From 39594fc8e37c5c33db8bebe62b088d647974a90f9c2a353aab8bb72ad05b21b8 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Wed, 3 Jul 2024 11:21:05 +0000
Subject: [PATCH] Accepting request 1185107 from home:jsmeix:branches:Printing

CUPS version upgrade to 2.4.10 that provides the fixed upstream fix for CVE-2024-35235 in CUPS 2.4.9

OBS-URL: https://build.opensuse.org/request/show/1185107
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=413
---
 ...9_mode_for_loop_initial_declarations.patch |  28 ++++++
 cups-2.4.10-source.tar.gz                     |   3 +
 cups-2.4.10-source.tar.gz.sig                 | Bin 0 -> 119 bytes
 cups-2.4.8-CVE-2024-35235.patch               |  87 ------------------
 cups-2.4.8-source.tar.gz                      |   3 -
 cups-2.4.8-source.tar.gz.sig                  | Bin 119 -> 0 bytes
 cups.changes                                  |  46 +++++++++
 cups.spec                                     |  38 ++++----
 downgrade-autoconf-requirement.patch          |   8 +-
 9 files changed, 98 insertions(+), 115 deletions(-)
 create mode 100644 avoid_C99_mode_for_loop_initial_declarations.patch
 create mode 100644 cups-2.4.10-source.tar.gz
 create mode 100644 cups-2.4.10-source.tar.gz.sig
 delete mode 100644 cups-2.4.8-CVE-2024-35235.patch
 delete mode 100644 cups-2.4.8-source.tar.gz
 delete mode 100644 cups-2.4.8-source.tar.gz.sig

diff --git a/avoid_C99_mode_for_loop_initial_declarations.patch b/avoid_C99_mode_for_loop_initial_declarations.patch
new file mode 100644
index 0000000..bec8cc2
--- /dev/null
+++ b/avoid_C99_mode_for_loop_initial_declarations.patch
@@ -0,0 +1,28 @@
+--- scheduler/client.c.orig	2024-06-18 13:11:05.000000000 +0200
++++ scheduler/client.c	2024-07-02 14:51:25.359712447 +0200
+@@ -566,6 +566,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
+   struct stat		filestats;	/* File information */
+   mime_type_t		*type;		/* MIME type of file */
+   static unsigned	request_id = 0;	/* Request ID for temp files */
++  char			*start;		/* Avoid error: 'for' loop initial declarations are only allowed in C99 mode */
+ 
+ 
+   status = HTTP_STATUS_CONTINUE;
+@@ -1145,7 +1146,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
+ 		  {
+ 		    unsigned int i = 0;	// Array index
+ 
+-		    for (char *start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
++		    for (*start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
+ 		      name[i++] = *start++;
+ 
+ 		    name[i] = '\0';
+@@ -1185,7 +1186,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
+ 		  {
+ 		    unsigned int i = 0;	// Array index
+ 
+-		    for (char *start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
++		    for (*start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
+ 		      name[i++] = *start++;
+ 
+ 		    name[i] = '\0';
diff --git a/cups-2.4.10-source.tar.gz b/cups-2.4.10-source.tar.gz
new file mode 100644
index 0000000..8e4e0e6
--- /dev/null
+++ b/cups-2.4.10-source.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d75757c2bc0f7a28b02ee4d52ca9e4b1aa1ba2affe16b985854f5336940e5ad7
+size 8145236
diff --git a/cups-2.4.10-source.tar.gz.sig b/cups-2.4.10-source.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..f7caaea05802f5ac1ecb7c7d59a3fabfe902147a33cd641fb9697ebd03937a25
GIT binary patch
literal 119
zcmeAuWnmEGVvrS6WGQG`u#`)0QVPFC!-FS5x@Tsq<bP*nN-NBcV&LKwfQd-oWB6Z{
zGd*$njiR6>#R39Ct6h@ZnqD60G&bFC>vwpbZo`zRj0{KjGMkl7P;+`E#J%GF%haEa
UW}gBUEGfAY`_OylmroxU0faU(#sB~S

literal 0
HcmV?d00001

diff --git a/cups-2.4.8-CVE-2024-35235.patch b/cups-2.4.8-CVE-2024-35235.patch
deleted file mode 100644
index 5529ad0..0000000
--- a/cups-2.4.8-CVE-2024-35235.patch
+++ /dev/null
@@ -1,87 +0,0 @@
---- cups/http-addr.c.orig	2024-04-26 13:38:21.000000000 +0200
-+++ cups/http-addr.c	2024-06-11 10:20:21.866920900 +0200
-@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr,	/* I -
-   {
-     mode_t	mask;			/* Umask setting */
- 
--   /*
--    * Remove any existing domain socket file...
--    */
--
--    unlink(addr->un.sun_path);
--
--   /*
--    * Save the current umask and set it to 0 so that all users can access
--    * the domain socket...
--    */
--
--    mask = umask(0);
--
--   /*
--    * Bind the domain socket...
--    */
--
--    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
--
--   /*
--    * Restore the umask and fix permissions...
--    */
--
--    umask(mask);
--    chmod(addr->un.sun_path, 0140777);
-+    // Remove any existing domain socket file...
-+    if ((status = unlink(addr->un.sun_path)) < 0)
-+    {
-+      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
-+
-+      if (errno == ENOENT)
-+        status = 0;
-+    }
-+
-+    if (!status)
-+    {
-+      // Save the current umask and set it to 0 so that all users can access
-+      // the domain socket...
-+      mask = umask(0);
-+
-+      // Bind the domain socket...
-+      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
-+      {
-+        DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
-+      }
-+
-+      // Restore the umask...
-+      umask(mask);
-+    }
-   }
-   else
- #endif /* AF_LOCAL */
---- scheduler/conf.c.orig	2024-04-26 13:38:21.000000000 +0200
-+++ scheduler/conf.c	2024-06-11 10:14:06.091882607 +0200
-@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
- 
- 
-      /*
-+      * If we are launched on-demand, do not use domain sockets from the config
-+      * file.  Also check that the domain socket path is not too long...
-+      */
-+
-+#ifdef HAVE_ONDEMAND
-+      if (*value == '/' && OnDemand)
-+      {
-+        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
-+          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
-+        continue;
-+      }
-+#endif // HAVE_ONDEMAND
-+
-+      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
-+      {
-+        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
-+        continue;
-+      }
-+
-+     /*
-       * Get the address list...
-       */
- 
diff --git a/cups-2.4.8-source.tar.gz b/cups-2.4.8-source.tar.gz
deleted file mode 100644
index e1bd316..0000000
--- a/cups-2.4.8-source.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0
-size 8142007
diff --git a/cups-2.4.8-source.tar.gz.sig b/cups-2.4.8-source.tar.gz.sig
deleted file mode 100644
index ef6db51bf4567af21276b3697259e39bf7c9c9740430772217af7937fe43357c..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 119
zcmeAuWnmEGVvrS6WGQG`u#`)0QVPFC!-FS5x@Tsq<bP*nO4FXy#lXcW028^x&hSs;
zP*}*igLOaT_8nGsUwXo5!H53V`{7(~KDV;|-E%h6iIL&gD!=J>4t_a0<MEfhI@hfB
VR0;>Fg=sD*DLrsB_@vuwUI14JHgo_0

diff --git a/cups.changes b/cups.changes
index ba077a2..f5d3671 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Tue Jul  2 11:45:58 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 2.4.10:
+  See https://github.com/openprinting/cups/releases
+  CUPS 2.4.10 brings two fixes:
+  * Fixed error handling when reading a mixed 1setOf attribute.
+  * Fixed scheduler start if there is only domain socket
+    to listen on (Issue #985) which is fix for regression
+    after fix for CVE-2024-35235 in scenarios where is
+    no other listeners in cupsd.conf than domain socket
+    created on demand by systemd, launchd or upstart.
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Version upgrade to 2.4.9:
+  See https://github.com/openprinting/cups/releases
+  CUPS 2.4.9 brings security fix for CVE-2024-35235 and
+  several bug fixes regarding CUPS Web User Interface,
+  PPD generation and HTTP protocol implementation.
+  Detailed list (from CHANGES.md):
+  * Fixed domain socket handling (CVE-2024-35235)
+  * Fixed creating of `cupsUrfSupported` PPD keyword
+    (Issue #952)
+  * Fixed searching for destinations in web ui (Issue #954)
+  * Fixed TLS negotiation using OpenSSL with servers
+    that require the TLS SNI extension.
+  * Really raised `cups_enum_dests()` timeout for listing
+    available IPP printers (Issue #751)...
+  * Fixed `Host` header regression (Issue #967)
+  * Fixed DNS-SD lookups of local services with Avahi
+    (Issue #970)
+  * Fixed listing jobs in destinations in web ui.
+    (Apple issue #6204)
+  * Fixed showing search query in web ui help page.
+    (Issue #977)
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+  Apple issues are those at https://github.com/apple/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
+- Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
+  see the above CUPS 2.4.9 changes
+- avoid_C99_mode_for_loop_initial_declarations.patch avoids error
+  "'for' loop initial declarations are only allowed in C99 mode"
+  that happens when building for SLE12
+  in scheduler/client.c at "for (char *start = ..." since
+  https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
+  see https://github.com/OpenPrinting/cups/issues/1000
+
 -------------------------------------------------------------------
 Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 
diff --git a/cups.spec b/cups.spec
index c0784f8..00a2f91 100644
--- a/cups.spec
+++ b/cups.spec
@@ -40,18 +40,18 @@ Name:           cups
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
 # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version:        2.4.8
+Version:        2.4.10
 Release:        0
 Summary:        The Common UNIX Printing System
 License:        Apache-2.0
 Group:          Hardware/Printing
 URL:            https://openprinting.github.io/cups
 # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
-Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.10-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
+Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
 # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
-Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig
+# wget --no-check-certificate -O cups-2.4.10-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
+Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
 # To make Source2 use e.g.
 #   gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
 #   gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@@ -61,7 +61,7 @@ Source2:        cups.keyring
 # To manually verify Source0 with Source1 and Source2 do e.g.
 #   gpg --import cups.keyring
 #   gpg --list-keys | grep -1 'Zdenek Dohnal'
-#   gpg --verify cups-2.4.7-source.tar.gz.sig cups-2.4.7-source.tar.gz
+#   gpg --verify cups-2.4.10-source.tar.gz.sig cups-2.4.10-source.tar.gz
 Source102:      Postscript.ppd.gz
 Source105:      Postscript-level1.ppd.gz
 Source106:      Postscript-level2.ppd.gz
@@ -77,6 +77,12 @@ Patch10:        cups-2.1.0-choose-uri-template.patch
 # because the files of the CUPS web content are no documentation, see CUPS STR #3578
 # and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
 Patch11:        cups-2.1.0-default-webcontent-path.patch
+# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
+# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
+# that happens when building for SLE12 at "for (char *start = ..." since
+# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
+# see https://github.com/OpenPrinting/cups/issues/1000
+Patch12:        avoid_C99_mode_for_loop_initial_declarations.patch
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 Patch100:       cups-pam.diff
@@ -103,13 +109,6 @@ Patch108:       downgrade-autoconf-requirement.patch
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 Patch112:       cups-2.4.2-additional_policies.patch
-# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
-# to apply to CUPS 2.4.8 in openSUSE Factory
-# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
-# https://bugzilla.suse.com/show_bug.cgi?id=1225365
-Patch113:       cups-2.4.8-CVE-2024-35235.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@@ -337,13 +336,12 @@ printer drivers for CUPS.
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 %patch -P 112 -b cups-2.4.2-additional_policies.orig
-# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
-# to apply to CUPS 2.4.8 in openSUSE Factory
-# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
-# https://bugzilla.suse.com/show_bug.cgi?id=1225365
-%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
+# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
+# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
+# that happens when building for SLE12 at "for (char *start = ..." since
+# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
+# see https://github.com/OpenPrinting/cups/issues/1000
+%patch -P 12 -b avoid_C99_mode_for_loop_initial_declarations.orig
 
 %build
 # Remove ".SILENT" rule for verbose build output
diff --git a/downgrade-autoconf-requirement.patch b/downgrade-autoconf-requirement.patch
index b2da577..6bc8d97 100644
--- a/downgrade-autoconf-requirement.patch
+++ b/downgrade-autoconf-requirement.patch
@@ -1,7 +1,5 @@
-Index: configure.ac
-===================================================================
---- configure.ac.orig
-+++ configure.ac
+--- configure.ac.orig	2024-06-18 13:11:05.000000000 +0200
++++ configure.ac	2024-07-02 13:55:46.880533719 +0200
 @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
  dnl information.
  dnl
@@ -12,4 +10,4 @@ Index: configure.ac
 +AC_PREREQ([2.69])
  
  dnl Package name and version...
- AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
+ AC_INIT([CUPS],[2.4.10],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])