Sync from SUSE:SLFO:Main cups revision 9cc06bac42f87e59c88ec60470e2518a

2024-07-22 16:59:41 +02:00 · 2024-07-22 16:59:41 +02:00 · 0b0134fb11
commit 0b0134fb11
parent f11dd59b7b
12 changed files with 316 additions and 161 deletions
--- a/avoid_C99_mode_for_loop_initial_declarations.patch
+++ b/avoid_C99_mode_for_loop_initial_declarations.patch
@ -0,0 +1,28 @@
 --- scheduler/client.c.orig	2024-06-18 13:11:05.000000000 +0200
 +++ scheduler/client.c	2024-07-02 14:51:25.359712447 +0200
@@ -566,6 +566,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
   struct stat		filestats;	/* File information */
   mime_type_t		*type;		/* MIME type of file */
   static unsigned	request_id = 0;	/* Request ID for temp files */
 +  char			*start;		/* Avoid error: 'for' loop initial declarations are only allowed in C99 mode */
   status = HTTP_STATUS_CONTINUE;
@@ -1145,7 +1146,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
 		  {
 		    unsigned int i = 0;	// Array index
 -		    for (char *start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
 +		    for (*start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
 		      name[i++] = *start++;
 		    name[i] = '\0';
@@ -1185,7 +1186,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
 		  {
 		    unsigned int i = 0;	// Array index
 -		    for (char *start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
 +		    for (*start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
 		      name[i++] = *start++;
 		    name[i] = '\0';
--- a/cups-2.4.10-source.tar.gz
+++ b/cups-2.4.10-source.tar.gz
--- a/cups-2.4.10-source.tar.gz.sig
+++ b/cups-2.4.10-source.tar.gz.sig
--- a/cups-2.4.2-CVE-2023-32324.patch
+++ b/cups-2.4.2-CVE-2023-32324.patch
@ -1,12 +0,0 @@
 --- cups/string.c.orig	2022-05-26 08:17:21.000000000 +0200
 +++ cups/string.c	2023-06-01 13:26:33.175494819 +0200
@@ -730,6 +730,9 @@ _cups_strlcpy(char       *dst,		/* O - D
   size_t	srclen;			/* Length of source string */
 +  if (size == 0)
 +    return (0);
 +
  /*
   * Figure out how much room is needed...
   */
--- a/cups-2.4.2-CVE-2023-32360.patch
+++ b/cups-2.4.2-CVE-2023-32360.patch
@ -1,18 +0,0 @@
 --- conf/cupsd.conf.in.orig	2022-05-26 08:17:21.000000000 +0200
 +++ conf/cupsd.conf.in	2023-09-20 13:39:53.316719260 +0200
@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
     Order deny,allow
   </Limit>
 -  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
 +  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
 +    Require user @OWNER @SYSTEM
 +    Order deny,allow
 +  </Limit>
 +
 +  # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents:
 +  <Limit CUPS-Get-Document>
 +    AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
--- a/cups-2.4.2-CVE-2023-34241.patch
+++ b/cups-2.4.2-CVE-2023-34241.patch
@ -1,46 +0,0 @@
 --- scheduler/client.c.orig	2022-05-26 08:17:21.000000000 +0200
 +++ scheduler/client.c	2023-06-22 12:47:25.329404393 +0200
@@ -193,13 +193,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
    /*
     * Can't have an unresolved IP address with double-lookups enabled...
     */
 -
 -    httpClose(con->http);
 -
     cupsdLogClient(con, CUPSD_LOG_WARN,
 -                    "Name lookup failed - connection from %s closed!",
 +                    "Name lookup failed - closing connection from %s!",
                     httpGetHostname(con->http, NULL, 0));
 -
 +    httpClose(con->http);
     free(con);
     return;
   }
@@ -234,12 +231,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
       * Can't have a hostname that doesn't resolve to the same IP address
       * with double-lookups enabled...
       */
 -
 -      httpClose(con->http);
 -
       cupsdLogClient(con, CUPSD_LOG_WARN,
 -                      "IP lookup failed - connection from %s closed!",
 +                      "IP lookup failed - closing connection from %s!",
                       httpGetHostname(con->http, NULL, 0));
 +      httpClose(con->http);
       free(con);
       return;
     }
@@ -256,11 +251,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
   if (!hosts_access(&wrap_req))
   {
 -    httpClose(con->http);
 -
     cupsdLogClient(con, CUPSD_LOG_WARN,
                     "Connection from %s refused by /etc/hosts.allow and "
 		    "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
 +    httpClose(con->http);
     free(con);
     return;
   }
--- a/cups-2.4.2-CVE-2023-4504.patch
+++ b/cups-2.4.2-CVE-2023-4504.patch
@ -1,21 +0,0 @@
 --- cups/raster-interpret.c.orig	2022-05-26 08:17:21.000000000 +0200
 +++ cups/raster-interpret.c	2023-09-20 14:56:44.666363324 +0200
@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - S
 	    cur ++;
 +          /*
 +           * Return NULL if we reached NULL terminator, a lone backslash
 +           * is not a valid character in PostScript.
 +           */
 +
 +           if (!*cur)
 +           {
 +             *ptr = NULL;
 +
 +             return (NULL);
 +           }
 +
             if (*cur == 'b')
 	      *valptr++ = '\b';
 	    else if (*cur == 'f')
--- a/cups-2.4.2-source.tar.gz
+++ b/cups-2.4.2-source.tar.gz
--- a/cups-2.4.2-source.tar.gz.sig
+++ b/cups-2.4.2-source.tar.gz.sig
--- a/cups.changes
+++ b/cups.changes
@ -1,3 +1,256 @@
 -------------------------------------------------------------------
 Tue Jul  2 11:45:58 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 - Version upgrade to 2.4.10:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.10 brings two fixes:
  * Fixed error handling when reading a mixed 1setOf attribute.
  * Fixed scheduler start if there is only domain socket
    to listen on (Issue #985) which is fix for regression
    after fix for CVE-2024-35235 in scenarios where is
    no other listeners in cupsd.conf than domain socket
    created on demand by systemd, launchd or upstart.
  Issues are those at https://github.com/OpenPrinting/cups/issues
 - Version upgrade to 2.4.9:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.9 brings security fix for CVE-2024-35235 and
  several bug fixes regarding CUPS Web User Interface,
  PPD generation and HTTP protocol implementation.
  Detailed list (from CHANGES.md):
  * Fixed domain socket handling (CVE-2024-35235)
  * Fixed creating of `cupsUrfSupported` PPD keyword
    (Issue #952)
  * Fixed searching for destinations in web ui (Issue #954)
  * Fixed TLS negotiation using OpenSSL with servers
    that require the TLS SNI extension.
  * Really raised `cups_enum_dests()` timeout for listing
    available IPP printers (Issue #751)...
  * Fixed `Host` header regression (Issue #967)
  * Fixed DNS-SD lookups of local services with Avahi
    (Issue #970)
  * Fixed listing jobs in destinations in web ui.
    (Apple issue #6204)
  * Fixed showing search query in web ui help page.
    (Issue #977)
  Issues are those at https://github.com/OpenPrinting/cups/issues
  Apple issues are those at https://github.com/apple/cups/issues
 - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
 - Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
  see the above CUPS 2.4.9 changes
 - avoid_C99_mode_for_loop_initial_declarations.patch avoids error
  "'for' loop initial declarations are only allowed in C99 mode"
  that happens when building for SLE12
  in scheduler/client.c at "for (char *start = ..." since
  https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
  see https://github.com/OpenPrinting/cups/issues/1000
 -------------------------------------------------------------------
 Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 - cups-2.4.8-CVE-2024-35235.patch is derived
  from the upstream patch against master (CUPS 2.5)
  to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
  "cupsd Listen port arbitrary chmod 0140777"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
  bsc#1225365
 -------------------------------------------------------------------
 Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 - Update to version 2.4.8:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.8 brings many bug fixes which aggregated over the last
  half a year. It brings the important fix for race conditions
  and errors which can happen when installing permanent
  IPP Everywhere printer, support for PAM modules password-auth
  and system-auth and new option for lpstat which can show only
  the successful jobs.
  Detailed list (from CHANGES.md):
  * Added warning if the device has to be asked for
    'all,media-col-database' separately (Issue #829)
  * Added new value for 'lpstat' option '-W' - successfull - for
    getting successfully printed jobs (Issue #830)
  * Added support for PAM modules password-auth
    and system-auth (Issue #892)
  * Updated IPP Everywhere printer creation error
    reporting (Issue #347)
  * Updated and documented the MIME typing buffering
    limit (Issue #925)
  * Raised 'cups_enum_dests()' timeout for listing
    available IPP printers (Issue #751)
  * Now report an error for temporary printer defaults
    with lpadmin (Issue #237)
  * Fixed mapping of PPD InputSlot, MediaType,
    and OutputBin values (Issue #238)
  * Fixed "document-unprintable-error" handling (Issue #391)
  * Fixed the web interface not showing an error
    for a non-existent printer (Issue #423)
  * Fixed printing of jobs with job name longer than 255 chars
    on older printers (Issue #644)
  * Really backported fix for Issue #742
  * Fixed 'cupsCopyDestInfo' device connection
    detection (Issue #586)
  * Fixed "Upgrade" header handling when there is
    no TLS support (Issue #775)
  * Fixed memory leak when unloading a job (Issue #813)
  * Fixed memory leak when creating color profiles (Issue #815)
  * Fixed a punch finishing bug in the IPP Everywhere
    support (Issue #821)
  * Fixed crash in 'scan_ps()' if incoming argument
    is NULL (Issue #831)
  * Fixed setting job state reasons for successful
    jobs (Issue #832)
  * Fixed infinite loop in IPP backend if hostname
    is IP address with Kerberos (Issue #838)
  * Added additional check on socket if 'revents' from 'poll()'
    returns POLLHUP together with POLLIN or POLLOUT
    in 'httpAddrConnect2()' (Issue #839)
  * Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850)
  * Fixed reporting 'media-source-supported' when
    sharing printer  which has numbers as strings instead of
    keywords as 'InputSlot' values (Issue #859)
  * Fixed IPP backend to support the "print-scaling" option
    with IPP printers (Issue #862)
  * Fixed potential race condition for the creation
    of temporary queues (Issue #871)
  * Fixed 'httpGets' timeout handling (Issue #879)
  * Fixed checking for required attributes during
    PPD generation (Issue #890)
  * Fixed encoding of IPv6 addresses in HTTP requests (Issue #903)
  * Fixed sending response headers to client (Issue #927)
  * Fixed CGI program initialization and validation
    of form checkbox and text fields.
  Issues are those at https://github.com/OpenPrinting/cups/issues
 - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.8
 -------------------------------------------------------------------
 Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 - Use %patch -P N instead of deprecated %patchN.
 -------------------------------------------------------------------
 Fri Feb  2 13:45:06 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 - Removed outdated ntadmin stuff from cups.spec (boo#1219503)
 -------------------------------------------------------------------
 Wed Jan 24 07:47:38 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 - Version upgrade to 2.4.7:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.7 is released to ship the fix for CVE-2023-4504
  and several other changes, among them it is
  adding OpenSSL support for cupsHashData function and bug fixes.
  Detailed list:
  * CVE-2023-4504 - Fixed Heap-based buffer overflow when
    reading Postscript in PPD files
  * Added OpenSSL support for cupsHashData (Issue #762)
  * Fixed delays in lpd backend (Issue #741)
  * Fixed extensive logging in scheduler (Issue #604)
  * Fixed hanging of lpstat on IBM AIX (Issue #773)
  * Fixed hanging of lpstat on Solaris (Issue #156)
  * Fixed printing to stderr if we can't open cups-files.conf
    (Issue #777)
  * Fixed purging job files via cancel -x (Issue #742)
  * Fixed RFC 1179 port reserving behavior in LPD backend
    (Issue #743)
  * Fixed a bug in the PPD command interpretation code
    (Issue #768)
  Issues are those at https://github.com/OpenPrinting/cups/issues
 - Version upgrade to 2.4.6:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.6 is released to ship the fix for CVE-2023-34241
  and two other bug fixes.
  Detailed list:
  * Fix linking error on old MacOS (Issue #715)
  * Fix printing multiple files on specific printers (Issue #643)
  * Fix use-after-free when logging warnings in case of failures
    in cupsdAcceptClient() (fixes CVE-2023-34241)
  Issues are those at https://github.com/OpenPrinting/cups/issues
 - Version upgrade to 2.4.5:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.5 is a hotfix release for a bug which corrupted
  locally saved certificates, which broke secured printing
  via TLS after the first print job.
 - Version upgrade to 2.4.4:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.4 release is created as a hotfix for segfault
  in cupsGetNamedDest(), when caller tries to find
  the default destination and the default destination
  is not set on the machine.
 - Version upgrade to 2.4.3:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements
  and many bug fixes. CUPS now implements fallback for printers
  with broken firmware, which is not capable of answering
  to IPP request get-printer-attributes with all,
  media-col-database - this enables driverless support for
  bunch of printers which don't follow IPP Everywhere standard.
  Aside from the CVE fix the most important fixes are around color
  settings, printer application support fixes and OpenSSL support.
  Detailed list of changes:
  * Added a title with device uri for found network printers
    (Issues #402, #393)
  * Added new media sizes defined by IANA (Issues #501)
  * Added quirk for GoDEX label printers (Issue #440)
  * Fixed --enable-libtool-unsupported (Issue #394)
  * Fixed configuration on RISC-V machines (Issue #404)
  * Fixed the device_uri invalid pointer for driverless printers
    with .local hostname (Issue #419)
  * Fixed an OpenSSL crash bug (Issue #409)
  * Fixed a potential SNMP OID value overflow issue (Issue #431)
  * Fixed an OpenSSL certificate loading issue (Issue #465)
  * Fixed Brazilian Portuguese translations (Issue #288)
  * Fixed cupsd default keychain location when building
    with OpenSSL (Issue #529)
  * Fixed default color settings for CMYK printers as well
    (Issue #500)
  * Fixed duplicate PPD2IPP media-type names (Issue #688)
  * Fixed possible heap buffer overflow in _cups_strlcpy()
    (fixes CVE-2023-32324)
  * Fixed InputSlot heuristic for photo sizes smaller than 5x7"
    if there is no media-source in the request (Issue #569)
  * Fixed invalid memory access during generating IPP Everywhere
    queue (Issue #466)
  * Fixed lprm if no destination is provided (Issue #457)
  * Fixed memory leaks in create_local_bg_thread() (Issue #466)
  * Fixed media size tolerance in ippeveprinter (Issue #487)
  * Fixed passing command name without path into ippeveprinter
    (Issue #629)
  * Fixed saving strings file path in printers.conf (Issue #710)
  * Fixed TLS certificate generation bugs (Issue #652)
  * ippDeleteValues would not delete the last value (Issue #556)
  * Ignore some of IPP defaults if the application sends
    its PPD alternative (Issue #484)
  * Make Letter the default size in ippevepcl (Issue #543)
  * Now accessing Admin page in Web UI requires authentication
    (Issue #518)
  * Now look for default printer on network if needed (Issue #452)
  * Now we poll media-col-database separately if we fail at first
    (Issue #599)
  * Now report fax attributes and values as needed (Issue #459)
  * Now localize HTTP responses using the Content-Language value
    (Issue #426)
  * Raised file size limit for importing PPD via Web UI
    (Issue #433)
  * Raised maximum listen backlog size to INT MAX (Issue #626)
  * Update print-color-mode if the printer is modified
    via ColorModel PPD option (Issue #451)
  * Use localhost when printing via printer application
    (Issue #353)
  * Write defaults into /etc/cups/lpoptions if we're root
    (Issue #456)
  Issues are those at https://github.com/OpenPrinting/cups/issues
 - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.7
 - Removed cups-2.4.2-CVE-2023-4504.patch : fixed upstream
  see the above CUPS 2.4.7 changes
 - Removed cups-2.4.2-CVE-2023-32360.patch : fixed upstream via
  https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
 - Removed cups-2.4.2-CVE-2023-34241.patch : fixed upstream
  see the above CUPS 2.4.6 changes
 - Removed cups-2.4.2-CVE-2023-32324.patch : fixed upstream
  see the above CUPS 2.4.3 changes
 -------------------------------------------------------------------
 Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
--- a/cups.spec
+++ b/cups.spec
@ -1,7 +1,7 @@
 #
 # spec file for package cups
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -40,18 +40,18 @@ Name:           cups
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
 # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version:        2.4.2
+Version:        2.4.10
 Release:        0
 Summary:        The Common UNIX Printing System
 License:        Apache-2.0
 Group:          Hardware/Printing
 URL:            https://openprinting.github.io/cups
 # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.10-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
-Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
+Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
 # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
+# wget --no-check-certificate -O cups-2.4.10-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
-Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
+Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
 # To make Source2 use e.g.
 #   gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
 #   gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@ -61,7 +61,7 @@ Source2:        cups.keyring
 # To manually verify Source0 with Source1 and Source2 do e.g.
 #   gpg --import cups.keyring
 #   gpg --list-keys | grep -1 'Zdenek Dohnal'
-#   gpg --verify cups-2.4.2-source.tar.gz.sig cups-2.4.2-source.tar.gz
+#   gpg --verify cups-2.4.10-source.tar.gz.sig cups-2.4.10-source.tar.gz
 Source102:      Postscript.ppd.gz
 Source105:      Postscript-level1.ppd.gz
 Source106:      Postscript-level2.ppd.gz
@ -77,6 +77,12 @@ Patch10:        cups-2.1.0-choose-uri-template.patch
 # because the files of the CUPS web content are no documentation, see CUPS STR #3578
 # and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
 Patch11:        cups-2.1.0-default-webcontent-path.patch
 # Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
 # avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
 # that happens when building for SLE12 at "for (char *start = ..." since
 # https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
 # see https://github.com/OpenPrinting/cups/issues/1000
 Patch12:        avoid_C99_mode_for_loop_initial_declarations.patch
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 Patch100:       cups-pam.diff
@ -97,31 +103,12 @@ Patch104:       cups-config-libs.patch
 # see https://bugzilla.suse.com/show_bug.cgi?id=1195288
 Patch107:       harden_cups.service.patch
 # Patch108 downgrade-autoconf-requirement.patch
-# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
+# downgrades the autoconf requirement in configure.ac from autoconf 2.71 to autoconf 2.69
 # that is available in Tumbleweed as of this writing (March 2022)
 Patch108:       downgrade-autoconf-requirement.patch
 # Patch109 cups-2.4.2-CVE-2023-32324.patch
 # fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
 # https://bugzilla.suse.com/show_bug.cgi?id=1211643
 Patch109:       cups-2.4.2-CVE-2023-32324.patch
 # Patch110 cups-2.4.2-CVE-2023-34241.patch
 # fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 Patch110:       cups-2.4.2-CVE-2023-34241.patch
 # Patch111 cups-2.4.2-CVE-2023-32360.patch
 # fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
 # https://bugzilla.suse.com/show_bug.cgi?id=1214254
 Patch111:       cups-2.4.2-CVE-2023-32360.patch
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 Patch112:       cups-2.4.2-additional_policies.patch
 # Patch113 cups-2.4.2-CVE-2023-4504.patch
 # fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
 # https://bugzilla.suse.com/show_bug.cgi?id=1215204
 Patch113:       cups-2.4.2-CVE-2023-4504.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@ -318,57 +305,43 @@ printer drivers for CUPS.
 # Patch0...Patch9 is for patches from upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
-%patch10 -b choose-uri-template.orig
+%patch -P 10 -b choose-uri-template.orig
 # Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
 # web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
 # because the files of the CUPS web content are no documentation, see CUPS STR #3578
 # and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
-%patch11 -b default-webcontent-path.orig
+%patch -P 11 -b default-webcontent-path.orig
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
-%patch100 -b cups-pam.orig
+%patch -P 100 -b cups-pam.orig
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
 # at least yast2-printer in SUSE needs it, compare the
 # 'Why not "recommend" PPDs in the NickName?' and the subsequent
 # 'RFC: New Driver Rating/Information Attributes' mail thread on cups@easysw.com:
-%patch103 -b do_not_strip_recommended_from_PPDs.orig
+%patch -P 103 -b do_not_strip_recommended_from_PPDs.orig
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
-%patch104 -b cups-config-libs.orig
+%patch -P 104 -b cups-config-libs.orig
 # Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
 # see https://bugzilla.suse.com/show_bug.cgi?id=1181400
 # and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 # where the default hardening settings are enhanced by adding
 # ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
 # see https://bugzilla.suse.com/show_bug.cgi?id=1195288
-%patch107 -p1 -b harden_cups.service.orig
+%patch -P 107 -p1 -b harden_cups.service.orig
 # Patch108 downgrade-autoconf-requirement.patch
 # downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
-%patch108 -b downgrade-autoconf-requirement.orig
+%patch -P 108 -b downgrade-autoconf-requirement.orig
 # Patch109 cups-2.4.2-CVE-2023-32324.patch
 # fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
 # https://bugzilla.suse.com/show_bug.cgi?id=1211643
 %patch109 -b cups-2.4.2-CVE-2023-32324.orig
 # Patch110 cups-2.4.2-CVE-2023-34241.patch
 # fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 %patch110 -b cups-2.4.2-CVE-2023-34241.orig
 # Patch111 cups-2.4.2-CVE-2023-32360.patch
 # fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
 # https://bugzilla.suse.com/show_bug.cgi?id=1214254
 %patch111 -b cups-2.4.2-CVE-2023-32360.orig
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-%patch112 -b cups-2.4.2-additional_policies.orig
+%patch -P 112 -b cups-2.4.2-additional_policies.orig
-# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
-# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# that happens when building for SLE12 at "for (char *start = ..." since
-# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
-%patch113 -b cups-2.4.2-CVE-2023-4504.orig
+# see https://github.com/OpenPrinting/cups/issues/1000
 %patch -P 12 -b avoid_C99_mode_for_loop_initial_declarations.orig
 %build
 # Remove ".SILENT" rule for verbose build output
@ -543,7 +516,6 @@ for i in pam.d/cups ; do
     test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 %endif
 getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
 %service_add_pre cups.service cups-lpd.socket cups.socket
 %post -p /bin/bash
@ -713,7 +685,6 @@ exit 0
 /usr/lib/cups/notifier/dbus
 /usr/lib/cups/notifier/mailto
 /usr/lib/cups/notifier/rss
 %dir %attr(0775,root,ntadmin) %{_datadir}/cups/drivers
 %doc %{_defaultdocdir}/cups
 %doc %{_mandir}/man1/cups.1.gz
 %doc %{_mandir}/man1/cupstestppd.1.gz
--- a/downgrade-autoconf-requirement.patch
+++ b/downgrade-autoconf-requirement.patch
@ -1,5 +1,5 @@
--- configure.ac.orig	2022-05-26 08:17:21.000000000 +0200
+--- configure.ac.orig	2024-06-18 13:11:05.000000000 +0200
-+++ configure.ac	2022-05-30 10:26:29.258674533 +0200
+++ configure.ac	2024-07-02 13:55:46.880533719 +0200
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
 dnl information.
 dnl
@ -10,4 +10,4 @@
 +AC_PREREQ([2.69])
 dnl Package name and version...
- AC_INIT([CUPS],[2.4.2],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
+ AC_INIT([CUPS],[2.4.10],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])