diff --git a/cups-2.4.11-source.tar.gz b/cups-2.4.11-source.tar.gz
new file mode 100644
index 0000000..db9511a
--- /dev/null
+++ b/cups-2.4.11-source.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a88fe1da3a29a917c3fc67ce6eb3178399d68e1a548c6d86c70d9b13651fd71
+size 8147763
diff --git a/cups-2.4.11-source.tar.gz.sig b/cups-2.4.11-source.tar.gz.sig
new file mode 100644
index 0000000..02d3cf2
Binary files /dev/null and b/cups-2.4.11-source.tar.gz.sig differ
diff --git a/cups-2.4.2-CVE-2023-32324.patch b/cups-2.4.2-CVE-2023-32324.patch
deleted file mode 100644
index 81160a5..0000000
--- a/cups-2.4.2-CVE-2023-32324.patch
+++ /dev/null
@@ -1,12 +0,0 @@ ---- cups/string.c.orig 2022-05-26 08:17:21.000000000 +0200 -+++ cups/string.c 2023-06-01 13:26:33.175494819 +0200 -@@ -730,6 +730,9 @@ _cups_strlcpy(char *dst, /* O - D - size_t srclen; /* Length of source string */ - - -+ if (size == 0) -+ return (0); -+ - /* - * Figure out how much room is needed... - */
diff --git a/cups-2.4.2-CVE-2023-32360.patch b/cups-2.4.2-CVE-2023-32360.patch
deleted file mode 100644
index 4a86ce0..0000000
--- a/cups-2.4.2-CVE-2023-32360.patch
+++ /dev/null
@@ -1,18 +0,0 @@ ---- conf/cupsd.conf.in.orig 2022-05-26 08:17:21.000000000 +0200 -+++ conf/cupsd.conf.in 2023-09-20 13:39:53.316719260 +0200 -@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@ - Order deny,allow - - -- -+ -+ Require user @OWNER @SYSTEM -+ Order deny,allow -+ -+ -+ # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents: -+ -+ AuthType Default - Require user @OWNER @SYSTEM - Order deny,allow -
diff --git a/cups-2.4.2-CVE-2023-34241.patch b/cups-2.4.2-CVE-2023-34241.patch
deleted file mode 100644
index 8cea29b..0000000
--- a/cups-2.4.2-CVE-2023-34241.patch
+++ /dev/null
@@ -1,46 +0,0 @@ ---- scheduler/client.c.orig 2022-05-26 08:17:21.000000000 +0200 -+++ scheduler/client.c 2023-06-22 12:47:25.329404393 +0200 -@@ -193,13 +193,10 @@ cupsdAcceptClient(cupsd_listener_t *lis) - /* - * Can't have an unresolved IP address with double-lookups enabled... - */ -- -- httpClose(con->http); -- - cupsdLogClient(con, CUPSD_LOG_WARN, -- "Name lookup failed - connection from %s closed!", -+ "Name lookup failed - closing connection from %s!", - httpGetHostname(con->http, NULL, 0)); -- -+ httpClose(con->http); - free(con); - return; - } -@@ -234,12 +231,10 @@ cupsdAcceptClient(cupsd_listener_t *lis) - * Can't have a hostname that doesn't resolve to the same IP address - * with double-lookups enabled... - */ -- -- httpClose(con->http); -- - cupsdLogClient(con, CUPSD_LOG_WARN, -- "IP lookup failed - connection from %s closed!", -+ "IP lookup failed - closing connection from %s!", - httpGetHostname(con->http, NULL, 0)); -+ httpClose(con->http); - free(con); - return; - } -@@ -256,11 +251,10 @@ cupsdAcceptClient(cupsd_listener_t *lis) - - if (!hosts_access(&wrap_req)) - { -- httpClose(con->http); -- - cupsdLogClient(con, CUPSD_LOG_WARN, - "Connection from %s refused by /etc/hosts.allow and " - "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); -+ httpClose(con->http); - free(con); - return; - } diff --git a/cups-2.4.2-CVE-2023-4504.patch b/cups-2.4.2-CVE-2023-4504.patch deleted file mode 100644 index 70325f5..0000000 --- a/cups-2.4.2-CVE-2023-4504.patch +++ /dev/null @@ -1,21 +0,0 @@ ---- cups/raster-interpret.c.orig 2022-05-26 08:17:21.000000000 +0200 -+++ cups/raster-interpret.c 2023-09-20 14:56:44.666363324 +0200 -@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st, /* I - S - - cur ++; - -+ /* -+ * Return NULL if we reached NULL terminator, a lone backslash -+ * is not a valid character in PostScript. -+ */ -+ -+ if (!*cur) -+ { -+ *ptr = NULL; -+ -+ return (NULL); -+ } -+ - if (*cur == 'b') - *valptr++ = '\b'; - else if (*cur == 'f') 
diff --git a/cups-2.4.2-source.tar.gz b/cups-2.4.2-source.tar.gz
deleted file mode 100644
index a635d2f..0000000
--- a/cups-2.4.2-source.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f03ccb40b087d1e30940a40e0141dcbba263f39974c20eb9f2521066c9c6c908
-size 8128785
diff --git a/cups-2.4.2-source.tar.gz.sig b/cups-2.4.2-source.tar.gz.sig
deleted file mode 100644
index ce94fae..0000000
Binary files a/cups-2.4.2-source.tar.gz.sig and /dev/null differ
diff --git a/cups.changes b/cups.changes
index c22d66e..fad1817 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,305 @@
+-------------------------------------------------------------------
+Wed Oct 16 14:58:07 UTC 2024 - Dominique Leuenberger
+
+- Drop rcFOO symlinks for CODE16 (PED-266).
+
+-------------------------------------------------------------------
+Mon Sep 30 12:41:11 UTC 2024 - Johannes Meixner
+
+- Version upgrade to 2.4.11:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.11 brings several bug fixes regarding IPP response
+ validation, processing PPD values, Web UI support
+ (checkbox support, modifying printers) and others fixes.
+ Detailed list (from CHANGES.md):
+ * Updated the maximum file descriptor limit
+ for `cupsd` to 64k-1 (Issue #989)
+ * Fixed `lpoptions -d` with a discovered
+ but not added printer (Issue #833)
+ * Fixed incorrect error message for HTTP/IPP errors (Issue #893)
+ * Fixed JobPrivateAccess and SubscriptionPrivateAccess support
+ for "all" (Issue #990)
+ * Fixed issues with cupsGetDestMediaByXxx (Issue #993)
+ * Fixed adding and modifying of printers
+ via the web interface (Issue #998)
+ * Fixed HTTP PeerCred authentication
+ for domain users (Issue #1001)
+ * Fixed checkbox support (Issue #1008)
+ * Fixed printer state notifications (Issue #1013)
+ * Fixed IPP Everywhere printer setup (Issue #1033)
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+ In particular CUPS 2.4.11 contains those commit regarding
+ IPP response validation and processing PPD values:
+ * "Quote PPD localized strings"
+ https://github.com/OpenPrinting/cups/commit/1e6ca5913eceee906038bc04cc7ccfbe2923bdfd
+ plus a cleanup to "Fix warnings for unused vars"
+ https://github.com/OpenPrinting/cups/commit/2abe1ba8a66864aa82cd9836b37e57103b8e1a3b
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.11
+- avoid_C99_mode_for_loop_initial_declarations.patch
+ is no longer needed because the issue is fixed upstream.
+
+-------------------------------------------------------------------
+Mon Jul 8 13:50:50 UTC 2024 - Johannes Meixner
+
+- Replaced avoid_C99_mode_for_loop_initial_declarations.patch
+ which is now the upstream fix
+ https://github.com/OpenPrinting/cups/commit/a2b8872ea95564e065e3a08e2aa12a15515bc993
+ see https://github.com/OpenPrinting/cups/issues/1000
+ and https://github.com/OpenPrinting/cups/pull/1004
+
+-------------------------------------------------------------------
+Tue Jul 2 11:45:58 UTC 2024 - Johannes Meixner
+
+- Version upgrade to 2.4.10:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.10 brings two fixes:
+ * Fixed error handling when reading a mixed 1setOf attribute.
+ * Fixed scheduler start if there is only domain socket
+ to listen on (Issue #985) which is fix for regression
+ after fix for CVE-2024-35235 in scenarios where is
+ no other listeners in cupsd.conf than domain socket
+ created on demand by systemd, launchd or upstart.
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+- Version upgrade to 2.4.9:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.9 brings security fix for CVE-2024-35235 and
+ several bug fixes regarding CUPS Web User Interface,
+ PPD generation and HTTP protocol implementation.
+ Detailed list (from CHANGES.md):
+ * Fixed domain socket handling (CVE-2024-35235)
+ * Fixed creating of `cupsUrfSupported` PPD keyword
+ (Issue #952)
+ * Fixed searching for destinations in web ui (Issue #954)
+ * Fixed TLS negotiation using OpenSSL with servers
+ that require the TLS SNI extension.
+ * Really raised `cups_enum_dests()` timeout for listing
+ available IPP printers (Issue #751)...
+ * Fixed `Host` header regression (Issue #967)
+ * Fixed DNS-SD lookups of local services with Avahi
+ (Issue #970)
+ * Fixed listing jobs in destinations in web ui.
+ (Apple issue #6204)
+ * Fixed showing search query in web ui help page.
+ (Issue #977)
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+ Apple issues are those at https://github.com/apple/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
+- Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
+ see the above CUPS 2.4.9 changes
+- avoid_C99_mode_for_loop_initial_declarations.patch avoids error
+ "'for' loop initial declarations are only allowed in C99 mode"
+ that happens when building for SLE12
+ in scheduler/client.c at "for (char *start = ..." since
+ https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
+ see https://github.com/OpenPrinting/cups/issues/1000
+
+-------------------------------------------------------------------
+Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner
+
+- cups-2.4.8-CVE-2024-35235.patch is derived
+ from the upstream patch against master (CUPS 2.5)
+ to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
+ "cupsd Listen port arbitrary chmod 0140777"
+ https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+ bsc#1225365
+
+-------------------------------------------------------------------
+Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger
+
+- Update to version 2.4.8:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.8 brings many bug fixes which aggregated over the last
+ half a year. It brings the important fix for race conditions
+ and errors which can happen when installing permanent
+ IPP Everywhere printer, support for PAM modules password-auth
+ and system-auth and new option for lpstat which can show only
+ the successful jobs.
+ Detailed list (from CHANGES.md):
+ * Added warning if the device has to be asked for
+ 'all,media-col-database' separately (Issue #829)
+ * Added new value for 'lpstat' option '-W' - successfull - for
+ getting successfully printed jobs (Issue #830)
+ * Added support for PAM modules password-auth
+ and system-auth (Issue #892)
+ * Updated IPP Everywhere printer creation error
+ reporting (Issue #347)
+ * Updated and documented the MIME typing buffering
+ limit (Issue #925)
+ * Raised 'cups_enum_dests()' timeout for listing
+ available IPP printers (Issue #751)
+ * Now report an error for temporary printer defaults
+ with lpadmin (Issue #237)
+ * Fixed mapping of PPD InputSlot, MediaType,
+ and OutputBin values (Issue #238)
+ * Fixed "document-unprintable-error" handling (Issue #391)
+ * Fixed the web interface not showing an error
+ for a non-existent printer (Issue #423)
+ * Fixed printing of jobs with job name longer than 255 chars
+ on older printers (Issue #644)
+ * Really backported fix for Issue #742
+ * Fixed 'cupsCopyDestInfo' device connection
+ detection (Issue #586)
+ * Fixed "Upgrade" header handling when there is
+ no TLS support (Issue #775)
+ * Fixed memory leak when unloading a job (Issue #813)
+ * Fixed memory leak when creating color profiles (Issue #815)
+ * Fixed a punch finishing bug in the IPP Everywhere
+ support (Issue #821)
+ * Fixed crash in 'scan_ps()' if incoming argument
+ is NULL (Issue #831)
+ * Fixed setting job state reasons for successful
+ jobs (Issue #832)
+ * Fixed infinite loop in IPP backend if hostname
+ is IP address with Kerberos (Issue #838)
+ * Added additional check on socket if 'revents' from 'poll()'
+ returns POLLHUP together with POLLIN or POLLOUT
+ in 'httpAddrConnect2()' (Issue #839)
+ * Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850)
+ * Fixed reporting 'media-source-supported' when
+ sharing printer which has numbers as strings instead of
+ keywords as 'InputSlot' values (Issue #859)
+ * Fixed
IPP backend to support the "print-scaling" option
+ with IPP printers (Issue #862)
+ * Fixed potential race condition for the creation
+ of temporary queues (Issue #871)
+ * Fixed 'httpGets' timeout handling (Issue #879)
+ * Fixed checking for required attributes during
+ PPD generation (Issue #890)
+ * Fixed encoding of IPv6 addresses in HTTP requests (Issue #903)
+ * Fixed sending response headers to client (Issue #927)
+ * Fixed CGI program initialization and validation
+ of form checkbox and text fields.
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.8
+
+-------------------------------------------------------------------
+Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Fri Feb 2 13:45:06 UTC 2024 - Johannes Meixner
+
+- Removed outdated ntadmin stuff from cups.spec (boo#1219503)
+
+-------------------------------------------------------------------
+Wed Jan 24 07:47:38 UTC 2024 - Johannes Meixner
+
+- Version upgrade to 2.4.7:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.7 is released to ship the fix for CVE-2023-4504
+ and several other changes, among them it is
+ adding OpenSSL support for cupsHashData function and bug fixes.
+ Detailed list:
+ * CVE-2023-4504 - Fixed Heap-based buffer overflow when
+ reading Postscript in PPD files
+ * Added OpenSSL support for cupsHashData (Issue #762)
+ * Fixed delays in lpd backend (Issue #741)
+ * Fixed extensive logging in scheduler (Issue #604)
+ * Fixed hanging of lpstat on IBM AIX (Issue #773)
+ * Fixed hanging of lpstat on Solaris (Issue #156)
+ * Fixed printing to stderr if we can't open cups-files.conf
+ (Issue #777)
+ * Fixed purging job files via cancel -x (Issue #742)
+ * Fixed RFC 1179 port reserving behavior in LPD backend
+ (Issue #743)
+ * Fixed a bug in the PPD command interpretation code
+ (Issue #768)
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+- Version upgrade to 2.4.6:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.6 is released to ship the fix for CVE-2023-34241
+ and two other bug fixes.
+ Detailed list:
+ * Fix linking error on old MacOS (Issue #715)
+ * Fix printing multiple files on specific printers (Issue #643)
+ * Fix use-after-free when logging warnings in case of failures
+ in cupsdAcceptClient() (fixes CVE-2023-34241)
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+- Version upgrade to 2.4.5:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.5 is a hotfix release for a bug which corrupted
+ locally saved certificates, which broke secured printing
+ via TLS after the first print job.
+- Version upgrade to 2.4.4:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.4 release is created as a hotfix for segfault
+ in cupsGetNamedDest(), when caller tries to find
+ the default destination and the default destination
+ is not set on the machine.
+- Version upgrade to 2.4.3:
+ See https://github.com/openprinting/cups/releases
+ CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements
+ and many bug fixes.
CUPS now implements fallback for printers
+ with broken firmware, which is not capable of answering
+ to IPP request get-printer-attributes with all,
+ media-col-database - this enables driverless support for
+ bunch of printers which don't follow IPP Everywhere standard.
+ Aside from the CVE fix the most important fixes are around color
+ settings, printer application support fixes and OpenSSL support.
+ Detailed list of changes:
+ * Added a title with device uri for found network printers
+ (Issues #402, #393)
+ * Added new media sizes defined by IANA (Issues #501)
+ * Added quirk for GoDEX label printers (Issue #440)
+ * Fixed --enable-libtool-unsupported (Issue #394)
+ * Fixed configuration on RISC-V machines (Issue #404)
+ * Fixed the device_uri invalid pointer for driverless printers
+ with .local hostname (Issue #419)
+ * Fixed an OpenSSL crash bug (Issue #409)
+ * Fixed a potential SNMP OID value overflow issue (Issue #431)
+ * Fixed an OpenSSL certificate loading issue (Issue #465)
+ * Fixed Brazilian Portuguese translations (Issue #288)
+ * Fixed cupsd default keychain location when building
+ with OpenSSL (Issue #529)
+ * Fixed default color settings for CMYK printers as well
+ (Issue #500)
+ * Fixed duplicate PPD2IPP media-type names (Issue #688)
+ * Fixed possible heap buffer overflow in _cups_strlcpy()
+ (fixes CVE-2023-32324)
+ * Fixed InputSlot heuristic for photo sizes smaller than 5x7"
+ if there is no media-source in the request (Issue #569)
+ * Fixed invalid memory access during generating IPP Everywhere
+ queue (Issue #466)
+ * Fixed lprm if no destination is provided (Issue #457)
+ * Fixed memory leaks in create_local_bg_thread() (Issue #466)
+ * Fixed media size tolerance in ippeveprinter (Issue #487)
+ * Fixed passing command name without path into ippeveprinter
+ (Issue #629)
+ * Fixed saving strings file path in printers.conf (Issue #710)
+ * Fixed TLS certificate generation bugs (Issue #652)
+ * ippDeleteValues would not delete the last
value (Issue #556)
+ * Ignore some of IPP defaults if the application sends
+ its PPD alternative (Issue #484)
+ * Make Letter the default size in ippevepcl (Issue #543)
+ * Now accessing Admin page in Web UI requires authentication
+ (Issue #518)
+ * Now look for default printer on network if needed (Issue #452)
+ * Now we poll media-col-database separately if we fail at first
+ (Issue #599)
+ * Now report fax attributes and values as needed (Issue #459)
+ * Now localize HTTP responses using the Content-Language value
+ (Issue #426)
+ * Raised file size limit for importing PPD via Web UI
+ (Issue #433)
+ * Raised maximum listen backlog size to INT MAX (Issue #626)
+ * Update print-color-mode if the printer is modified
+ via ColorModel PPD option (Issue #451)
+ * Use localhost when printing via printer application
+ (Issue #353)
+ * Write defaults into /etc/cups/lpoptions if we're root
+ (Issue #456)
+ Issues are those at https://github.com/OpenPrinting/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.7
+- Removed cups-2.4.2-CVE-2023-4504.patch : fixed upstream
+ see the above CUPS 2.4.7 changes
+- Removed cups-2.4.2-CVE-2023-32360.patch : fixed upstream via
+ https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
+- Removed cups-2.4.2-CVE-2023-34241.patch : fixed upstream
+ see the above CUPS 2.4.6 changes
+- Removed cups-2.4.2-CVE-2023-32324.patch : fixed upstream
+ see the above CUPS 2.4.3 changes
+
 -------------------------------------------------------------------
 Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner
diff --git a/cups.spec b/cups.spec
index e66a203..b80ab70 100644
--- a/cups.spec
+++ b/cups.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package cups
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,18 +40,18 @@ Name: cups
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
 # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version: 2.4.2
+Version: 2.4.11
 Release: 0
 Summary: The Common UNIX Printing System
 License: Apache-2.0
 Group: Hardware/Printing
 URL: https://openprinting.github.io/cups
 # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
-Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.11-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz
+Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz
 # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
-Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
+# wget --no-check-certificate -O cups-2.4.11-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz.sig
+Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz.sig
 # To make Source2 use e.g.
 # gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
 # gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
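Review bot: The two `wget` recipes refreshed in this hunk still pass `--no-check-certificate`, so anyone following them fetches both the tarball and its `.sig` from github.com with TLS certificate verification switched off. The detached signature checked against cups.keyring is what authenticates the source, but that `gpg --verify` is a separate manual step documented in the next hunk, and a packager who skips it is left with no integrity check at all. I would drop the flag from both comment lines, e.g. `# wget -O cups-2.4.11-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz`, and likewise for the `.sig` line.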
@@ -61,7 +61,7 @@ Source2: cups.keyring
 # To manually verify Source0 with Source1 and Source2 do e.g.
 # gpg --import cups.keyring
 # gpg --list-keys | grep -1 'Zdenek Dohnal'
-# gpg --verify cups-2.4.2-source.tar.gz.sig cups-2.4.2-source.tar.gz
+# gpg --verify cups-2.4.11-source.tar.gz.sig cups-2.4.11-source.tar.gz
 Source102: Postscript.ppd.gz
 Source105: Postscript-level1.ppd.gz
 Source106: Postscript-level2.ppd.gz
@@ -97,31 +97,12 @@ Patch104: cups-config-libs.patch
 # see https://bugzilla.suse.com/show_bug.cgi?id=1195288
 Patch107: harden_cups.service.patch
 # Patch108 downgrade-autoconf-requirement.patch
-# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
+# downgrades the autoconf requirement in configure.ac from autoconf 2.71 to autoconf 2.69
+# that is available in Tumbleweed as of this writing (March 2022)
 Patch108: downgrade-autoconf-requirement.patch
-# Patch109 cups-2.4.2-CVE-2023-32324.patch
-# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
-# https://bugzilla.suse.com/show_bug.cgi?id=1211643
-Patch109: cups-2.4.2-CVE-2023-32324.patch
-# Patch110 cups-2.4.2-CVE-2023-34241.patch
-# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
-# https://bugzilla.suse.com/show_bug.cgi?id=1212230
-Patch110: cups-2.4.2-CVE-2023-34241.patch
-# Patch111 cups-2.4.2-CVE-2023-32360.patch
-# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
-# https://bugzilla.suse.com/show_bug.cgi?id=1214254
-Patch111: cups-2.4.2-CVE-2023-32360.patch
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 Patch112: cups-2.4.2-additional_policies.patch
-# Patch113 cups-2.4.2-CVE-2023-4504.patch
-# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
-# https://bugzilla.suse.com/show_bug.cgi?id=1215204
-Patch113: cups-2.4.2-CVE-2023-4504.patch
 # Build Requirements:
 BuildRequires: dbus-1-devel
 BuildRequires: fdupes
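Review bot: Patch112 is kept as is, still named for 2.4.2, while the four CVE patches around it are dropped, and the changelog records only downgrade-autoconf-requirement.patch as adapted for 2.4.11. Its comment says it adds the `allowallforanybody` policy to cupsd.conf, and the dropped Patch111 edited conf/cupsd.conf.in to put CUPS-Get-Document behind `AuthType Default`; whether Patch112 still applies without fuzz to the 2.4.11 file, and how that added policy treats CUPS-Get-Document, cannot be seen from this diff and is worth confirming. If it was re-checked, record that in the comment, for example `# re-checked against conf/cupsd.conf.in of CUPS 2.4.11`. The new Patch108 comment also dates itself "(March 2022)" although the patch is refreshed in this commit, and its copy in the later %prep hunk keeps the old wording.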
@@ -318,57 +299,37 @@ printer drivers for CUPS.
 # Patch0...Patch9 is for patches from upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
-%patch10 -b choose-uri-template.orig
+%patch -P 10 -b choose-uri-template.orig
 # Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
 # web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
 # because the files of the CUPS web content are no documentation, see CUPS STR #3578
 # and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
-%patch11 -b default-webcontent-path.orig
+%patch -P 11 -b default-webcontent-path.orig
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
-%patch100 -b cups-pam.orig
+%patch -P 100 -b cups-pam.orig
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
 # at least yast2-printer in SUSE needs it, compare the
 # 'Why not "recommend" PPDs in the NickName?'
and the subsequent
 # 'RFC: New Driver Rating/Information Attributes' mail thread on cups@easysw.com:
-%patch103 -b do_not_strip_recommended_from_PPDs.orig
+%patch -P 103 -b do_not_strip_recommended_from_PPDs.orig
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
-%patch104 -b cups-config-libs.orig
+%patch -P 104 -b cups-config-libs.orig
 # Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
 # see https://bugzilla.suse.com/show_bug.cgi?id=1181400
 # and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 # where the default hardening settings are enhanced by adding
 # ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
 # see https://bugzilla.suse.com/show_bug.cgi?id=1195288
-%patch107 -p1 -b harden_cups.service.orig
+%patch -P 107 -p1 -b harden_cups.service.orig
 # Patch108 downgrade-autoconf-requirement.patch
 # downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
-%patch108 -b downgrade-autoconf-requirement.orig
-# Patch109 cups-2.4.2-CVE-2023-32324.patch
-# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
-# https://bugzilla.suse.com/show_bug.cgi?id=1211643
-%patch109 -b cups-2.4.2-CVE-2023-32324.orig
-# Patch110 cups-2.4.2-CVE-2023-34241.patch
-# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
-# https://bugzilla.suse.com/show_bug.cgi?id=1212230
-%patch110 -b cups-2.4.2-CVE-2023-34241.orig
-# Patch111 cups-2.4.2-CVE-2023-32360.patch
-# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
-# https://bugzilla.suse.com/show_bug.cgi?id=1214254
-%patch111 -b cups-2.4.2-CVE-2023-32360.orig
+%patch -P 108 -b downgrade-autoconf-requirement.orig
 # Patch112
cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-%patch112 -b cups-2.4.2-additional_policies.orig
-# Patch113 cups-2.4.2-CVE-2023-4504.patch
-# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
-# https://bugzilla.suse.com/show_bug.cgi?id=1215204
-%patch113 -b cups-2.4.2-CVE-2023-4504.orig
+%patch -P 112 -b cups-2.4.2-additional_policies.orig
 %build
 # Remove ".SILENT" rule for verbose build output
@@ -479,9 +440,11 @@ rm -rf %{buildroot}%{_datadir}/icons
 # because if upstream changed it 'sed' would silently no longer change the files:
 grep -q '^# Configuration ' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf.default
 sed -i -e 's/^# Configuration /# Default configuration /' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf.default
+%if 0%{?suse_version} < 1600
 # rcbla aliases:
 ln -s service %{buildroot}%{_sbindir}/rccups
 ln -s service %{buildroot}%{_sbindir}/rccups-lpd
+%endif
 # Install /usr/lib/tmpfiles.d/cups.conf
 # According to
 # https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-systemd-tmpfiles-on-rhel7/
@@ -543,7 +506,6 @@ for i in pam.d/cups ; do
 test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 %endif
-getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
 %service_add_pre cups.service cups-lpd.socket cups.socket
 %post -p /bin/bash
@@ -663,6 +625,7 @@ exit 0
 %{_unitdir}/cups.service
 %{_unitdir}/cups.socket
 %{_unitdir}/cups.path
+%{_unitdir}/system-cups.slice
 %{_unitdir}/cups-lpd.socket
 %{_unitdir}/cups-lpd@.service
 %{_tmpfilesdir}/cups.conf
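Review bot: Dropping the `groupadd ... ntadmin` line from the scriptlet (hunk at -543) together with the `%dir %attr(0775,root,ntadmin) %{_datadir}/cups/drivers` entry in %files (hunk at -713) stops the package from managing either object, but nothing in the diff cleans up systems that already have them. On an upgraded host the `ntadmin` group stays, and the directory, if it is not empty and rpm therefore leaves it in place, presumably keeps mode 0775 with group ntadmin, i.e. group-writable under the CUPS data directory. If that is intended, a spec comment should say so; otherwise a reset in %post would close it, e.g. `test -d %{_datadir}/cups/drivers && chown root:root %{_datadir}/cups/drivers && chmod 0755 %{_datadir}/cups/drivers ||:`. The scriptlet that held the `groupadd` line starts and ends outside the hunk.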
@@ -670,8 +633,10 @@ exit 0
 %{_sbindir}/cupsctl
 %{_sbindir}/cupsd
 %{_sbindir}/cupsfilter
+%if 0%{?suse_version} < 1600
 %{_sbindir}/rccups
 %{_sbindir}/rccups-lpd
+%endif
 %dir /usr/lib/cups
 %dir /usr/lib/cups/backend
 /usr/lib/cups/backend/dnssd
@@ -713,7 +678,6 @@ exit 0
 /usr/lib/cups/notifier/dbus
 /usr/lib/cups/notifier/mailto
 /usr/lib/cups/notifier/rss
-%dir %attr(0775,root,ntadmin) %{_datadir}/cups/drivers
 %doc %{_defaultdocdir}/cups
 %doc %{_mandir}/man1/cups.1.gz
 %doc %{_mandir}/man1/cupstestppd.1.gz
diff --git a/downgrade-autoconf-requirement.patch b/downgrade-autoconf-requirement.patch
index 74e4372..2631d37 100644
--- a/downgrade-autoconf-requirement.patch
+++ b/downgrade-autoconf-requirement.patch
@@ -1,5 +1,5 @@ ---- configure.ac.orig 2022-05-26 08:17:21.000000000 +0200 -+++ configure.ac 2022-05-30 10:26:29.258674533 +0200 +--- configure.ac.orig 2024-09-30 13:38:35.000000000 +0200 ++++ configure.ac 2024-09-30 15:02:31.994893137 +0200 @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0. dnl information. dnl @@ -10,4 +10,4 @@ +AC_PREREQ([2.69]) dnl Package name and version... - AC_INIT([CUPS],[2.4.2],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups]) + AC_INIT([CUPS],[2.4.11],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])