Accepting request 222281 from home:jsmeix:branches:Printing

CUPS security fix for CVE-2012-5519 to have better default protection against misuse of CUPS admin privileges (bnc#789566) plus clean up of cups.spec by having strictly separated sections how cupsd is launched (either via SysVinit or via systemd) OBS-URL: https://build.opensuse.org/request/show/222281 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=276
2014-02-14 08:37:00 +00:00
parent 29e44712ee
commit ad3ceda791
3 changed files with 586 additions and 62 deletions
--- a/cups.spec
+++ b/cups.spec
@@ -45,7 +45,7 @@ BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %define have_systemd 1
-#may not be defined in older systemd macros..
+# may not be defined in older systemd macros..
 %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
 %endif
 # The "BuildRequires: poppler-tools" installs /usr/bin/pdftops for the
@@ -177,7 +177,7 @@ Patch107:       cups-provides-cupsd-service.patch
 #   http://lists.opensuse.org/opensuse-factory/2013-01/msg00578.html
 Patch108:       cups-move-everything-to-run.patch
 # Patch109 fixes STR #4190: Send-Document failure ignored
-#(also applies to client-error-not-authorized)
+# (also applies to client-error-not-authorized)
 Patch109:       str4190.patch
 # Patch110 avoids any possible busy loop in cups-polld in case of unusual issues
 # by sleeping interval seconds see https://bugzilla.novell.com/show_bug.cgi?id=828228
@@ -192,6 +192,10 @@ Patch111:       cups-0002-systemd-listen-only-on-localhost-for-socket-activation
 # see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
 # Patch111 must be applied on top of Patch105.
 Patch112:       cups-0003-systemd-secure-cups.service-unit-file.patch
+# Patch113 adds protection against privilege escalation by non-root users
+# who have been allowed by root to do CUPS configuration changes
+# (CUPS STR#4223 CVE-2012-5519 Novell/Suse Bugzilla bnc#789566):
+Patch113:       cups-1.5.4-CVE-2012-5519.patch
 # Install into this non-root directory (required when norootforbuild is used):
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@@ -348,6 +352,10 @@ printer drivers for CUPS.
 # see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
 # Patch111 must be applied on top of Patch105.
 %patch112
+# Patch113 adds protection against privilege escalation by non-root users
+# who have been allowed by root to do CUPS configuration changes
+# (CUPS STR#4223 CVE-2012-5519 Novell/Suse Bugzilla bnc#789566):
+%patch113

 %build
 # Disable SILENT run of make so that make runs verbose as usual:
@@ -376,6 +384,7 @@ export CXX=g++
 	--with-docdir=%{_datadir}/cups/webcontent \
 	--with-cups-user=lp \
 	--with-cups-group=lp \
+	--with-system-groups=root \
 	--enable-debug \
 	--enable-relro \
 	--enable-gssapi \
@@ -395,8 +404,7 @@ export CXX=g++
 make %{?_smp_mflags} CXX=g++

 %install
-make BUILDROOT=$RPM_BUILD_ROOT install
-install -d -m755 $RPM_BUILD_ROOT/etc/init.d
+make BUILDROOT=%{buildroot} install
 # Use CUPS' own fonts (i.e. make CUPS work again in compliance with upstream).
 # In ancient times (see the RPM changelog entry dated "Thu Aug 16 17:05:19 CEST 2001")
 # there was the general opinion it would be a great idea to deviate from CUPS upstream
@@ -416,48 +424,41 @@ install -d -m755 $RPM_BUILD_ROOT/etc/init.d
 # and the only way out is to move CUPS' own fonts to an artificial
 # surrogate directory /usr/share/cups/CUPSfonts and have the
 # symbolic link /usr/share/cups/fonts -> /usr/share/cups/CUPSfonts:
-pushd $RPM_BUILD_ROOT/usr/share/cups/
+pushd %{buildroot}/usr/share/cups/
 mv fonts CUPSfonts && ln -s CUPSfonts fonts
 popd
-# Source101: cups.init
-install -m755 %{SOURCE101} $RPM_BUILD_ROOT/etc/init.d/cups
-ln -sf ../../etc/init.d/cups $RPM_BUILD_ROOT/usr/sbin/rccups
-%if %suse_version > 1220
-sed -i -e 's|/var/run|/run|g' $RPM_BUILD_ROOT/etc/init.d/cups
-sed -i -e 's|/var/lock|/run/lock|g' $RPM_BUILD_ROOT/etc/init.d/cups
-%endif
 # Source103: cups.sysconfig
-install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates
-install -m 644 %{SOURCE103} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.cups
+install -d -m755 %{buildroot}/var/adm/fillup-templates
+install -m 644 %{SOURCE103} %{buildroot}/var/adm/fillup-templates/sysconfig.cups
 # Make directory for ssl files:
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/cups/ssl
+mkdir -p %{buildroot}%{_sysconfdir}/cups/ssl
 # Add a client.conf as template (Source108: cups-client.conf):
-install -m644 %{SOURCE108} $RPM_BUILD_ROOT%{_sysconfdir}/cups/client.conf
+install -m644 %{SOURCE108} %{buildroot}%{_sysconfdir}/cups/client.conf
 %if %suse_version > 1220
-sed -i -e 's|/var/run|/run|g' $RPM_BUILD_ROOT%{_sysconfdir}/cups/client.conf
+sed -i -e 's|/var/run|/run|g' %{buildroot}%{_sysconfdir}/cups/client.conf
 %endif
 # Source104: cups.xinetd
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/xinetd.d
-install -m 644 -D %{SOURCE104} $RPM_BUILD_ROOT%{_sysconfdir}/xinetd.d/cups-lpd
+mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
+install -m 644 -D %{SOURCE104} %{buildroot}%{_sysconfdir}/xinetd.d/cups-lpd
 # Make the libraries accessible also via generic named links:
-ln -sf libcupsimage.so.2 $RPM_BUILD_ROOT%{_libdir}/libcupsimage.so
-ln -sf libcups.so.2 $RPM_BUILD_ROOT%{_libdir}/libcups.so
+ln -sf libcupsimage.so.2 %{buildroot}%{_libdir}/libcupsimage.so
+ln -sf libcups.so.2 %{buildroot}%{_libdir}/libcups.so
 # Add missing usual directories:
-install -d -m755 $RPM_BUILD_ROOT%{_datadir}/cups/drivers
-install -d -m755 $RPM_BUILD_ROOT/var/cache/cups
+install -d -m755 %{buildroot}%{_datadir}/cups/drivers
+install -d -m755 %{buildroot}/var/cache/cups
 # Add conf/pam.suse regarding support for PAM (see Patch100: cups-pam.diff):
-install -m 644 -D conf/pam.suse $RPM_BUILD_ROOT/etc/pam.d/cups
+install -m 644 -D conf/pam.suse %{buildroot}/etc/pam.d/cups
 # Add missing usual documentation:
-install -d -m755 $RPM_BUILD_ROOT/%{_defaultdocdir}/cups
+install -d -m755 %{buildroot}/%{_defaultdocdir}/cups
 for f in CHANGES*.txt CREDITS.txt INSTALL.txt LICENSE.txt README.txt
-do install -m 644 "$f" $RPM_BUILD_ROOT%{_defaultdocdir}/cups/
+do install -m 644 "$f" %{buildroot}%{_defaultdocdir}/cups/
 done
 # Source102: postscript.ppd.bz2
-bzip2 -cd < %{SOURCE102} > $RPM_BUILD_ROOT%{_datadir}/cups/model/Postscript.ppd
+bzip2 -cd < %{SOURCE102} > %{buildroot}%{_datadir}/cups/model/Postscript.ppd
 # Source105: PSLEVEL1.PPD.bz2
-bzip2 -cd < %{SOURCE105} > $RPM_BUILD_ROOT%{_datadir}/cups/model/Postscript-level1.ppd
+bzip2 -cd < %{SOURCE105} > %{buildroot}%{_datadir}/cups/model/Postscript-level1.ppd
 # Source106: PSLEVEL2.PPD.bz2
-bzip2 -cd < %{SOURCE106} > $RPM_BUILD_ROOT%{_datadir}/cups/model/Postscript-level2.ppd
+bzip2 -cd < %{SOURCE106} > %{buildroot}%{_datadir}/cups/model/Postscript-level2.ppd
 find %{buildroot}/usr/share/cups/model -name "*.ppd" | while read FILE
 do # Change default paper size from Letter to A4 if possible
   # https://bugzilla.novell.com/show_bug.cgi?id=suse30662
@@ -469,42 +470,65 @@ do # Change default paper size from Letter to A4 if possible
   gzip -9 "$FILE"
 done
 # Add files for desktop menu:
-rm -f $RPM_BUILD_ROOT/usr/share/applications/cups.desktop
+rm -f %{buildroot}/usr/share/applications/cups.desktop
 %suse_update_desktop_file -i cups PrintingUtility 2>/dev/null
-mkdir $RPM_BUILD_ROOT/usr/share/pixmaps
-install -m 644 $RPM_BUILD_ROOT/usr/share/icons/hicolor/64x64/apps/cups.png $RPM_BUILD_ROOT/usr/share/pixmaps
-rm -rf $RPM_BUILD_ROOT/usr/share/icons
-# Norwegian is "nb", "zh" is probably "zh_CN"
-mv $RPM_BUILD_ROOT/usr/share/locale/{no,nb}
-mv $RPM_BUILD_ROOT/usr/share/locale/{zh,zh_CN}
+mkdir %{buildroot}/usr/share/pixmaps
+install -m 644 %{buildroot}/usr/share/icons/hicolor/64x64/apps/cups.png %{buildroot}/usr/share/pixmaps
+rm -rf %{buildroot}/usr/share/icons
+# Norwegian is "nb", "zh" is probably "zh_CN":
+mv %{buildroot}/usr/share/locale/{no,nb}
+mv %{buildroot}/usr/share/locale/{zh,zh_CN}
 # Save /etc/cups/cupsd.conf and /etc/cups/cupsd.conf.default from becoming hardlinked
 # via the fdupes run below, see https://bugzilla.novell.com/show_bug.cgi?id=773971
 # by making their content different and at the same time fix the misleading comment.
 # Intentionally let the build fail if 'grep' does not find what 'sed' should change
 # because if upstream changed it 'sed' would silently no longer change the files
 # so that fdupes would make /etc/cups/cupsd.conf and /etc/cups/cupsd.conf.default hardlinked:
-grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf
-sed -i -e 's/^# Sample configuration /# Configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf
-grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default
-sed -i -e 's/^# Sample configuration /# Default configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default
-# systemd stuff:
+grep -q '^# Sample configuration ' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf
+sed -i -e 's/^# Sample configuration /# Configuration /' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf
+grep -q '^# Sample configuration ' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf.default
+sed -i -e 's/^# Sample configuration /# Default configuration /' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf.default
+# Begin how cupsd is launched (via SysVinit or systemd):
 %if 0%{?have_systemd}
-# move the installed cups.socket and cups.path into a documentation directory
+# Begin launch cupsd via systemd:
+# See http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines
+# Move the installed cups.socket and cups.path into a documentation directory
 # so that experienced admins can make their own individual systemd unit files
 # for socket activation and/or path activation as they need it for their particular cases
 # see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
-mkdir $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd
-mv $RPM_BUILD_ROOT/%{_unitdir}/cups.path $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.path
-mv $RPM_BUILD_ROOT/%{_unitdir}/cups.socket $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.socket
-# install /usr/lib/tmpfiles.d/cups.conf
-mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
-cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/cups.conf <<EOF
+mkdir %{buildroot}/%{_defaultdocdir}/cups/systemd
+mv %{buildroot}/%{_unitdir}/cups.path %{buildroot}/%{_defaultdocdir}/cups/systemd/cups.path
+mv %{buildroot}/%{_unitdir}/cups.socket %{buildroot}/%{_defaultdocdir}/cups/systemd/cups.socket
+# Install /usr/lib/tmpfiles.d/cups.conf
+mkdir -p %{buildroot}%{_tmpfilesdir}
+cat > %{buildroot}%{_tmpfilesdir}/cups.conf <<EOF
 # See tmpfiles.d(5) for details
 d /run/cups 0755 root lp -
 d /run/cups/certs 0511 lp sys -
 d /var/spool/cups/tmp - - - 30d
 EOF
+# Provide SUSE policy symlink /usr/sbin/rcFOO -> /etc/init.d/FOO
+# /usr/sbin/service exists only since openSUSE 12.3:
+%if 0%{?suse_version} > 1220
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rccups
+%else
+ln -s /sbin/service %{buildroot}%{_sbindir}/rccups
 %endif
+# End launch cupsd via systemd
+%else
+# Begin launch cupsd via SysVinit:
+# Source101: cups.init
+install -d -m755 %{buildroot}/etc/init.d
+install -m755 %{SOURCE101} %{buildroot}/etc/init.d/cups
+ln -sf ../../etc/init.d/cups %{buildroot}/usr/sbin/rccups
+%if %suse_version > 1220
+# Adapt init script according to Patch108 that moves everything to /run
+sed -i -e 's|/var/run|/run|g' %{buildroot}/etc/init.d/cups
+sed -i -e 's|/var/lock|/run/lock|g' %{buildroot}/etc/init.d/cups
+%endif
+# End launch cupsd via SysVinit
+%endif
+# End how cupsd is launched (via SysVinit or systemd)
 # Run fdupes:
 # The RPM macro fdupes runs /usr/bin/fdupes that links files with identical content.
 # Never run fdupes carelessly over the whole buildroot directory
@@ -516,42 +540,79 @@ EOF
 # so that fdupes can only run for specific directories where linking files is safe.
 # Using fdupes -s, which will create symlinks that are easier to grasp for rpm and
 # rpmlint will give a "dangling symlink" error if the file and link ended up in different packages:
-%fdupes -s $RPM_BUILD_ROOT/%{_datadir}/cups
+%fdupes -s %{buildroot}/%{_datadir}/cups

 %pre
+# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
+# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
+# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
 /usr/sbin/groupadd -g 71 -o -r ntadmin 2>/dev/null || :
 %if 0%{?have_systemd}
-%service_add_pre cups.service cups.socket cups.path
+# Begin service_add_pre cups.service
+%service_add_pre cups.service
+# End service_add_pre cups.service
 %endif
 exit 0

 %post
-%{fillup_and_insserv -ny cups cups}
+# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
+# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
+# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
 %if 0%{?have_systemd}
-%service_add_post cups.service cups.socket cups.path
+# Begin service_add_post cups.service
+%service_add_post cups.service
+# End service_add_post cups.service
+%else
+# Begin fillup_and_insserv -ny cups cups
+%{fillup_and_insserv -ny cups cups}
+# End fillup_and_insserv -ny cups cups
 %endif
 exit 0

 %preun
-%stop_on_removal cups
+# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
+# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
+# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
 %if 0%{?have_systemd}
-%service_del_preun cups.service cups.socket cups.path
+# Begin service_del_preun cups.service
+%service_del_preun cups.service
+# End service_del_preun cups.service
+%else
+# Begin stop_on_removal cups
+%stop_on_removal cups
+# End stop_on_removal cups
 %endif
 exit 0

 %postun
-%restart_on_update cups
-%{insserv_cleanup}
+# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
+# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
+# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
 %if 0%{?have_systemd}
-%service_del_postun cups.service cups.socket cups.path
+# Begin service_del_postun cups.service
+%service_del_postun cups.service
+# End service_del_postun cups.service
+%else
+# Begin restart_on_update cups
+%restart_on_update cups
+# End restart_on_update cups
+# Begin insserv_cleanup
+%{insserv_cleanup}
+# End insserv_cleanup
 %endif
 exit 0

 %post libs
+# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
+# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
+# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
 /sbin/ldconfig
 exit 0

 %postun libs
+# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
+# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
+# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
 /sbin/ldconfig
 exit 0

@@ -572,12 +633,17 @@ exit 0
 %config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/snmp.conf
 %config(noreplace) %attr(755,lp,lp) %{_sysconfdir}/cups/interfaces
 %config(noreplace) %{_sysconfdir}/xinetd.d/cups-lpd
-%config %attr(0755,root,root) %{_sysconfdir}/init.d/cups
 %config %{_sysconfdir}/pam.d/cups
 %config %{_sysconfdir}/dbus-1/system.d/cups.conf
 %dir %attr(700,root,lp) %{_sysconfdir}/cups/ssl
 %dir %attr(755,root,lp) %{_sysconfdir}/cups/ppd
 /var/adm/fillup-templates/sysconfig.cups
+%if 0%{?have_systemd}
+%{_unitdir}/cups.service
+%{_tmpfilesdir}/cups.conf
+%else
+%config %attr(0755,root,root) %{_sysconfdir}/init.d/cups
+%endif
 %{_bindir}/cupstestppd
 %{_sbindir}/cupsaddsmb
 %{_sbindir}/cupsctl
@@ -661,10 +727,6 @@ exit 0
 %doc %{_mandir}/man8/cupsfilter.8.gz
 %{_datadir}/cups/
 %exclude %{_datadir}/cups/ppdc/
-%if 0%{?have_systemd}
-%{_unitdir}/cups.service
-%{_tmpfilesdir}/cups.conf
-%endif

 %files client
 # Set explicite owner, group, and permissions for lppasswd