pool/cups
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 969223 from Printing

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/969223
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=162
This commit is contained in:
Dominique Leuenberger 2022-04-13 19:04:16 +00:00 committed by Git OBS Bridge
commit 9c4a497beb
14 changed files with 360 additions and 432 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
cups-2.1.0-cups-systemd-socket.patch
View File

@ -1,43 +0,0 @@
--- scheduler/main.c.orig 2015-06-08 20:32:35.000000000 +0200
+++ scheduler/main.c 2015-09-01 11:19:36.000000000 +0200
@@ -656,7 +656,15 @@ main(int argc, /* I - Number of comm
#if defined(HAVE_LAUNCHD) || defined(HAVE_SYSTEMD)
if (OnDemand)
+ {
cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started on demand.");
+# ifdef HAVE_SYSTEMD
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Scheduler is running...\n"
+ "MAINPID=%lu",
+ (unsigned long) getpid());
+# endif /* HAVE_SYSTEMD */
+ }
else
#endif /* HAVE_LAUNCHD || HAVE_SYSTEMD */
if (fg)
--- scheduler/org.cups.cupsd.path.in.orig 2014-03-21 15:50:24.000000000 +0100
+++ scheduler/org.cups.cupsd.path.in 2015-09-01 11:20:37.000000000 +0200
@@ -3,6 +3,7 @@ Description=CUPS Scheduler
[Path]
PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
+PathExistsGlob=@CUPS_REQUESTS@/d*
[Install]
WantedBy=multi-user.target
--- scheduler/org.cups.cupsd.service.in.orig 2014-10-21 13:54:05.000000000 +0200
+++ scheduler/org.cups.cupsd.service.in 2015-09-01 11:22:09.000000000 +0200
@@ -1,10 +1,11 @@
[Unit]
Description=CUPS Scheduler
Documentation=man:cupsd(8)
+After=network.target
[Service]
ExecStart=@sbindir@/cupsd -l
-Type=simple
+Type=notify
[Install]
Also=org.cups.cupsd.socket org.cups.cupsd.path

32
cups-2.1.0-default-webcontent-path.patch
View File

@ -1,17 +1,21 @@
--- config-scripts/cups-directories.m4.orig 2014-03-21 17:42:53.000000000 +0100
+++ config-scripts/cups-directories.m4 2015-09-01 11:08:43.000000000 +0200
@@ -206,11 +206,11 @@ fi
AC_SUBST(MENUDIR)
--- config-scripts/cups-directories.m4
+++ config-scripts/cups-directories.m4.orig
@@ -166,15 +166,15 @@ AS_IF([test "x$menudir" = x], [
AC_SUBST([MENUDIR])
# Documentation files
-AC_ARG_WITH(docdir, [ --with-docdir set path for documentation],docdir="$withval",docdir="")
+AC_ARG_WITH(docdir, [ --with-docdir set path and DocumentRoot directive for web content, default=datadir/cups/webcontent],docdir="$withval",docdir="")
-AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path for documentation]), [
+AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path and DocumentRoot directive for web content, default=datadir/cups/webcontent]), [
docdir="$withval"
], [
docdir=""
])
if test x$docdir = x; then
- CUPS_DOCROOT="$datadir/doc/cups"
- docdir="$datadir/doc/cups"
+ CUPS_DOCROOT="$datadir/cups/webcontent"
+ docdir="$datadir/cups/webcontent"
else
CUPS_DOCROOT="$docdir"
fi
AS_IF([test x$docdir = x], [
- CUPS_DOCROOT="$datadir/doc/cups"
- docdir="$datadir/doc/cups"
+ CUPS_DOCROOT="$datadir/cups/webcontent"
+ docdir="$datadir/cups/webcontent"
], [
CUPS_DOCROOT="$docdir"
])

3
cups-2.3.3op2-source.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:deb3575bbe79c0ae963402787f265bfcf8d804a71fc2c94318a74efec86f96df
size 7993205

BIN
cups-2.3.3op2-source.tar.gz.sig
View File

Binary file not shown.

3
cups-2.4.1-source.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c7339f75f8d4f2dec50c673341a45fc06b6885bb6d4366d6bf59a4e6c10ae178
size 8113914

BIN
cups-2.4.1-source.tar.gz.sig Normal file
View File

Binary file not shown.

2
cups-config-libs.patch
View File

@ -4,7 +4,7 @@
# flags for compiler and linker...
CFLAGS=""
LDFLAGS="@EXPORT_LDFLAGS@"
-LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_SSLLIBS@ @LIBZ@ @LIBS@"
-LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_TLSLIBS@ @LIBZ@ @LIBS@"
+LIBS=""
# Check for local invocation...

206
cups.changes
View File

@ -1,3 +1,209 @@
-------------------------------------------------------------------
Mon Apr 4 12:45:16 UTC 2022 - jsmeix@suse.de
- Have cups.pc in %{_libdir} to avoid a conflict
that cups-devel and cups-devel-32bit would
both contain /usr/lib/pkgconfig/cups.pc because
when cups.pc is arch dependent it has to be in %{_libdir}
which it is because it contains 'libdir=/usr/lib64' on x86_64
(if it was arch independent it would have to be in %{_datadir})
cf. https://build.opensuse.org/request/show/965680
-------------------------------------------------------------------
Fri Mar 4 11:34:13 UTC 2022 - jsmeix@suse.de
- Improved comments in spec file and in changes file
- Have cups.keyring in ASCII armored format
- Do not error out when 'make test' fails in the 'check' section
because https://github.com/OpenPrinting/cups/issues/155
is not yet actually fixed so currently the testsuite
still sometimes fails
-------------------------------------------------------------------
Tue Mar 1 18:16:11 UTC 2022 - Aurelien Joga <aurelienjoga@gmail.com>
- Version upgrade to 2.4.1:
See https://github.com/openprinting/cups/releases
CUPS 2.4.1 is the first bug fix release from 2.4.x series.
Among the other bug fixes it fixes sharing default color mode
to clients and several memory leaks.
* The default color mode now is now configurable and defaults
to the printer's reported default mode (Issue #277)
* Configuration script now checks linking for -Wl,-pie flags
(Issue #303)
* Fixed memory leaks -
in testi18n (Issue #313),
in cups_enum_dests() (Issue #317),
in _cupsEncodeOption() and http_tls_upgrade() (Issue #322)
* Fixed missing bracket in de/index.html (Issue #299)
* Fixed typos in configuration scripts (Issues #304, #316)
* Removed remaining legacy code for RIP_MAX_CACHE environment
variable (Issue #323)
* Removed deprecated directives from cupsctl and
cups-files.conf (Issue #300)
* Removed purge-jobs legacy code from CGI scripts and
templates (Issue #325)
- Version upgrade to 2.4.0:
CUPS 2.4.0 is the latest stable OpenPrinting CUPS release.
Among the changes from beta and release candidate
the stable release adds two new configuration options for
optimizing cupsd setup on servers and several other changes.
* Added configure option --with-idle-exit-timeout (Issue #294)
* Added --with-systemd-timeoutstartsec configure
option (Issue #298)
* DigestOptions now are applied for MD5 Digest authentication
defined by RFC 2069 as well (Issue #287)
* Fixed compilation on Solaris (Issue #293)
* Fixed and improved German translations (Issue #296, Issue #297)
- Version upgrade to 2.4rc1:
CUPS 2.4rc1 is a release candidate for OpenPrinting CUPS 2.4.0,
which adds two enhancements before the stable release.
* Added warning and debug messages when loading printers
if the queue is raw or with driver (Issue #286)
* Compilation now uses -fstack-protector-strong
if available (Issue #285)
- Version upgrade to 2.4b1:
CUPS 2.4b1 is the beta release for OpenPrinting CUPS 2.4
which contains several new features such as basic OAuth support,
support for AirPrint and Mopria clients and support for running
CUPS as a snap, several deprecations (Kerberos, cups-config),
removals of old deprecated directives, and many bug fixes.
* Added support for CUPS running in a Snapcraft snap.
* Added basic OAuth 2.0 client support (Issue #100)
* Added support for AirPrint and Mopria clients (Issue #105)
* Added configure support for specifying systemd dependencies
in the CUPS service file (Issue #144)
* Added several features and improvements to ipptool (Issue #153)
* Added a JSON output mode for ipptool.
* The ipptool command now correctly reports an error
when a test file cannot be found.
* CUPS library now uses thread safe getpwnam_r and getpwuid_r
functions (Issue #274)
* Fixed Kerberos authentication for the web interface (Issue #19)
* The ZPL sample driver now supports more "standard" label
sizes (Issue #70)
* Fixed reporting of printer instances when enumerating and when
no options are set for the main instance (Issue #71)
* Reverted USB read limit enforcement change
from CUPS 2.2.12 (Issue #72)
* The IPP backend did not return the correct status code
when a job was canceled at the printer/server (Issue #74)
* The testlang unit test program now loops over all of the
available locales by default (Issue #85)
* The cupsfilter command now shows error messages when options
are used incorrectly (Issue #88)
* The PPD functions now treat boolean values as
case-insensitive (Issue #106)
* Temporary queue names no longer end with an
underscore (Issue #110)
* The USB backend now runs as root (Issue #121)
* Added pkg-config file for libcups (Issue #122)
* Fixed a PPD memory leak caused by emulator
definitions (Issue #124)
* Fixed a DISPLAY bug in ipptool (Issue #139)
* The scheduler now includes the [Job N] prefix for job log
messages, even when using syslog logging (Issue #154)
* Added support for locales using the GB18030
character set (Issue #159)
* httpReconnect2 did not reset the socket file descriptor
when the TLS negotiation failed (Apple #5907)
* httpUpdate did not reset the socket file descriptor
when the TLS negotiation failed (Apple #5915)
* The IPP backend now retries Validate-Job requests (Issue #132)
* Now show better error messages when a driver interface program
fails to provide a PPD file (Issue #148)
* Added dark mode support to the CUPS web interface (Issue #152)
* Added a workaround for Solaris in httpAddrConnect2 (Issue #156)
* Fixed an interaction between --remote-admin and --remote-any
for the cupsctl command (Issue #158)
* Now use a 60 second timeout for reading USB backchannel
data (Issue #160)
* The USB backend now tries harder to find a serial
number (Issue #170)
* Fixed @IF(name) handling in cupsd.conf (Apple #5918)
* Fixed documentation and added examples for CUPS' limited
CGI support (Apple #5940)
* Fixed the lpc command prompt (Apple #5946)
* Now always pass "localhost" in the Host: header when talking
over a domain socket or the loopback interface (Issue #185)
* Fixed a job history update issue in the scheduler (Issue #187)
* Fixed job-pages-per-set value for duplex print jobs.
* Fixed an edge case in ippReadIO to make sure that only complete
attributes and values are retained on an error (Issue #195)
* Hardened ippReadIO to prevent invalid IPP messages from being
propagated (Issue #195, Issue #196)
* The scheduler now supports the "everywhere" model
directly (Issue #201)
* Fixed some IPP Everywhere option mapping problems (Issue #238)
* Fixed support for "job-hold-until" with the Restart-Job
operation (Issue #250)
* Fixed the default color/grayscale presets for
IPP Everywhere PPDs (Issue #262)
* Fixed support for the 'offline-report' state for all
USB backends (Issue #264)
* Documentation fixes (Issue #92, Issue #163, Issue #177,
Issue #184)
* Localization updates (Issue #123, Issue #129, Issue #134,
Issue #146, Issue #164)
* USB quirk updates (Issue #192, Issue #270, Apple #5766,
Apple #5838, Apple #5843, Apple #5867)
* Web interface updates (Issue #142, Issue #218)
* The ippeveprinter tool now automatically uses an
available port.
* Fixed several Windows TLS and hashing issues.
* Deprecated cups-config (Issue #97)
* Deprecated Kerberos (AuthType Negotiate)
authentication (Issue #98)
* Removed support for the (long deprecated and unused)
FontPath, ListenBackLog, LPDConfigFile, KeepAliveTimeout,
RIPCache, and SMBConfigFile directives in cupsd.conf
and cups-files.conf.
* Stubbed out deprecated httpMD5 functions.
* Add test for undefined page ranges during printing.
- downgrade-autoconf-requirement.patch downgrades the
autoconf requirement to what is currently available in openSUSE
- fix-negotiate-authentication-between-CGIs-and-scheduler.patch
is obsolete because it is included in the upstream code, see
https://github.com/OpenPrinting/cups/commit/3ff789ee90b18205c735e42e599eb3ee3043e88a
https://github.com/OpenPrinting/cups/pull/19
https://github.com/apple/cups/pull/5847
https://github.com/apple/cups/issues/5596
- upstream_pull_174.patch
is obsolete because it is included in the upstream code, see
https://github.com/OpenPrinting/cups/commit/43edb9df51b977d92929b084186dcd67d4f5ca44
https://github.com/OpenPrinting/cups/pull/174
https://github.com/OpenPrinting/cups/issues/72
- patch cups-2.1.0-cups-systemd-socket.patch
is obsolete because it is included in the upstream code, see
https://github.com/OpenPrinting/cups/commit/e96e96b4bd0d4e6f634bbb66b95d6e475501541c
- Updated upstream source tarball signing key in cups.keyring, see
https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579
- Re-enabled the CUPS upstream testsuite via 'make test'
and removed 'make check' because since the upstream commit
https://github.com/OpenPrinting/cups/commit/96ba46ebc818b610b0e40cbc9d62ef1dcd3ec9b6
the two Makefile targets 'test' and 'check' are identical.
- Changed cups-2.1.0-cups-systemd-socket.patch
to accomodate new coding style
- Changed cups-config-libs.orig to accommodate
recent code changes (SSL->TLS)
- Changed cups-2.1.0-default-webcontent-path.patch
to accommodate code changes
-------------------------------------------------------------------
Tue Feb 1 09:18:27 UTC 2022 - jsmeix@suse.de
- Enhanced harden_cups.service.patch by adding
ReadWritePaths=/etc/cups
because cupsd needs write access in /etc/cups
(boo#1195288)
-------------------------------------------------------------------
Fri Oct 15 07:31:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400), see
https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
Added patch: harden_cups.service.patch
-------------------------------------------------------------------
Mon Jun 7 13:23:25 CEST 2021 - jsmeix@suse.de

61
cups.keyring
View File

@ -1,53 +1,14 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org
mQINBFplA9UBEACjPmClfkcn4YO05KHTyClVseJYVzGGHl+HLZGFPoadk2UKh3DD
UAoNruBMQS4xFd1MNFZfduCntLIoLEzwwHAWMhEB5O9FZZZrlwN2my4xlWdaX/Bg
FGhVsqGGp5C4n81996f1EmWJS+nTXHPQx0LJ5ahai6wuXJUhJwGHRVsJeVMYg9XZ
eJgz73scH4ISFAIRTfH2PqkBqKL51quUN6E/poSA1iggsPa0tg6klb+kUGvvMjGO
JUGg0L0lSwmJWbfbA6usD0ERSXA5h+TeSKTwuxTVYNTUpnVhSwfv5+wYHsoaeAiN
qbqbHw6TpJS5NvyClQLXE45Y1u/COlUvWA7/ThmRfP8LDgNXHQgdgOVv8eh/3Wos
zLfbw+wWFvaRCDZdzWBmUfJrS6K7dsABr6AQf5khqvazRv/Ma8ovNSd1WUUKTAm2
O1/eOydFLJpNaiyYc+ETbjdD//hKtiSCf6sxER5uE0cKiWhMQeFGgesgzRYjSKCg
Pk4Elux8q61uWqqPNjngFgRYRDuD/4jvTdD4mQqp+ASUYl1eXliKVH9tYJB4tcQ8
n7+szE+Czh7iSKvCCTV2VHfYASHYT79efDhtrmbB/Q2Vkoyuxl78PHKM0m/6hZze
+G1Cp4R3Ood/pOKlDrQdAWWlwOErZEu4pMSHoLJeuXfdFW7bAmEyKkoFZQARAQAB
tCtNaWNoYWVsIFIgU3dlZXQgPG1pY2hhZWwuci5zd2VldEBnbWFpbC5jb20+iQJU
BBMBCgA+FiEEhFRkZgtoaqs2VAtvmZVZoCeBWVUFAlplA9UCGwMFCQeGH4AFCwkI
BwMFFQoJCAsFFgIDAQACHgECF4AACgkQmZVZoCeBWVWyeQ//S3hfd0chikcg4m/r
EScY2cFL3WxIAexKcDmFOsKZG85fyJxQYQzaZ5zccXWye6t15Y06W4iglE1WFXGB
b3ZYgUev3iNZYjUHNaEB7GvSdtZ8e0RCbj/p/t2JEzU8c0KtGqbeyFXg3EMkGdad
TRh6y8BatGzAdq2aFbmIW5irfLf4BxUB3NnHs93cfkt7heHIN8S7VNViAK0gXdeL
yukHGG9wE0oRIp2Zln6WSnLFH9bdDFgl6lRa0KEQCgh75MsP+y5V0JMGwOtzV5hE
eH0Lz12xJx0MgHacFOwH1YUiVAPDH0Uk/uVuZRWRAdcU5rBQQN4jg8vJjc+25E2l
HpkoLKYPWWHcCG6yl2mVDjgnnM1hzqkbhftXiI0HrZuidM11sMPj0s1xSer/AOaY
SANNnv5CBxojD6M08KAMKk6HzcLILLdbqEjnWuGI8Yt8rT8YfwQBPZeGzfi/8ZMr
f7vM3wqrx+25kASo3luVw6M6YJmuPTwQrQ2HPI7EHDOuLB/o7B0RpUORVC8pHH/Y
aiRzOJghiLxUgi26d4XwwiXd7m1zatCcl6Or0AdVVhbKthQC33HbBTwW9hYXyeK+
sssKaFundLPa3me+BqWTy5bSyc3spCWjK8Bsr5BoUV9mTX60UUsTDzI94DOei8+i
05ksTD5du5kk+tq4PWJWgNfUlOa5Ag0EWmUD1QEQANL89kasctOoEuleT0FlqpMh
1JwF1piS3ek1NjFBUBFxIBKoWnftxfaisanSStN5HDqs1mGCRtQ8/HOsSjjDufcM
7JSXe+IX2dKE85FrlNA5QmpFDf7cAkQqM4y/IbEsOI1f79zIKeS7i0l1oXUZ9bRn
dVUcZb52p3tjw1oTfo1QwKWsUq+93ontCsS1aGm5GLmHFJozoBbrk4+XOBNgsmbi
gcRnVopeCE99kdJTJc1YIndLtED3tDhzJJ/kqpQS9iDs6RNDs9FlYF7vlyD1i6yx
94WdE+xHJUdG4mCu0GxqQyCSmbU5A3SHOKSJ4NrNDNn+5e9Oh8WeK3x/Hn0WBVYg
Eyn4EEilHGhhzuFh7US+QX8AM2R21SrfU7rcbUQ+ZFCIhe5p8aT5MsUF8cztBjcu
IDKO9TirI3+OcEFRS0k1vOubXdRdeoxY89Ap9ssVxvGeJJcipmSVrTsxI3oqS/A9
DNAgIXC0VeZGYfjq6bcFH0+klgJxaY3PuvCspe0XfFQyFMqNvfNFZD5ZAj5DMeOa
wfJMTjw1eHILZLWPYOBXgyIW7RvKrOks+my6+vyFeqNkWKLHxXW7Fu57I0JSlBR+
Zef+s8hZdAju756e79mk4sMiT/2Pfsty1RBwi5JTF+r8A7p6l+ZqLVa5tr07L+Js
QF8+F2fcwGRuRdZsmYOnABEBAAGJAjwEGAEKACYWIQSEVGRmC2hqqzZUC2+ZlVmg
J4FZVQUCWmUD1QIbDAUJB4YfgAAKCRCZlVmgJ4FZVQiRD/4gf2L4CU+zjviH12FC
DZudGDOw4f6f2Q82Z0J45mtOmVUcoqVo5jzl+H1tR2D0XlV+LG7YpegMS06GvOMl
HG3e+0M5IGwhG/Lv0aq7TA4Hd13ZJaHQvieLXbQzelAE0bbn8QeKSMYrJfGzl0v7
zZfBQt7L2t06HQKIkfJDAwFRiNs/EbvLHslOq7VDjoEqxFkRsL1Ie3efOb1ZejeS
b5smfaDJ94plO2Goaj1IHrngQhXu4v+PLqSYQgu4lRUmSOg7FAn/JpWHSsDRf1zf
EW/TyM4ctO05vS//mdMI4xR3D0RMvZieUOUUjjFk0xlWcvboroiZrlz7Xb64uvZw
XGA9iJ1j4IlsBmuE7L6Q61i/o7KR4DlLVMoOPYLpMwtVITWf7HDFiww37JaQutoA
eRvO/GLd7X7aDcB6XReGCYSeD1wczDap+fBkKQlNEctHizkIJG2PD0pNz9EUKeTa
xh0csb+548c/DccCSx62siNSi3WnQwvbbDUVNftGHfifa15d350072jb8LP57O20
GzhdE+0raeg8GqqSeT1MApdInL3BMP+LQxuSpEnEQx9Nsu4bpuSplcTPUot+fNJb
uwg7uetsyqagUI6HSYwbPbmU2ELor+P2LP81Yexwkf/DE215mrIITXnr+dqL5+NG
nNLcOZRqTFo/oxx+IaRhSJ6adg==
=YD80
mDMEYfKEjRYJKwYBBAHaRw8BAQdAJggn9NALyWqrgrFGPJ9RvPb7wYbskxKRKQcL
v+8Hpbq0QVpkZW5layBEb2huYWwgKFRoZSBvbGQgNEQ0MjI3RDcga2V5IHJldm9r
ZWQpIDx6ZG9obmFsQHJlZGhhdC5jb20+iJQEExYKADwWIQRwgqClCi6SZA84gODk
Ui3MmyRv9wUCYfKEjQIbAwULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ
5FItzJskb/fbUQEAm6R78JoZSIOpu68gtUUp1qbfDdsfoQkbdyfws/myB6gA/A6/
9QiIk50DNCmBTisZk5CFP51YNvwnyxafmE3cDn8GuDgEYfKEjRIKKwYBBAGXVQEF
AQEHQF6Qgj5UQqUdvqvnDqygQ6Vm59nRGHbPVDTwendtM5cCAwEIB4h4BBgWCgAg
FiEEcIKgpQoukmQPOIDg5FItzJskb/cFAmHyhI0CGwwACgkQ5FItzJskb/e2CwD/
SyRi/I5Il5XY5VXEL/eBsnNvvtaO0T10V4/vBMiDb+sBAK3YmRl6WStfRiEvMXQv
OhMT+sEjx6ufQXkuPeXHvrgK
=vSEm
-----END PGP PUBLIC KEY BLOCK-----

125
cups.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package cups
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -16,11 +16,12 @@
#
# Cf. https://rpm.org/user_doc/conditional_builds.html
# by default enable testsuite (i.e. in the 'check' section run make check and make test)
#bcond_without testsuite
# disable testsuite for now until https://github.com/OpenPrinting/cups/issues/155 is fixed
%bcond_with testsuite
# By default enable testsuite (i.e. in the 'check' section run 'make test')
# cf. https://rpm.org/user_doc/conditional_builds.html
# To disable the testsuite you may set 'bcond_with testsuite' instead
# until https://github.com/OpenPrinting/cups/issues/155 is actually fixed
# but we do not error out when 'make test' fails (see the 'check' section):
%bcond_without testsuite
# _tmpfilesdir is not defined in systemd macros up to openSUSE 13.2
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
@ -29,34 +30,34 @@ Name: cups
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
Version: 2.3.3op2
Version: 2.4.1
Release: 0
Summary: The Common UNIX Printing System
License: Apache-2.0
Group: Hardware/Printing
URL: https://openprinting.github.io/cups
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.3.3op2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz
# wget --no-check-certificate -O cups-2.4.1-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
# wget --no-check-certificate -O cups-2.3.3op2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz.sig
# To get Source2 go to https://www.msweet.org/pgp.html
# PGP Fingerprint: 845464660B686AAB36540B6F999559A027815955
# wget --no-check-certificate -O cups-2.4.1-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz.sig
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz.sig
# To make Source2 use e.g.
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
# See https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579
# PGP Fingerprint: 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
Source2: cups.keyring
# To manually verify Source0 with Source1 and Source2 do e.g.
# gpg --import cups.keyring
# gpg --list-keys | grep -1 'Michael R Sweet' | grep -v 'expired'
# gpg --verify cups-2.3.3op2-source.tar.gz.sig cups-2.3.3op2-source.tar.gz
# gpg --list-keys | grep -1 'Zdenek Dohnal'
# gpg --verify cups-2.4.1-source.tar.gz.sig cups-2.4.1-source.tar.gz
Source102: Postscript.ppd.gz
Source105: Postscript-level1.ppd.gz
Source106: Postscript-level2.ppd.gz
Source108: cups-client.conf
Source109: baselibs.conf
# Patch0...Patch9 is for patches from upstream:
# Patch1 upstream_pull_174.patch is https://github.com/OpenPrinting/cups/pull/174
# Use 60s timeout for read_thread, revert read limits
Patch1: upstream_pull_174.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
@ -64,15 +65,13 @@ Patch10: cups-2.1.0-choose-uri-template.patch
# Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
# web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments:
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
Patch11: cups-2.1.0-default-webcontent-path.patch
# Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly:
Patch12: cups-2.1.0-cups-systemd-socket.patch
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
Patch100: cups-pam.diff
# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see https://fate.novell.com/303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
Patch101: cups-2.0.3-additional_policies.patch
# Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
# reverts the change which was added by Michael Sweet in Jan 2007
@ -83,8 +82,16 @@ Patch101: cups-2.0.3-additional_policies.patch
Patch103: cups-1.4-do_not_strip_recommended_from_PPDs.patch
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
Patch104: cups-config-libs.patch
# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
# Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
# see https://bugzilla.suse.com/show_bug.cgi?id=1181400
# and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
# where the default hardening settings are enhanced by adding
# ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
Patch107: harden_cups.service.patch
# Patch108 downgrade-autoconf-requirement.patch
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
Patch108: downgrade-autoconf-requirement.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@ -279,24 +286,19 @@ printer drivers for CUPS.
%prep
%setup -q
# Patch0...Patch9 is for patches from upstream:
# Patch1 upstream_pull_174.patch is https://github.com/OpenPrinting/cups/pull/174
# Use 60s timeout for read_thread, revert read limits
%patch1 -p1
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
%patch10 -b choose-uri-template.orig
# Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
# web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments:
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
%patch11 -b default-webcontent-path.orig
# Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly:
#patch12 -b cups-systemd-socket.orig
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
%patch100 -b cups-pam.orig
# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
# see https://fate.novell.com/303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
%patch101 -b additional_policies.orig
# Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
# reverts the change which was added by Michael Sweet in Jan 2007
@ -307,8 +309,16 @@ printer drivers for CUPS.
%patch103 -b do_not_strip_recommended_from_PPDs.orig
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
%patch104 -b cups-config-libs.orig
# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
%patch106 -p1
# Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
# see https://bugzilla.suse.com/show_bug.cgi?id=1181400
# and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
# where the default hardening settings are enhanced by adding
# ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
%patch107 -p1 -b harden_cups.service.orig
# Patch108 downgrade-autoconf-requirement.patch
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
%patch108 -p1 -b downgrade-autoconf-requirement.orig
%build
# Remove ".SILENT" rule for verbose build output
@ -327,7 +337,7 @@ export CC=cc
# default with-docdir path whereto the web content is installed
# from /usr/share/doc/cups to /usr/share/cups/webcontent because the
# files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments
# so that the new default could be used as is but upstream may accept
# cups-2.1.0-default-webcontent-path.patch in general but change its default
# so that with-docdir is explicitly set here to be future proof.
@ -377,6 +387,14 @@ install -m644 %{SOURCE108} %{buildroot}%{_sysconfdir}/cups/client.conf
# Make the libraries accessible also via generic named links:
ln -sf libcupsimage.so.2 %{buildroot}%{_libdir}/libcupsimage.so
ln -sf libcups.so.2 %{buildroot}%{_libdir}/libcups.so
# Move /usr/lib/pkgconfig/cups.pc to _libdir if it is not there
# to avoid a conflict that cups-devel and cups-devel-32bit
# would both contain /usr/lib/pkgconfig/cups.pc because
# when cups.pc is arch dependent it has to be in _libdir
# which it is because it contains 'libdir=/usr/lib64' on x86_64
# (if it was arch independent it would have to be in _datadir)
# cf. https://build.opensuse.org/request/show/965680
test -d %{buildroot}%{_libdir}/pkgconfig || mv %{buildroot}/usr/lib/pkgconfig %{buildroot}%{_libdir}/pkgconfig
# Add missing usual directories:
install -d -m755 %{buildroot}%{_datadir}/cups/drivers
install -d -m755 %{buildroot}%{_localstatedir}/cache/cups
@ -398,7 +416,7 @@ install -m 644 %{SOURCE106} %{buildroot}%{_datadir}/cups/model/Postscript-level2
rm -f %{buildroot}%{_datadir}/applications/cups.desktop
rm -rf %{buildroot}%{_datadir}/icons
# Save /etc/cups/cupsd.conf and /etc/cups/cupsd.conf.default from becoming hardlinked
# via the fdupes run below, see https://bugzilla.novell.com/show_bug.cgi?id=773971
# via the fdupes run below, see https://bugzilla.suse.com/show_bug.cgi?id=773971
# by making their content different and at the same time fix the misleading comment.
# Intentionally let the build fail if 'grep' does not find what 'sed' should change
# because if upstream changed it 'sed' would silently no longer change the files:
@ -427,22 +445,38 @@ EOF
# Never run fdupes carelessly over the whole buildroot directory
# because in older openSUSE and SLE11 versions fdupes
# links files with different owner, group, or permissions
# see https://bugzilla.novell.com/show_bug.cgi?id=784670
# see https://bugzilla.suse.com/show_bug.cgi?id=784670
# and even in current openSUSE versions fdupes links across sub-package
# boundaries, compare https://bugzilla.novell.com/show_bug.cgi?id=784869
# boundaries, compare https://bugzilla.suse.com/show_bug.cgi?id=784869
%fdupes -s %{buildroot}/%{_datadir}/cups/templates
%check
%if %{with testsuite}
# There appears to be some kind of race condition when running make check and make test
# There appears to be some kind of race condition when running 'make test'
# cf. https://github.com/OpenPrinting/cups/issues/155
# We print all logs for debugging purposes if either testsuite fails
echo "DEBUG: running make check"
bash -c 'make %{?_smp_mflags} check; EXIT=$?; if [ $EXIT -ne 0 ]; then cat test/*_log*-$(whoami); fi; exit $EXIT'
echo "DEBUG: running make test"
bash -c 'make %{?_smp_mflags} test; EXIT=$?; if [ $EXIT -ne 0 ]; then cat test/*_log*-$(whoami); fi; exit $EXIT'
# so we do not call 'make %{?_smp_mflags} test' but plain 'make test'
# cf. https://github.com/OpenPrinting/cups/issues/155#issuecomment-802886811
# We print the log files for debugging purposes if the testsuite fails.
# The log files in the test directory are named like
# access_log-2022-03-04-abuild
# debug_log-2022-03-04-abuild
# error_log-2022-03-04-abuild
# page_log-2022-03-04-abuild
# We do not error out because https://github.com/OpenPrinting/cups/issues/155
# is not yet actually fixed so currently the testsuite still sometimes fails:
echo "TEST: running 'make test'"
if make test
then echo "TEST: succeeded"
else echo "TEST: 'make test' FAILED"
for logfile in test/*_log-*-$(whoami)
do echo "TEST: printing log file $logfile:"
cat $logfile
echo "TEST: end of log file $logfile"
done
echo "TEST: end of printing log files"
fi
%else
echo "DEBUG: skipped running make check and make test, cf. https://github.com/OpenPrinting/cups/issues/155"
echo "TEST: skipped 'make test', cf. https://github.com/OpenPrinting/cups/issues/155"
%endif
%pre -p /bin/bash
@ -527,7 +561,7 @@ exit 0
# This avoids that CUPS' configure magic might silently
# not build and install an executable when whatever condition
# for configure's automated tests is not fulfilled in the build system.
# See https://bugzilla.novell.com/show_bug.cgi?id=526847#c9
# See https://bugzilla.suse.com/show_bug.cgi?id=526847#c9
# Regarding specific owner group and permission settings for directories
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161
# When cupsd creates directories with specific owner group and permissions
@ -682,6 +716,7 @@ exit 0
%{_includedir}/cups/
%{_libdir}/libcups.so
%{_libdir}/libcupsimage.so
%{_libdir}/pkgconfig/cups.pc
%files ddk
%defattr(-,root,root)

15
downgrade-autoconf-requirement.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/configure.ac b/configure.ac
index a8c6c1040..6ace74a8d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0. See the file "LICENSE" for more
dnl information.
dnl
-dnl We need at least autoconf 2.71...
-AC_PREREQ([2.71])
+dnl We need at least autoconf 2.69...
+AC_PREREQ([2.69])
dnl Package name and version...
AC_INIT([CUPS],[2.4.1],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])

223
fix-negotiate-authentication-between-CGIs-and-scheduler.patch
View File

@ -1,223 +0,0 @@
From d4521ed0df7e625ccf2bc079bab6f48c46ef9bf9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 26 Oct 2020 17:35:22 +0100
Subject: [PATCH 1/4] Avoid infinite loop in admin.cgi when negotiate is used
SetAuthorizationString with NULL argument sets an empty string.
Related: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cups/auth.c b/cups/auth.c
index db45bbba6..f2409350a 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -295,7 +295,7 @@ cupsDoAuthentication(
}
}
- if (http->authstring)
+ if (http->authstring && http->authstring[0])
{
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
--
2.30.2
From 61ad7780bc7d0593e3225d088ac6dff31badf801 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:11:41 +0100
Subject: [PATCH 2/4] Add cups_is_local_connection() to check if connection is
to localhost
Related: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/cups/auth.c b/cups/auth.c
index f2409350a..d2956438d 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
# define cups_gss_printf(major, minor, message)
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int cups_is_local_connection(http_t *http);
static int cups_local_auth(http_t *http);
@@ -916,6 +917,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int /* O - 0 if not a local connection */
+ /* 1 if local connection */
+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
+{
+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ return 0;
+ return 1;
+}
/*
* 'cups_local_auth()' - Get the local authorization certificate if
@@ -958,7 +967,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
* See if we are accessing localhost...
*/
- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ if (!cups_is_local_connection(http))
{
DEBUG_puts("8cups_local_auth: Not a local connection!");
return (1);
--
2.30.2
From f629d079750a86b1b605c285f99c0dea3933ca50 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:23:30 +0100
Subject: [PATCH 3/4] Try local kerberos ccache credentials only for remote
servers
If connecting to localhost then proceed to ask the client for the
authorization using cupsGetPassword2. The get password callback will
return 401 to the client with WWW-Authenticate: Negotiate.
Fixes: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/cups/auth.c b/cups/auth.c
index d2956438d..9661657fc 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -175,10 +175,10 @@ cupsDoAuthentication(
DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
#ifdef HAVE_GSSAPI
- if (!_cups_strcasecmp(scheme, "Negotiate"))
+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
{
/*
- * Kerberos authentication...
+ * Kerberos authentication to remote server...
*/
int gss_status; /* Auth status */
@@ -202,7 +202,9 @@ cupsDoAuthentication(
}
else
#endif /* HAVE_GSSAPI */
- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
+ if (_cups_strcasecmp(scheme, "Basic") &&
+ _cups_strcasecmp(scheme, "Digest") &&
+ _cups_strcasecmp(scheme, "Negotiate"))
{
/*
* Other schemes not yet supported...
@@ -216,7 +218,7 @@ cupsDoAuthentication(
* See if we should retry the current username:password...
*/
- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
+ if (http->digest_tries > 1 || !http->userpass[0])
{
/*
* Nope - get a new password from the user...
--
2.30.2
From 0563a28b18b21d5574a5e0e38b74246146074bbf Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:18:03 +0100
Subject: [PATCH 4/4] Allow Local authentication for Negotiate
PeerCred is also possible if address family is AF_LOCAL. This will allow
the CGI programs to generate the authorization from the local
certificates based on PID also when Negotiate is used for local
connections:
Client CGI
Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler
| | |
+ --- HTTP/POST /admin/ --> | |
| + --- CUPS-Get-Devices ------------> |
| | |
| | <-- 401 Unauthorized --------------+
| | WWW-Authenticate: |
| | Negotiate, (PeerCred,) Local |
| | |
| <-- 401 Unauthorized -----+ |
| WWW-Authenticate: | |
| Negotiate | |
| | |
| --- HTTP/POST /admin/ --> | |
| Authorization: + --- IPP CUPS-GetDevices ---------> |
| Negotiate | Authorization: Local <cert> |
| | |
Fixes: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
cups/auth.c | 5 -----
scheduler/client.c | 9 ++-------
2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/cups/auth.c b/cups/auth.c
index 9661657fc..b6fec6b98 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
}
# endif /* HAVE_AUTHORIZATION_H */
-# ifdef HAVE_GSSAPI
- if (cups_auth_find(www_auth, "Negotiate"))
- return (1);
-# endif /* HAVE_GSSAPI */
-
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
/*
* See if we can authenticate using the peer credentials provided over a
diff --git a/scheduler/client.c b/scheduler/client.c
index c2ee8f12a..56797d58d 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2109,18 +2109,13 @@ cupsdSendHeader(
}
else if (auth_type == CUPSD_AUTH_NEGOTIATE)
{
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
- else
-#endif /* SO_PEERCRED && AF_LOCAL */
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
}
- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
{
/*
- * Add a "trc" (try root certification) parameter for local non-Kerberos
+ * Add a "trc" (try root certification) parameter for local
* requests when the request requires system group membership - then the
* client knows the root certificate can/should be used.
*
--
2.30.2

26
harden_cups.service.patch Normal file
View File

@ -0,0 +1,26 @@
Index: cups-2.3.3op2/scheduler/cups.service.in
===================================================================
--- cups-2.3.3op2.orig/scheduler/cups.service.in
+++ cups-2.3.3op2/scheduler/cups.service.in
@@ -5,6 +5,21 @@ After=network.target sssd.service ypbind
Requires=cups.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+# cupsd needs write access in /etc/cups see
+# https://bugzilla.opensuse.org/show_bug.cgi?id=1195288
+ReadWritePaths=/etc/cups
+# end of SUSE additions
ExecStart=@sbindir@/cupsd -l
Type=notify
Restart=on-failure

53
upstream_pull_174.patch
View File

@ -1,53 +0,0 @@
From c37d71b1a31d26a4790166e2508822b18934a5c0 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Tue, 13 Apr 2021 15:44:14 +0200
Subject: [PATCH 1/2] backend/usb-libusb.c: Use 60s timeout for reading at
backchannel
Some older models malfunction if timeout is too short.
---
CHANGES.md | 1 +
backend/usb-libusb.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/backend/usb-libusb.c
+++ b/backend/usb-libusb.c
@@ -1704,7 +1704,7 @@ static void *read_thread(void *reference)
readstatus = libusb_bulk_transfer(g.printer->handle,
g.printer->read_endp,
readbuffer, rbytes,
- &rbytes, 250);
+ &rbytes, 60000);
if (readstatus == LIBUSB_SUCCESS && rbytes > 0)
{
fprintf(stderr, "DEBUG: Read %d bytes of back-channel data...\n", (int)rbytes);
From 4cb6f6806cdbe040d478b266a1d351b19341dd79 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Tue, 13 Apr 2021 15:47:37 +0200
Subject: [PATCH 2/2] backend/usb-libusb.c: Revert enforcing read limits
This commit reverts the change introduced by 2.2.12 [1] - its
implementation caused a regression with Lexmark filters.
[1]
https://github.com/apple/cups/commit/35e927f83529cd9b4bc37bcd418c50e307fced35
---
CHANGES.md | 1 +
backend/usb-libusb.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/backend/usb-libusb.c b/backend/usb-libusb.c
index fbb0d9d89..89b5182f7 100644
--- a/backend/usb-libusb.c
+++ b/backend/usb-libusb.c
@@ -1721,7 +1721,8 @@ static void *read_thread(void *reference)
* Make sure this loop executes no more than once every 250 miliseconds...
*/
- if ((g.wait_eof || !g.read_thread_stop))
+ if ((readstatus != LIBUSB_SUCCESS || rbytes == 0) &&
+ (g.wait_eof || !g.read_thread_stop))
usleep(250000);
}
while (g.wait_eof || !g.read_thread_stop);