Accepting request 1185108 from Printing
CUPS version upgrade to 2.4.10 that provides the fixed upstream fix for CVE-2024-35235 in CUPS 2.4.9 (forwarded request 1185107 from jsmeix) OBS-URL: https://build.opensuse.org/request/show/1185108 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=174
This commit is contained in:
Ana Guerrero
Git OBS Bridge
commit
be91cc84b1
28
avoid_C99_mode_for_loop_initial_declarations.patch
Normal file
28
avoid_C99_mode_for_loop_initial_declarations.patch
Normal file
@ -0,0 +1,28 @@
|
||||
--- scheduler/client.c.orig 2024-06-18 13:11:05.000000000 +0200
|
||||
+++ scheduler/client.c 2024-07-02 14:51:25.359712447 +0200
|
||||
@@ -566,6 +566,7 @@ cupsdReadClient(cupsd_client_t *con) /*
|
||||
struct stat filestats; /* File information */
|
||||
mime_type_t *type; /* MIME type of file */
|
||||
static unsigned request_id = 0; /* Request ID for temp files */
|
||||
+ char *start; /* Avoid error: 'for' loop initial declarations are only allowed in C99 mode */
|
||||
|
||||
|
||||
status = HTTP_STATUS_CONTINUE;
|
||||
@@ -1145,7 +1146,7 @@ cupsdReadClient(cupsd_client_t *con) /*
|
||||
{
|
||||
unsigned int i = 0; // Array index
|
||||
|
||||
- for (char *start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
|
||||
+ for (*start = con->uri + 9; *start && *start != '?' && i < sizeof(name);)
|
||||
name[i++] = *start++;
|
||||
|
||||
name[i] = '\0';
|
||||
@@ -1185,7 +1186,7 @@ cupsdReadClient(cupsd_client_t *con) /*
|
||||
{
|
||||
unsigned int i = 0; // Array index
|
||||
|
||||
- for (char *start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
|
||||
+ for (*start = con->uri + 10; *start && *start != '?' && i < sizeof(name);)
|
||||
name[i++] = *start++;
|
||||
|
||||
name[i] = '\0';
|
||||
BIN
cups-2.4.10-source.tar.gz
(Stored with Git LFS)
Normal file
BIN
cups-2.4.10-source.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
cups-2.4.10-source.tar.gz.sig
Normal file
BIN
cups-2.4.10-source.tar.gz.sig
Normal file
Binary file not shown.
@ -1,87 +0,0 @@
|
||||
--- cups/http-addr.c.orig 2024-04-26 13:38:21.000000000 +0200
|
||||
+++ cups/http-addr.c 2024-06-11 10:20:21.866920900 +0200
|
||||
@@ -202,31 +202,30 @@ httpAddrListen(http_addr_t *addr, /* I -
|
||||
{
|
||||
mode_t mask; /* Umask setting */
|
||||
|
||||
- /*
|
||||
- * Remove any existing domain socket file...
|
||||
- */
|
||||
-
|
||||
- unlink(addr->un.sun_path);
|
||||
-
|
||||
- /*
|
||||
- * Save the current umask and set it to 0 so that all users can access
|
||||
- * the domain socket...
|
||||
- */
|
||||
-
|
||||
- mask = umask(0);
|
||||
-
|
||||
- /*
|
||||
- * Bind the domain socket...
|
||||
- */
|
||||
-
|
||||
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||
-
|
||||
- /*
|
||||
- * Restore the umask and fix permissions...
|
||||
- */
|
||||
-
|
||||
- umask(mask);
|
||||
- chmod(addr->un.sun_path, 0140777);
|
||||
+ // Remove any existing domain socket file...
|
||||
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+
|
||||
+ if (errno == ENOENT)
|
||||
+ status = 0;
|
||||
+ }
|
||||
+
|
||||
+ if (!status)
|
||||
+ {
|
||||
+ // Save the current umask and set it to 0 so that all users can access
|
||||
+ // the domain socket...
|
||||
+ mask = umask(0);
|
||||
+
|
||||
+ // Bind the domain socket...
|
||||
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ }
|
||||
+
|
||||
+ // Restore the umask...
|
||||
+ umask(mask);
|
||||
+ }
|
||||
}
|
||||
else
|
||||
#endif /* AF_LOCAL */
|
||||
--- scheduler/conf.c.orig 2024-04-26 13:38:21.000000000 +0200
|
||||
+++ scheduler/conf.c 2024-06-11 10:14:06.091882607 +0200
|
||||
@@ -3084,6 +3084,26 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
||||
|
||||
|
||||
/*
|
||||
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||
+ * file. Also check that the domain socket path is not too long...
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_ONDEMAND
|
||||
+ if (*value == '/' && OnDemand)
|
||||
+ {
|
||||
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif // HAVE_ONDEMAND
|
||||
+
|
||||
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
* Get the address list...
|
||||
*/
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:75c326b4ba73975efcc9a25078c4b04cdb4ee333caaad0d0823dbd522c6479a0
|
||||
size 8142007
|
||||
Binary file not shown.
46
cups.changes
46
cups.changes
@ -1,3 +1,49 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 2 11:45:58 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
||||
|
||||
- Version upgrade to 2.4.10:
|
||||
See https://github.com/openprinting/cups/releases
|
||||
CUPS 2.4.10 brings two fixes:
|
||||
* Fixed error handling when reading a mixed 1setOf attribute.
|
||||
* Fixed scheduler start if there is only domain socket
|
||||
to listen on (Issue #985) which is fix for regression
|
||||
after fix for CVE-2024-35235 in scenarios where is
|
||||
no other listeners in cupsd.conf than domain socket
|
||||
created on demand by systemd, launchd or upstart.
|
||||
Issues are those at https://github.com/OpenPrinting/cups/issues
|
||||
- Version upgrade to 2.4.9:
|
||||
See https://github.com/openprinting/cups/releases
|
||||
CUPS 2.4.9 brings security fix for CVE-2024-35235 and
|
||||
several bug fixes regarding CUPS Web User Interface,
|
||||
PPD generation and HTTP protocol implementation.
|
||||
Detailed list (from CHANGES.md):
|
||||
* Fixed domain socket handling (CVE-2024-35235)
|
||||
* Fixed creating of `cupsUrfSupported` PPD keyword
|
||||
(Issue #952)
|
||||
* Fixed searching for destinations in web ui (Issue #954)
|
||||
* Fixed TLS negotiation using OpenSSL with servers
|
||||
that require the TLS SNI extension.
|
||||
* Really raised `cups_enum_dests()` timeout for listing
|
||||
available IPP printers (Issue #751)...
|
||||
* Fixed `Host` header regression (Issue #967)
|
||||
* Fixed DNS-SD lookups of local services with Avahi
|
||||
(Issue #970)
|
||||
* Fixed listing jobs in destinations in web ui.
|
||||
(Apple issue #6204)
|
||||
* Fixed showing search query in web ui help page.
|
||||
(Issue #977)
|
||||
Issues are those at https://github.com/OpenPrinting/cups/issues
|
||||
Apple issues are those at https://github.com/apple/cups/issues
|
||||
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.10
|
||||
- Removed cups-2.4.8-CVE-2024-35235.patch : fixed upstream
|
||||
see the above CUPS 2.4.9 changes
|
||||
- avoid_C99_mode_for_loop_initial_declarations.patch avoids error
|
||||
"'for' loop initial declarations are only allowed in C99 mode"
|
||||
that happens when building for SLE12
|
||||
in scheduler/client.c at "for (char *start = ..." since
|
||||
https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
|
||||
see https://github.com/OpenPrinting/cups/issues/1000
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 11 08:28:32 UTC 2024 - Johannes Meixner <jsmeix@suse.com>
|
||||
|
||||
|
||||
38
cups.spec
38
cups.spec
@ -40,18 +40,18 @@ Name: cups
|
||||
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
|
||||
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
|
||||
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
|
||||
Version: 2.4.8
|
||||
Version: 2.4.10
|
||||
Release: 0
|
||||
Summary: The Common UNIX Printing System
|
||||
License: Apache-2.0
|
||||
Group: Hardware/Printing
|
||||
URL: https://openprinting.github.io/cups
|
||||
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
||||
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz
|
||||
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz
|
||||
# wget --no-check-certificate -O cups-2.4.10-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
|
||||
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz
|
||||
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
||||
# wget --no-check-certificate -O cups-2.4.7-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.7/cups-2.4.7-source.tar.gz.sig
|
||||
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.8/cups-2.4.8-source.tar.gz.sig
|
||||
# wget --no-check-certificate -O cups-2.4.10-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
|
||||
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.10/cups-2.4.10-source.tar.gz.sig
|
||||
# To make Source2 use e.g.
|
||||
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
|
||||
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
|
||||
@ -61,7 +61,7 @@ Source2: cups.keyring
|
||||
# To manually verify Source0 with Source1 and Source2 do e.g.
|
||||
# gpg --import cups.keyring
|
||||
# gpg --list-keys | grep -1 'Zdenek Dohnal'
|
||||
# gpg --verify cups-2.4.7-source.tar.gz.sig cups-2.4.7-source.tar.gz
|
||||
# gpg --verify cups-2.4.10-source.tar.gz.sig cups-2.4.10-source.tar.gz
|
||||
Source102: Postscript.ppd.gz
|
||||
Source105: Postscript-level1.ppd.gz
|
||||
Source106: Postscript-level2.ppd.gz
|
||||
@ -77,6 +77,12 @@ Patch10: cups-2.1.0-choose-uri-template.patch
|
||||
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
|
||||
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
|
||||
Patch11: cups-2.1.0-default-webcontent-path.patch
|
||||
# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
|
||||
# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
|
||||
# that happens when building for SLE12 at "for (char *start = ..." since
|
||||
# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
|
||||
# see https://github.com/OpenPrinting/cups/issues/1000
|
||||
Patch12: avoid_C99_mode_for_loop_initial_declarations.patch
|
||||
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
|
||||
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
|
||||
Patch100: cups-pam.diff
|
||||
@ -103,13 +109,6 @@ Patch108: downgrade-autoconf-requirement.patch
|
||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||
Patch112: cups-2.4.2-additional_policies.patch
|
||||
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
|
||||
# to apply to CUPS 2.4.8 in openSUSE Factory
|
||||
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
|
||||
Patch113: cups-2.4.8-CVE-2024-35235.patch
|
||||
# Build Requirements:
|
||||
BuildRequires: dbus-1-devel
|
||||
BuildRequires: fdupes
|
||||
@ -337,13 +336,12 @@ printer drivers for CUPS.
|
||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||
%patch -P 112 -b cups-2.4.2-additional_policies.orig
|
||||
# Patch113 cups-2.4.8-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5)
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f#advisory-comment-102901
|
||||
# to apply to CUPS 2.4.8 in openSUSE Factory
|
||||
# to fix CVE-2024-35235 "cupsd Listen port arbitrary chmod 0140777"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1225365
|
||||
%patch -P 113 -b cups-2.4.8-CVE-2024-35235.orig
|
||||
# Patch12 avoid_C99_mode_for_loop_initial_declarations.patch
|
||||
# avoids "error: 'for' loop initial declarations are only allowed in C99 mode"
|
||||
# that happens when building for SLE12 at "for (char *start = ..." since
|
||||
# https://github.com/OpenPrinting/cups/commit/a7eda84da73126e40400e05dd27d57f8c92d5b0d
|
||||
# see https://github.com/OpenPrinting/cups/issues/1000
|
||||
%patch -P 12 -b avoid_C99_mode_for_loop_initial_declarations.orig
|
||||
|
||||
%build
|
||||
# Remove ".SILENT" rule for verbose build output
|
||||
|
||||
@ -1,7 +1,5 @@
|
||||
Index: configure.ac
|
||||
===================================================================
|
||||
--- configure.ac.orig
|
||||
+++ configure.ac
|
||||
--- configure.ac.orig 2024-06-18 13:11:05.000000000 +0200
|
||||
+++ configure.ac 2024-07-02 13:55:46.880533719 +0200
|
||||
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
|
||||
dnl information.
|
||||
dnl
|
||||
@ -12,4 +10,4 @@ Index: configure.ac
|
||||
+AC_PREREQ([2.69])
|
||||
|
||||
dnl Package name and version...
|
||||
AC_INIT([CUPS],[2.4.8],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
|
||||
AC_INIT([CUPS],[2.4.10],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user