Accepting request 1180032 from Printing
Fix for CVE-2024-35235 bsc#1225365 (forwarded request 1180031 from jsmeix) OBS-URL: https://build.opensuse.org/request/show/1180032 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=173
This commit is contained in:
commit
a6cdaa2d65
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c
|
|
||||||
size 8134809
|
|
Binary file not shown.
87
cups-2.4.8-CVE-2024-35235.patch
Normal file
87
cups-2.4.8-CVE-2024-35235.patch
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
|
||||||
|
+++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
|
||||||
|
@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
|
||||||
|
{
|
||||||
|
mode_t mask; /* Umask setting */
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * Remove any existing domain socket file...
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- unlink(addr->un.sun_path);
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Save the current umask and set it to 0 so that all users can access
|
||||||
|
- * the domain socket...
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- mask = umask(0);
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Bind the domain socket...
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Restore the umask and fix permissions...
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- umask(mask);
|
||||||
|
- chmod(addr->un.sun_path, 0140777);
|
||||||
|
+ // Remove any existing domain socket file...
|
||||||
|
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||||
|
+ {
|
||||||
|
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||||
|
+
|
||||||
|
+ if (errno == ENOENT)
|
||||||
|
+ status = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!status)
|
||||||
|
+ {
|
||||||
|
+ // Save the current umask and set it to 0 so that all users can access
|
||||||
|
+ // the domain socket...
|
||||||
|
+ mask = umask(0);
|
||||||
|
+
|
||||||
|
+ // Bind the domain socket...
|
||||||
|
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||||
|
+ {
|
||||||
|
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Restore the umask...
|
||||||
|
+ umask(mask);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
else
|
||||||
|
#endif /* AF_LOCAL */
|
||||||
|
--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
|
||||||
|
+++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
|
||||||
|
@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||||
|
+ * file. Also check that the domain socket path is not too long...
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_ONDEMAND
|
||||||
|
+ if (*value == '/' && OnDemand)
|
||||||
|
+ {
|
||||||
|
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||||
|
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+#endif // HAVE_ONDEMAND
|
||||||
|
+
|
||||||
|
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||||
|
+ {
|
||||||
|
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
* Get the address list...
|
||||||
|
*/
|
||||||
|
|
3
cups-2.4.8-source.tar.gz
Normal file
3
cups-2.4.8-source.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0
|
||||||
|
size 8142007
|
BIN
cups-2.4.8-source.tar.gz.sig
Normal file
BIN
cups-2.4.8-source.tar.gz.sig
Normal file
Binary file not shown.
79
cups.changes
79
cups.changes
@ -1,3 +1,82 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
||||||
|
|
||||||
|
- cups-2.4.8-CVE-2024-35235.patch is derived
|
||||||
|
from the upstream patch against master (CUPS 2.5)
|
||||||
|
to apply to CUPS 2.4.8 in openSUSE Factory to fix CVE-2024-35235
|
||||||
|
"cupsd Listen port arbitrary chmod 0140777"
|
||||||
|
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||||
|
bsc#1225365
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 29 12:29:38 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||||
|
|
||||||
|
- Update to version 2.4.8:
|
||||||
|
See https://github.com/openprinting/cups/releases
|
||||||
|
CUPS 2.4.8 brings many bug fixes which aggregated over the last
|
||||||
|
half a year. It brings the important fix for race conditions
|
||||||
|
and errors which can happen when installing permanent
|
||||||
|
IPP Everywhere printer, support for PAM modules password-auth
|
||||||
|
and system-auth and new option for lpstat which can show only
|
||||||
|
the successful jobs.
|
||||||
|
Detailed list (from CHANGES.md):
|
||||||
|
* Added warning if the device has to be asked for
|
||||||
|
'all,media-col-database' separately (Issue #829)
|
||||||
|
* Added new value for 'lpstat' option '-W' - successfull - for
|
||||||
|
getting successfully printed jobs (Issue #830)
|
||||||
|
* Added support for PAM modules password-auth
|
||||||
|
and system-auth (Issue #892)
|
||||||
|
* Updated IPP Everywhere printer creation error
|
||||||
|
reporting (Issue #347)
|
||||||
|
* Updated and documented the MIME typing buffering
|
||||||
|
limit (Issue #925)
|
||||||
|
* Raised 'cups_enum_dests()' timeout for listing
|
||||||
|
available IPP printers (Issue #751)
|
||||||
|
* Now report an error for temporary printer defaults
|
||||||
|
with lpadmin (Issue #237)
|
||||||
|
* Fixed mapping of PPD InputSlot, MediaType,
|
||||||
|
and OutputBin values (Issue #238)
|
||||||
|
* Fixed "document-unprintable-error" handling (Issue #391)
|
||||||
|
* Fixed the web interface not showing an error
|
||||||
|
for a non-existent printer (Issue #423)
|
||||||
|
* Fixed printing of jobs with job name longer than 255 chars
|
||||||
|
on older printers (Issue #644)
|
||||||
|
* Really backported fix for Issue #742
|
||||||
|
* Fixed 'cupsCopyDestInfo' device connection
|
||||||
|
detection (Issue #586)
|
||||||
|
* Fixed "Upgrade" header handling when there is
|
||||||
|
no TLS support (Issue #775)
|
||||||
|
* Fixed memory leak when unloading a job (Issue #813)
|
||||||
|
* Fixed memory leak when creating color profiles (Issue #815)
|
||||||
|
* Fixed a punch finishing bug in the IPP Everywhere
|
||||||
|
support (Issue #821)
|
||||||
|
* Fixed crash in 'scan_ps()' if incoming argument
|
||||||
|
is NULL (Issue #831)
|
||||||
|
* Fixed setting job state reasons for successful
|
||||||
|
jobs (Issue #832)
|
||||||
|
* Fixed infinite loop in IPP backend if hostname
|
||||||
|
is IP address with Kerberos (Issue #838)
|
||||||
|
* Added additional check on socket if 'revents' from 'poll()'
|
||||||
|
returns POLLHUP together with POLLIN or POLLOUT
|
||||||
|
in 'httpAddrConnect2()' (Issue #839)
|
||||||
|
* Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850)
|
||||||
|
* Fixed reporting 'media-source-supported' when
|
||||||
|
sharing printer which has numbers as strings instead of
|
||||||
|
keywords as 'InputSlot' values (Issue #859)
|
||||||
|
* Fixed IPP backend to support the "print-scaling" option
|
||||||
|
with IPP printers (Issue #862)
|
||||||
|
* Fixed potential race condition for the creation
|
||||||
|
of temporary queues (Issue #871)
|
||||||
|
* Fixed 'httpGets' timeout handling (Issue #879)
|
||||||
|
* Fixed checking for required attributes during
|
||||||
|
PPD generation (Issue #890)
|
||||||
|
* Fixed encoding of IPv6 addresses in HTTP requests (Issue #903)
|
||||||
|
* Fixed sending response headers to client (Issue #927)
|
||||||
|
* Fixed CGI program initialization and validation
|
||||||
|
of form checkbox and text fields.
|
||||||
|
Issues are those at https://github.com/OpenPrinting/cups/issues
|
||||||
|
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.8
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
Mon Feb 26 10:48:53 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||||
|
|
||||||
|
20
cups.spec
20
cups.spec
@ -40,7 +40,7 @@ Name: cups
|
|||||||
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
|
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
|
||||||
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
|
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
|
||||||
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
|
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
|
||||||
Version: 2.4.7
|
Version: 2.4.8
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Common UNIX Printing System
|
Summary: The Common UNIX Printing System
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -48,10 +48,10 @@ Group: Hardware/Printing
|
|||||||
URL: https://openprinting.github.io/cups
|
URL: https://openprinting.github.io/cups
|
||||||
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
||||||
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
|
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
|
||||||
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
|
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz
|
||||||
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
||||||
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
|
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
|
||||||
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
|
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig
|
||||||
# To make Source2 use e.g.
|
# To make Source2 use e.g.
|
||||||
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
|
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
|
||||||
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
|
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
|
||||||
@ -103,6 +103,13 @@ Patch108: downgrade-autoconf-requirement.patch
|
|||||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||||
Patch112: cups-2.4.2-additional_policies.patch
|
Patch112: cups-2.4.2-additional_policies.patch
|
||||||
|
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
|
||||||
|
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
|
||||||
|
# to apply to CUPS 2.4.8 in openSUSE Factory
|
||||||
|
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
|
||||||
|
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||||
|
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
|
||||||
|
Patch113: cups-2.4.8-CVE-2024-35235.patch
|
||||||
# Build Requirements:
|
# Build Requirements:
|
||||||
BuildRequires: dbus-1-devel
|
BuildRequires: dbus-1-devel
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
@ -330,6 +337,13 @@ printer drivers for CUPS.
|
|||||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||||
%patch -P 112 -b cups-2.4.2-additional_policies.orig
|
%patch -P 112 -b cups-2.4.2-additional_policies.orig
|
||||||
|
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
|
||||||
|
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
|
||||||
|
# to apply to CUPS 2.4.8 in openSUSE Factory
|
||||||
|
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
|
||||||
|
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||||
|
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
|
||||||
|
%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Remove ".SILENT" rule for verbose build output
|
# Remove ".SILENT" rule for verbose build output
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
--- configure.ac.orig 2023-09-20 15:25:54.000000000 +0200
|
Index: configure.ac
|
||||||
+++ configure.ac 2024-01-24 09:19:28.344274065 +0100
|
===================================================================
|
||||||
|
--- configure.ac.orig
|
||||||
|
+++ configure.ac
|
||||||
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
|
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
|
||||||
dnl information.
|
dnl information.
|
||||||
dnl
|
dnl
|
||||||
@ -10,4 +12,4 @@
|
|||||||
+AC_PREREQ([2.69])
|
+AC_PREREQ([2.69])
|
||||||
|
|
||||||
dnl Package name and version...
|
dnl Package name and version...
|
||||||
AC_INIT([CUPS],[2.4.7],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
|
AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
|
||||||
|
Loading…
x
Reference in New Issue
Block a user