SLFO-pool/cups
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main cups revision 9cc06bac42f87e59c88ec60470e2518a

Browse Source
This commit is contained in:
Adrian Schröter 2024-07-22 16:59:41 +02:00
parent f11dd59b7b
commit 0b0134fb11
12 changed files with 316 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
avoid_C99_mode_for_loop_initial_declarations.patch Normal file
View File

@ -0,0 +1,28 @@
--- scheduler/client.c.orig 2024-06-18 13:11:05.000000000 +0200
+++ scheduler/client.c 2024-07-02 14:51:25.359712447 +0200
@@ -566,6 +566,7 @@ cupsdReadClient(cupsd_client_t *con) /*
struct stat filestats; /* File information */
mime_type_t *type; /* MIME type of file */
static unsigned request_id = 0; /* Request ID for temp files */
+ char *start; /* Avoid error: 'for' loop initial declarations are only allowed in C99 mode */
status = HTTP_STATUS_CONTINUE;
@@ -1145,7 +1146,7 @@ cupsdReadClient(cupsd_client_t *con) /*
{
unsigned int i = 0; // Array index
- for (char *start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
+ for (*start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
name[i++] = *start++;
name[i] = '\0';
@@ -1185,7 +1186,7 @@ cupsdReadClient(cupsd_client_t *con) /*
{
unsigned int i = 0; // Array index
- for (char *start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
+ for (*start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
name[i++] = *start++;
name[i] = '\0';

BIN
cups-2.4.10-source.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
cups-2.4.10-source.tar.gz.sig Normal file
View File

Binary file not shown.

12
cups-2.4.2-CVE-2023-32324.patch
View File

@ -1,12 +0,0 @@
--- cups/string.c.orig 2022-05-26 08:17:21.000000000 +0200
+++ cups/string.c 2023-06-01 13:26:33.175494819 +0200
@@ -730,6 +730,9 @@ _cups_strlcpy(char *dst, /* O - D
size_t srclen; /* Length of source string */
+ if (size == 0)
+ return (0);
+
/*
* Figure out how much room is needed...
*/

18
cups-2.4.2-CVE-2023-32360.patch
View File

@ -1,18 +0,0 @@
--- conf/cupsd.conf.in.orig 2022-05-26 08:17:21.000000000 +0200
+++ conf/cupsd.conf.in 2023-09-20 13:39:53.316719260 +0200
@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
Order deny,allow
</Limit>
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents:
+ <Limit CUPS-Get-Document>
+ AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

46
cups-2.4.2-CVE-2023-34241.patch
View File

@ -1,46 +0,0 @@
--- scheduler/client.c.orig 2022-05-26 08:17:21.000000000 +0200
+++ scheduler/client.c 2023-06-22 12:47:25.329404393 +0200
@@ -193,13 +193,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
/*
* Can't have an unresolved IP address with double-lookups enabled...
*/
-
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "Name lookup failed - connection from %s closed!",
+ "Name lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
-
+ httpClose(con->http);
free(con);
return;
}
@@ -234,12 +231,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
* Can't have a hostname that doesn't resolve to the same IP address
* with double-lookups enabled...
*/
-
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "IP lookup failed - connection from %s closed!",
+ "IP lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
+ httpClose(con->http);
free(con);
return;
}
@@ -256,11 +251,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
if (!hosts_access(&wrap_req))
{
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
"Connection from %s refused by /etc/hosts.allow and "
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+ httpClose(con->http);
free(con);
return;
}

21
cups-2.4.2-CVE-2023-4504.patch
View File

@ -1,21 +0,0 @@
--- cups/raster-interpret.c.orig 2022-05-26 08:17:21.000000000 +0200
+++ cups/raster-interpret.c 2023-09-20 14:56:44.666363324 +0200
@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
cur ++;
+ /*
+ * Return NULL if we reached NULL terminator, a lone backslash
+ * is not a valid character in PostScript.
+ */
+
+ if (!*cur)
+ {
+ *ptr = NULL;
+
+ return (NULL);
+ }
+
if (*cur == 'b')
*valptr++ = '\b';
else if (*cur == 'f')

BIN
cups-2.4.2-source.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

BIN
cups-2.4.2-source.tar.gz.sig
View File

Binary file not shown.

253
cups.changes
View File

@ -1,3 +1,256 @@
-------------------------------------------------------------------
Tue Jul 2 11:45:58 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- Version upgrade to 2.4.10:
See https://github.com/openprinting/cups/releases
CUPS 2.4.10 brings two fixes:
* Fixed error handling when reading a mixed 1setOf attribute.
* Fixed scheduler start if there is only domain socket
to listen on (Issue #985) which is fix for regression
after fix for CVE-2024-35235 in scenarios where is
no other listeners in cupsd.conf than domain socket
created on demand by systemd, launchd or upstart.
Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.9:
See https://github.com/openprinting/cups/releases
CUPS 2.4.9 brings security fix for CVE-2024-35235 and
several bug fixes regarding CUPS Web User Interface,
PPD generation and HTTP protocol implementation.
Detailed list (from CHANGES.md):
* Fixed domain socket handling (CVE-2024-35235)
* Fixed creating of `cupsUrfSupported` PPD keyword
(Issue #952)
* Fixed searching for destinations in web ui (Issue #954)
* Fixed TLS negotiation using OpenSSL with servers
that require the TLS SNI extension.
* Really raised `cups_enum_dests()` timeout for listing
available IPP printers (Issue #751)...
* Fixed `Host` header regression (Issue #967)
* Fixed DNS-SD lookups of local services with Avahi
(Issue #970)
* Fixed listing jobs in destinations in web ui.
(Apple issue #6204)
* Fixed showing search query in web ui help page.
(Issue #977)
Issues are those at https://github.com/OpenPrinting/cups/issues
Apple issues are those at https://github.com/apple/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
- Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
see the above CUPS 2.4.9 changes
- avoid_C99_mode_for_loop_initial_declarations.patch avoids error
"'for' loop initial declarations are only allowed in C99 mode"
that happens when building for SLE12
in scheduler/client.c at "for (char *start = ..." since
https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
see https://github.com/OpenPrinting/cups/issues/1000
-------------------------------------------------------------------
Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- cups-2.4.8-CVE-2024-35235.patch is derived
from the upstream patch against master (CUPS 2.5)
to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
"cupsd Listen port arbitrary chmod 0140777"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
bsc#1225365
-------------------------------------------------------------------
Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 2.4.8:
See https://github.com/openprinting/cups/releases
CUPS 2.4.8 brings many bug fixes which aggregated over the last
half a year. It brings the important fix for race conditions
and errors which can happen when installing permanent
IPP Everywhere printer, support for PAM modules password-auth
and system-auth and new option for lpstat which can show only
the successful jobs.
Detailed list (from CHANGES.md):
* Added warning if the device has to be asked for
'all,media-col-database' separately (Issue #829)
* Added new value for 'lpstat' option '-W' - successfull - for
getting successfully printed jobs (Issue #830)
* Added support for PAM modules password-auth
and system-auth (Issue #892)
* Updated IPP Everywhere printer creation error
reporting (Issue #347)
* Updated and documented the MIME typing buffering
limit (Issue #925)
* Raised 'cups_enum_dests()' timeout for listing
available IPP printers (Issue #751)
* Now report an error for temporary printer defaults
with lpadmin (Issue #237)
* Fixed mapping of PPD InputSlot, MediaType,
and OutputBin values (Issue #238)
* Fixed "document-unprintable-error" handling (Issue #391)
* Fixed the web interface not showing an error
for a non-existent printer (Issue #423)
* Fixed printing of jobs with job name longer than 255 chars
on older printers (Issue #644)
* Really backported fix for Issue #742
* Fixed 'cupsCopyDestInfo' device connection
detection (Issue #586)
* Fixed "Upgrade" header handling when there is
no TLS support (Issue #775)
* Fixed memory leak when unloading a job (Issue #813)
* Fixed memory leak when creating color profiles (Issue #815)
* Fixed a punch finishing bug in the IPP Everywhere
support (Issue #821)
* Fixed crash in 'scan_ps()' if incoming argument
is NULL (Issue #831)
* Fixed setting job state reasons for successful
jobs (Issue #832)
* Fixed infinite loop in IPP backend if hostname
is IP address with Kerberos (Issue #838)
* Added additional check on socket if 'revents' from 'poll()'
returns POLLHUP together with POLLIN or POLLOUT
in 'httpAddrConnect2()' (Issue #839)
* Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850)
* Fixed reporting 'media-source-supported' when
sharing printer which has numbers as strings instead of
keywords as 'InputSlot' values (Issue #859)
* Fixed IPP backend to support the "print-scaling" option
with IPP printers (Issue #862)
* Fixed potential race condition for the creation
of temporary queues (Issue #871)
* Fixed 'httpGets' timeout handling (Issue #879)
* Fixed checking for required attributes during
PPD generation (Issue #890)
* Fixed encoding of IPv6 addresses in HTTP requests (Issue #903)
* Fixed sending response headers to client (Issue #927)
* Fixed CGI program initialization and validation
of form checkbox and text fields.
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.8
-------------------------------------------------------------------
Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Fri Feb 2 13:45:06 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- Removed outdated ntadmin stuff from cups.spec (boo#1219503)
-------------------------------------------------------------------
Wed Jan 24 07:47:38 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- Version upgrade to 2.4.7:
See https://github.com/openprinting/cups/releases
CUPS 2.4.7 is released to ship the fix for CVE-2023-4504
and several other changes, among them it is
adding OpenSSL support for cupsHashData function and bug fixes.
Detailed list:
* CVE-2023-4504 - Fixed Heap-based buffer overflow when
reading Postscript in PPD files
* Added OpenSSL support for cupsHashData (Issue #762)
* Fixed delays in lpd backend (Issue #741)
* Fixed extensive logging in scheduler (Issue #604)
* Fixed hanging of lpstat on IBM AIX (Issue #773)
* Fixed hanging of lpstat on Solaris (Issue #156)
* Fixed printing to stderr if we can't open cups-files.conf
(Issue #777)
* Fixed purging job files via cancel -x (Issue #742)
* Fixed RFC 1179 port reserving behavior in LPD backend
(Issue #743)
* Fixed a bug in the PPD command interpretation code
(Issue #768)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.6:
See https://github.com/openprinting/cups/releases
CUPS 2.4.6 is released to ship the fix for CVE-2023-34241
and two other bug fixes.
Detailed list:
* Fix linking error on old MacOS (Issue #715)
* Fix printing multiple files on specific printers (Issue #643)
* Fix use-after-free when logging warnings in case of failures
in cupsdAcceptClient() (fixes CVE-2023-34241)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.5:
See https://github.com/openprinting/cups/releases
CUPS 2.4.5 is a hotfix release for a bug which corrupted
locally saved certificates, which broke secured printing
via TLS after the first print job.
- Version upgrade to 2.4.4:
See https://github.com/openprinting/cups/releases
CUPS 2.4.4 release is created as a hotfix for segfault
in cupsGetNamedDest(), when caller tries to find
the default destination and the default destination
is not set on the machine.
- Version upgrade to 2.4.3:
See https://github.com/openprinting/cups/releases
CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements
and many bug fixes. CUPS now implements fallback for printers
with broken firmware, which is not capable of answering
to IPP request get-printer-attributes with all,
media-col-database - this enables driverless support for
bunch of printers which don't follow IPP Everywhere standard.
Aside from the CVE fix the most important fixes are around color
settings, printer application support fixes and OpenSSL support.
Detailed list of changes:
* Added a title with device uri for found network printers
(Issues #402, #393)
* Added new media sizes defined by IANA (Issues #501)
* Added quirk for GoDEX label printers (Issue #440)
* Fixed --enable-libtool-unsupported (Issue #394)
* Fixed configuration on RISC-V machines (Issue #404)
* Fixed the device_uri invalid pointer for driverless printers
with .local hostname (Issue #419)
* Fixed an OpenSSL crash bug (Issue #409)
* Fixed a potential SNMP OID value overflow issue (Issue #431)
* Fixed an OpenSSL certificate loading issue (Issue #465)
* Fixed Brazilian Portuguese translations (Issue #288)
* Fixed cupsd default keychain location when building
with OpenSSL (Issue #529)
* Fixed default color settings for CMYK printers as well
(Issue #500)
* Fixed duplicate PPD2IPP media-type names (Issue #688)
* Fixed possible heap buffer overflow in _cups_strlcpy()
(fixes CVE-2023-32324)
* Fixed InputSlot heuristic for photo sizes smaller than 5x7"
if there is no media-source in the request (Issue #569)
* Fixed invalid memory access during generating IPP Everywhere
queue (Issue #466)
* Fixed lprm if no destination is provided (Issue #457)
* Fixed memory leaks in create_local_bg_thread() (Issue #466)
* Fixed media size tolerance in ippeveprinter (Issue #487)
* Fixed passing command name without path into ippeveprinter
(Issue #629)
* Fixed saving strings file path in printers.conf (Issue #710)
* Fixed TLS certificate generation bugs (Issue #652)
* ippDeleteValues would not delete the last value (Issue #556)
* Ignore some of IPP defaults if the application sends
its PPD alternative (Issue #484)
* Make Letter the default size in ippevepcl (Issue #543)
* Now accessing Admin page in Web UI requires authentication
(Issue #518)
* Now look for default printer on network if needed (Issue #452)
* Now we poll media-col-database separately if we fail at first
(Issue #599)
* Now report fax attributes and values as needed (Issue #459)
* Now localize HTTP responses using the Content-Language value
(Issue #426)
* Raised file size limit for importing PPD via Web UI
(Issue #433)
* Raised maximum listen backlog size to INT MAX (Issue #626)
* Update print-color-mode if the printer is modified
via ColorModel PPD option (Issue #451)
* Use localhost when printing via printer application
(Issue #353)
* Write defaults into /etc/cups/lpoptions if we're root
(Issue #456)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.7
- Removed cups-2.4.2-CVE-2023-4504.patch : fixed upstream
see the above CUPS 2.4.7 changes
- Removed cups-2.4.2-CVE-2023-32360.patch : fixed upstream via
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
- Removed cups-2.4.2-CVE-2023-34241.patch : fixed upstream
see the above CUPS 2.4.6 changes
- Removed cups-2.4.2-CVE-2023-32324.patch : fixed upstream
see the above CUPS 2.4.3 changes
-------------------------------------------------------------------
Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner <jsmeix@suse.com>

87
cups.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package cups
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -40,18 +40,18 @@ Name: cups
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
Version: 2.4.2
Version: 2.4.10
Release: 0
Summary: The Common UNIX Printing System
License: Apache-2.0
Group: Hardware/Printing
URL: https://openprinting.github.io/cups
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.4.2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
# wget --no-check-certificate -O cups-2.4.10-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.4.2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
# wget --no-check-certificate -O cups-2.4.10-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
# To make Source2 use e.g.
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@ -61,7 +61,7 @@ Source2: cups.keyring
# To manually verify Source0 with Source1 and Source2 do e.g.
# gpg --import cups.keyring
# gpg --list-keys | grep -1 'Zdenek Dohnal'
# gpg --verify cups-2.4.2-source.tar.gz.sig cups-2.4.2-source.tar.gz
# gpg --verify cups-2.4.10-source.tar.gz.sig cups-2.4.10-source.tar.gz
Source102: Postscript.ppd.gz
Source105: Postscript-level1.ppd.gz
Source106: Postscript-level2.ppd.gz
@ -77,6 +77,12 @@ Patch10: cups-2.1.0-choose-uri-template.patch
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
Patch11: cups-2.1.0-default-webcontent-path.patch
# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
# that happens when building for SLE12 at "for (char *start = ..." since
# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
# see https://github.com/OpenPrinting/cups/issues/1000
Patch12: avoid_C99_mode_for_loop_initial_declarations.patch
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
Patch100: cups-pam.diff
@ -97,31 +103,12 @@ Patch104: cups-config-libs.patch
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
Patch107: harden_cups.service.patch
# Patch108 downgrade-autoconf-requirement.patch
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
# downgrades the autoconf requirement in configure.ac from autoconf 2.71 to autoconf 2.69
# that is available in Tumbleweed as of this writing (March 2022)
Patch108: downgrade-autoconf-requirement.patch
# Patch109 cups-2.4.2-CVE-2023-32324.patch
# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
# https://bugzilla.suse.com/show_bug.cgi?id=1211643
Patch109: cups-2.4.2-CVE-2023-32324.patch
# Patch110 cups-2.4.2-CVE-2023-34241.patch
# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
# https://bugzilla.suse.com/show_bug.cgi?id=1212230
Patch110: cups-2.4.2-CVE-2023-34241.patch
# Patch111 cups-2.4.2-CVE-2023-32360.patch
# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
# https://bugzilla.suse.com/show_bug.cgi?id=1214254
Patch111: cups-2.4.2-CVE-2023-32360.patch
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
Patch112: cups-2.4.2-additional_policies.patch
# Patch113 cups-2.4.2-CVE-2023-4504.patch
# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
# https://bugzilla.suse.com/show_bug.cgi?id=1215204
Patch113: cups-2.4.2-CVE-2023-4504.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@ -318,57 +305,43 @@ printer drivers for CUPS.
# Patch0...Patch9 is for patches from upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
%patch10 -b choose-uri-template.orig
%patch -P 10 -b choose-uri-template.orig
# Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
# web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
%patch11 -b default-webcontent-path.orig
%patch -P 11 -b default-webcontent-path.orig
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
%patch100 -b cups-pam.orig
%patch -P 100 -b cups-pam.orig
# Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
# reverts the change which was added by Michael Sweet in Jan 2007
# which strips the word "recommended" from NickName in PPDs because
# at least yast2-printer in SUSE needs it, compare the
# 'Why not "recommend" PPDs in the NickName?' and the subsequent
# 'RFC: New Driver Rating/Information Attributes' mail thread on cups@easysw.com:
%patch103 -b do_not_strip_recommended_from_PPDs.orig
%patch -P 103 -b do_not_strip_recommended_from_PPDs.orig
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
%patch104 -b cups-config-libs.orig
%patch -P 104 -b cups-config-libs.orig
# Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
# see https://bugzilla.suse.com/show_bug.cgi?id=1181400
# and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
# where the default hardening settings are enhanced by adding
# ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
%patch107 -p1 -b harden_cups.service.orig
%patch -P 107 -p1 -b harden_cups.service.orig
# Patch108 downgrade-autoconf-requirement.patch
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
%patch108 -b downgrade-autoconf-requirement.orig
# Patch109 cups-2.4.2-CVE-2023-32324.patch
# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
# https://bugzilla.suse.com/show_bug.cgi?id=1211643
%patch109 -b cups-2.4.2-CVE-2023-32324.orig
# Patch110 cups-2.4.2-CVE-2023-34241.patch
# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
# https://bugzilla.suse.com/show_bug.cgi?id=1212230
%patch110 -b cups-2.4.2-CVE-2023-34241.orig
# Patch111 cups-2.4.2-CVE-2023-32360.patch
# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
# https://bugzilla.suse.com/show_bug.cgi?id=1214254
%patch111 -b cups-2.4.2-CVE-2023-32360.orig
%patch -P 108 -b downgrade-autoconf-requirement.orig
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
%patch112 -b cups-2.4.2-additional_policies.orig
# Patch113 cups-2.4.2-CVE-2023-4504.patch
# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
# https://bugzilla.suse.com/show_bug.cgi?id=1215204
%patch113 -b cups-2.4.2-CVE-2023-4504.orig
%patch -P 112 -b cups-2.4.2-additional_policies.orig
# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
# that happens when building for SLE12 at "for (char *start = ..." since
# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
# see https://github.com/OpenPrinting/cups/issues/1000
%patch -P 12 -b avoid_C99_mode_for_loop_initial_declarations.orig
%build
# Remove ".SILENT" rule for verbose build output
@ -543,7 +516,6 @@ for i in pam.d/cups ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
%service_add_pre cups.service cups-lpd.socket cups.socket
%post -p /bin/bash
@ -713,7 +685,6 @@ exit 0
/usr/lib/cups/notifier/dbus
/usr/lib/cups/notifier/mailto
/usr/lib/cups/notifier/rss
%dir %attr(0775,root,ntadmin) %{_datadir}/cups/drivers
%doc %{_defaultdocdir}/cups
%doc %{_mandir}/man1/cups.1.gz
%doc %{_mandir}/man1/cupstestppd.1.gz

6
downgrade-autoconf-requirement.patch
View File

@ -1,5 +1,5 @@
--- configure.ac.orig 2022-05-26 08:17:21.000000000 +0200
+++ configure.ac 2022-05-30 10:26:29.258674533 +0200
--- configure.ac.orig 2024-06-18 13:11:05.000000000 +0200
+++ configure.ac 2024-07-02 13:55:46.880533719 +0200
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
dnl information.
dnl
@ -10,4 +10,4 @@
+AC_PREREQ([2.69])
dnl Package name and version...
AC_INIT([CUPS],[2.4.2],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
AC_INIT([CUPS],[2.4.10],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])