pool/cups
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1185107 from home:jsmeix:branches:Printing

Browse Source 
CUPS version upgrade to 2.4.10 that provides the fixed upstream fix for CVE-2024-35235 in CUPS 2.4.9

OBS-URL: https://build.opensuse.org/request/show/1185107
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=413
This commit is contained in:
Johannes Meixner 2024-07-03 11:21:05 +00:00 committed by Git OBS Bridge
parent 9c2057097a
commit 39594fc8e3
9 changed files with 98 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
avoid_C99_mode_for_loop_initial_declarations.patch Normal file
View File

@ -0,0 +1,28 @@
--- scheduler/client.c.orig 2024-06-18 13:11:05.000000000 +0200
+++ scheduler/client.c 2024-07-02 14:51:25.359712447 +0200
@@ -566,6 +566,7 @@ cupsdReadClient(cupsd_client_t *con) /*
struct stat filestats; /* File information */
mime_type_t *type; /* MIME type of file */
static unsigned request_id = 0; /* Request ID for temp files */
+ char *start; /* Avoid error: 'for' loop initial declarations are only allowed in C99 mode */
status = HTTP_STATUS_CONTINUE;
@@ -1145,7 +1146,7 @@ cupsdReadClient(cupsd_client_t *con) /*
{
unsigned int i = 0; // Array index
- for (char *start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
+ for (*start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
name[i++] = *start++;
name[i] = '\0';
@@ -1185,7 +1186,7 @@ cupsdReadClient(cupsd_client_t *con) /*
{
unsigned int i = 0; // Array index
- for (char *start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
+ for (*start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
name[i++] = *start++;
name[i] = '\0';

BIN
cups-2.4.10-source.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
cups-2.4.10-source.tar.gz.sig Normal file
View File

Binary file not shown.

87
cups-2.4.8-CVE-2024-35235.patch
View File

@ -1,87 +0,0 @@
--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
+++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
{
mode_t mask; /* Umask setting */
- /*
- * Remove any existing domain socket file...
- */
-
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
-
- /*
- * Bind the domain socket...
- */
-
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
-
- /*
- * Restore the umask and fix permissions...
- */
-
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Remove any existing domain socket file...
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+
+ if (errno == ENOENT)
+ status = 0;
+ }
+
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
+
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
+
+ // Restore the umask...
+ umask(mask);
+ }
}
else
#endif /* AF_LOCAL */
--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
+++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
/*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
+
+ /*
* Get the address list...
*/

3
cups-2.4.8-source.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0
size 8142007

BIN
cups-2.4.8-source.tar.gz.sig
View File

Binary file not shown.

46
cups.changes
View File

@ -1,3 +1,49 @@
-------------------------------------------------------------------
Tue Jul 2 11:45:58 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
- Version upgrade to 2.4.10:
See https://github.com/openprinting/cups/releases
CUPS 2.4.10 brings two fixes:
* Fixed error handling when reading a mixed 1setOf attribute.
* Fixed scheduler start if there is only domain socket
to listen on (Issue #985) which is fix for regression
after fix for CVE-2024-35235 in scenarios where is
no other listeners in cupsd.conf than domain socket
created on demand by systemd, launchd or upstart.
Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.9:
See https://github.com/openprinting/cups/releases
CUPS 2.4.9 brings security fix for CVE-2024-35235 and
several bug fixes regarding CUPS Web User Interface,
PPD generation and HTTP protocol implementation.
Detailed list (from CHANGES.md):
* Fixed domain socket handling (CVE-2024-35235)
* Fixed creating of `cupsUrfSupported` PPD keyword
(Issue #952)
* Fixed searching for destinations in web ui (Issue #954)
* Fixed TLS negotiation using OpenSSL with servers
that require the TLS SNI extension.
* Really raised `cups_enum_dests()` timeout for listing
available IPP printers (Issue #751)...
* Fixed `Host` header regression (Issue #967)
* Fixed DNS-SD lookups of local services with Avahi
(Issue #970)
* Fixed listing jobs in destinations in web ui.
(Apple issue #6204)
* Fixed showing search query in web ui help page.
(Issue #977)
Issues are those at https://github.com/OpenPrinting/cups/issues
Apple issues are those at https://github.com/apple/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
- Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
see the above CUPS 2.4.9 changes
- avoid_C99_mode_for_loop_initial_declarations.patch avoids error
"'for' loop initial declarations are only allowed in C99 mode"
that happens when building for SLE12
in scheduler/client.c at "for (char *start = ..." since
https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
see https://github.com/OpenPrinting/cups/issues/1000
-------------------------------------------------------------------
Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>

38
cups.spec
View File

@ -40,18 +40,18 @@ Name: cups
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
Version: 2.4.8
Version: 2.4.10
Release: 0
Summary: The Common UNIX Printing System
License: Apache-2.0
Group: Hardware/Printing
URL: https://openprinting.github.io/cups
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz
# wget --no-check-certificate -O cups-2.4.10-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig
# wget --no-check-certificate -O cups-2.4.10-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
# To make Source2 use e.g.
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@ -61,7 +61,7 @@ Source2: cups.keyring
# To manually verify Source0 with Source1 and Source2 do e.g.
# gpg --import cups.keyring
# gpg --list-keys | grep -1 'Zdenek Dohnal'
# gpg --verify cups-2.4.7-source.tar.gz.sig cups-2.4.7-source.tar.gz
# gpg --verify cups-2.4.10-source.tar.gz.sig cups-2.4.10-source.tar.gz
Source102: Postscript.ppd.gz
Source105: Postscript-level1.ppd.gz
Source106: Postscript-level2.ppd.gz
@ -77,6 +77,12 @@ Patch10: cups-2.1.0-choose-uri-template.patch
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
Patch11: cups-2.1.0-default-webcontent-path.patch
# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
# that happens when building for SLE12 at "for (char *start = ..." since
# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
# see https://github.com/OpenPrinting/cups/issues/1000
Patch12: avoid_C99_mode_for_loop_initial_declarations.patch
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
Patch100: cups-pam.diff
@ -103,13 +109,6 @@ Patch108: downgrade-autoconf-requirement.patch
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
Patch112: cups-2.4.2-additional_policies.patch
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
# to apply to CUPS 2.4.8 in openSUSE Factory
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
Patch113: cups-2.4.8-CVE-2024-35235.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@ -337,13 +336,12 @@ printer drivers for CUPS.
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
%patch -P 112 -b cups-2.4.2-additional_policies.orig
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
# to apply to CUPS 2.4.8 in openSUSE Factory
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
# that happens when building for SLE12 at "for (char *start = ..." since
# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
# see https://github.com/OpenPrinting/cups/issues/1000
%patch -P 12 -b avoid_C99_mode_for_loop_initial_declarations.orig
%build
# Remove ".SILENT" rule for verbose build output

8
downgrade-autoconf-requirement.patch
View File

@ -1,7 +1,5 @@
Index: configure.ac
===================================================================
--- configure.ac.orig
+++ configure.ac
--- configure.ac.orig 2024-06-18 13:11:05.000000000 +0200
+++ configure.ac 2024-07-02 13:55:46.880533719 +0200
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
dnl information.
dnl
@ -12,4 +10,4 @@ Index: configure.ac
+AC_PREREQ([2.69])
dnl Package name and version...
AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
AC_INIT([CUPS],[2.4.10],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])