Accepting request 1180032 from Printing

Fix for CVE-2024-35235 bsc#1225365 (forwarded request 1180031 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1180032
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=173

cups-2.4.7-source.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c
-size 8134809

cups-2.4.8-CVE-2024-35235.patch

@@ -0,0 +1,87 @@
+--- cups/http-addr.c.orig	2024-04-26 13:38:21.000000000 +0200
++++ cups/http-addr.c	2024-06-11 10:20:21.866920900 +0200
+@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr,	/* I -
+   {
+     mode_t	mask;			/* Umask setting */
+ 
+-   /*
+-    * Remove any existing domain socket file...
+-    */
+-
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
+-
+-   /*
+-    * Bind the domain socket...
+-    */
+-
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+-
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
+-
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++    // Remove any existing domain socket file...
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++
++      if (errno == ENOENT)
++        status = 0;
++    }
++
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
++
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++      {
++        DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++      }
++
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+--- scheduler/conf.c.orig	2024-04-26 13:38:21.000000000 +0200
++++ scheduler/conf.c	2024-06-11 10:14:06.091882607 +0200
+@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
+ 
+ 
+      /*
++      * If we are launched on-demand, do not use domain sockets from the config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++        continue;
++      }
++
++     /*
+       * Get the address list...
+       */
+ 

cups-2.4.8-source.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0
+size 8142007

cups.changes

@@ -1,3 +1,82 @@
+-------------------------------------------------------------------
+Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
+
+- cups-2.4.8-CVE-2024-35235.patch is derived
+  from the upstream patch against master (CUPS 2.5)
+  to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
+  "cupsd Listen port arbitrary chmod 0140777"
+  https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+  bsc#1225365
+
+-------------------------------------------------------------------
+Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.4.8:
+  See https://github.com/openprinting/cups/releases
+  CUPS 2.4.8 brings many bug fixes which aggregated over the last
+  half a year. It brings the important fix for race conditions
+  and errors which can happen when installing permanent
+  IPP Everywhere printer, support for PAM modules password-auth
+  and system-auth and new option for lpstat which can show only
+  the successful jobs.
+  Detailed list (from CHANGES.md):
+  * Added warning if the device has to be asked for
+    'all,media-col-database' separately (Issue #829)
+  * Added new value for 'lpstat' option '-W' - successfull - for
+    getting successfully printed jobs (Issue #830)
+  * Added support for PAM modules password-auth
+    and system-auth (Issue #892)
+  * Updated IPP Everywhere printer creation error
+    reporting (Issue #347)
+  * Updated and documented the MIME typing buffering
+    limit (Issue #925)
+  * Raised 'cups_enum_dests()' timeout for listing
+    available IPP printers (Issue #751)
+  * Now report an error for temporary printer defaults
+    with lpadmin (Issue #237)
+  * Fixed mapping of PPD InputSlot, MediaType,
+    and OutputBin values (Issue #238)
+  * Fixed "document-unprintable-error" handling (Issue #391)
+  * Fixed the web interface not showing an error
+    for a non-existent printer (Issue #423)
+  * Fixed printing of jobs with job name longer than 255 chars
+    on older printers (Issue #644)
+  * Really backported fix for Issue #742
+  * Fixed 'cupsCopyDestInfo' device connection
+    detection (Issue #586)
+  * Fixed "Upgrade" header handling when there is
+    no TLS support (Issue #775)
+  * Fixed memory leak when unloading a job (Issue #813)
+  * Fixed memory leak when creating color profiles (Issue #815)
+  * Fixed a punch finishing bug in the IPP Everywhere
+    support (Issue #821)
+  * Fixed crash in 'scan_ps()' if incoming argument
+    is NULL (Issue #831)
+  * Fixed setting job state reasons for successful
+    jobs (Issue #832)
+  * Fixed infinite loop in IPP backend if hostname
+    is IP address with Kerberos (Issue #838)
+  * Added additional check on socket if 'revents' from 'poll()'
+    returns POLLHUP together with POLLIN or POLLOUT
+    in 'httpAddrConnect2()' (Issue #839)
+  * Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850)
+  * Fixed reporting 'media-source-supported' when
+    sharing printer  which has numbers as strings instead of
+    keywords as 'InputSlot' values (Issue #859)
+  * Fixed IPP backend to support the "print-scaling" option
+    with IPP printers (Issue #862)
+  * Fixed potential race condition for the creation
+    of temporary queues (Issue #871)
+  * Fixed 'httpGets' timeout handling (Issue #879)
+  * Fixed checking for required attributes during
+    PPD generation (Issue #890)
+  * Fixed encoding of IPv6 addresses in HTTP requests (Issue #903)
+  * Fixed sending response headers to client (Issue #927)
+  * Fixed CGI program initialization and validation
+    of form checkbox and text fields.
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.8
+
 -------------------------------------------------------------------
 Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 

cups.spec

@@ -40,7 +40,7 @@ Name:           cups
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
 # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version:        2.4.7
+Version:        2.4.8
 Release:        0
 Summary:        The Common UNIX Printing System
 License:        Apache-2.0
@@ -48,10 +48,10 @@ Group:          Hardware/Printing
 URL:            https://openprinting.github.io/cups
 # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
 # wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
-Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
+Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz
 # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
 # wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
-Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
+Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig
 # To make Source2 use e.g.
 #   gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
 #   gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@@ -103,6 +103,13 @@ Patch108:       downgrade-autoconf-requirement.patch
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 Patch112:       cups-2.4.2-additional_policies.patch
+# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
+# to apply to CUPS 2.4.8 in openSUSE Factory
+# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+# https://bugzilla.suse.com/show_bug.cgi?id=1225365
+Patch113:       cups-2.4.8-CVE-2024-35235.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
@@ -330,6 +337,13 @@ printer drivers for CUPS.
 # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
 # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
 %patch -P 112 -b cups-2.4.2-additional_policies.orig
+# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
+# to apply to CUPS 2.4.8 in openSUSE Factory
+# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+# https://bugzilla.suse.com/show_bug.cgi?id=1225365
+%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
 
 %build
 # Remove ".SILENT" rule for verbose build output

downgrade-autoconf-requirement.patch

@@ -1,5 +1,7 @@
---- configure.ac.orig	2023-09-20 15:25:54.000000000 +0200
-+++ configure.ac	2024-01-24 09:19:28.344274065 +0100
+Index: configure.ac
+===================================================================
+--- configure.ac.orig
++++ configure.ac
 @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
  dnl information.
  dnl
@@ -10,4 +12,4 @@
 +AC_PREREQ([2.69])
  
  dnl Package name and version...
- AC_INIT([CUPS],[2.4.7],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
+ AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])