wanted;
+-		s->netptr += wanted;
+-		read = wanted;
+-
+-		DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);
+-		DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
+-			(u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
++		/* fill buffer */
++		read = sanei_epson_net_read_raw(s, s->netbuf, s->netlen, status);
++		s->netptr = s->netbuf;
++		s->netlen = (read > 0 ? read : 0);
+ 
+-		memcpy(buf, s->netbuf, wanted);
++		/* copy wanted part */
++		read = sanei_epson_net_read_buf(s, buf, wanted, status);
+ 	}
+ 
+ 	return read;
+ }
+ 
+-
+-int
++size_t
+ sanei_epson_net_write(Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
+ 			size_t buf_size, size_t reply_len, SANE_Status *status)
+ {
+ 	unsigned char *h1, *h2, *payload;
+ 	unsigned char *packet = malloc(12 + 8 + buf_size);
+ 
+-	/* XXX check allocation failure */
++	if (!packet) {
++		*status = SANE_STATUS_NO_MEM;
++		return 0;
++	}
+ 
+ 	h1 = packet;
+ 	h2 = packet + 12;
+ 	payload = packet + 12 + 8;
+ 
+ 	if (reply_len) {
+-		s->netbuf = s->netptr = malloc(reply_len);
++		if (s->netbuf) {
++			DBG(23, "%s, freeing %p, %ld bytes unprocessed\n",
++				__func__, s->netbuf, (u_long) s->netlen);
++			free(s->netbuf);
++			s->netbuf = s->netptr = NULL;
++			s->netlen = 0;
++		}
++		s->netbuf = malloc(reply_len);
++		if (!s->netbuf) {
++			free(packet);
++			*status = SANE_STATUS_NO_MEM;
++			return 0;
++		}
+ 		s->netlen = reply_len;
+-		DBG(24, "allocated %lu bytes at %p\n",
+-			(u_long) reply_len, s->netbuf);
++		DBG(24, "%s: allocated %lu bytes at %p\n", __func__,
++			(u_long) s->netlen, s->netbuf);
+ 	}
+ 
+ 	DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n",
+diff --git a/backend/epson2_net.h b/backend/epson2_net.h
+index 6aef2b725..7db671bf1 100644
+--- a/backend/epson2_net.h
++++ b/backend/epson2_net.h
+@@ -4,9 +4,9 @@
+ #include <sys/types.h>
+ #include "../include/sane/sane.h"
+ 
+-extern int sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
++extern ssize_t sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
+ 				SANE_Status *status);
+-extern int sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
++extern size_t sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
+ 				size_t buf_size, size_t reply_len,
+ 				SANE_Status *status);
+ extern SANE_Status sanei_epson_net_lock(struct Epson_Scanner *s);
+-- 
+GitLab
+

CVE-2023-46047.patch

@@ -0,0 +1,30 @@
+From a617461c630da22f4bcc22c687f5a299b5630e2d Mon Sep 17 00:00:00 2001
+From: Ralph Little <skelband@gmail.com>
+Date: Mon, 2 Oct 2023 16:40:27 -0700
+Subject: [PATCH] sanei_config: malformed line can return NULL for token. We
+ should check.
+
+---
+ sanei/sanei_config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sanei/sanei_config.c b/sanei/sanei_config.c
+index 07c85c964..45f380337 100644
+--- a/sanei/sanei_config.c
++++ b/sanei/sanei_config.c
+@@ -295,6 +295,12 @@ sanei_configure_attach (const char *config_file, SANEI_Config * config,
+        * So we parse the line 2 time to find an option */
+       /* check if it is an option */
+       lp = sanei_config_get_string (lp, &token);
++      if (NULL == token)
++        {
++          // Invalid format?
++          continue;
++        }
++
+       if (strncmp (token, "option", 6) == 0)
+ 	{
+ 	  /* skip the "option" token */
+-- 
+GitLab
+

CVE-2023-46052.patch

@@ -0,0 +1,126 @@
+From 6fc47c4c1472ea244561b18d5d6e3e8eefb1cde7 Mon Sep 17 00:00:00 2001
+From: Ralph Little <skelband@gmail.com>
+Date: Mon, 2 Oct 2023 16:23:07 -0700
+Subject: [PATCH] test: added validation checks for config string option
+ saelections.
+
+This will avoid a reported buffer overflow issue related to invalid (long) options being specified.
+---
+ backend/test.c | 63 ++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 51 insertions(+), 12 deletions(-)
+
+diff --git a/backend/test.c b/backend/test.c
+index ea7329073..4663a16e4 100644
+--- a/backend/test.c
++++ b/backend/test.c
+@@ -1432,6 +1432,43 @@ read_option (SANE_String line, SANE_String option_string,
+   return SANE_STATUS_GOOD;
+ }
+ 
++
++static SANE_Status
++read_option_str_list (SANE_String line, SANE_String option_string,
++                      parameter_type p_type, void *value,
++                      SANE_String_Const *string_list)
++{
++  SANE_String new_value = NULL;
++
++  SANE_Status ret = read_option (line, option_string, p_type, &new_value);
++  if (ret != SANE_STATUS_GOOD)
++    {
++      if (new_value)
++        {
++          free(new_value);
++        }
++      return ret;
++    }
++
++  for (SANE_String_Const *option = string_list; *option; option++)
++    {
++      if (strcmp (*option, new_value) == 0)
++        {
++
++          if (*(SANE_String*) value)
++            {
++              free (*(SANE_String*) value);
++            }
++          *(SANE_String*) value = new_value;
++
++          return SANE_STATUS_GOOD;
++        }
++    }
++
++  return SANE_STATUS_INVAL;
++}
++
++
+ static SANE_Status
+ reader_process (Test_Device * test_device, SANE_Int fd)
+ {
+@@ -1636,7 +1673,6 @@ print_options (Test_Device * test_device)
+ 
+ /***************************** SANE API ****************************/
+ 
+-
+ SANE_Status
+ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_unused__ authorize)
+ {
+@@ -1736,20 +1772,23 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 
+ 	  DBG (5, "sane_init: config file line %3d: `%s'\n",
+ 	       linenumber, line);
++
+ 	  if (read_option (line, "number_of_devices", param_int,
+ 			   &init_number_of_devices) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "mode", param_string,
+-			   &init_mode) == SANE_STATUS_GOOD)
+-	    continue;
++
++          if (read_option_str_list (line, "mode", param_string,
++                                    &init_mode, mode_list) == SANE_STATUS_GOOD)
++              continue;
++
+ 	  if (read_option (line, "hand-scanner", param_bool,
+ 			   &init_hand_scanner) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "three-pass", param_bool,
+ 			   &init_three_pass) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "three-pass-order", param_string,
+-			   &init_three_pass_order) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "three-pass-order", param_string,
++	                            &init_three_pass_order, order_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "resolution_min", param_fixed,
+ 			   &resolution_range.min) == SANE_STATUS_GOOD)
+@@ -1766,11 +1805,11 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 	  if (read_option (line, "depth", param_int,
+ 			   &init_depth) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "scan-source", param_string,
+-			   &init_scan_source) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "scan-source", param_string,
++	                            &init_scan_source, source_list) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "test-picture", param_string,
+-			   &init_test_picture) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "test-picture", param_string,
++	                               &init_test_picture, test_picture_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "invert-endianess", param_bool,
+ 			   &init_invert_endianess) == SANE_STATUS_GOOD)
+@@ -1787,8 +1826,8 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ 	  if (read_option (line, "read-delay-duration", param_int,
+ 			   &init_read_delay_duration) == SANE_STATUS_GOOD)
+ 	    continue;
+-	  if (read_option (line, "read-status-code", param_string,
+-			   &init_read_status_code) == SANE_STATUS_GOOD)
++	  if (read_option_str_list (line, "read-status-code", param_string,
++	                            &init_read_status_code, read_status_code_list) == SANE_STATUS_GOOD)
+ 	    continue;
+ 	  if (read_option (line, "ppl-loss", param_int,
+ 			   &init_ppl_loss) == SANE_STATUS_GOOD)
+-- 
+GitLab
+

sane-backends.spec

@@ -3,9 +3,9 @@
 
 Name:              sane-backends
 Version:           1.0.28
-Release:           7
+Release:           12
 Summary:           Scanner access software
-License:           GPLv2+ and GPLv2+ with exceptions and Public Domain and IJG and LGPLv2+ and MIT
+License:           GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT
 URL:               http://www.sane-project.org
 Source0:           https://gitlab.com/sane-project/backends/uploads/9e718daff347826f4cfe21126c8d5091/%{name}-%{version}.tar.gz
 Source1:           saned.socket
@@ -22,6 +22,15 @@ Patch0000:         0001-genesys-Make-sure-calib_reg-are-available-before-wri.pat
 Patch0001:         sane-xerox-mfp-blacklist-C460-for-JPEG.patch
 Patch0002:         sane-genesys-vector-glibcxxassert.patch
 Patch0003:         CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch
+Patch0004:         CVE-2020-12867.patch
+Patch0005:         Add-check-for-ports-to-avoid-Segmentation-fault.patch
+Patch0006:         CVE-2020-12862.patch
+Patch0007:         CVE-2020-12865.patch
+Patch0008:	   CVE-2020-12863.patch
+# https://gitlab.com/sane-project/backends/-/commit/fd7b83c8f7b4da4a9e1fb715d070aa2fd96832ff
+Patch0009:         CVE-2023-46047.patch
+# https://gitlab.com/sane-project/backends/-/commit/a92ffb3d978329c29513b0acb98ae7987ec1bed7
+Patch0010:         CVE-2023-46052.patch
 
 %description
 SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@@ -204,6 +213,21 @@ exit 0
 %{_unitdir}/*
 
 %changelog
+* Fri May 10 2024 yaoxin <yao_xin001@hoperun.com> - 1.0.28-12
+- Fix CVE-2023-46047 and CVE-2023-46052
+
+* Sat Oct 09 2021 houyingchao <houyingchao@huawei.com> - 1.0.28-11
+- Fix CVE-2020-12863
+
+* Fri Feb 05 2021 wangyue <wangyue92@huawei.com> - 1.0.28-10
+- Fix CVE-2020-12862 CVE-2020-12865
+
+* Wed Jan 27 2021 lingsheng <lingsheng@huawei.com> - 1.0.28-9
+- Add check for ports to avoid Segmentation fault
+
+* Mon Jan 18 2021 zhanghua <zhanghua40@huawei.com> - 1.0.28-8
+- fix CVE-2020-12867
+
 * Wed Dec 16 2020 zhanghua <zhanghua40@huawei.com> - 1.0.28-7
 - fix CVE-2020-12861, CVE-2020-12866, CVE-2020-12864