Accepting request 1185107 from home:jsmeix:branches:Printing

CUPS version upgrade to 2.4.10 that provides the fixed upstream fix for CVE-2024-35235 in CUPS 2.4.9

OBS-URL: https://build.opensuse.org/request/show/1185107
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=413

avoid_C99_mode_for_loop_initial_declarations.patch

@@ -0,0 +1,28 @@
+--- scheduler/client.c.orig	2024-06-18 13:11:05.000000000 +0200
++++ scheduler/client.c	2024-07-02 14:51:25.359712447 +0200
+@@ -566,6 +566,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
+   struct stat		filestats;	/* File information */
+   mime_type_t		*type;		/* MIME type of file */
+   static unsigned	request_id = 0;	/* Request ID for temp files */
++  char			*start;		/* Avoid error: 'for' loop initial declarations are only allowed in C99 mode */
+ 
+ 
+   status = HTTP_STATUS_CONTINUE;
+@@ -1145,7 +1146,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
+ 		  {
+ 		    unsigned int i = 0;	// Array index
+ 
+-		    for (char *start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
++		    for (*start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
+ 		      name[i++] = *start++;
+ 
+ 		    name[i] = '\0';
+@@ -1185,7 +1186,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
+ 		  {
+ 		    unsigned int i = 0;	// Array index
+ 
+-		    for (char *start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
++		    for (*start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
+ 		      name[i++] = *start++;
+ 
+ 		    name[i] = '\0';

cups-2.4.8-CVE-2024-35235.patch

@@ -1,87 +0,0 @@
---- cups/http-addr.c.orig	2024-04-26 13:38:21.000000000 +0200
-+++ cups/http-addr.c	2024-06-11 10:20:21.866920900 +0200
-@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr,	/* I -
-   {
-     mode_t	mask;			/* Umask setting */
- 
--   /*
--    * Remove any existing domain socket file...
--    */
--
--    unlink(addr->un.sun_path);
--
--   /*
--    * Save the current umask and set it to 0 so that all users can access
--    * the domain socket...
--    */
--
--    mask = umask(0);
--
--   /*
--    * Bind the domain socket...
--    */
--
--    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
--
--   /*
--    * Restore the umask and fix permissions...
--    */
--
--    umask(mask);
--    chmod(addr->un.sun_path, 0140777);
-+    // Remove any existing domain socket file...
-+    if ((status = unlink(addr->un.sun_path)) < 0)
-+    {
-+      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
-+
-+      if (errno == ENOENT)
-+        status = 0;
-+    }
-+
-+    if (!status)
-+    {
-+      // Save the current umask and set it to 0 so that all users can access
-+      // the domain socket...
-+      mask = umask(0);
-+
-+      // Bind the domain socket...
-+      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
-+      {
-+        DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
-+      }
-+
-+      // Restore the umask...
-+      umask(mask);
-+    }
-   }
-   else
- #endif /* AF_LOCAL */
---- scheduler/conf.c.orig	2024-04-26 13:38:21.000000000 +0200
-+++ scheduler/conf.c	2024-06-11 10:14:06.091882607 +0200
-@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
- 
- 
-      /*
-+      * If we are launched on-demand, do not use domain sockets from the config
-+      * file.  Also check that the domain socket path is not too long...
-+      */
-+
-+#ifdef HAVE_ONDEMAND
-+      if (*value == '/' && OnDemand)
-+      {
-+        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
-+          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
-+        continue;
-+      }
-+#endif // HAVE_ONDEMAND
-+
-+      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
-+      {
-+        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
-+        continue;
-+      }
-+
-+     /*
-       * Get the address list...
-       */
- 

cups-2.4.8-source.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0
-size 8142007

cups.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Tue Jul  2 11:45:58 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 2.4.10:
+  See https://github.com/openprinting/cups/releases
+  CUPS 2.4.10 brings two fixes:
+  * Fixed error handling when reading a mixed 1setOf attribute.
+  * Fixed scheduler start if there is only domain socket
+    to listen on (Issue #985) which is fix for regression
+    after fix for CVE-2024-35235 in scenarios where is
+    no other listeners in cupsd.conf than domain socket
+    created on demand by systemd, launchd or upstart.
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Version upgrade to 2.4.9:
+  See https://github.com/openprinting/cups/releases
+  CUPS 2.4.9 brings security fix for CVE-2024-35235 and
+  several bug fixes regarding CUPS Web User Interface,
+  PPD generation and HTTP protocol implementation.
+  Detailed list (from CHANGES.md):
+  * Fixed domain socket handling (CVE-2024-35235)
+  * Fixed creating of `cupsUrfSupported` PPD keyword
+    (Issue #952)
+  * Fixed searching for destinations in web ui (Issue #954)
+  * Fixed TLS negotiation using OpenSSL with servers
+    that require the TLS SNI extension.
+  * Really raised `cups_enum_dests()` timeout for listing
+    available IPP printers (Issue #751)...
+  * Fixed `Host` header regression (Issue #967)
+  * Fixed DNS-SD lookups of local services with Avahi
+    (Issue #970)
+  * Fixed listing jobs in destinations in web ui.
+    (Apple issue #6204)
+  * Fixed showing search query in web ui help page.
+    (Issue #977)
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+  Apple issues are those at https://github.com/apple/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
+- Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
+  see the above CUPS 2.4.9 changes
+- avoid_C99_mode_for_loop_initial_declarations.patch avoids error
+  "'for' loop initial declarations are only allowed in C99 mode"
+  that happens when building for SLE12
+  in scheduler/client.c at "for (char *start = ..." since
+  https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
+  see https://github.com/OpenPrinting/cups/issues/1000
+
 -------------------------------------------------------------------
 Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
 

cups.spec

@@ -40,18 +40,18 @@ Name:           cups
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
 # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version:        2.4.8
+Version:        2.4.10
 Release:        0
 Summary:        The Common UNIX Printing System
 License:        Apache-2.0
 Group:          Hardware/Printing
 URL:            https://openprinting.github.io/cups
 # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.10-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
-Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz
+Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
 # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
+# wget --no-check-certificate -O cups-2.4.10-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
-Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig
+Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
 # To make Source2 use e.g.
 #   gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
 #   gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@@ -61,7 +61,7 @@ Source2:        cups.keyring
 # To manually verify Source0 with Source1 and Source2 do e.g.
 #   gpg --import cups.keyring
 #   gpg --list-keys | grep -1 'Zdenek Dohnal'
-#   gpg --verify cups-2.4.7-source.tar.gz.sig cups-2.4.7-source.tar.gz
+#   gpg --verify cups-2.4.10-source.tar.gz.sig cups-2.4.10-source.tar.gz
 Source102:      Postscript.ppd.gz
 Source105:      Postscript-level1.ppd.gz
 Source106:      Postscript-level2.ppd.gz
@@ -77,6 +77,12 @@ Patch10:        cups-2.1.0-choose-uri-template.patch
 # because the files of the CUPS web content are no documentation, see CUPS STR #3578
 # and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
 Patch11:        cups-2.1.0-default-webcontent-path.patch
+# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
+# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
+# that happens when building for SLE12 at "for (char *start = ..." since
+# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
+# see https://github.com/OpenPrinting/cups/issues/1000
+Patch12:        avoid_C99_mode_for_loop_initial_declarations.patch
 # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 Patch100:       cups-pam.diff
@@ -103,13 +109,6 @@ Patch108:       downgrade-autoconf-requirement.patch
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 Patch112:       cups-2.4.2-additional_policies.patch
-# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
-# to apply to CUPS 2.4.8 in openSUSE Factory
-# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
-# https://bugzilla.suse.com/show_bug.cgi?id=1225365
-Patch113:       cups-2.4.8-CVE-2024-35235.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@@ -337,13 +336,12 @@ printer drivers for CUPS.
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 %patch -P 112 -b cups-2.4.2-additional_policies.orig
-# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
+# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
+# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
-# to apply to CUPS 2.4.8 in openSUSE Factory
+# that happens when building for SLE12 at "for (char *start = ..." since
-# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
+# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
-# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+# see https://github.com/OpenPrinting/cups/issues/1000
-# https://bugzilla.suse.com/show_bug.cgi?id=1225365
+%patch -P 12 -b avoid_C99_mode_for_loop_initial_declarations.orig
-%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
 
 %build
 # Remove ".SILENT" rule for verbose build output

downgrade-autoconf-requirement.patch

@@ -1,7 +1,5 @@
-Index: configure.ac
+--- configure.ac.orig	2024-06-18 13:11:05.000000000 +0200
-===================================================================
++++ configure.ac	2024-07-02 13:55:46.880533719 +0200
---- configure.ac.orig
-+++ configure.ac
 @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
  dnl information.
  dnl
@@ -12,4 +10,4 @@ Index: configure.ac
 +AC_PREREQ([2.69])
  
  dnl Package name and version...
- AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
+ AC_INIT([CUPS],[2.4.10],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])