From 82b4e584ace745517feab0a5ebfb906e1024f1f1f3579f221d617b314ac6b2a3 Mon Sep 17 00:00:00 2001 
From: Johannes Meixner Date: Tue, 4 Jun 2024 08:49:04 +0000 Subject: [PATCH 1/3] Accepting request 1177576 from home:dimstar:Factory - Update to version 2.4.8: + Added warning if the device has to be asked for 'all,media-col-database' separately. + Added new value for 'lpstat' option '-W' - successfull - for getting successfully printed jobs. + Added support for PAM modules password-auth and system-auth. + Updated IPP Everywhere printer creation error reporting. + Updated and documented the MIME typing buffering limit. + Now report an error for temporary printer defaults with lpadmin. + Fixed mapping of PPD InputSlot, MediaType, and OutputBin values. + Fixed "document-unprintable-error" handling. + Fixed the web interface not showing an error for a non-existent printer. + Fixed printing of jobs with job name longer than 255 chars on older printers. + Fixed cupsCopyDestInfo device connection detection. + Fixed "Upgrade" header handling when there is no TLS support. + Fixed memory leak when unloading a job. + Fixed memory leak when creating color profiles. + Fixed a punch finishing bug in the IPP Everywhere support. + Fixed crash in scan_ps() if incoming argument is NULL. + Fixed setting job state reasons for successful jobs. + Fixed infinite loop in IPP backend if hostname is IP address with Kerberos. + Added additional check on socket if revents from poll() returns POLLHUP together with POLLIN or POLLOUT in httpAddrConnect2(). + Fixed crash in ppdEmitString() if size is NULL. 
+ Fixed reporting media-source-supported when sharing printer OBS-URL: https://build.opensuse.org/request/show/1177576 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=409 --- cups-2.4.7-source.tar.gz | 3 -- cups-2.4.7-source.tar.gz.sig | Bin 119 -> 0 bytes cups-2.4.8-source.tar.gz | 3 ++ cups-2.4.8-source.tar.gz.sig | Bin 0 -> 119 bytes cups.changes | 46 +++++++++++++++++++++++++++ cups.spec | 6 ++-- downgrade-autoconf-requirement.patch | 8 +++-- 7 files changed, 57 insertions(+), 9 deletions(-) delete mode 100644 cups-2.4.7-source.tar.gz delete mode 100644 cups-2.4.7-source.tar.gz.sig create mode 100644 cups-2.4.8-source.tar.gz create mode 100644 cups-2.4.8-source.tar.gz.sig diff --git a/cups-2.4.7-source.tar.gz b/cups-2.4.7-source.tar.gz deleted file mode 100644 index 41d3d7a..0000000 --- a/cups-2.4.7-source.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c -size 8134809 diff --git a/cups-2.4.7-source.tar.gz.sig b/cups-2.4.7-source.tar.gz.sig deleted file mode 100644 index 8396880b389b7dcb660155fe9c718cb7c152315bb8aaf240052804c8056e146c..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 119 zcmeAuWnmEGVvrS6WGQG`u#`)0QVPFC!-FS5x@TsqZ0sfZBYp`Hg4urVPrVH{ZX%+*-ek-(GmRT|L@l| U)M1=-`h`t}XpBLaM$CRb07wZk$N&HU diff --git a/cups-2.4.8-source.tar.gz b/cups-2.4.8-source.tar.gz new file mode 100644 index 0000000..e1bd316 --- /dev/null +++ b/cups-2.4.8-source.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0 +size 8142007 
diff --git a/cups-2.4.8-source.tar.gz.sig b/cups-2.4.8-source.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..ef6db51bf4567af21276b3697259e39bf7c9c9740430772217af7937fe43357c GIT binary patch literal 119 zcmeAuWnmEGVvrS6WGQG`u#`)0QVPFC!-FS5x@Tsq4t_a0Fg=sD*DLrsB_@vuwUI14JHgo_0 literal 0 HcmV?d00001 diff --git a/cups.changes b/cups.changes index 4d3f78f..c78c7d0 100644 --- a/cups.changes +++ b/cups.changes 
@@ -1,3 +1,49 @@ +------------------------------------------------------------------- +Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger + +- Update to version 2.4.8: + + Added warning if the device has to be asked for + 'all,media-col-database' separately. + + Added new value for 'lpstat' option '-W' - successfull - for + getting successfully printed jobs. + + Added support for PAM modules password-auth and system-auth. + + Updated IPP Everywhere printer creation error reporting. + + Updated and documented the MIME typing buffering limit. + + Now report an error for temporary printer defaults with + lpadmin. + + Fixed mapping of PPD InputSlot, MediaType, and OutputBin + values. + + Fixed "document-unprintable-error" handling. + + Fixed the web interface not showing an error for a non-existent + printer. + + Fixed printing of jobs with job name longer than 255 chars on + older printers. + + Fixed cupsCopyDestInfo device connection detection. + + Fixed "Upgrade" header handling when there is no TLS support. + + Fixed memory leak when unloading a job. + + Fixed memory leak when creating color profiles. + + Fixed a punch finishing bug in the IPP Everywhere support. + + Fixed crash in scan_ps() if incoming argument is NULL. + + Fixed setting job state reasons for successful jobs. + + Fixed infinite loop in IPP backend if hostname is IP address + with Kerberos. + + Added additional check on socket if revents from poll() returns + POLLHUP together with POLLIN or POLLOUT in httpAddrConnect2(). + + Fixed crash in ppdEmitString() if size is NULL. + + Fixed reporting media-source-supported when sharing printer + which has numbers as strings instead of keywords as InputSlot + values. + + Fixed IPP backend to support the "print-scaling" option with + IPP printers. + + Fixed potential race condition for the creation of temporary + queues. + + Fixed httpGets timeout handling. + + Fixed checking for required attributes during PPD generation. 
+ + Fixed encoding of IPv6 addresses in HTTP requests. + + Fixed sending response headers to client. + + Fixed CGI program initialization and validation of form + checkbox and text fields. + ------------------------------------------------------------------- Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger diff --git a/cups.spec b/cups.spec index 1aca9b2..400fc66 100644 --- a/cups.spec +++ b/cups.spec @@ -40,7 +40,7 @@ Name: cups # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work: -Version: 2.4.7 +Version: 2.4.8 Release: 0 Summary: The Common UNIX Printing System License: Apache-2.0 @@ -48,10 +48,10 @@ Group: Hardware/Printing URL: https://openprinting.github.io/cups # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g. # wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz -Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz +Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g. # wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig -Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig +Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig # To make Source2 use e.g. # gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 # gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring diff --git a/downgrade-autoconf-requirement.patch b/downgrade-autoconf-requirement.patch index 7647590..b2da577 100644 
--- a/downgrade-autoconf-requirement.patch +++ b/downgrade-autoconf-requirement.patch @@ -1,5 +1,7 @@ ---- configure.ac.orig 2023-09-20 15:25:54.000000000 +0200 -+++ configure.ac 2024-01-24 09:19:28.344274065 +0100 +Index: configure.ac +=================================================================== +--- configure.ac.orig ++++ configure.ac @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0. dnl information. dnl @@ -10,4 +12,4 @@ +AC_PREREQ([2.69]) dnl Package name and version... - AC_INIT([CUPS],[2.4.7],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups]) + AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups]) From 6eb4ff17385f8944ff3bf2193edbcc68e89689b84923e6af3133dfa6b58f849a Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Tue, 4 Jun 2024 09:09:41 +0000 Subject: [PATCH 2/3] Reformatted and enhanced latest changes entry OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=410 --- cups.changes | 105 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 64 insertions(+), 41 deletions(-) diff --git a/cups.changes b/cups.changes index c78c7d0..25639e7 100644 --- a/cups.changes +++ b/cups.changes 
@@ -2,47 +2,70 @@ Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger - Update to version 2.4.8: - + Added warning if the device has to be asked for - 'all,media-col-database' separately. - + Added new value for 'lpstat' option '-W' - successfull - for - getting successfully printed jobs. - + Added support for PAM modules password-auth and system-auth. - + Updated IPP Everywhere printer creation error reporting. - + Updated and documented the MIME typing buffering limit. - + Now report an error for temporary printer defaults with - lpadmin. - + Fixed mapping of PPD InputSlot, MediaType, and OutputBin - values. - + Fixed "document-unprintable-error" handling. - + Fixed the web interface not showing an error for a non-existent - printer. - + Fixed printing of jobs with job name longer than 255 chars on - older printers. - + Fixed cupsCopyDestInfo device connection detection. - + Fixed "Upgrade" header handling when there is no TLS support. - + Fixed memory leak when unloading a job. - + Fixed memory leak when creating color profiles. - + Fixed a punch finishing bug in the IPP Everywhere support. - + Fixed crash in scan_ps() if incoming argument is NULL. - + Fixed setting job state reasons for successful jobs. - + Fixed infinite loop in IPP backend if hostname is IP address - with Kerberos. - + Added additional check on socket if revents from poll() returns - POLLHUP together with POLLIN or POLLOUT in httpAddrConnect2(). - + Fixed crash in ppdEmitString() if size is NULL. - + Fixed reporting media-source-supported when sharing printer - which has numbers as strings instead of keywords as InputSlot - values. - + Fixed IPP backend to support the "print-scaling" option with - IPP printers. - + Fixed potential race condition for the creation of temporary - queues. - + Fixed httpGets timeout handling. - + Fixed checking for required attributes during PPD generation. - + Fixed encoding of IPv6 addresses in HTTP requests. - + Fixed sending response headers to client. 
- + Fixed CGI program initialization and validation of form - checkbox and text fields. + See https://github.com/openprinting/cups/releases + CUPS 2.4.8 brings many bug fixes which aggregated over the last + half a year. It brings the important fix for race conditions + and errors which can happen when installing permanent + IPP Everywhere printer, support for PAM modules password-auth + and system-auth and new option for lpstat which can show only + the successful jobs. + Detailed list (from CHANGES.md): + * Added warning if the device has to be asked for + 'all,media-col-database' separately (Issue #829) + * Added new value for 'lpstat' option '-W' - successfull - for + getting successfully printed jobs (Issue #830) + * Added support for PAM modules password-auth + and system-auth (Issue #892) + * Updated IPP Everywhere printer creation error + reporting (Issue #347) + * Updated and documented the MIME typing buffering + limit (Issue #925) + * Raised 'cups_enum_dests()' timeout for listing + available IPP printers (Issue #751) + * Now report an error for temporary printer defaults + with lpadmin (Issue #237) + * Fixed mapping of PPD InputSlot, MediaType, + and OutputBin values (Issue #238) + * Fixed "document-unprintable-error" handling (Issue #391) + * Fixed the web interface not showing an error + for a non-existent printer (Issue #423) + * Fixed printing of jobs with job name longer than 255 chars + on older printers (Issue #644) + * Really backported fix for Issue #742 + * Fixed 'cupsCopyDestInfo' device connection + detection (Issue #586) + * Fixed "Upgrade" header handling when there is + no TLS support (Issue #775) + * Fixed memory leak when unloading a job (Issue #813) + * Fixed memory leak when creating color profiles (Issue #815) + * Fixed a punch finishing bug in the IPP Everywhere + support (Issue #821) + * Fixed crash in 'scan_ps()' if incoming argument + is NULL (Issue #831) + * Fixed setting job state reasons for successful + jobs (Issue #832) + * 
Fixed infinite loop in IPP backend if hostname + is IP address with Kerberos (Issue #838) + * Added additional check on socket if 'revents' from 'poll()' + returns POLLHUP together with POLLIN or POLLOUT + in 'httpAddrConnect2()' (Issue #839) + * Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850) + * Fixed reporting 'media-source-supported' when + sharing printer which has numbers as strings instead of + keywords as 'InputSlot' values (Issue #859) + * Fixed IPP backend to support the "print-scaling" option + with IPP printers (Issue #862) + * Fixed potential race condition for the creation + of temporary queues (Issue #871) + * Fixed 'httpGets' timeout handling (Issue #879) + * Fixed checking for required attributes during + PPD generation (Issue #890) + * Fixed encoding of IPv6 addresses in HTTP requests (Issue #903) + * Fixed sending response headers to client (Issue #927) + * Fixed CGI program initialization and validation + of form checkbox and text fields. + Issues are those at https://github.com/OpenPrinting/cups/issues +- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.8 ------------------------------------------------------------------- Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger From 9c2057097a7eb0919c4b9ab9a5ed2b0f482db4170ac9be297798c2111b68dc85 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Tue, 11 Jun 2024 14:28:04 +0000 Subject: [PATCH 3/3] Accepting request 1180031 from home:jsmeix:branches:Printing Fix for CVE-2024-35235 bsc#1225365 OBS-URL: https://build.opensuse.org/request/show/1180031 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=411 --- cups-2.4.8-CVE-2024-35235.patch | 87 +++++++++++++++++++++++++++++++++ cups.changes | 10 ++++ cups.spec | 14 ++++++ 3 files changed, 111 insertions(+) create mode 100644 cups-2.4.8-CVE-2024-35235.patch diff --git a/cups-2.4.8-CVE-2024-35235.patch b/cups-2.4.8-CVE-2024-35235.patch new file mode 100644 index 0000000..5529ad0 --- /dev/null 
+++ b/cups-2.4.8-CVE-2024-35235.patch 
@@ -0,0 +1,87 @@
+--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
++++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
+@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
+ {
+ mode_t mask; /* Umask setting */
+
+- /*
+- * Remove any existing domain socket file...
+- */
+-
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
+-
+- /*
+- * Bind the domain socket...
+- */
+-
+- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+-
+- /*
+- * Restore the umask and fix permissions...
+- */
+-
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ // Remove any existing domain socket file...
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++
++ if (errno == ENOENT)
++ status = 0;
++ }
++
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
++
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++ }
++
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
+--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
++++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
+@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
+
+
+ /*
++ * If we are launched on-demand, do not use domain sockets from the config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
++
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++ continue;
++ }
++
++ /*
+ * Get the address list...
+ */
+
diff --git a/cups.changes b/cups.changes
index 25639e7..ba077a2 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner
+
+- cups-2.4.8-CVE-2024-35235.patch is derived
+ from the upstream patch against master (CUPS 2.5)
+ to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
+ "cupsd Listen port arbitrary chmod 0140777"
+ https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
+ bsc#1225365
+
 -------------------------------------------------------------------
 Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger
 
diff --git a/cups.spec b/cups.spec
index 400fc66..c0784f8 100644
--- a/cups.spec
+++ b/cups.spec
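Review bot: In the http-addr.c part of the new patch, the unlink failure path evaluates `DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", ..., strerror(errno)))` before the `if (errno == ENOENT)` test; if DEBUG_printf expands to a real logging call in debug builds it can overwrite errno, so a merely missing socket file would then leave status negative and the bind would be skipped. Reading errno once up front avoids that: `int err = errno; DEBUG_printf((..., strerror(err))); if (err == ENOENT) status = 0;`. httpAddrListen starts before and continues after the inner hunk, so how a negative status from unlink is surfaced to the caller is not visible here. Separately, the patch file carries no descriptive header before its first `---` line; a line such as `Backport of the upstream fix for GHSA-vvwp-mv6j-hw6f (CVE-2024-35235) to CUPS 2.4.8` at the top would keep the provenance with the patch itself rather than only in cups.spec and cups.changes.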
@@ -103,6 +103,13 @@ Patch108: downgrade-autoconf-requirement.patch # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 Patch112: cups-2.4.2-additional_policies.patch +# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5) +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901 +# to apply to CUPS 2.4.8 in openSUSE Factory +# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777" +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f +# https://bugzilla.suse.com/show_bug.cgi?id=1225365 +Patch113: cups-2.4.8-CVE-2024-35235.patch # Build Requirements: BuildRequires: dbus-1-devel BuildRequires: fdupes @@ -330,6 +337,13 @@ printer drivers for CUPS. # Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf # see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 %patch -P 112 -b cups-2.4.2-additional_policies.orig +# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5) +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901 +# to apply to CUPS 2.4.8 in openSUSE Factory +# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777" +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f +# https://bugzilla.suse.com/show_bug.cgi?id=1225365 +%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig %build # Remove ".SILENT" rule for verbose build output