Accepting request 1142944 from Printing

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1142944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=170
Ana Guerrero 2024-01-31 22:53:34 +00:00 committed by Git OBS Bridge
commit 11cd3c7caf
11 changed files with 133 additions and 151 deletions


@ -1,12 +0,0 @@
--- cups/string.c.orig 2022-05-26 08:17:21.000000000 +0200
+++ cups/string.c 2023-06-01 13:26:33.175494819 +0200
@@ -730,6 +730,9 @@ _cups_strlcpy(char *dst, /* O - D
size_t srclen; /* Length of source string */
+ if (size == 0)
+ return (0);
+
/*
* Figure out how much room is needed...
*/
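Review bot: the new `if (size == 0) return (0);` carries no comment saying why a zero-length destination must bail out before the length computation, and it quietly departs from the strlcpy(3) contract, which returns the length of `src` even when nothing can be copied so callers can size a retry. Add a one-line comment above the check, and either compute `srclen` first and return it, or state in the comment that returning 0 is intentional. Since this patch is being dropped as "fixed upstream" in 2.4.3 (see the changelog entry for CVE-2023-32324), diff the hunk against cups/string.c in the 2.4.7 tarball before accepting, so that the guard is really present in the shipped code and not only in this deleted file.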


@ -1,18 +0,0 @@
--- conf/cupsd.conf.in.orig 2022-05-26 08:17:21.000000000 +0200
+++ conf/cupsd.conf.in 2023-09-20 13:39:53.316719260 +0200
@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
Order deny,allow
</Limit>
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents:
+ <Limit CUPS-Get-Document>
+ AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
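Review bot: this is a template-only fix, and that limitation needs to be written down somewhere the package user sees it. The hunk edits conf/cupsd.conf.in, which is used to generate the default cupsd.conf; a system that already has /etc/cups/cupsd.conf keeps the old combined `<Limit ...>` block, in which CUPS-Get-Document is reachable without any AuthType, so the `Require user @OWNER @SYSTEM` line is checked against whatever requesting-user-name the client supplies, which is exactly the exposure the in-hunk comment describes. Either the changelog should tell administrators to add the `<Limit CUPS-Get-Document>` block with `AuthType Default` to existing configurations, or a scriptlet should migrate it. Minor: the comment line introduced here is well over 80 columns; wrap it. As the patch is being removed as fixed upstream via commit a0c8b9c9556882f00c68b9727a95a1b6d1452913, confirm that the 2.4.7 cupsd.conf.in contains the same split before relying on the removal.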


@ -1,46 +0,0 @@
--- scheduler/client.c.orig 2022-05-26 08:17:21.000000000 +0200
+++ scheduler/client.c 2023-06-22 12:47:25.329404393 +0200
@@ -193,13 +193,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
/*
* Can't have an unresolved IP address with double-lookups enabled...
*/
-
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "Name lookup failed - connection from %s closed!",
+ "Name lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
-
+ httpClose(con->http);
free(con);
return;
}
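Review bot: the reorder is the right fix, since cupsdLogClient() and httpGetHostname() both read con->http and httpClose() releases it, but the same log-then-close-then-free sequence is now hand-copied three times in this function (the two hunks below repeat it), which is how the original ordering bug was introduced. A small static helper, for example `close_client(con, "Name lookup failed - closing connection from %s!")` (name hypothetical), would make the ordering impossible to get wrong again. Also, between `httpClose(con->http);` and `free(con);` the pointer is dangling for one statement; assigning `con->http = NULL` after the close costs nothing and turns any future misuse into a NULL dereference instead of a use-after-free.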
@@ -234,12 +231,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
* Can't have a hostname that doesn't resolve to the same IP address
* with double-lookups enabled...
*/
-
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "IP lookup failed - connection from %s closed!",
+ "IP lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
+ httpClose(con->http);
free(con);
return;
}
@@ -256,11 +251,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
if (!hosts_access(&wrap_req))
{
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
"Connection from %s refused by /etc/hosts.allow and "
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+ httpClose(con->http);
free(con);
return;
}


@ -1,21 +0,0 @@
--- cups/raster-interpret.c.orig 2022-05-26 08:17:21.000000000 +0200
+++ cups/raster-interpret.c 2023-09-20 14:56:44.666363324 +0200
@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
cur ++;
+ /*
+ * Return NULL if we reached NULL terminator, a lone backslash
+ * is not a valid character in PostScript.
+ */
+
+ if (!*cur)
+ {
+ *ptr = NULL;
+
+ return (NULL);
+ }
+
if (*cur == 'b')
*valptr++ = '\b';
else if (*cur == 'f')
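Review bot: the guard sets `*ptr = NULL` and returns NULL when the backslash is the last byte, but the hunk shows no change on the caller side; confirm that every caller of scan_ps() already treats a NULL return as end of input and does not advance or dereference `*ptr` afterwards, otherwise the out-of-bounds read is only moved one frame up. The comment could be tightened and made accurate at the same time: the terminator is the NUL byte, not the NULL pointer, so something like "Return NULL if we hit the NUL terminator; a trailing lone backslash is not valid PostScript." Since this patch is being dropped as fixed upstream in 2.4.7 (CVE-2023-4504 in the changelog), check that the upstream scan_ps() carries the equivalent check directly after `cur ++`.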

cups-2.4.2-source.tar.gz (Stored with Git LFS)

cups-2.4.7-source.tar.gz (new file, Stored with Git LFS)

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c
size 8134809
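Review bot: the `oid sha256:` line of this LFS pointer is the only integrity record for the new tarball in the commit, and it says nothing about who produced the file. Before accepting, confirm that `sha256sum cups-2.4.7-source.tar.gz` prints dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c and that `gpg --verify cups-2.4.7-source.tar.gz.sig cups-2.4.7-source.tar.gz` reports a good signature from the key in cups.keyring (Source2), as the spec comments describe; the LFS hash only proves the blob was not corrupted in transit, the signature is what ties it to upstream.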


@ -1,3 +1,121 @@
-------------------------------------------------------------------
Wed Jan 24 07:47:38 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- Version upgrade to 2.4.7:
See https://github.com/openprinting/cups/releases
CUPS 2.4.7 is released to ship the fix for CVE-2023-4504
and several other changes, among them it is
adding OpenSSL support for cupsHashData function and bug fixes.
Detailed list:
* CVE-2023-4504 - Fixed Heap-based buffer overflow when
reading Postscript in PPD files
* Added OpenSSL support for cupsHashData (Issue #762)
* Fixed delays in lpd backend (Issue #741)
* Fixed extensive logging in scheduler (Issue #604)
* Fixed hanging of lpstat on IBM AIX (Issue #773)
* Fixed hanging of lpstat on Solaris (Issue #156)
* Fixed printing to stderr if we can't open cups-files.conf
(Issue #777)
* Fixed purging job files via cancel -x (Issue #742)
* Fixed RFC 1179 port reserving behavior in LPD backend
(Issue #743)
* Fixed a bug in the PPD command interpretation code
(Issue #768)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.6:
See https://github.com/openprinting/cups/releases
CUPS 2.4.6 is released to ship the fix for CVE-2023-34241
and two other bug fixes.
Detailed list:
* Fix linking error on old MacOS (Issue #715)
* Fix printing multiple files on specific printers (Issue #643)
* Fix use-after-free when logging warnings in case of failures
in cupsdAcceptClient() (fixes CVE-2023-34241)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.5:
See https://github.com/openprinting/cups/releases
CUPS 2.4.5 is a hotfix release for a bug which corrupted
locally saved certificates, which broke secured printing
via TLS after the first print job.
- Version upgrade to 2.4.4:
See https://github.com/openprinting/cups/releases
CUPS 2.4.4 release is created as a hotfix for segfault
in cupsGetNamedDest(), when caller tries to find
the default destination and the default destination
is not set on the machine.
- Version upgrade to 2.4.3:
See https://github.com/openprinting/cups/releases
CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements
and many bug fixes. CUPS now implements fallback for printers
with broken firmware, which is not capable of answering
to IPP request get-printer-attributes with all,
media-col-database - this enables driverless support for
bunch of printers which don't follow IPP Everywhere standard.
Aside from the CVE fix the most important fixes are around color
settings, printer application support fixes and OpenSSL support.
Detailed list of changes:
* Added a title with device uri for found network printers
(Issues #402, #393)
* Added new media sizes defined by IANA (Issues #501)
* Added quirk for GoDEX label printers (Issue #440)
* Fixed --enable-libtool-unsupported (Issue #394)
* Fixed configuration on RISC-V machines (Issue #404)
* Fixed the device_uri invalid pointer for driverless printers
with .local hostname (Issue #419)
* Fixed an OpenSSL crash bug (Issue #409)
* Fixed a potential SNMP OID value overflow issue (Issue #431)
* Fixed an OpenSSL certificate loading issue (Issue #465)
* Fixed Brazilian Portuguese translations (Issue #288)
* Fixed cupsd default keychain location when building
with OpenSSL (Issue #529)
* Fixed default color settings for CMYK printers as well
(Issue #500)
* Fixed duplicate PPD2IPP media-type names (Issue #688)
* Fixed possible heap buffer overflow in _cups_strlcpy()
(fixes CVE-2023-32324)
* Fixed InputSlot heuristic for photo sizes smaller than 5x7"
if there is no media-source in the request (Issue #569)
* Fixed invalid memory access during generating IPP Everywhere
queue (Issue #466)
* Fixed lprm if no destination is provided (Issue #457)
* Fixed memory leaks in create_local_bg_thread() (Issue #466)
* Fixed media size tolerance in ippeveprinter (Issue #487)
* Fixed passing command name without path into ippeveprinter
(Issue #629)
* Fixed saving strings file path in printers.conf (Issue #710)
* Fixed TLS certificate generation bugs (Issue #652)
* ippDeleteValues would not delete the last value (Issue #556)
* Ignore some of IPP defaults if the application sends
its PPD alternative (Issue #484)
* Make Letter the default size in ippevepcl (Issue #543)
* Now accessing Admin page in Web UI requires authentication
(Issue #518)
* Now look for default printer on network if needed (Issue #452)
* Now we poll media-col-database separately if we fail at first
(Issue #599)
* Now report fax attributes and values as needed (Issue #459)
* Now localize HTTP responses using the Content-Language value
(Issue #426)
* Raised file size limit for importing PPD via Web UI
(Issue #433)
* Raised maximum listen backlog size to INT MAX (Issue #626)
* Update print-color-mode if the printer is modified
via ColorModel PPD option (Issue #451)
* Use localhost when printing via printer application
(Issue #353)
* Write defaults into /etc/cups/lpoptions if we're root
(Issue #456)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.7
- Removed cups-2.4.2-CVE-2023-4504.patch : fixed upstream
see the above CUPS 2.4.7 changes
- Removed cups-2.4.2-CVE-2023-32360.patch : fixed upstream via
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
- Removed cups-2.4.2-CVE-2023-34241.patch : fixed upstream
see the above CUPS 2.4.6 changes
- Removed cups-2.4.2-CVE-2023-32324.patch : fixed upstream
see the above CUPS 2.4.3 changes
-------------------------------------------------------------------
Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
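Review bot: the "Removed cups-2.4.2-CVE-2023-32360.patch : fixed upstream via <commit>" line names only an upstream commit, not the release that carries it, unlike the other three CVE removals; say which of 2.4.3 through 2.4.7 contains it. More importantly, that fix only changes the generated default cupsd.conf (conf/cupsd.conf.in), so an upgraded system keeps its existing /etc/cups/cupsd.conf with CUPS-Get-Document still reachable without authentication; the changelog is the place to tell administrators to add a `<Limit CUPS-Get-Document>` block with `AuthType Default` by hand, or to state that a scriptlet does it.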


@ -1,7 +1,7 @@
#
# spec file for package cups
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -40,18 +40,18 @@ Name: cups
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
Version: 2.4.2
Version: 2.4.7
Release: 0
Summary: The Common UNIX Printing System
License: Apache-2.0
Group: Hardware/Printing
URL: https://openprinting.github.io/cups
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.4.2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.4.2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
# To make Source2 use e.g.
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
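Review bot: the refreshed Source0 and Source1 comment lines carry `wget --no-check-certificate` forward. github.com presents a valid certificate, so the flag buys nothing, and a packaging recipe for a security-sensitive component should not teach people to disable TLS verification; the GPG check against Source1 and Source2 does authenticate the tarball, but only if the person following the comment actually performs it. Drop `--no-check-certificate` from all four example commands.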
@ -61,7 +61,7 @@ Source2: cups.keyring
# To manually verify Source0 with Source1 and Source2 do e.g.
# gpg --import cups.keyring
# gpg --list-keys | grep -1 'Zdenek Dohnal'
# gpg --verify cups-2.4.2-source.tar.gz.sig cups-2.4.2-source.tar.gz
# gpg --verify cups-2.4.7-source.tar.gz.sig cups-2.4.7-source.tar.gz
Source102: Postscript.ppd.gz
Source105: Postscript-level1.ppd.gz
Source106: Postscript-level2.ppd.gz
@ -97,31 +97,12 @@ Patch104: cups-config-libs.patch
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
Patch107: harden_cups.service.patch
# Patch108 downgrade-autoconf-requirement.patch
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
# downgrades the autoconf requirement in configure.ac from autoconf 2.71 to autoconf 2.69
# that is available in Tumbleweed as of this writing (March 2022)
Patch108: downgrade-autoconf-requirement.patch
# Patch109 cups-2.4.2-CVE-2023-32324.patch
# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
# https://bugzilla.suse.com/show_bug.cgi?id=1211643
Patch109: cups-2.4.2-CVE-2023-32324.patch
# Patch110 cups-2.4.2-CVE-2023-34241.patch
# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
# https://bugzilla.suse.com/show_bug.cgi?id=1212230
Patch110: cups-2.4.2-CVE-2023-34241.patch
# Patch111 cups-2.4.2-CVE-2023-32360.patch
# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
# https://bugzilla.suse.com/show_bug.cgi?id=1214254
Patch111: cups-2.4.2-CVE-2023-32360.patch
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
Patch112: cups-2.4.2-additional_policies.patch
# Patch113 cups-2.4.2-CVE-2023-4504.patch
# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
# https://bugzilla.suse.com/show_bug.cgi?id=1215204
Patch113: cups-2.4.2-CVE-2023-4504.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@ -346,29 +327,9 @@ printer drivers for CUPS.
# Patch108 downgrade-autoconf-requirement.patch
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
%patch108 -b downgrade-autoconf-requirement.orig
# Patch109 cups-2.4.2-CVE-2023-32324.patch
# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
# https://bugzilla.suse.com/show_bug.cgi?id=1211643
%patch109 -b cups-2.4.2-CVE-2023-32324.orig
# Patch110 cups-2.4.2-CVE-2023-34241.patch
# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
# https://bugzilla.suse.com/show_bug.cgi?id=1212230
%patch110 -b cups-2.4.2-CVE-2023-34241.orig
# Patch111 cups-2.4.2-CVE-2023-32360.patch
# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
# https://bugzilla.suse.com/show_bug.cgi?id=1214254
%patch111 -b cups-2.4.2-CVE-2023-32360.orig
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
%patch112 -b cups-2.4.2-additional_policies.orig
# Patch113 cups-2.4.2-CVE-2023-4504.patch
# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
# https://bugzilla.suse.com/show_bug.cgi?id=1215204
%patch113 -b cups-2.4.2-CVE-2023-4504.orig
%build
# Remove ".SILENT" rule for verbose build output
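Review bot: the comment above `%patch108 -b downgrade-autoconf-requirement.orig` still has the old one-line wording ("downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:"), while the matching comment at the Patch108 declaration in the previous hunk was rewritten to name the 2.71 to 2.69 downgrade and the March 2022 date. Update this copy to the same text, or better, keep the explanation only at the declaration and leave a one-line reference here, so the two cannot drift apart again.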


@ -1,5 +1,5 @@
--- configure.ac.orig 2022-05-26 08:17:21.000000000 +0200
+++ configure.ac 2022-05-30 10:26:29.258674533 +0200
--- configure.ac.orig 2023-09-20 15:25:54.000000000 +0200
+++ configure.ac 2024-01-24 09:19:28.344274065 +0100
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
dnl information.
dnl
@ -10,4 +10,4 @@
+AC_PREREQ([2.69])
dnl Package name and version...
AC_INIT([CUPS],[2.4.2],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
AC_INIT([CUPS],[2.4.7],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
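Review bot: this refresh only moves the patch's timestamps and the AC_INIT context line to 2.4.7; the substantive change is still the lowered `AC_PREREQ([2.69])`. Lowering the prerequisite does not make the rest of configure.ac 2.69-clean, so check that the 2.4.7 configure.ac introduces no macro that only exists in autoconf 2.71, otherwise the failure shows up later in the build at autoreconf time rather than as a clear version error.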