Accepting request 592040 from home:jsmeix:branches:Printing

CUPS version upgrade to 2.3b4 (fourth beta of the CUPS 2.3 series) that fixes in particular bsc#1061066 and bsc#1087018 CVE-2017-18248 (see also bsc#1087072)

OBS-URL: https://build.opensuse.org/request/show/592040
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=348

cups-2.3b3-source.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9c40e3cc378a9d5f2bfffece646c1619016b9f3a8b59b90252e17d6890ba78ad
-size 10173349

cups-2.3b4-source.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a33ea7220f1fa58056fb529ecf4cc16f1bd4ef3ff120bfe92e6487a5343f0166
+size 10130356

cups.changes

@@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Wed Mar 28 13:58:32 CEST 2018 - jsmeix@suse.de
+
+- Version upgrade to 2.3b4:
+  This is the fourth beta of the CUPS 2.3 series.
+  For details see https://github.com/apple/cups/releases
+  or the CHANGES.md file.
+  Changes include:
+  * Additional security fixes for:
+    bsc#1061066 DBUS library aborts caller process
+    in _dbus_check_is_valid_utf8 (in particular that aborts cupsd)
+    and
+    bsc#1087018 CVE-2017-18248: cups: The add_job function in
+    scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is
+    enabled, can be crashed by remote attackers by sending print
+    jobs with an invalid username, related to a D-Bus notification
+    which are the CUPS upstream issues
+    https://github.com/apple/cups/issues/5143
+    Remote DoS attack against cupsd via invalid username
+    and malicious D-Bus library
+    and
+    https://github.com/apple/cups/issues/5186
+    squash non-UTF-8 strings into ASCII on plain IPP level
+    and
+    https://github.com/apple/cups/issues/5229
+    persistently substitute invalid job attributes
+    with default values - not only in add_job
+    see also
+    bsc#1087072 dbus-1:
+    Disable assertions to prevent un-expected DDoS attacks
+  * NOTICE: Raw print queues are now deprecated (Issue #5269)
+    so that now there is a warning message when you
+    add or modify a queue to use the "raw driver" but
+    raw printing will continue to work through CUPS 2.3.x, cf.
+    https://lists.cups.org/pipermail/cups/2018-March/074060.html
+  * Kerberized printing to another CUPS server did not work
+    correctly (Issue #5233)
+  * The scheduler now supports using temporary print queues
+    for older IPP/1.1 print queues like those shared by CUPS 1.3
+    and earlier (Issue #5241)
+  * Systemd did not restart cupsd when configuration changes
+    were made that required a restart (Issue #5263)
+  * Fixed an Avahi crash bug in the scheduler (Issue #5268)
+  * TLS connections now properly timeout (rdar://34938533)
+  * Removed support for the `-D_PPD_DEPRECATED=""` developer
+    cheat - the PPD API should no longer be used.
+  * Removed support for `-D_IPP_PRIVATE_STRUCTURES=1` developer
+    cheat - the IPP accessor functions should be used instead.
+  * The symlink rastertodymo -> rastertolabel
+    in /usr/lib/cups/filter is no longer provided.
+- Removed fix_filter_Makefile.patch
+  because since CUPS 2.3b4 it is fixed in the upstream code via
+  https://github.com/apple/cups/issues/5247 more precisely via
+  https://github.com/apple/cups/commit/ab89234de2d9bf36bb59f2aa4873d98e95ca4df2
+
 -------------------------------------------------------------------
 Thu Feb  8 14:21:22 CET 2018 - jsmeix@suse.de
 

cups.spec

@@ -19,28 +19,28 @@
 # _tmpfilesdir is not defined in systemd macros up to openSUSE 13.2
 %{!?_tmpfilesdir: %global _tmpfilesdir %{_libexecdir}/tmpfiles.d }
 Name:           cups
-# CUPS beta version numbers like "2.3b3" can be used as is because
+# CUPS beta version numbers like "2.3b4" can be used as is because
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
-# "zypper vcmp 2.2.99 2.3b3" show "2.2.99 is older than 2.3b3" so that
+# "zypper vcmp 2.2.99 2.3b4" show "2.2.99 is older than 2.3b4" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version:        2.3b3
+Version:        2.3b4
 Release:        0
 Summary:        The Common UNIX Printing System
 License:        Apache-2.0
 Group:          Hardware/Printing
 Url:            http://www.cups.org/
 # To get Source0 go to https://www.cups.org/software.html or https://github.com/apple/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.3b3-source.tar.gz https://github.com/apple/cups/releases/download/v2.3b3/cups-2.3b3-source.tar.gz
-Source0:        https://github.com/apple/cups/releases/download/v2.3b3/cups-2.3b3-source.tar.gz
+# wget --no-check-certificate -O cups-2.3b4-source.tar.gz https://github.com/apple/cups/releases/download/v2.3b4/cups-2.3b4-source.tar.gz
+Source0:        https://github.com/apple/cups/releases/download/v2.3b4/cups-2.3b4-source.tar.gz
 # To get Source1 go to https://www.cups.org/software.html or https://github.com/apple/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.3b3-source.tar.gz.sig https://github.com/apple/cups/releases/download/v2.3b3/cups-2.3b3-source.tar.gz.sig
-Source1:        https://github.com/apple/cups/releases/download/v2.3b3/cups-2.3b3-source.tar.gz.sig
+# wget --no-check-certificate -O cups-2.3b4-source.tar.gz.sig https://github.com/apple/cups/releases/download/v2.3b4/cups-2.3b4-source.tar.gz.sig
+Source1:        https://github.com/apple/cups/releases/download/v2.3b4/cups-2.3b4-source.tar.gz.sig
 # To get Source2 go to https://www.cups.org/pgp.html
 Source2:        cups.keyring
 # To manually verify Source0 with Source1 and Source2 do e.g.
 #   gpg --import cups.keyring
 #   gpg --list-keys | grep -1 'CUPS.org' | grep -v 'expired'
-#   gpg --verify cups-2.3b3-source.tar.gz.sig cups-2.3b3-source.tar.gz
+#   gpg --verify cups-2.3b4-source.tar.gz.sig cups-2.3b4-source.tar.gz
 Source102:      Postscript.ppd.gz
 Source105:      Postscript-level1.ppd.gz
 Source106:      Postscript-level2.ppd.gz
@@ -73,8 +73,6 @@ Patch101:       cups-2.0.3-additional_policies.patch
 Patch103:       cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
 Patch104:       cups-config-libs.patch
-# Patch990 fix_filter_Makefile.patch fixes https://github.com/apple/cups/issues/5247
-Patch990:       fix_filter_Makefile.patch
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
@@ -323,8 +321,6 @@ printer drivers for CUPS.
 %patch103 -b do_not_strip_recommended_from_PPDs.orig
 # Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
 %patch104 -b cups-config-libs.orig
-# Patch990 fix_filter_Makefile.patch fixes https://github.com/apple/cups/issues/5247
-%patch990 -b fix_filter_Makefile.orig
 
 %build
 # Remove ".SILENT" rule for verbose build output
@@ -581,7 +577,6 @@ exit 0
 %{_libexecdir}/cups/filter/commandtops
 %{_libexecdir}/cups/filter/gziptoany
 %{_libexecdir}/cups/filter/pstops
-%{_libexecdir}/cups/filter/rastertodymo
 %{_libexecdir}/cups/filter/rastertoepson
 %{_libexecdir}/cups/filter/rastertohp
 %{_libexecdir}/cups/filter/rastertolabel

fix_filter_Makefile.patch

@@ -1,28 +0,0 @@
---- filter/Makefile.orig	2018-02-01 16:01:12.000000000 +0100
-+++ filter/Makefile	2018-02-08 14:17:24.000000000 +0100
-@@ -83,14 +83,14 @@ install-data:
- 
- install-exec:
- 	$(INSTALL_DIR) -m 755 $(SERVERBIN)/filter
--	for file in $(FILTERS); do \
-+	for file in $(TARGETS); do \
- 		$(INSTALL_BIN) $$file $(SERVERBIN)/filter; \
- 	done
- 	$(RM) $(SERVERBIN)/filter/rastertodymo
- 	$(LN) rastertolabel $(SERVERBIN)/filter/rastertodymo
- 	if test "x$(SYMROOT)" != "x"; then \
- 		$(INSTALL_DIR) $(SYMROOT); \
--		for file in $(FILTERS); do \
-+		for file in $(TARGETS); do \
- 			cp $$file $(SYMROOT); \
- 			dsymutil $(SYMROOT)/$$file; \
- 		done \
-@@ -116,7 +116,7 @@ install-libs:
- #
- 
- uninstall:
--	for file in $(FILTERS); do \
-+	for file in $(TARGETS); do \
- 		$(RM) $(SERVERBIN)/filter/$$file; \
- 	done
- 	$(RM) $(SERVERBIN)/filter/rastertodymo