Accepting request 286363 from home:scarabeus_iv:branches:Printing

Final submission, there seem to be no activity on factory so it works
or nobody cares :)

- Add back the posttrans cleanup script as it is needed
- Add patch cups-systemd-socket.patch to fix socket activation
  and to match socket approach Fedora has.
- Version bump to 2.0.2:
  * Security: cupsRasterReadPixels buffer overflow with invalid page header and
    compressed raster data (STR #4551)
  * Mapping of PPD keywords to IPP keywords did not work if the PPD keyword was
    already an IPP keyword (<rdar://problem/19121005>)
  * cupsGetPPD* sent bad requests (STR #4567)
  * For detailed list see CHANGES.txt file
- Enable PIE for build
- Remove legacy paralel-port support as it is not really needed
  as most do not want it
- Update descriptions to just state what changed and let user
  find it out.
- Add back comment about %fdupes
- Remove exit 0 on scriptlets as it is provided by the %service bla
  ones already
- Fix the comment about openSUSE version on tmpfilesdir declaration
- cups-2.0.1 update:
  * lengthy list of changes see the upstream CHANGES.txt that is
    distributed with the package
  * Disabling of sslv3 to mitigate poodle
- Use gnutls to provide SSLOptions configuration directive
  * openssl is no longer supported upstream
  * Remove the with-openssl-exception from license
- Remove cups.sysconfig as it is not used with systemd based distros
- Purposely lose support for SLE11 as it doubles size of some of the
  sections and keep support for openSUSE+SLE12
  * even with the conditions we would have to go unencrypted only

OBS-URL: https://build.opensuse.org/request/show/286363
OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=294
Tomáš Chvátal 2015-02-16 15:27:41 +00:00 committed by Git OBS Bridge
parent a419140b09
commit c7ccef2b9b
30 changed files with 874 additions and 2738 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:39b8fdf82b711bff408ddc05ee8777a2064b2d6656c8713bf46d302c737a4ade
size 3026


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cd01bc308c1c6132d47aa2f33c8011879cbdbea676a9cf95c1c7b229a4601be9
size 3019

BIN
Postscript-level1.ppd.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
Postscript-level2.ppd.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
Postscript.ppd.gz (Stored with Git LFS) Normal file

Binary file not shown.


@ -1,519 +0,0 @@
--- config.h.in.orig
+++ config.h.in
@@ -496,6 +496,13 @@
/*
+ * Do we have systemd support?
+ */
+
+#undef HAVE_SYSTEMD
+
+
+/*
* Various scripting languages...
*/
--- /dev/null
+++ config-scripts/cups-systemd.m4
@@ -0,0 +1,36 @@
+dnl
+dnl "$Id$"
+dnl
+dnl systemd stuff for CUPS.
+
+dnl Find whether systemd is available
+
+SDLIBS=""
+AC_ARG_WITH([systemdsystemunitdir],
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
+ [], [with_systemdsystemunitdir=$($PKGCONFIG --variable=systemdsystemunitdir systemd)])
+if test "x$with_systemdsystemunitdir" != xno; then
+ AC_MSG_CHECKING(for libsystemd-daemon)
+ if $PKGCONFIG --exists libsystemd-daemon; then
+ AC_MSG_RESULT(yes)
+ SDCFLAGS=`$PKGCONFIG --cflags libsystemd-daemon`
+ SDLIBS=`$PKGCONFIG --libs libsystemd-daemon`
+ AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
+ AC_DEFINE(HAVE_SYSTEMD)
+ else
+ AC_MSG_RESULT(no)
+ fi
+fi
+
+if test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno ; then
+ SYSTEMD_UNITS="cups.service cups.socket cups.path"
+else
+ SYSTEMD_UNITS=""
+fi
+
+AC_SUBST(SYSTEMD_UNITS)
+AC_SUBST(SDLIBS)
+
+dnl
+dnl "$Id$"
+dnl
--- configure.in.orig
+++ configure.in
@@ -37,6 +37,7 @@ sinclude(config-scripts/cups-pam.m4)
sinclude(config-scripts/cups-largefile.m4)
sinclude(config-scripts/cups-dnssd.m4)
sinclude(config-scripts/cups-launchd.m4)
+sinclude(config-scripts/cups-systemd.m4)
sinclude(config-scripts/cups-defaults.m4)
sinclude(config-scripts/cups-pdf.m4)
sinclude(config-scripts/cups-scripting.m4)
@@ -71,6 +72,9 @@ AC_OUTPUT(Makedefs
conf/snmp.conf
cups-config
data/testprint
+ data/cups.service
+ data/cups.socket
+ data/cups.path
desktop/cups.desktop
doc/help/ref-cupsd-conf.html
doc/help/standard.html
--- cups/usersys.c.orig
+++ cups/usersys.c
@@ -750,7 +750,7 @@ cups_read_client_conf(
struct stat sockinfo; /* Domain socket information */
if (!stat(CUPS_DEFAULT_DOMAINSOCKET, &sockinfo) &&
- (sockinfo.st_mode & S_IRWXO) == S_IRWXO)
+ (sockinfo.st_mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH))
cups_server = CUPS_DEFAULT_DOMAINSOCKET;
else
#endif /* CUPS_DEFAULT_DOMAINSOCKET */
--- /dev/null
+++ data/cups.path.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=CUPS Printer Service Spool
+
+[Path]
+PathExistsGlob=@CUPS_REQUESTS@/d*
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+++ data/cups.service.in
@@ -0,0 +1,9 @@
+[Unit]
+Description=CUPS Printing Service
+
+[Service]
+ExecStart=@sbindir@/cupsd -f
+
+[Install]
+Also=cups.socket cups.path
+WantedBy=printer.target
--- /dev/null
+++ data/cups.socket.in
@@ -0,0 +1,11 @@
+[Unit]
+Description=CUPS Printing Service Sockets
+
+[Socket]
+ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
+ListenStream=631
+ListenDatagram=0.0.0.0:631
+BindIPv6Only=ipv6-only
+
+[Install]
+WantedBy=sockets.target
--- data/Makefile.orig
+++ data/Makefile
@@ -112,6 +112,12 @@ install-data:
$(INSTALL_DATA) $$file $(DATADIR)/ppdc; \
done
$(INSTALL_DIR) -m 755 $(DATADIR)/profiles
+ if test "x$(SYSTEMD_UNITS)" != "x" ; then \
+ $(INSTALL_DIR) -m 755 $(SYSTEMDUNITDIR); \
+ for file in $(SYSTEMD_UNITS); do \
+ $(INSTALL_DATA) $$file $(SYSTEMDUNITDIR); \
+ done; \
+ fi
#
@@ -159,6 +165,9 @@ uninstall:
-$(RMDIR) $(DATADIR)/charsets
-$(RMDIR) $(DATADIR)/banners
-$(RMDIR) $(DATADIR)
+ for file in $(SYSTEMD_UNITS); do \
+ $(RM) $(SYSTEMDUNITDIR)/$$file; \
+ done
#
--- Makedefs.in.orig
+++ Makedefs.in
@@ -143,6 +143,7 @@ CXXFLAGS = @CPPFLAGS@ @CXXFLAGS@
CXXLIBS = @CXXLIBS@
DBUS_NOTIFIER = @DBUS_NOTIFIER@
DBUS_NOTIFIERLIBS = @DBUS_NOTIFIERLIBS@
+SYSTEMD_UNITS = @SYSTEMD_UNITS@
DNSSD_BACKEND = @DNSSD_BACKEND@
DSOFLAGS = -L../cups @DSOFLAGS@
DSOLIBS = @DSOLIBS@ $(COMMONLIBS)
@@ -151,6 +152,7 @@ FONTS = @FONTS@
IMGLIBS = @IMGLIBS@
IMGFILTERS = @IMGFILTERS@
LAUNCHDLIBS = @LAUNCHDLIBS@
+SDLIBS = @SDLIBS@
LDFLAGS = -L../cgi-bin -L../cups -L../filter -L../ppdc \
-L../scheduler @LDARCHFLAGS@ \
@LDFLAGS@ @RELROFLAGS@ @PIEFLAGS@ $(OPTIM)
@@ -267,6 +269,7 @@ PAMFILE = @PAMFILE@
DEFAULT_LAUNCHD_CONF = @DEFAULT_LAUNCHD_CONF@
DBUSDIR = @DBUSDIR@
+SYSTEMDUNITDIR = $(BUILDROOT)@systemdsystemunitdir@
#
--- scheduler/client.h.orig
+++ scheduler/client.h
@@ -75,6 +75,9 @@ typedef struct
int fd; /* File descriptor for this server */
http_addr_t address; /* Bind address of socket */
http_encryption_t encryption; /* To encrypt or not to encrypt... */
+#ifdef HAVE_SYSTEMD
+ int is_systemd; /* Is this a systemd socket? */
+#endif /* HAVE_SYSTEMD */
} cupsd_listener_t;
--- scheduler/dirsvc.c.orig
+++ scheduler/dirsvc.c
@@ -1457,7 +1457,7 @@ cupsdStartBrowsing(void)
}
}
- if (BrowseSocket >= 0)
+ if (BrowseSocket >= 0 && !BrowseSocketIsSystemd)
{
/*
* Bind the socket to browse port...
@@ -1501,13 +1501,17 @@ cupsdStartBrowsing(void)
cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to set broadcast mode - %s.",
strerror(errno));
+ if (!BrowseSocketIsSystemd)
+ {
#ifdef WIN32
- closesocket(BrowseSocket);
+ closesocket(BrowseSocket);
#else
- close(BrowseSocket);
+ close(BrowseSocket);
#endif /* WIN32 */
- BrowseSocket = -1;
+ BrowseSocket = -1;
+ }
+
BrowseLocalProtocols &= ~BROWSE_CUPS;
BrowseRemoteProtocols &= ~BROWSE_CUPS;
@@ -1820,15 +1824,22 @@ cupsdStopBrowsing(void)
if (((BrowseLocalProtocols | BrowseRemoteProtocols) & BROWSE_CUPS) &&
BrowseSocket >= 0)
{
- /*
- * Close the socket and remove it from the input selection set.
- */
+ if (!BrowseSocketIsSystemd)
+ {
+ /*
+ * Close the socket.
+ */
#ifdef WIN32
- closesocket(BrowseSocket);
+ closesocket(BrowseSocket);
#else
- close(BrowseSocket);
+ close(BrowseSocket);
#endif /* WIN32 */
+ }
+
+ /*
+ * Remove it from the input selection set.
+ */
cupsdRemoveSelect(BrowseSocket);
BrowseSocket = -1;
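Review bot: `BrowseSocketIsSystemd` is not reset where `cupsdStopBrowsing()` sets `BrowseSocket = -1`, at least not in the lines shown, and the same holds for the `update_cups_browse()` hunk that follows. If the flag stays 1, the `BrowseSocket >= 0 && !BrowseSocketIsSystemd` guard added in `cupsdStartBrowsing()` would presumably also skip the bind for a socket cupsd later creates itself. Clearing it with the descriptor, `BrowseSocket = -1; BrowseSocketIsSystemd = 0;`, keeps the two in step, provided `systemd_checkin()` sets it again before browsing restarts. Both functions continue outside their hunks, so this needs checking against the full file.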
@@ -5146,11 +5157,14 @@ update_cups_browse(void)
strerror(errno));
cupsdLogMessage(CUPSD_LOG_ERROR, "CUPS browsing turned off.");
+ if (!BrowseSocketIsSystemd)
+ {
#ifdef WIN32
- closesocket(BrowseSocket);
+ closesocket(BrowseSocket);
#else
- close(BrowseSocket);
+ close(BrowseSocket);
#endif /* WIN32 */
+ }
cupsdRemoveSelect(BrowseSocket);
BrowseSocket = -1;
--- scheduler/dirsvc.h.orig
+++ scheduler/dirsvc.h
@@ -96,6 +96,8 @@ VAR int Browsing VALUE(TRUE),
/* Short names for remote printers? */
BrowseSocket VALUE(-1),
/* Socket for browsing */
+ BrowseSocketIsSystemd VALUE(0),
+ /* BrowseSocket is systemd-provided? */
BrowsePort VALUE(IPP_PORT),
/* Port number for broadcasts */
BrowseInterval VALUE(DEFAULT_INTERVAL),
--- scheduler/listen.c.orig
+++ scheduler/listen.c
@@ -401,7 +401,11 @@ cupsdStopListening(void)
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
{
- if (lis->fd != -1)
+ if (lis->fd != -1
+#ifdef HAVE_SYSTEMD
+ && !lis->is_systemd
+#endif /* HAVE_SYSTEMD */
+ )
{
#ifdef WIN32
closesocket(lis->fd);
--- scheduler/main.c.orig
+++ scheduler/main.c
@@ -26,6 +26,8 @@
* launchd_checkin() - Check-in with launchd and collect the listening
* fds.
* launchd_checkout() - Update the launchd KeepAlive file as needed.
+ * systemd_checkin() - Check-in with systemd and collect the
+ * listening fds.
* parent_handler() - Catch USR1/CHLD signals...
* process_children() - Process all dead children...
* select_timeout() - Calculate the select timeout value.
@@ -62,6 +64,10 @@
# endif /* !LAUNCH_JOBKEY_SERVICEIPC */
#endif /* HAVE_LAUNCH_H */
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif /* HAVE_SYSTEMD */
+
#if defined(HAVE_MALLOC_H) && defined(HAVE_MALLINFO)
# include <malloc.h>
#endif /* HAVE_MALLOC_H && HAVE_MALLINFO */
@@ -78,6 +84,9 @@
static void launchd_checkin(void);
static void launchd_checkout(void);
#endif /* HAVE_LAUNCHD */
+#ifdef HAVE_SYSTEMD
+static void systemd_checkin(void);
+#endif /* HAVE_SYSTEMD */
static void parent_handler(int sig);
static void process_children(void);
static void sigchld_handler(int sig);
@@ -519,6 +528,13 @@ main(int argc, /* I - Number of comm
}
#endif /* HAVE_LAUNCHD */
+#ifdef HAVE_SYSTEMD
+ /*
+ * If we were started by systemd get the listen sockets file descriptors...
+ */
+ systemd_checkin();
+#endif /* HAVE_SYSTEMD */
+
/*
* Startup the server...
*/
@@ -730,6 +746,15 @@ main(int argc, /* I - Number of comm
}
#endif /* HAVE_LAUNCHD */
+#ifdef HAVE_SYSTEMD
+ /*
+ * If we were started by systemd get the listen sockets file
+ * descriptors...
+ */
+
+ systemd_checkin();
+#endif /* HAVE_SYSTEMD */
+
/*
* Startup the server...
*/
@@ -1535,6 +1560,147 @@ launchd_checkout(void)
}
#endif /* HAVE_LAUNCHD */
+#ifdef HAVE_SYSTEMD
+static void
+systemd_checkin(void)
+{
+ int n, fd;
+
+ n = sd_listen_fds(0);
+ if (n < 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Failed to acquire sockets from systemd - %s",
+ strerror(-n));
+ exit(EXIT_FAILURE);
+ return;
+ }
+
+ if (n == 0)
+ return;
+
+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + n; fd ++)
+ {
+ http_addr_t addr;
+ socklen_t addrlen = sizeof (addr);
+ int r;
+ cupsd_listener_t *lis;
+ char s[256];
+
+ r = sd_is_socket(fd, AF_UNSPEC, SOCK_STREAM, 1);
+ if (r < 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Unable to verify socket type - %s",
+ strerror(-r));
+ continue;
+ }
+
+ if (!r)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Browsing=%d", Browsing);
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "BrowseLocalProtocols=%x", BrowseLocalProtocols);
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "BrowseRemoteProtocols=%x", BrowseRemoteProtocols);
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "BROWSE_CUPS=%x", BROWSE_CUPS);
+ if (Browsing &&
+ ((BrowseLocalProtocols | BrowseRemoteProtocols) & BROWSE_CUPS))
+ {
+ r = sd_is_socket(fd, AF_UNSPEC, SOCK_DGRAM, 0);
+ if (r < 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Unable to verify socket type - %s",
+ strerror(-r));
+ continue;
+ }
+
+ if (r)
+ {
+ /*
+ * This is the browse socket.
+ */
+
+ char addrstr[256];
+ if (getsockname(fd, (struct sockaddr*) &addr, &addrlen))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Unable to get local address - %s",
+ strerror(errno));
+ continue;
+ }
+
+ httpAddrString (&addr, addrstr, sizeof (addrstr));
+ BrowseSocket = fd;
+ BrowseSocketIsSystemd = 1;
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "systemd_checkin: Matched browse (port %d) with fd %d:%s...",
+ BrowsePort, fd, addrstr);
+ continue;
+ }
+
+ }
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Socket not of the right type");
+ continue;
+ }
+
+ if (getsockname(fd, (struct sockaddr*) &addr, &addrlen))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Unable to get local address - %s",
+ strerror(errno));
+ continue;
+ }
+
+ /*
+ * Try to match the systemd socket address to one of the listeners...
+ */
+
+ for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
+ lis;
+ lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
+ if (httpAddrEqual(&lis->address, &addr))
+ break;
+
+ if (lis)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "systemd_checkin: Matched existing listener %s with fd %d...",
+ httpAddrString(&(lis->address), s, sizeof(s)), fd);
+ }
+ else
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "systemd_checkin: Adding new listener %s with fd %d...",
+ httpAddrString(&addr, s, sizeof(s)), fd);
+
+ if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "systemd_checkin: Unable to allocate listener - "
+ "%s.", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ cupsArrayAdd(Listeners, lis);
+
+ memcpy(&lis->address, &addr, sizeof(lis->address));
+ }
+
+ lis->fd = fd;
+ lis->is_systemd = 1;
+
+# ifdef HAVE_SSL
+ if (_httpAddrPort(&(lis->address)) == 443)
+ lis->encryption = HTTP_ENCRYPT_ALWAYS;
+# endif /* HAVE_SSL */
+ }
+}
+#endif /* HAVE_SYSTEMD */
/*
* 'parent_handler()' - Catch USR1/CHLD signals...
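Review bot: In `systemd_checkin()` any fd that passes `sd_is_socket(fd, AF_UNSPEC, SOCK_DGRAM, 0)` becomes `BrowseSocket`, although the debug message says it was matched against `BrowsePort`; nothing in the hunk compares the port. `sd_is_socket_inet(fd, AF_UNSPEC, SOCK_DGRAM, 0, BrowsePort)` would make the check agree with the message. A stream fd whose address matches no configured listener is added as a new one, so the socket unit can widen what cupsd listens on beyond cupsd.conf; that branch logs only at `CUPSD_LOG_DEBUG` and deserves a more visible level. The four `Browsing=`/`BrowseLocalProtocols=`/`BrowseRemoteProtocols=`/`BROWSE_CUPS=` messages look like leftover debugging and should not be emitted at `CUPSD_LOG_ERROR`, where they add noise to the log an operator reads for real failures.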
--- scheduler/Makefile.orig
+++ scheduler/Makefile
@@ -379,7 +379,7 @@ cupsd: $(CUPSDOBJS) $(LIBCUPSMIME) ../cu
$(CC) $(LDFLAGS) -o cupsd $(CUPSDOBJS) -L. -lcupsmime \
$(LIBZ) $(SSLLIBS) $(LIBSLP) $(LIBLDAP) $(PAMLIBS) \
$(LIBPAPER) $(LIBMALLOC) $(SERVERLIBS) $(DNSSDLIBS) $(LIBS) \
- $(LIBGSSAPI) $(LIBWRAP)
+ $(LIBGSSAPI) $(LIBWRAP) $(SDLIBS)
cupsd-static: $(CUPSDOBJS) libcupsmime.a ../cups/$(LIBCUPSSTATIC)
echo Linking $@...
@@ -387,7 +387,7 @@ cupsd-static: $(CUPSDOBJS) libcupsmime.a
$(LIBZ) $(SSLLIBS) $(LIBSLP) $(LIBLDAP) $(PAMLIBS) \
../cups/$(LIBCUPSSTATIC) $(COMMONLIBS) $(LIBZ) $(LIBPAPER) \
$(LIBMALLOC) $(SERVERLIBS) $(DNSSDLIBS) $(LIBGSSAPI) \
- $(LIBWRAP)
+ $(LIBWRAP) $(SDLIBS)
#


@ -1,15 +0,0 @@
--- data/cups.socket.in.orig 2014-01-08 15:31:12.000000000 +0100
+++ data/cups.socket.in 2014-01-08 15:33:07.000000000 +0100
@@ -3,8 +3,10 @@ Description=CUPS Printing Service Socket
[Socket]
ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
-ListenStream=631
-ListenDatagram=0.0.0.0:631
+ListenStream=127.0.0.1:631
+ListenStream=[::1]:631
+ListenDatagram=127.0.0.1:631
+ListenDatagram=[::1]:631
BindIPv6Only=ipv6-only
[Install]


@ -1,16 +0,0 @@
--- data/cups.service.in.orig 2014-01-29 13:57:17.000000000 +0100
+++ data/cups.service.in 2014-01-29 14:14:54.000000000 +0100
@@ -1,10 +1,10 @@
[Unit]
Description=CUPS Printing Service
+After=network.target
[Service]
ExecStart=@sbindir@/cupsd -f
[Install]
-Alias=cupsd.service
-Also=cups.socket cups.path
-WantedBy=printer.target
+WantedBy=multi-user.target
+


@ -1,10 +0,0 @@
--- cups-1.3.6/conf/cupsd.conf.in.orig 2008-02-28 20:08:52.000000000 +0100
+++ cups-1.3.6/conf/cupsd.conf.in 2008-02-28 20:13:47.000000000 +0100
@@ -29,6 +29,7 @@
# Restrict access to the server...
<Location />
Order allow,deny
+ Allow 127.0.0.2
</Location>
# Restrict access to the admin pages...


@ -6,7 +6,7 @@ Index: desktop/cups.desktop.in
[Desktop Entry]
-Categories=System;Printing;HardwareSettings;X-Red-Hat-Base;
-Exec=@CUPS_HTMLVIEW@ http://localhost:631/
+Categories=Settings;Printing;HardwareSettings;
+Categories=System;Printing;Settings;HardwareSettings;
+Exec=desktop-launch http://localhost:631/
+NotShowIn=GNOME;
Icon=cups


@ -1,408 +0,0 @@
--- doc/help/ref-cupsd-conf.html.in.orig 2012-01-30 22:40:21.000000000 +0100
+++ doc/help/ref-cupsd-conf.html.in 2014-02-05 14:13:23.000000000 +0100
@@ -917,6 +917,28 @@ ConfigFilePerm 0640
</BLOCKQUOTE>
+<H2 CLASS="title"><A NAME="ConfigurationChangeRestriction">ConfigurationChangeRestriction</A></H2>
+
+<H3>Examples</H3>
+
+<PRE CLASS="command">
+ConfigurationChangeRestriction all
+ConfigurationChangeRestriction root-only
+ConfigurationChangeRestriction none
+</PRE>
+
+<H3>Description</H3>
+
+<P>The <CODE>ConfigurationChangeRestriction</CODE> directive specifies
+the degree of restriction for changes to cupsd.conf. Keywords dealing
+with filenames, paths, and users are security-sensitive. Changes to
+them via HTTP are forbidden by default (<CODE>all</CODE>). The value
+<CODE>none</CODE> removes any restriction altogether (note that this
+is unsafe). The value <CODE>root-only</CODE> allows only users
+authorised as user "root" to adjust security-sensitive configuration
+settings, but note that users adjusting settings using polkit (via
+cups-pk-helper) are authenticated as user "root".</P>
+
<H2 CLASS="title"><A NAME="DataDir">DataDir</A></H2>
--- man/cupsctl.man.orig 2011-01-11 04:04:04.000000000 +0100
+++ man/cupsctl.man 2014-02-05 14:15:23.000000000 +0100
@@ -90,7 +90,8 @@ Disable printer sharing:
cupsctl --no-shared-printers
.fi
.LP
-Enable printing using the file: pseudo-device:
+Enable printing using the file: pseudo-device (note that this is
+forbidden by default):
.nf
cupsctl FileDevice=Yes
.fi
--- man/cupsd.conf.man.in.orig 2011-05-18 23:33:35.000000000 +0200
+++ man/cupsd.conf.man.in 2014-02-05 14:16:58.000000000 +0100
@@ -238,6 +238,21 @@ ConfigFilePerm mode
Specifies the permissions for all configuration files that the scheduler
writes.
.TP 5
+ConfigurationChangeRestriction all
+.TP 5
+ConfigurationChangeRestriction root-only
+.TP 5
+ConfigurationChangeRestriction none
+.br
+Specifies the degree of restriction for changes to cupsd.conf.
+Keywords dealing with filenames, paths, and users are
+security-sensitive. Changes to them via HTTP are forbidden by default
+("all"). The value "none" removes any restriction altogether (note
+that this is unsafe). The value "root-only" allows only users
+authorised as user "root" to adjust security-sensitive configuration
+settings, but note that users adjusting settings using polkit (via
+cups-pk-helper) are authenticated as user "root".
+.TP 5
DataDir path
.br
Specified the directory where data files can be found.
--- scheduler/client.c.orig 2012-03-07 07:05:39.000000000 +0100
+++ scheduler/client.c 2014-02-05 14:32:49.000000000 +0100
@@ -1685,13 +1685,10 @@ cupsdReadClient(cupsd_client_t *con) /*
* Validate the resource name...
*/
- if (strncmp(con->uri, "/admin/conf/", 12) ||
- strchr(con->uri + 12, '/') ||
- strlen(con->uri) == 12)
+ if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
{
/*
- * PUT can only be done to configuration files under
- * /admin/conf...
+ * PUT can only be done to the cupsd.conf file...
*/
cupsdLogMessage(CUPSD_LOG_ERROR,
@@ -3827,6 +3824,8 @@ install_conf_file(cupsd_client_t *con) /
char buffer[16384]; /* Copy buffer */
ssize_t bytes; /* Number of bytes */
+ if (!cupsdCheckConfigurationAllowed (con))
+ return (HTTP_FORBIDDEN);
/*
* Open the request file...
--- scheduler/conf.h.orig 2011-04-22 19:47:03.000000000 +0200
+++ scheduler/conf.h 2014-02-05 14:44:49.000000000 +0100
@@ -92,6 +92,18 @@ typedef struct
/*
+ * Configuration change restriction (CVE-2012-5519)
+ */
+
+typedef enum
+{
+ CUPSD_CONFRESTRICT_NONE, /* No checking of PUT cupsd.conf */
+ CUPSD_CONFRESTRICT_ROOT, /* Only allow root to change all opts */
+ CUPSD_CONFRESTRICT_ALL, /* Restricted keywords not to be changed */
+} cupsd_confrestrict_t;
+
+
+/*
* Globals...
*/
@@ -165,6 +177,8 @@ VAR int ClassifyOverride VALUE(0),
/* Allow overrides? */
ConfigFilePerm VALUE(0640),
/* Permissions for config files */
+ ConfigurationChangeRestriction VALUE(CUPSD_CONFRESTRICT_ALL),
+ /* CVE-2012-5519 protection */
LogDebugHistory VALUE(200),
/* Amount of automatic debug history */
FatalErrors VALUE(CUPSD_FATAL_CONFIG),
@@ -291,6 +305,7 @@ __attribute__ ((__format__ (__printf__,
extern int cupsdLogPage(cupsd_job_t *job, const char *page);
extern int cupsdLogRequest(cupsd_client_t *con, http_status_t code);
extern int cupsdReadConfiguration(void);
+extern int cupsdCheckConfigurationAllowed(cupsd_client_t *con);
extern int cupsdWriteErrorLog(int level, const char *message);
--- scheduler/conf.c.orig 2011-11-16 16:28:11.000000000 +0100
+++ scheduler/conf.c 2014-02-05 15:03:28.000000000 +0100
@@ -3196,6 +3196,22 @@ read_configuration(cups_file_t *fp) /* I
cupsdLogMessage(CUPSD_LOG_INFO, "Polling %s:%d", pollp->hostname,
pollp->port);
}
+ else if (!strcasecmp(line, "ConfigurationChangeRestriction") && value)
+ {
+ if (!strcasecmp(value, "none"))
+ ConfigurationChangeRestriction = CUPSD_CONFRESTRICT_NONE;
+ else if (!strcasecmp(value, "root-only"))
+ ConfigurationChangeRestriction = CUPSD_CONFRESTRICT_ROOT;
+ else if (!strcasecmp(value, "all"))
+ ConfigurationChangeRestriction = CUPSD_CONFRESTRICT_ALL;
+ else
+ {
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "Unknown restriction type %s on line %d.",
+ value, linenum);
+ return (0);
+ }
+ }
else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)
{
/*
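Review bot: The new `ConfigurationChangeRestriction` branch compares with plain `strcasecmp()` while the `DefaultAuthType` branch directly below it uses `_cups_strcasecmp()`, the CUPS helper for locale-independent comparison. The added keyword test should use the same helper, `else if (!_cups_strcasecmp(line, "ConfigurationChangeRestriction") && value)`, and so should the three value comparisons for `none`, `root-only` and `all`. `read_configuration()` starts and ends outside this hunk.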
@@ -3657,6 +3673,250 @@ read_configuration(cups_file_t *fp) /* I
}
+static cups_array_t *
+_cupsdGetBlacklistedConfLines(cups_file_t *fp)
+{
+ cups_array_t *conf;
+ int linenum;
+ char keyword[HTTP_MAX_BUFFER],
+ *temp,
+ *value;
+ const char **kw;
+ size_t len;
+ const char *blacklist[] = {
+ "ConfigurationChangeRestriction",
+ "AccessLog",
+ "BrowseLDAPCACertFile",
+ "CacheDir",
+ "ConfigFilePerm",
+ "DataDir",
+ "DocumentRoot",
+ "ErrorLog",
+ "FatalErrors",
+ "FileDevice",
+ "FontPath",
+ "Group",
+ "JobPrivateAccess",
+ "JobPrivateValues",
+ "LogFilePerm",
+ "PageLog",
+ "Printcap",
+ "PrintcapFormat",
+ "PrintcapGUI",
+ "RemoteRoot",
+ "RequestRoot",
+ "ServerBin",
+ "ServerCertificate",
+ "ServerKey",
+ "ServerRoot",
+ "StateDir",
+ "SubscriptionPrivateAccess",
+ "SubscriptionPrivateValues",
+ "SystemGroup",
+ "SystemGroupAuthKey",
+ "TempDir",
+ "User",
+ "WebInterface",
+ NULL
+ };
+
+ conf = cupsArrayNew (NULL, NULL);
+
+ /*
+ * Loop through each line in the file...
+ */
+
+ linenum = 0;
+
+ while (cupsFileGetConf(fp, keyword, sizeof(keyword), &value, &linenum))
+ {
+ for (kw = blacklist; *kw; kw++)
+ if (!strcasecmp (keyword, *kw))
+ break;
+
+ if (*kw == NULL)
+ continue;
+
+ /*
+ * Remember lines we might need to compare against, but only the
+ * last occurrence of each keyword, except for
+ * SystemGroup. SystemGroup is special because it is cumulative:
+ * each SystemGroup line adds groups to the list. For that reason,
+ * we remember multiple SystemGroup lines and don't care about the
+ * order...
+ */
+
+ len = strlen (keyword);
+ if (strcasecmp(keyword, "SystemGroup") != 0)
+ {
+ for (temp = (char *) cupsArrayFirst(conf);
+ temp;
+ temp = (char *) cupsArrayNext(conf))
+ {
+ if (!strncasecmp (temp, keyword, len) && temp[len] == ' ')
+ {
+ cupsArrayRemove(conf, temp);
+
+ /*
+ * There can only be one such line because we do this for each
+ * line containing a blacklisted keyword
+ */
+
+ break;
+ }
+ }
+ }
+
+ len += (value ? strlen (value) : 0) + 2;
+ temp = malloc (len);
+ if (!temp)
+ goto fail;
+
+ snprintf (temp, len, "%s %s", keyword, value ? value : "");
+ cupsArrayAdd(conf, temp);
+ }
+
+ return conf;
+
+fail:
+ for (temp = (char *) cupsArrayFirst(conf);
+ temp;
+ temp = (char *) cupsArrayNext(conf))
+ free(temp);
+ cupsArrayDelete(conf);
+ return NULL;
+}
+
+
+/*
+ * 'cupsdCheckConfigurationAllowed()' - Check whether the new configuration
+ * file can be installed
+ */
+
+int /* O - 1 if allowed, 0 otherwise */
+cupsdCheckConfigurationAllowed(cupsd_client_t *con)
+{
+ int status = 0;
+ cups_file_t *fp;
+ cups_array_t *oldconf,
+ *newconf = NULL;
+ char *oldline,
+ *newline;
+
+ if (ConfigurationChangeRestriction == CUPSD_CONFRESTRICT_NONE)
+ /*
+ * Option checking disabled...
+ */
+ return (1);
+
+ if (ConfigurationChangeRestriction == CUPSD_CONFRESTRICT_ROOT &&
+ !strcmp (con->username, "root"))
+ /*
+ * This is requested by root and our configuration tells us to
+ * accept it.
+ */
+ return (1);
+
+ /*
+ * First read the current cupsd.conf...
+ */
+
+ if ((fp = cupsFileOpen (ConfigurationFile, "r")) == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_WARN, "Unable to open configuration file?!");
+ return (0);
+ }
+
+ oldconf = _cupsdGetBlacklistedConfLines(fp);
+ cupsFileClose(fp);
+ if (!oldconf)
+ return (0);
+
+ /*
+ * Now take a look at the proposed new cupsd.conf...
+ */
+
+ if ((fp = cupsFileOpen(con->filename, "r")) == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_WARN, "Unable to examine new config file");
+ goto fail;
+ }
+
+ newconf = _cupsdGetBlacklistedConfLines(fp);
+ cupsFileClose(fp);
+ if (!newconf)
+ goto fail;
+
+ /*
+ * Now compare the blacklisted directives in each.
+ */
+
+ status = 1;
+ for (oldline = (char *) cupsArrayFirst(oldconf);
+ oldline;
+ oldline = (char *) cupsArrayNext(oldconf))
+ {
+ for (newline = (char *) cupsArrayFirst(newconf);
+ newline;
+ newline = (char *) cupsArrayNext(newconf))
+ if (!strcmp (oldline, newline))
+ break;
+
+ if (newline == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Attempt to remove or change '%s' denied", oldline);
+ status = 0;
+ break;
+ }
+
+ cupsArrayRemove(newconf, newline);
+ free(newline);
+ }
+
+ if (status)
+ {
+ /*
+ * All the original directives are still present. Have any been added?
+ */
+
+ newline = (char *) cupsArrayFirst(newconf);
+ if (newline != NULL)
+ {
+ char *p;
+
+ cupsArrayRemove(newconf, newline);
+
+ p = strchr (newline, ' ');
+ if (p)
+ *p = '\0';
+
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Attempt to add '%s' directive denied", newline);
+ free(newline);
+ status = 0;
+ }
+ }
+
+fail:
+ for (oldline = (char *) cupsArrayFirst(oldconf);
+ oldline;
+ oldline = (char *) cupsArrayNext(oldconf))
+ free(oldline);
+ cupsArrayDelete(oldconf);
+
+ if (newconf)
+ {
+ for (newline = (char *) cupsArrayFirst(newconf);
+ newline;
+ newline = (char *) cupsArrayNext(newconf))
+ free(newline);
+ cupsArrayDelete(newconf);
+ }
+
+ return (status);
+}
+
+
/*
* 'read_location()' - Read a <Location path> definition.
*/
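Review bot: In `_cupsdGetBlacklistedConfLines()` the result of `cupsArrayAdd(conf, temp)` is ignored, so under allocation failure a restricted directive can silently drop out of the list that `cupsdCheckConfigurationAllowed()` compares, and a directive added in the uploaded file would then go undetected. Handle it like the `malloc` failure just above: `if (!cupsArrayAdd(conf, temp)) { free(temp); goto fail; }`. The earlier `cupsArrayRemove(conf, temp)` that replaces a previous occurrence of a keyword also needs a `free(temp)` after it, since every entry was allocated with `malloc`. The `root-only` branch depends solely on `con->username` being the string "root", which the documentation added in the same patch notes is also the case for requests arriving through cups-pk-helper.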


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8023034e8b58eab1ad7279364e872270a77459f6fb59a84d03229cb1d2a6d0e5
size 9583002


@ -1,288 +0,0 @@
diff -Nur cups-1.5.4.dist/cgi-bin/ipp-var.c cups-1.5.4/cgi-bin/ipp-var.c
--- cups-1.5.4.dist/cgi-bin/ipp-var.c 2011-05-20 05:49:49.000000000 +0200
+++ cups-1.5.4/cgi-bin/ipp-var.c 2014-03-09 13:21:20.065678625 +0100
@@ -1192,7 +1192,7 @@
t = (time_t)attr->values[i].integer;
date = localtime(&t);
- strftime(valptr, sizeof(value) - (valptr - value), "%c", date);
+ _cupsstrftime(valptr, sizeof(value) - (valptr - value), "%c", date);
}
else
snprintf(valptr, sizeof(value) - (valptr - value),
diff -Nur cups-1.5.4.dist/cups/language-private.h cups-1.5.4/cups/language-private.h
--- cups-1.5.4.dist/cups/language-private.h 2010-11-20 02:03:46.000000000 +0100
+++ cups-1.5.4/cups/language-private.h 2014-03-09 13:21:20.073680045 +0100
@@ -79,6 +79,7 @@
extern const char *_cupsMessageLookup(cups_array_t *a, const char *m);
extern void _cupsSetLocale(char *argv[]);
+extern size_t _cupsstrftime(char *s, size_t max, const char *format, const struct tm *tm);
# ifdef __cplusplus
}
diff -Nur cups-1.5.4.dist/cups/libcups2.def cups-1.5.4/cups/libcups2.def
--- cups-1.5.4.dist/cups/libcups2.def 2011-09-09 23:55:11.000000000 +0200
+++ cups-1.5.4/cups/libcups2.def 2014-03-09 13:21:20.077680723 +0100
@@ -9,6 +9,7 @@
_cupsLangPrintf
_cupsLangPuts
_cupsLangString
+_cupsstrftime
_cupsMD5Append
_cupsMD5Finish
_cupsMD5Init
diff -Nur cups-1.5.4.dist/cups/libcups_s.exp cups-1.5.4/cups/libcups_s.exp
--- cups-1.5.4.dist/cups/libcups_s.exp 2011-04-16 01:38:13.000000000 +0200
+++ cups-1.5.4/cups/libcups_s.exp 2014-03-09 13:21:20.085681923 +0100
@@ -7,6 +7,7 @@
_cupsLangPrintf
_cupsLangPuts
_cupsLangString
+_cupsstrftime
_cupsMD5Append
_cupsMD5Finish
_cupsMD5Init
diff -Nur cups-1.5.4.dist/cups/Makefile cups-1.5.4/cups/Makefile
--- cups-1.5.4.dist/cups/Makefile 2011-09-09 18:34:29.000000000 +0200
+++ cups-1.5.4/cups/Makefile 2014-03-09 13:21:20.089682442 +0100
@@ -63,6 +63,7 @@
snmp.o \
snprintf.o \
string.o \
+ strftime.o \
tempfile.o \
thread.o \
transcode.o \
diff -Nur cups-1.5.4.dist/cups/strftime.c cups-1.5.4/cups/strftime.c
--- cups-1.5.4.dist/cups/strftime.c 1970-01-01 01:00:00.000000000 +0100
+++ cups-1.5.4/cups/strftime.c 2014-03-09 13:21:20.093682921 +0100
@@ -0,0 +1,56 @@
+/*
+ * "$Id$"
+ *
+ * Localized strftime function for CUPS.
+ *
+ *
+ * Contents:
+ *
+ * _cupsstrftime() - format date and time
+ */
+
+/*
+ * Include necessary headers...
+ */
+
+#include "cups-private.h"
+
+
+/*
+ * '_cupsstrftime()' - format date and time in current locale and convert to UTF8
+ */
+
+size_t
+_cupsstrftime(char *s, size_t max, const char *format, const struct tm *tm)
+{
+ size_t size=0;
+ char date[256]; /* Date buffer */
+ cups_utf8_t utf8[256]; /* Date in utf8 */
+ _cups_globals_t *cg; /* Global data */
+
+ cg = _cupsGlobals();
+
+ if (!cg->lang_default)
+ cg->lang_default = cupsLangDefault();
+
+ if ((size=strftime(date, max, format, tm))!=0)
+ {
+
+ if (cg->lang_default->encoding != CUPS_UTF8)
+ {
+ cupsCharsetToUTF8(utf8, date, (int)sizeof(utf8), cg->lang_default->encoding);
+ strncpy(s, utf8, 256);
+ }
+ else {
+ strncpy(s, date, 256);
+ }
+ }
+ return ((size_t)size);
+}
+
+
+
+
+/*
+ * End of "$Id$".
+ */
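Review bot: `_cupsstrftime()` ignores the caller's `max` when copying out: both `strncpy(s, utf8, 256)` and `strncpy(s, date, 256)` write 256 bytes (strncpy zero-pads) into `s`, which overruns any destination shorter than that, such as the `sizeof(value) - (valptr - value)` remainder passed from `cgi-bin/ipp-var.c`. The `strftime(date, max, format, tm)` call has the mirror problem, bounding the 256-byte local `date` by `max`. Bound each write by its own destination: `strftime(date, sizeof(date), format, tm)`, `strlcpy(s, (char *)utf8, max);` and `strlcpy(s, date, max);` (`strlcpy` is already used in `filter/bannertops.c`). The return value is the length before conversion to UTF-8, so it may not equal the length of what ends up in `s`.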
diff -Nur cups-1.5.4.dist/cups/testipp.c cups-1.5.4/cups/testipp.c
--- cups-1.5.4.dist/cups/testipp.c 2011-09-14 02:31:10.000000000 +0200
+++ cups-1.5.4/cups/testipp.c 2014-03-09 13:21:20.101683760 +0100
@@ -891,7 +891,7 @@
{
vtime = ippDateToTime(val->date);
vdate = localtime(&vtime);
- strftime(vstring, sizeof(vstring), "%c", vdate);
+ _cupsstrftime(vstring, sizeof(vstring), "%c", vdate);
printf(" (%s)", vstring);
}
}
diff -Nur cups-1.5.4.dist/filter/bannertops.c cups-1.5.4/filter/bannertops.c
--- cups-1.5.4.dist/filter/bannertops.c 2011-05-20 05:49:49.000000000 +0200
+++ cups-1.5.4/filter/bannertops.c 2014-03-09 13:21:20.105684120 +0100
@@ -843,7 +843,7 @@
curtime = (time_t)atoi(option);
curdate = localtime(&curtime);
- strftime(text, sizeof(text), "%c", curdate);
+ _cupsstrftime(text, sizeof(text), "%c", curdate);
}
else
strlcpy(text, "?", sizeof(text));
@@ -865,7 +865,7 @@
curtime = (time_t)atoi(option);
curdate = localtime(&curtime);
- strftime(text, sizeof(text), "%c", curdate);
+ _cupsstrftime(text, sizeof(text), "%c", curdate);
}
else
strlcpy(text, "?", sizeof(text));
@@ -1066,7 +1066,7 @@
curtime = time(NULL);
curtm = localtime(&curtime);
- strftime(curdate, sizeof(curdate), "%c", curtm);
+ _cupsstrftime(curdate, sizeof(curdate), "%c", curtm);
puts("%!PS-Adobe-3.0");
printf("%%%%BoundingBox: %.0f %.0f %.0f %.0f\n", PageLeft, PageBottom,
diff -Nur cups-1.5.4.dist/filter/imagetops.c cups-1.5.4/filter/imagetops.c
--- cups-1.5.4.dist/filter/imagetops.c 2011-08-17 23:01:53.000000000 +0200
+++ cups-1.5.4/filter/imagetops.c 2014-03-09 13:21:20.113684721 +0100
@@ -618,7 +618,7 @@
puts("%%DocumentData: Clean7Bit");
puts("%%DocumentNeededResources: font Helvetica-Bold");
puts("%%Creator: imagetops/" CUPS_SVERSION);
- strftime(curdate, sizeof(curdate), "%c", curtm);
+ _cupsstrftime(curdate, sizeof(curdate), "%c", curtm);
printf("%%%%CreationDate: %s\n", curdate);
WriteTextComment("Title", argv[3]);
WriteTextComment("For", argv[2]);
diff -Nur cups-1.5.4.dist/filter/texttops.c cups-1.5.4/filter/texttops.c
--- cups-1.5.4.dist/filter/texttops.c 2010-12-03 07:29:20.000000000 +0100
+++ cups-1.5.4/filter/texttops.c 2014-03-09 13:21:20.117684961 +0100
@@ -223,7 +223,7 @@
curtime = time(NULL);
curtm = localtime(&curtime);
- strftime(curdate, sizeof(curdate), "%c", curtm);
+ _cupsstrftime(curdate, sizeof(curdate), "%c", curtm);
puts("%!PS-Adobe-3.0");
printf("%%%%BoundingBox: 0 0 %.0f %.0f\n", PageWidth, PageLength);
diff -Nur cups-1.5.4.dist/scheduler/testsub.c cups-1.5.4/scheduler/testsub.c
--- cups-1.5.4.dist/scheduler/testsub.c 2010-03-24 01:45:34.000000000 +0100
+++ cups-1.5.4/scheduler/testsub.c 2014-03-09 13:21:20.125685362 +0100
@@ -442,7 +442,7 @@
{
vtime = ippDateToTime(val->date);
vdate = localtime(&vtime);
- strftime(vstring, sizeof(vstring), "%c", vdate);
+ _cupsstrftime(vstring, sizeof(vstring), "%c", vdate);
printf(" (%s)", vstring);
}
}
diff -Nur cups-1.5.4.dist/systemv/lpstat.c cups-1.5.4/systemv/lpstat.c
--- cups-1.5.4.dist/systemv/lpstat.c 2011-10-07 23:41:07.000000000 +0200
+++ cups-1.5.4/systemv/lpstat.c 2014-03-09 13:21:20.133685662 +0100
@@ -744,7 +744,7 @@
if (match_list(printers, printer))
{
pdate = localtime(&ptime);
- strftime(printer_state_time, sizeof(printer_state_time), "%c", pdate);
+ _cupsstrftime(printer_state_time, sizeof(printer_state_time), "%c", pdate);
if (accepting)
_cupsLangPrintf(stdout, _("%s accepting requests since %s"),
@@ -1436,7 +1436,7 @@
* Show the consolidated output format for the SGI tools...
*/
- if (!strftime(date, sizeof(date), "%b %d %H:%M", jobdate))
+ if (!_cupsstrftime(date, sizeof(date), "%b %d %H:%M", jobdate))
strcpy(date, "Unknown");
_cupsLangPrintf(stdout, "%s;%s;%d;%s;%s",
@@ -1445,7 +1445,7 @@
}
else
{
- if (!strftime(date, sizeof(date), "%c", jobdate))
+ if (!_cupsstrftime(date, sizeof(date), "%c", jobdate))
strcpy(date, "Unknown");
if (ranking)
@@ -1764,7 +1764,7 @@
*/
pdate = localtime(&ptime);
- strftime(printer_state_time, sizeof(printer_state_time), "%c", pdate);
+ _cupsstrftime(printer_state_time, sizeof(printer_state_time), "%c", pdate);
switch (pstate)
{
--- cups-1.5.4.dist/test/run-stp-tests.sh 2014-03-12 08:35:30.805162912 +0100
+++ cups-1.5.4/test/run-stp-tests.sh 2014-03-12 09:45:53.668548631 +0100
@@ -411,6 +411,19 @@
i=`expr $i + 1`
done
+cat >>/tmp/cups-$user/printers.conf <<EOF
+<Printer test5.4>
+Accepting Yes
+DeviceURI file:/dev/null
+Info Test raw printer $i
+JobSheets none none
+Location CUPS test suite
+State Idle
+StateTime 1394607600
+StateMessage Printer $1 is idle.
+</Printer>
+EOF
+
if test -f /tmp/cups-$user/printers.conf; then
cp /tmp/cups-$user/printers.conf /tmp/cups-$user/printers.conf.orig
else
--- cups-1.5.4.dist/test/5.4-lpstat.sh 2014-03-12 08:26:22.738824487 +0100
+++ cups-1.5.4/test/5.4-lpstat.sh 2014-03-12 09:44:43.838713821 +0100
@@ -38,6 +38,30 @@
fi
echo ""
+echo "LPSTAT Test"
+echo ""
+echo " lpstat -p"
+state="`../systemv/lpstat -p test5.4 | head -1 2>&1`"
+if test $? != 0 -o "x$state" != "xprinter test5.4 is idle. enabled since Wed Mar 12 08:00:00 2014"; then
+ echo " FAILED"
+ exit 1
+else
+ echo " PASSED"
+fi
+echo ""
+
+echo "LPSTAT Test2"
+echo ""
+echo " LC_ALL=de_DE@euro lpstat -p"
+state="`LC_ALL=de_DE@euro ../systemv/lpstat -p test5.4 | head -1 2>&1`"
+if test $? != 0 -o "x$state" != "xprinter test5.4 is idle. enabled since Mi 12 Mär 2014 08:00:00 CET"; then
+ echo " FAILED"
+ exit 1
+else
+ echo " PASSED"
+fi
+echo ""
+
#
# End of "$Id: 5.4-lpstat.sh 8498 2009-04-13 17:03:15Z mike $".
#


@ -1,9 +1,12 @@
--- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100
+++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100
@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@
Index: conf/cupsd.conf.in
===================================================================
--- conf/cupsd.conf.in.orig
+++ conf/cupsd.conf.in
@@ -127,3 +127,36 @@ WebInterface @CUPS_WEBIF@
Order deny,allow
</Limit>
</Policy>
+
+# The policy below is added by SUSE during build of our cups package.
+# The policy 'allowallforanybody' is totally open and insecure and therefore
+# it can only be used within an internal network where only trused users exist
@ -14,7 +17,7 @@
+# print jobs from an internal network to any external destination, see
+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
+# For documentation regarding 'Managing Operation Policies' see
+# http://www.cups.org/documentation.php/doc-1.5/policies.html
+# http://www.cups.org/documentation.php/doc-1.7/policies.html
+<Policy allowallforanybody>
+ # Allow anybody to access job's private values:
+ JobPrivateAccess all
@ -36,7 +39,3 @@
+</Policy>
+# Explicitly set the CUPS 'default' policy to be used by default:
+DefaultPolicy default
+
#
# End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
#

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:858720f76b66fd0441ae2a16f7cabd9554c8c64607e28ffacf16c36c53a3b18b
size 8766982

View File

@ -1,77 +1,28 @@
# Sample client configuration file for the Common UNIX Printing System
# (CUPS).
#
# Copyright 1997-2005 by Easy Software Products, all rights reserved.
# Klaus Singvogel <kssingvo@suse.de> modified it for SUSE distribution.
#
# These coded instructions, statements, and computer programs are the
# property of Easy Software Products and are protected by Federal
# copyright law. Distribution and use rights are outlined in the file
# "LICENSE.txt" which should have been included with this file. If this
# file is missing or damaged please contact Easy Software Products
# at:
#
# Attn: CUPS Licensing Information
# Easy Software Products
# 44141 Airport View Drive, Suite 204
# Hollywood, Maryland 20636 USA
#
# Voice: (301) 373-9600
# EMail: cups-info@cups.org
# WWW: http://www.cups.org
#
# CUPS client configuration file (optional).
########################################################################
# #
# This is the CUPS client configuration file. This file is used to #
# define client-specific parameters, such as the default server or #
# default encryption settings. #
# #
# Put this file on /etc/cups/client.conf (system use) or #
# ~/.cups/client.conf (personal use). #
# #
# more information in the manual page client.conf(5)
########################################################################
# You may use /etc/cups/client.conf (system wide)
# or ~/.cups/client.conf (per user).
# For more information see "man 5 client.conf".
#
# Encryption: directive specifies the default encryption settings for
# the client.
#
# Possible values:
#
# IfRequested
# Never
# Required
# Always
#
# The default value is "IfRequested".
# This parameter can also be set # using the CUPS_ENCRYPTION environment
# variable.
#
# The ServerName directive specifies the remote server
# that is to be used for all client operations. That is, it
# redirects all client requests directly to that remote server
# so that a local running cupsd is not used in this case.
# The default is to use the local server ("localhost") or domain socket.
# Only one ServerName directive may appear.
# If multiple names are present, only the last one is used.
# The default port number is 631 but can be overridden by adding
# a colon followed by the desired port number.
# The default IPP version is 2.0 but can be overridden by adding
# a slash followed by version=V where V is 1.0 or 1.1 or 2.0 or 2.1 or 2.2.
# IPP version 2.0 does do not work with CUPS 1.3 or older servers.
# If an CUPS 1.3 or older server is used, its older IPP version
# must be specified as .../version=1.1 or .../version=1.0.
#Encryption IfRequested
#Encryption Never
#Encryption Required
#Encryption Always
# Examples:
# ServerName sever.example.com
# ServerName 192.0.2.10
# ServerName sever.example.com:8631
# ServerName older.server.example.com/version=1.1
# ServerName older.server.example.com:8631/version=1.1
#
# ServerName: directive specifies sets the remote server that is to be
# used for all client operations. That is, it redirects all client
# requests to the remote server.
#
# By default CUPS will use the domain socket /var/run/cups/cups.sock or
# local server ("localhost"), if so configured. The value can be
# overwritten by the CUPS_SERVER environment variable.
#
# The default port number is 631 but can be overridden by adding a colon
# followed by the desired port number to the value.
#
# ONLY ONE SERVER NAME MAY BE SPECIFIED AT A TIME. To use more than one
# server you must use a local scheduler with browsing and possibly
# polling.
#
#ServerName /domain/socket
#ServerName foo.bar.com
#ServerName 11.22.33.444
#ServerName foo.bar.com:8631
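Review bot: The rewritten client.conf appears to drop every mention of the Encryption directive (the old block listing IfRequested/Never/Required/Always and the CUPS_ENCRYPTION variable), so the shipped sample no longer tells an administrator that client-side encryption can be required. The old/new assignment is inferred from the 77-to-28 line counts and the wording, because the page lost its +/- markers. I would keep a short commented pointer such as `#Encryption Required` with a reference to "man 5 client.conf". The new ServerName text also has two slips: `sever.example.com` should read `server.example.com` in both examples, and "does do not work" should be "does not work".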

View File

@ -1,13 +1,11 @@
--- cups-config.in.orig
+++ cups-config.in
@@ -35,8 +35,8 @@ INSTALLSTATIC=@INSTALLSTATIC@
--- cups-config.in.orig 2011-08-27 11:23:01.000000000 +0200
+++ cups-config.in 2012-11-27 15:47:27.000000000 +0100
@@ -35,7 +35,7 @@ INSTALLSTATIC=@INSTALLSTATIC@
# flags for C++ compiler:
CFLAGS=""
LDFLAGS="@EXPORT_LDFLAGS@"
-LIBS="@LIBGSSAPI@ @EXPORT_SSLLIBS@ @EXPORT_LIBZ@ @LIBS@"
-IMGLIBS="@EXPORT_LIBTIFF@ @EXPORT_LIBJPEG@ @EXPORT_LIBPNG@"
-LIBS="@LIBGSSAPI@ @EXPORT_SSLLIBS@ @LIBZ@ @LIBS@"
+LIBS=""
+IMGLIBS=""
# Check for local invocation...
selfdir=`dirname $0`

View File

@ -1,33 +0,0 @@
--- cups-1.5.4.orig/config.h.in
+++ cups-1.5.4/config.h.in
@@ -131,7 +131,7 @@
#define CUPS_SBINDIR "/usr/sbin"
#define CUPS_SERVERBIN "/usr/lib/cups"
#define CUPS_SERVERROOT "/etc/cups"
-#define CUPS_STATEDIR "/var/run/cups"
+#define CUPS_STATEDIR "/run/cups"
/*
--- cups-1.5.4.orig/configure
+++ cups-1.5.4/configure
@@ -6424,7 +6424,7 @@ case "$uname" in
;;
*)
# All others
- CUPS_STATEDIR="$localstatedir/run/cups"
+ CUPS_STATEDIR="/run/cups"
;;
esac
cat >>confdefs.h <<_ACEOF
--- cups-1.5.4.orig/config-scripts/cups-directories.m4
+++ cups-1.5.4/config-scripts/cups-directories.m4
@@ -429,7 +429,7 @@ case "$uname" in
;;
*)
# All others
- CUPS_STATEDIR="$localstatedir/run/cups"
+ CUPS_STATEDIR="/run/cups"
;;
esac
AC_DEFINE_UNQUOTED(CUPS_STATEDIR, "$CUPS_STATEDIR")

View File

@ -1,18 +0,0 @@
--- scheduler/cups-polld.c.orig 2012-03-02 19:26:30.000000000 +0100
+++ scheduler/cups-polld.c 2013-07-05 14:33:08.000000000 +0200
@@ -169,10 +169,15 @@ main(int argc, /* I - Number of comm
/*
* Sleep for any remaining time...
+ * but in case of unusual issues (if remain <= 0 or if restart_polling)
+ * sleep interval seconds to avoid any possible busy-loop
+ * see for example https://bugzilla.novell.com/show_bug.cgi?id=828228
*/
if (remain > 0 && !restart_polling)
sleep(remain);
+ else
+ sleep(interval);
}
return (1);

View File

@ -1,11 +0,0 @@
Index: cups-1.5.4/data/cups.service.in
===================================================================
--- cups-1.5.4.orig/data/cups.service.in
+++ cups-1.5.4/data/cups.service.in
@@ -5,5 +5,6 @@ Description=CUPS Printing Service
ExecStart=@sbindir@/cupsd -f
[Install]
+Alias=cupsd.service
Also=cups.socket cups.path
WantedBy=printer.target

60
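--- a/cups-systemd-socket.patch
+++ b/cups-systemd-socket.patch
@@ -0,0 +1,60 @@
+diff -up cups-2.0.2/cups/usersys.c.ustTJg cups-2.0.2/cups/usersys.c
+--- cups-2.0.2/cups/usersys.c.ustTJg 2015-02-10 13:40:24.294545077 +0100
++++ cups-2.0.2/cups/usersys.c 2015-02-10 13:46:56.763989233 +0100
+@@ -1017,7 +1017,7 @@ cups_finalize_client_conf(
+struct stat sockinfo; /* Domain socket information */
+if (!stat(CUPS_DEFAULT_DOMAINSOCKET, &sockinfo) &&
+- (sockinfo.st_mode & S_IRWXO) == S_IRWXO)
++ (sockinfo.st_mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH))
+cups_set_server_name(cc, CUPS_DEFAULT_DOMAINSOCKET);
+else
+#endif /* CUPS_DEFAULT_DOMAINSOCKET */
+diff -up cups-2.0.2/scheduler/main.c.ustTJg cups-2.0.2/scheduler/main.c
+--- cups-2.0.2/scheduler/main.c.ustTJg 2015-02-10 13:40:24.121547526 +0100
++++ cups-2.0.2/scheduler/main.c 2015-02-10 13:40:24.295545063 +0100
+@@ -658,8 +658,15 @@ main(int argc, /* I - Number of comm
+#if defined(HAVE_LAUNCHD) || defined(HAVE_SYSTEMD)
+if (OnDemand)
++ {
+cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started on demand.");
+- else
++# ifdef HAVE_SYSTEMD
++ sd_notifyf(0, "READY=1\n"
++ "STATUS=Scheduler is running...\n"
++ "MAINPID=%lu",
++ (unsigned long) getpid());
++# endif /* HAVE_SYSTEMD */
++ } else
+#endif /* HAVE_LAUNCHD || HAVE_SYSTEMD */
+if (fg)
+cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started in foreground.");
+diff -up cups-2.0.2/scheduler/org.cups.cupsd.path.in.ustTJg cups-2.0.2/scheduler/org.cups.cupsd.path.in
+--- cups-2.0.2/scheduler/org.cups.cupsd.path.in.ustTJg 2014-03-21 15:50:24.000000000 +0100
++++ cups-2.0.2/scheduler/org.cups.cupsd.path.in 2015-02-10 13:40:24.295545063 +0100
+@@ -2,7 +2,7 @@
+Description=CUPS Scheduler
+[Path]
+-PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
++PathExistsGlob=@CUPS_REQUESTS@/d*
+[Install]
+WantedBy=multi-user.target
+diff -up cups-2.0.2/scheduler/org.cups.cupsd.service.in.ustTJg cups-2.0.2/scheduler/org.cups.cupsd.service.in
+--- cups-2.0.2/scheduler/org.cups.cupsd.service.in.ustTJg 2014-10-21 13:55:01.000000000 +0200
++++ cups-2.0.2/scheduler/org.cups.cupsd.service.in 2015-02-10 13:40:24.296545049 +0100
+@@ -1,10 +1,11 @@
+[Unit]
+Description=CUPS Scheduler
+Documentation=man:cupsd(8)
++After=network.target
+[Service]
+ExecStart=@sbindir@/cupsd -l
+-Type=simple
++Type=notify
+[Install]
+Also=org.cups.cupsd.socket org.cups.cupsd.path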
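Review bot: In the scheduler/main.c hunk the `sd_notifyf(0, "READY=1\n" ...)` call sits only inside the `if (OnDemand)` branch, while the service file in the same patch switches the unit to `Type=notify`. If this unit ever starts cupsd without on-demand mode (for example a local override of `ExecStart` that drops `-l`), systemd would presumably never receive READY=1 and would treat the start as failed once its timeout expires. Sending the notification after the whole if/else chain would remove that coupling; failing that, a comment such as `/* READY=1 is sent only when started on demand; the unit must keep ExecStart=... -l */` would at least make it explicit. The return value of `sd_notifyf` is also ignored, so a failed notification goes unnoticed. main() starts and ends outside the hunk, so whether another path notifies systemd cannot be seen here.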

View File

@ -1,149 +1,255 @@
-------------------------------------------------------------------
Tue Nov 25 16:13:50 CET 2014 - jsmeix@suse.de
Thu Feb 12 13:50:58 UTC 2015 - tchvatal@suse.com
- Refresh and/or clean up the systemd units that belong to CUPS
(cups.service cups.socket cups.path) via RPM posttrans scriplet
in a generic way via "systemctl --force reenable" (bnc#904215).
An enabled systemd unit may need a refresh via
"systemctl --force reenable" after updating a package when
the new package had installed a changed systemd unit file.
A disabled systemd unit also may need a refresh via
"systemctl --force reenable" but then it is again disabled.
A systemd unit may become obsolete by updating a package when
the new package does no longer provide a unit file. In this
case "systemctl --force reenable" removes the unit.
In any case currently running services are not stopped even
when the new package does no longer provide the unit file
because a RPM package update must not automatically disrupt
(stop or restart) running services.
- Add back the posttrans cleanup script as it is needed
-------------------------------------------------------------------
Tue Nov 4 13:26:04 CET 2014 - jsmeix@suse.de
Thu Feb 12 09:22:30 UTC 2015 - tchvatal@suse.com
- Also for SLE12 krb5-devel must be used for build
(cf. the entry below dated "Wed Jun 26 10:39:30 CEST 2013")
because in contrast to IBS where krb5-mini-devel is available
for build in SUSE:SLE-12:GA in OBS it cannot build for SLE_12
with "unresolvable: nothing provides krb5-mini-devel".
- Add patch cups-systemd-socket.patch to fix socket activation
and to match socket approach Fedora has.
-------------------------------------------------------------------
Mon Oct 13 09:30:49 UTC 2014 - gber@opensuse.org
Thu Feb 12 09:12:05 UTC 2015 - tchvatal@suse.com
- use Settings;Printing;HardwareSettings desktop file category
instead of System category in the desktop file
- Version bump to 2.0.2:
* Security: cupsRasterReadPixels buffer overflow with invalid page header and
compressed raster data (STR #4551)
* Mapping of PPD keywords to IPP keywords did not work if the PPD keyword was
already an IPP keyword (<rdar://problem/19121005>)
* cupsGetPPD* sent bad requests (STR #4567)
* For detailed list see CHANGES.txt file
-------------------------------------------------------------------
Tue Sep 2 15:48:23 CEST 2014 - jsmeix@suse.de
Thu Feb 12 09:10:09 UTC 2015 - tchvatal@suse.com
- Enable PIE for build
-------------------------------------------------------------------
Fri Jan 30 10:44:47 UTC 2015 - tchvatal@suse.com
- Remove legacy paralel-port support as it is not really needed
as most do not want it
-------------------------------------------------------------------
Fri Jan 30 10:39:41 UTC 2015 - tchvatal@suse.com
- Update descriptions to just state what changed and let user
find it out.
- Add back comment about %fdupes
- Remove exit 0 on scriptlets as it is provided by the %service bla
ones already
- Fix the comment about openSUSE version on tmpfilesdir declaration
-------------------------------------------------------------------
Fri Jan 16 16:00:20 UTC 2015 - tchvatal@suse.com
- cups-2.0.1 update:
* lengthy list of changes see the upstream CHANGES.txt that is
distributed with the package
* Disabling of sslv3 to mitigate poodle
- Use gnutls to provide SSLOPtions configuration directive
* openssl is no longer supported upstream
* Remove the with-openssl-exception from license
- Remove cups.sysconfig as it is not used with systemd based distros
- Purposely lose support for SLE11 as it doubles size of some of the
sections and keep suppor for openSUSE+SLE12
* even with the conditions we would have to go unencrypted only
as needs newer gnutls, so don't bother with keeping the compat
- Use upstream service and socket files to allow more working tools
-------------------------------------------------------------------
Tue Sep 23 13:57:31 CEST 2014 - ro@suse.de
- change BuildRequires for systemd to pkgconfig(systemd)
and pkgconfig(libsystemd-daemon) to avoid build-cycles
-------------------------------------------------------------------
Mon Aug 25 13:19:19 CEST 2014 - jsmeix@suse.de
- Version upgrade to 1.7.5:
CUPS 1.7.5 addresses some minor issues and expands upon the
symlink security protection. Changes include (excerpt):
* Security: Addressed some more situations where symlinked
files would be served by the web interface (CVE-2014-5029
CVE-2014-5030 CVE-2014-5031 STR #4455 and bnc#887240).
* The LPD backend did not work with some versions
of glibc (STR #4452)
* CGI scripts did not work (STR #4454)
- str4455-1.7.patch (see the previous entry below)
is obsolete because it is fixed upstream since CUPS 1.7.5.
- Let fdupes only create symlinks in /usr/share/cups/templates/ to
avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png
because the cupsd web server does no longer follow symlinks
to avoid the security issues mentioned in the previous entry
below (fixes bnc#892587 a regression of bnc#887240).
because since CUPS 1.7.4/1.7.5 the cupsd web server does
no longer follow symlinks to avoid the security issues
mentioned in the previous two entries below
(fixes bnc#892587 a regression of bnc#887240).
-------------------------------------------------------------------
Tue Sep 2 15:26:36 CEST 2014 - jsmeix@suse.de
Tue Jul 29 16:41:10 CEST 2014 - jsmeix@suse.de
- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
fixes that the web interface incorrectly served symlinked files
- str4455-1.7.patch complements the incomplete fix for
CVE-2014-3537 STR#445 in the CUPS 1.7.4 sources
to fix the subsequent CVE-2014-5029 CVE-2014-5030
CVE-2014-5031 STR#4455 (bnc#887240).
-------------------------------------------------------------------
Tue Jul 15 11:13:14 CEST 2014 - jsmeix@suse.de
- Version upgrade to 1.7.4:
CUPS 1.7.4 fixes several networking and build issues,
and addresses a symlink security issue CVE-2014-3537.
Changes since 1.7.3 include (excerpt):
* Security: The web interface incorrectly served symlinked files
and files that were not world-readable, potentially leading to
a disclosure of information (CVE-2014-3537 STR #4450 plus the
subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455
all in bnc#887240).
a disclosure of information (CVE-2014-3537, STR #4450,
and bnc#887240).
* The "snmp" option did not work with the network backends
(STR #4422).
* The User directive in client.conf did not override the USER
environment variable (STR #4426).
* The web interface now properly shows a "Go" button for
all text-based browsers (STR #4425).
* The MaxJobTime directive now properly supports time
values (STR #4434).
* Fixed an "IPP read error" race condition issue (STR #4440).
-------------------------------------------------------------------
Thu May 22 10:16:17 UTC 2014 - werner@suse.de
Mon Jun 2 13:21:31 CEST 2014 - jsmeix@suse.de
- Add build require pkgconfig(libsystemd-daemon) to allow to move
systemd.pc back to systemd package
- Version upgrade to 1.7.3:
CUPS 1.7.3 includes a number of general bug fixes.
Changes since 1.7.2 include (excerpt):
* Fixed mapping of OutputBin values such as "Tray1".
* Several ippGet* functions incorrectly returned -1
instead of 0 on error.
* Fixed an authentication race condition in
cupsSendRequest (STR #4403).
* The scheduler did not add the "job-hold-until-specified"
reason when holding a job using the lp command (STR #4405).
* Auto-typing of PWG Raster files did not work (STR #4417).
* IPP queues using hardcoded credentials would ask
for credentials (STR #4371).
-------------------------------------------------------------------
Fri Apr 11 09:42:30 CEST 2014 - jsmeix@suse.de
Wed Apr 23 14:24:12 CEST 2014 - jsmeix@suse.de
- cups-1.5.4-strftime.patch fixes CUPS upstream STR #4388:
no or malformed output from lpstat in charset other than utf-8
(bnc#873030).
- Version upgrade to 1.7.2:
CUPS 1.7.2 addresses a web interface redirection security issue,
some scheduler crashed on Linux, and other general bug fixes.
Changes since 1.7.1 include (excerpt):
* CVE-2014-2856: The scheduler now blocks URLs containing
embedded HTML (STR #4356 and bnc#873899).
* cupsDoIORequest could miss the server status, causing failed
lpadmin and other administrative commands (STR #4386).
* Fixed a D-BUS threading issue that caused the scheduler
to crash (STR #4347).
* The scheduler now automatically reconnects to Avahi
as needed (STR #4370, STR #4373).
- str4351.patch that fixed STR #4351: cups-lpd hugh jobs (>2G) fail
is obsolete because it is fixed upstream since CUPS 1.7.2.
- Removed the CUPS banner files in /usr/share/cups/banners/ and
the CUPS testpage /usr/share/cups/data/testprint (which is also
a CUPS banner file type) because they do no longer work
since CUPS >= 1.6 (see http://www.cups.org/str.php?L4120)
because there is no longer a filter for Linux that can convert
the CUPS banner files. Since CUPS >= 1.6 only the banner files
and testpage in the cups-filters package work via the
cups-filters PDF workflow and the cups-filters package also
provides the matching bannertopdf filter (bnc#873376).
-------------------------------------------------------------------
Thu Feb 20 13:57:24 CET 2014 - jsmeix@suse.de
Fri Apr 11 14:52:41 CEST 2014 - jsmeix@suse.de
- In case of systemd use --with-rundir=/run/cups
instead of --with-rundir=/run (bnc#871640).
-------------------------------------------------------------------
Thu Feb 27 12:49:42 CET 2014 - jsmeix@suse.de
- Cautious clean up of systemd units via RPM scriptlets
(see the entry below dated "Wed Feb 19 15:05:44 CET 2014")
does not work reliable because it would leave a messsed up
systemd setup for cupsd when YaST was used before
to start/stop/enable/disable the cupsd, see
https://bugzilla.novell.com/show_bug.cgi?id=857372#c115
so that now cups.socket and cups.path are stopped and disabled
in any case to ensure starting/stopping/enabling/disabling
of the cupsd also works with YaST, see
https://bugzilla.novell.com/show_bug.cgi?id=857372#c120
(bnc#857372).
- str4351.patch from CUPS upstream fixes
https://www.cups.org/str.php?L4351
"STR #4351 cups-lpd hugh jobs (>2G) fail"
(bnc#864782).
-------------------------------------------------------------------
Wed Feb 19 15:05:44 CET 2014 - jsmeix@suse.de
- Cautious clean up of systemd units via RPM scriptlets:
* When /usr/lib/systemd/system/cups.path and/or
/usr/lib/systemd/system/cups.socket are in use
stop and disable them because they are no longer provided
but keep manually set up cups.path and/or cups.socket units.
* Enforce systemd to use the cups.service file in this package
by "systemctl reenable cups.service" if it was enabled
(intentionally this does not restart a running cupsd).
For details see "rpm -q --scripts cups" and have a look at
http://lists.opensuse.org/opensuse-packaging/2014-02/msg00096.html
-------------------------------------------------------------------
Wed Feb 12 11:53:45 CET 2014 - jsmeix@suse.de
- Added Begin/End comments in scriptlets for RPM macros
so that it is easier to see in the "rpm -q --scripts cups"
output what each RPM macro actually does.
-------------------------------------------------------------------
Wed Feb 12 10:30:42 CET 2014 - jsmeix@suse.de
Wed Feb 26 15:20:02 CET 2014 - jsmeix@suse.de
- Version upgrade to 1.7.1 (fate#314630):
CUPS >= 1.6 has major incompatible changes compared to CUPS
up to version 1.5.4 in particular when printing via network:
* The IPP protocol default version increased form 1.1 to 2.0.
Older IPP servers like CUPS 1.3.x (e.g. in SLE11)
reject IPP 2.0 requests with "Bad Request" (STR #4231).
By adding '/version=1.1' to ServerName in client.conf
(e.g. ServerName older.server.example.com/version=1.1)
or the CUPS_SERVER environment variable value or by
adding it to the server name value of the '-h' opion
(e.g. lpstat -h older.server.example.com/version=1.1 -p)
the older IPP protocol version for older servers
must be explicitly specified.
* CUPS Browsing is dropped in CUPS but the new package
cups-filters provides the cups-browsed that provides
basic CUPS Browsing and Polling functionality.
The native protocol in CUPS for automatic client discovery
of printers is now DNS-SD.
* Some printing filters and backends are dropped in CUPS
but the new package cups-filters provides them so that
cups-filters is usually needed (recommended by RPM)
but cups-filters is not strictly required.
* The cupsd configuration directives are split into two files
cupsd.conf (can also be modified via HTTP PUT e.g. via cupsctl)
and cups-files.conf (can only be modified manually by root)
to have better default protection against misuse of privileges
by normal users who have been specifically allowed
by root to do cupsd configuration changes
(STR #4223 CVE-2012-5519 bnc#789566).
See the entries below for more information.
For details see the openSUSE Bugzilla bnc#735404 issue.
CUPS 1.7.1 improves network and USB printing, fixes some
scheduler issues, and addresses a minor security issue
in the lppasswd program.
Changes since 1.7.0 include (excerpt):
* Security: the lppasswd program incorrectly used settings
from ~/.cups/client.conf (STR #4319)
* ATTR messages could cause string pool memory corruption
in the scheduler (<rdar://problem/15382819>)
* Printing to a raw queue could result in corrupt output
due to opportunistic compression (<rdar://problem/15008524>)
* Japanese PPDs using with the Shift-JIS encoding
did not work (<rdar://problem/15427759>)
* The libusb-based USB backend incorrectly used write
timeouts (<rdar://problem/15564888>)
* The IPP backend did not wait for a busy printer
to become available before attempting to print
(<rdar://problem/15465667>)
* Using "@IF(name)" in an Allow or Deny rule
did not work (STR #4328)
* The D-BUS notifier did not remove its lockfile (STR #4314)
* CUPS incorrectly used the USER environment variable when
the name did not match the user ID (STR #4327)
For details see the CHANGES.txt file.
- cups-1.7-additional_policies.patch adds the 'allowallforanybody'
policy to cupsd.conf (fate#303515) and replaces
cups-1.6.2-adapt_cupsd.conf_defaults_for_SUSE.patch
- Clean up of systemd unit files (bnc#857372):
Make it working again as simple and secure as it worked
all the time in the past by providing only one single
systemd unit file cups.service. In particular currently YaST
cannot manage services with additional other systemd unit files.
Furthermore systemd socket activation is currently insecure
in case of IPv6 (CVE-2012-6094 bnc#795624).
- Clean up how cupsd is launched (via SysVinit or systemd)
by maintaining strictly separated sections in cups.spec:
Either for launching cupsd via systemd (if have_systemd is set)
or for launching cupsd via SysVinit (if have_systemd is not set).
SysVinit support cannot be removed because CUPS 1.5.4
is provided for SLE11 in the OBS devel project "Printing".
-------------------------------------------------------------------
Wed Feb 5 14:04:42 CET 2014 - jsmeix@suse.de
- cups-1.5.4-CVE-2012-5519.patch adds better default protection
against misuse of privileges by normal users who have been
specifically allowed by root to do cupsd configuration changes
(CUPS STR#4223 CVE-2012-5519 Novell/Suse Bugzilla bnc#789566).
The new ConfigurationChangeRestriction cupsd.conf directive
specifies the level of restriction for cupsd.conf changes
that happen via HTTP/IPP requests to the running cupsd
(e.g. via CUPS web interface or via the cupsctl command).
By default certain cupsd.conf directives that deal with
filenames, paths, and users can no longer be changed via
requests to the running cupsd but only by manual editing
the cupsd.conf file and its default file permissions
permit only root to write the cupsd.conf file.
Those directives are: ConfigurationChangeRestriction,
AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm,
DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice,
FontPath, Group, JobPrivateAccess, JobPrivateValues,
LogFilePerm, PageLog, Printcap, PrintcapFormat, PrintcapGUI,
RemoteRoot, RequestRoot, ServerBin, ServerCertificate,
ServerKey, ServerRoot, StateDir, SubscriptionPrivateAccess,
SubscriptionPrivateValues, SystemGroup, SystemGroupAuthKey,
TempDir, User, WebInterface.
SysVinit support cannot be removed because CUPS 1.7.1 still
builds and can be used even for SLE11.
- The default group of users who are allowed to do cupsd
configuration changes via requests to the running cupsd
(i.e. the SystemGroup directive in cupsd.conf) is set
to 'root' only.
- In this context a general security advice:
to 'root' only (related to STR #4223 CVE-2012-5519 bnc#789566).
In this context a general security advice:
When root allows normal users to do system administration tasks
(in particular when root allows normal users to administer
system processes - i.e. processes that run as root), then
@ -152,135 +258,197 @@ Wed Feb 5 14:04:42 CET 2014 - jsmeix@suse.de
may get allowed to do specific system administration tasks.
-------------------------------------------------------------------
Wed Jan 29 14:27:52 CET 2014 - jsmeix@suse.de
Wed Oct 30 10:25:24 CET 2013 - jsmeix@suse.de
- cups-0003-systemd-secure-cups.service-unit-file.patch changes
the cups.service systemd unit file to be more secure and
to let the cupsd again work as it did all the time for printing
in a network (bnc#857372 in particular comment #61 therein).
- cups-1.5-additional_policies.patch was updated to avoid
cupsd warning messages of the form "No limit for ... defined
in policy allowallforanybody and no suitable template found"
(bnc#857372 in particular comment #48 therein).
- Version upgrade to 1.7.0
CUPS >= 1.6 has major incompatible changes compared to CUPS 1.5.
See the entries below for more information.
For details see the openSUSE Bugzilla bnc#735404 issue.
Changes since 1.7rc1 include (excerpt):
* The lpadmin command did not send the PPD name from
the "-m" option (<rdar://problem/15264697>).
* The scheduler did not respond using the hostname
specified by the client (<rdar://problem/14583574>).
* Fixed a couple memory leaks in ippfind that were
reported by Clang.
* Fixed a compile issue on 64-bit Linux with Clang - need
to use the -pie option instead of -Wl,-pie now
(<rdar://problem/14480938>).
* The scheduler incorrectly did not pass a FINAL_CONTENT_TYPE
environment variable to the filters or backend
(<rdar://problem/14355011>).
For details see the CHANGES.txt file.
-------------------------------------------------------------------
Fri Jan 10 11:51:41 CET 2014 - jsmeix@suse.de
Tue Jul 16 16:40:56 CEST 2013 - jsmeix@suse.de
- Fix how to use CUPS' own fonts (bnc#856731). In ancient times
(see the below entry dated "Thu Aug 16 17:05:19 CEST 2001")
there was the idea to deviate from CUPS upstream and save
some disk space and do not install CUPS' own fonts.
CUPS' own fonts were removed and the CUPS font
directory was replaced by a symbolic link
/usr/share/cups/fonts -> ../ghostscript/fonts
because at that times the Ghostscript fonts had been the same
as CUPS' own fonts. In any case such a link is a fragile
non-future-proof interference because when either the Ghostscript
fonts or CUPS' own fonts change, linking them as same is wrong.
Since a long time the Ghostscript fonts do no longer work
for CUPS' particular needs but nobody noticed it until now.
But it is not possible with RPM to replace a directory by a
symbolic link or vice versa. This means /usr/share/cups/fonts
must stay forever as a symbolic link and the only way out is
to move CUPS' own fonts to an artificial surrogate directory
/usr/share/cups/CUPSfonts and have the symbolic link now
/usr/share/cups/fonts -> /usr/share/cups/CUPSfonts
- Version upgrade to 1.7rc1 only for testing purpose.
CUPS >= 1.6 has major incompatible changes compared to CUPS 1.5.
After a version upgrade to CUPS >= 1.6 printing in the network
would no longer work as it did up to CUPS 1.5.
For details regarding incompatible changes in CUPS >= 1.6 see
https://bugzilla.novell.com/show_bug.cgi?id=735404
and follow the links therein.
The 1.7 series is primarily a "polish" release with improved
support for paid, PIN, and release printing, expanded support
for IPP Everywhere, automatic support for data compression,
and improved CUPS APIs.
CUPS 1.7rc1 is the first release candidate for CUPS 1.7.0
and includes the fixes from CUPS 1.6.3, adds a new
ippfind utility, fixes some issues in the ipptool utility,
and fixes some general printing bugs.
For details what is new in CUPS 1.7 see the CHANGES.txt file.
Excerpt:
* Printer xxx-default values were not reported by
Get-Printer-Attributes or lpoptions (<rdar://problem/14401795>)
* Added a new ippfind tool for finding IPP printers and
other Bonjour services (<rdar://problem/13876199>)
- Version upgrade to 1.6.3
CUPS 1.6.3 fixes some compatibility issues with servers
running CUPS 1.3.12 or older, fixes some general printing bugs,
and fixes some minor security issues.
For details what is new in CUPS 1.6 see the CHANGES-1.6.txt file.
Excerpt:
* The lp, lpq, lpr, and lpstat now display an error message
advising the use of the /version=1.1 ServerName option
(<rdar://problem/14290628>)
* Added documentation about the /version=1.1 option to ServerName
in client.conf (<rdar://problem/14216262>)
* The lp, lpq, lpr, and lpstat commands incorrectly ignored
the default printer set in the lpoptions file
(<rdar://problem/14216472>)
* Printing using "ipps" URIs was not encrypted.
-------------------------------------------------------------------
Wed Jan 8 16:07:44 CET 2014 - jsmeix@suse.de
Tue Mar 19 10:19:41 CET 2013 - jsmeix@suse.de
- cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch
fixes the systemd cups.socket file so that systemd listens only
on localhost (bnc#857372).
- Do no longer use the Ghostscript fonts for CUPS. Instead be
in compliance with upstream and use CUPS' own Monospace fonts
in /usr/share/cups/fonts because those fonts are hardcoded
used by the CUPS filters bannertops (for CUPS banner pages and
the CUPS test page that is a special kind of banner page)
and texttops (when printing plain text files). Without CUPS'
own Monospace fonts bannertops and texttops create PostScript
that uses those fonts but without those fonts embedded which
results that PostScript interpreters use a (different) fallback
font or fail to print for some PostScript printers (bnc#856731).
- Version upgrade to 1.6.2.
CUPS 1.6 has major incompatible changes compared to CUPS 1.5.
For details regarding incompatible changes in CUPS 1.6 see
https://bugzilla.novell.com/show_bug.cgi?id=735404
and follow the links therein.
For details what is new in CUPS 1.6 see the CHANGES.txt file.
Excerpt:
* Security: All file, directory, user, and group settings
are now stored in a separate cups-files.conf configuration
file that cannot be set through the CUPS web interface
or APIs (STR #4223).
* The IPP backend could crash if the printer disconnects
early (STR #4284).
* cupsGetPPD did not work with statically-configured CUPS
shared queues (STR #4178).
* Bad IPP responses could crash ipptool (STR #4262).
* Updated USB quirk rules for various printers
(STR #4217, STR #4263, STR #4286).
* Added USB blacklisting for printers that require a custom
backend (STR #4218).
* The CUPS library did not always detect a timed out connection
to the server which could cause temporary loss of printing
from applications (STR #4187).
* The IPP backend now stops queues when the server configuration
prevents successful job submission (STR #4125).
* CUPS 1.6 clients using the ServerName directive in client.conf
did not work with CUPS 1.3.x or older servers
(STR #4231, STR #4291).
* The scheduler could crash when using Avahi
(STR #4183, STR #4192, STR #4200, STR #4213).
* The IPP backend could get stuck in an endless loop on certain
network errors (STR #4194).
* The scheduler no longer allows job-name values that are
not valid network Unicode strings (STR #4072).
* The network backends now support disabling of SNMP supply
level queries via the "snmp" URI option (STR #4106).
* The IPP backend did not specify the compression used
(STR #4181).
* The scheduler did not recognize dnssd: or ipps: URIs as
Bonjour shared queues (STR #4158).
* Applications could not get the PPD file for
statically-configured Bonjour-shared print queues (STR #4159).
* Fixed a USB backend compatibility issue on systems using
libusb (STR #4155, STR #4191).
* Some Bonjour features were not available on systems
with Avahi (STR #4156).
- cups-1.6.1-revertSTR3929_to_default_IPP_1.1_again.patch is
obsolete because it is fixed upstream (STR #4231, STR #4291).
- cups-1.6.2-adapt_cupsd.conf_defaults_for_SUSE.patch
replaces cups-1.6.1-adapt_cupsd.conf_defaults_for_SUSE.patch
- Adapted cups-client.conf template file for CUPS 1.6.
-------------------------------------------------------------------
Wed Oct 9 04:15:45 UTC 2013 - crrodriguez@opensuse.org
Wed Nov 28 15:04:58 CET 2012 - jsmeix@suse.de
- patch cups-move-everything-to-run.patch missed to move
CUPS_STATEDIR to run, so systemd sockets are still created
in /var/run
- Add required tmpfiles.d config snippet to ensure /run/cups
is always available.
- cups-1.6.1-adapt_cupsd.conf_defaults_for_SUSE.patch
adapts the defaults in cupsd.conf for SUSE.
It replaces cups-1.3.6-access_conf.patch that
added 'Allow 127.0.0.2' to cupsd.conf to allow access
for the loopback IP address 127.0.0.2 which is set for
the hostname by SUSE in /etc/hosts at least up to
SLE10 products.
It also replaces cups-1.5-additional_policies.patch
that added the 'allowallforanybody' policy to cupsd.conf
see https://fate.novell.com/303515
Furthermore it fixes some issues with the CUPS upstream
defaults i.e. removal of no longer supported keywords
BrowseOrder BrowseAllow DefaultAuthType (otherwise cupsd
prints error messages of the form "Unknown directive
BrowseOrder on line 22").
- cups-1.6.1-revertSTR3929_to_default_IPP_1.1_again.patch
reverts the incompatible change in CUPS 1.6
that makes IPP version 2.0 default
(see https://www.cups.org/str.php?L3929)
back to using IPP version 1.1 by default.
Otherwise CUPS 1.6 on clients cannot talk to older CUPS
servers in particular not to CUPS 1.3.9 on SLE11.
E.g. on a CUPS 1.6 client "lpstat -h sle11.cups.server -p"
would fail on the client with "lpstat: Bad Request" and
the CUPS 1.3.9 server logs in /var/log/cups/error_log the
lines "E ... cupsdReadClient: ... IPP Read Error!"
and "D ... cupsdSendError: ... code=400 (Bad Request)".
-------------------------------------------------------------------
Fri Jul 5 14:33:53 CEST 2013 - jsmeix@suse.de
Tue Nov 27 15:50:16 CET 2012 - jsmeix@suse.de
- cups-polld_avoid_busy_loop.patch avoids any possible busy loop
in cups-polld in case of unusual issues by sleeping interval
seconds (bnc#828228).
-------------------------------------------------------------------
Fri Jun 28 20:16:52 UTC 2013 - stefan.bruens@rwth-aachen.de
- Fix endless loop if IPP server does not accect job (bnc#827418)
see also https://www.cups.org/str.php?L4190 (STR#4190,
patch str4190.patch).
-------------------------------------------------------------------
Wed Jun 26 15:30:45 CEST 2013 - jsmeix@suse.de
- Changed Source0 URL from
http://ftp.easysw.com/pub/cups/1.5.4/cups-1.5.4-source.tar.bz2
to its currently valid location
http://www.cups.org/software/1.5.4/cups-1.5.4-source.tar.bz2
so that the factory-auto check script does no longer error out
with "Failed to download ... Source URLs are not valid."
-------------------------------------------------------------------
Wed Jun 26 10:39:30 CEST 2013 - jsmeix@suse.de
- Use BuildRequires krb5-mini-devel to avoid this build cycle:
cups -> krb5 -> python-Jinja2 -> vim -> gtk2 -> cups
(according to OBS request 180870).
Because krb5-mini-devel is not available for SLE11
krb5-devel must still be used for SLE11 builds
(required addition to OBS request 180870).
-------------------------------------------------------------------
Fri Mar 22 08:56:10 UTC 2013 - mmeister@suse.com
- Added url as source.
Please see http://en.opensuse.org/SourceUrls
-------------------------------------------------------------------
Wed Jan 30 13:24:43 UTC 2013 - rmilasan@suse.com
- Move everything (pid, lock, socket files) to /run only for 12.3.
Added: cups-move-everything-to-run.patch
See also
http://lists.opensuse.org/opensuse-factory/2013-01/msg00578.html
-------------------------------------------------------------------
Thu Dec 20 12:38:47 CET 2012 - jsmeix@suse.de
- Added "BuildRequires: poppler-tools" which installs
/usr/bin/pdftops for the build-time check in cups-pdf.m4
regarding HAVE_PDFTOPS_WITH_ORIGPAGESIZE that makes sure
that the CUPS filter /usr/lib/cups/filter/pdftops calls
/usr/bin/pdftops with "-origpagesizes" otherwise it would
result wrong PostScript output for poppler > 0.18.0 (bnc#776080)
see also https://www.cups.org/str.php?L3689 (STR #3689).
- Changed 'configure --with-pdftops=/usr/bin/pdftops' back to
the upstream default 'configure --with-pdftops=pdftops'
(compare the entry dated 'Fri Jul 31 15:08:41 CEST 2009').
- Removed leftover and since a longer time obsolete
"BuildRequires: avahi-compat-mDNSResponder-devel".
-------------------------------------------------------------------
Tue Nov 13 13:54:02 UTC 2012 - fcrozat@suse.com
- Add cups-provides-cupsd.service: ensure cupsd.service is provided
by cups.service.
- Version upgrade to 1.6.1.
CUPS 1.6 has major incompatible changes compared to CUPS 1.5.
After a version upgrade to CUPS 1.6 printing in the network
would no longer work as it did up to CUPS 1.5.
For an overview about what is new in CUPS 1.6 see
http://www.cups.org/documentation.php/doc-1.6/whatsnew.html
For details regarding incompatible changes in CUPS 1.6 see
https://bugzilla.novell.com/show_bug.cgi?id=735404
and follow the links therein.
For details what is new in CUPS 1.6 see the CHANGES.txt file.
Excerpt:
* CUPS now supports color management using colord (STR #3808).
* CUPS now supports Bonjour using Avahi (STR #3066).
* The "brightness", "columns", "fitplot", "gamma", "hue",
"natural-scaling", "penwidth", "position", "ppi",
"saturation", and "scaling" options are not longer
supported (STR #4010).
* Added new destination connection and enumeration functions
via new dynamic destination APIs (STR #3924).
* Added new option, localization, and job submission functions
via new APIs that do not depend on PPD files (STR #3925).
* The scheduler now supports a DefaultAuthType of "auto" to
automatically choose between Basic (username/password)
and Negotiate (Kerberos) authentication.
* CUPS no longer supports automatic remote printers or
implicit classes via the CUPS, LDAP, or SLP protocols
(STR #3922, STR #3923).
* The PPD APIs are now deprecated and will be removed
in a future version of CUPS (STR #3927).
* The default IPP version for requests is now 2.0 (STR #3929).
* The IPP APIs no longer expose the ipp_t or ipp_attribute_t
structures and instead provide accessor functions (STR #3928).
* The scheduler will no longer run programs with group write
permission.
* The PHP module has been removed (STR #3932).
* The bannertops, commandtoescpx, commandtopclx, imagetops,
imagetoraster, pdftops, rastertoescpx, rastertopclx,
and texttops filters have been removed (STR #3930).
* The serial and parallel backends have been removed (STR #3935).
- Adapted cups-config-libs.patch for CUPS 1.6.1
(IMGLIBS is no longer present in cups-config.in).
-------------------------------------------------------------------
Thu Oct 18 12:07:09 UTC 2012 - coolo@suse.com
@ -400,12 +568,13 @@ Tue Jan 10 04:58:44 UTC 2012 - crrodriguez@opensuse.org
- Use explicit buildrequires on the needed libraries.
otherwise build will fail after libtiff-devel deps cleanup
- Cleanup requires of -devel package, which only needs glibc-devel
- Fix up, cups-config script, which with option --libs adds:
- cups-config-libs.patch fixes cups-config script,
which with option --libs adds:
LIBS="-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto
-lz -lpthread -lm -lcrypt "
IMGLIBS="-ltiff -ljpeg -lpng"
This only makes sense when using static linking but we don't ship
static libraries and will only help bloating dependant packages.
This only makes sense when using static linking but we do not
ship static libraries and it will only bloat dependant packages.
-------------------------------------------------------------------
Sat Dec 17 18:19:14 UTC 2011 - crrodriguez@opensuse.org
@ -425,7 +594,8 @@ Sat Dec 3 20:09:32 UTC 2011 - crrodriguez@opensuse.org
-------------------------------------------------------------------
Sat Dec 3 19:11:36 UTC 2011 - crrodriguez@opensuse.org
- Add complete systemd support, the hardware stuff is handled in
- cups-0001-systemd-add-systemd-socket-activation-and-unit-files.patch
adds complete systemd support, the hardware stuff is handled in
builtin udev rules (see /lib/udev/rules.d/99-systemd.rules).
See also http://0pointer.de/blog/projects/socket-activation2.html

169
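--- a/cups.init
+++ b/cups.init
@@ -1,169 +0,0 @@
-#! /bin/bash
-#
-# Copyright (C) 1995-2001 SuSE GmbH Nuernberg, Germany.
-# Copyright (C) 2002 SuSE Linux AG, Nuernberg, Germany.
-# Copyright (C) 2002--2008 Klaus Singvogel, SUSE / Novell Inc.
-# Copyright (C) 2010 Johannes Meixner, SUSE LINUX Products GmbH
-#
-# Author: Kurt Garloff, 2000
-# Klaus Singvogel, 2002--2008
-# Johannes Meixner, 2010
-#
-# /etc/init.d/cups
-# and its symbolic link
-# /usr/sbin/rccups
-#
-# System startup script for the CUPS printer daemon
-#
-### BEGIN INIT INFO
-# Provides: cupsd
-# Required-Start: $local_fs $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Should-Start: dbus $named $portmap ptal slpd printbill
-# Should-Stop: $portmap
-# Default-Start: 2 3 5
-# Default-Stop: 0 1 6
-# Short-Description: CUPS printer daemon
-# Description: Start CUPS to provide spooling and printing files
-# functionality for local and remote printers. Also required if
-# printers are broadcasted ("Browsing") by remote CUPS servers.
-### END INIT INFO
-# Return values acc. to LSB for all commands but status:
-# 0 - success
-# 1 - generic or unspecified error
-# 2 - invalid or excess argument(s)
-# 3 - unimplemented feature (e.g. "reload")
-# 4 - insufficient privilege
-# 5 - program is not installed
-# 6 - program is not configured
-# 7 - program is not running
-#
-# Note that starting an already running service, stopping
-# or restarting a not-running service as well as the restart
-# with force-reload (in case signalling is not supported) are
-# considered a success.
-# Source SuSE config, only if exists with size greater zero
-test -s /etc/rc.config && . /etc/rc.config
-# Shell functions sourced from /etc/rc.status:
-# rc_check check and set local and overall rc status
-# rc_status check and set local and overall rc status
-# rc_status -v ditto but be verbose in local rc status
-# rc_status -v -r ditto and clear the local rc status
-# rc_failed set local and overall rc status to failed
-# rc_failed <num> set local and overall rc status to <num><num>
-# rc_reset clear local rc status (overall remains)
-# rc_exit exit appropriate to overall rc status
-if test -s /etc/rc.status
-then . /etc/rc.status
-else exit 1
-fi
-# Reset status of this service:
-rc_reset
-CUPSD_BIN=/usr/sbin/cupsd
-test -x $CUPSD_BIN || exit 5
-# Get CUPSD_OPTIONS
-test -s /etc/sysconfig/cups && . /etc/sysconfig/cups
-# Enforce default umask to avoid problems with wrong file permissions
-# for example of /etc/printcap (see Novell/Suse Bugzilla bnc#31567).
-umask 022
-case "$1" in
-start)
-echo -n "Starting cupsd"
-## Start daemon with startproc(8).
-## If this fails the echo return value is set appropriate.
-# NOTE: startproc return 0, even if service is
-# already running to match LSB spec.
-startproc $CUPSD_BIN $CUPSD_OPTIONS
-# Remember status and be verbose:
-rc_status -v
-;;
-stop)
-echo -n "Shutting down cupsd"
-## Stop daemon with killproc(8).
-## If this fails the echo return value is set appropriate.
-# NOTE: killproc with explicite signal specified
-# like "killproc -TERM" sends only SIGTERM and exits
-# to match LSB spec. (see Novell/Suse Bugzilla bnc#595796).
-# Without explicite signal the default signal SIGTERM is sent
-# and afterwards killproc waits by default only up to 5 seconds
-# before killproc sends SIGKILL if cupsd has not yet terminated.
-# Wait at most 10 seconds until the cupsd does actually no longer run
-# so that the cupsd should have sufficient time for its clean up:
-killproc -t 10 $CUPSD_BIN
-# Remember status and be verbose:
-rc_status -v
-;;
-try-restart)
-## Stop the service and if this succeeds (i.e. the
-## service was running before), start it again.
-## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
-$0 status >/dev/null && $0 restart
-# Remember status and be quiet:
-rc_status
-;;
-restart)
-## Stop the service and regardless of whether it was
-## running or not, start it again.
-$0 stop
-# The above waits at most 10 seconds until the cupsd does actually no longer run
-# otherwise "startproc $CUPSD_BIN" would not start a new cupsd
-# (see Novell/Suse Bugzilla bnc#622058).
-# Start a new cupsd:
-$0 start
-# Remember status and be quiet:
-rc_status
-;;
-force-reload)
-## Signal the daemon to reload its config.
-## Most daemons do this on signal 1 (SIGHUP).
-## If it does not support it, restart.
-if ps -C cupsd -o user | grep -q '^root$'
-then echo -n "Reload service cupsd"
-killproc -HUP $CUPSD_BIN
-rc_status -v
-else $0 restart
-fi
-;;
-reload)
-## Like force-reload, but if daemon does not support
-## signalling, do nothing.
-# If it supports signalling:
-if ps -C cupsd -o user | grep -q '^root$'
-then echo -n "Reload service cupsd"
-killproc -HUP $CUPSD_BIN
-rc_status -v
-else echo -n '"reload" not possible (cupsd does not run as user root) use "restart" instead'
-rc_status -s
-fi
-;;
-status)
-echo -n "Checking for cupsd: "
-## Check status with checkproc(8), if process is running
-## checkproc will return with exit status 0.
-# Status has a slightly different for the status command:
-# 0 - service running
-# 1 - service dead, but /var/run/ pid file exists
-# 2 - service dead, but /var/lock/ lock file exists
-# 3 - service not running
-# NOTE: checkproc returns LSB compliant status values.
-checkproc $CUPSD_BIN
-rc_status -v
-;;
-probe)
-## Optional: Probe for the necessity of a reload,
-## give out the argument which is required for a reload.
-rc_failed 3
-;;
-*)
-echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-exit 1
-;;
-esac
-rc_exit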

805
cups.spec

File diff suppressed because it is too large Load Diff


@ -1,17 +0,0 @@
## Path: System/Printing/CUPS
## Description: Cups options
## Type: string
## Default: cups
## ServiceReload: cups
## ServiceRestart: cups
#
IDENT="cups"
## Type: string
## Default: "CUPS printer daemon"
DESCRIPTIVE="CUPS printer daemon"
## Type: string
## Default: ""
#
# change CUPSD_OPTIONS for arguments of start of cupsd
# e.g. CUPSD_OPTIONS="-c /etc/cups/cupsd.conf"
CUPSD_OPTIONS=""


@ -1,11 +0,0 @@
service printer
{
disable = yes
flags = NAMEINARGS
socket_type = stream
protocol = tcp
wait = no
user = lp
server = /usr/lib/cups/daemon/cups-lpd
server_args = cups-lpd -o document-format=application/octet-stream
}


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d3be50ca7f9dc699b9dfd3cbe1d655b4934547ba2e3ce0c5cc1560844829237e
size 1913


@ -1,72 +0,0 @@
Index: backend/ipp.c
===================================================================
--- backend/ipp.c (revision 10611)
+++ backend/ipp.c (working copy)
@@ -1279,6 +1279,16 @@
}
/*
+ * If the printer only claims to support IPP/1.0, or if the user specifically
+ * included version=1.0 in the URI, then do not try to use Create-Job or
+ * Send-Document. This is another dreaded compatibility hack, but unfortunately
+ * there are enough broken printers out there that we need this for now...
+ */
+
+ if (version == 10)
+ create_job = send_document = 0;
+
+ /*
* Start monitoring the printer in the background...
*/
@@ -1494,10 +1504,9 @@
goto cleanup;
}
}
- else if (ipp_status == IPP_ERROR_JOB_CANCELED)
+ else if (ipp_status == IPP_ERROR_JOB_CANCELED ||
+ ipp_status == IPP_NOT_AUTHORIZED)
goto cleanup;
- else if (ipp_status == IPP_NOT_AUTHORIZED)
- continue;
else
{
/*
@@ -1678,14 +1687,35 @@
ipp_status == IPP_NOT_POSSIBLE ||
ipp_status == IPP_PRINTER_BUSY)
continue;
- else if (ipp_status == IPP_REQUEST_VALUE)
+ else if (ipp_status == IPP_REQUEST_VALUE ||
+ ipp_status == IPP_ERROR_JOB_CANCELED ||
+ ipp_status == IPP_NOT_AUTHORIZED)
{
/*
- * Print file is too large, abort this job...
+ * Print file is too large, job was canceled, or we need new
+ * authentication data...
*/
goto cleanup;
}
+ else if (ipp_status == IPP_NOT_FOUND)
+ {
+ /*
+ * Printer does not actually implement support for Create-Job/
+ * Send-Document, so log the conformance issue and stop the printer.
+ */
+
+ fputs("DEBUG: This printer claims to support Create-Job and "
+ "Send-Document, but those operations failed.\n", stderr);
+ fputs("DEBUG: Add '?version=1.0' to the device URI to use legacy "
+ "compatibility mode.\n", stderr);
+ update_reasons(NULL, "+cups-ipp-conformance-failure-report,"
+ "cups-ipp-missing-send-document");
+
+ ipp_status = IPP_INTERNAL_ERROR; /* Force queue to stop */
+
+ goto cleanup;
+ }
else
copies_remaining --;


@ -1,36 +0,0 @@
Index: scheduler/cups-lpd.c
===================================================================
--- scheduler/cups-lpd.c (revision 11557)
+++ scheduler/cups-lpd.c (revision 11558)
@@ -781,7 +770,8 @@
int fd; /* Temporary file */
FILE *fp; /* File pointer */
char filename[1024]; /* Temporary filename */
- int bytes; /* Bytes received */
+ ssize_t bytes; /* Bytes received */
+ size_t total; /* Total bytes */
char line[256], /* Line from file/stdin */
command, /* Command from line */
*count, /* Number of bytes */
@@ -965,15 +955,15 @@
* Copy the data or control file from the client...
*/
- for (i = atoi(count); i > 0; i -= bytes)
+ for (total = (size_t)strtoll(count, NULL, 10); total > 0; total -= (size_t)bytes)
{
- if (i > sizeof(line))
- bytes = sizeof(line);
+ if (total > sizeof(line))
+ bytes = (ssize_t)sizeof(line);
else
- bytes = i;
+ bytes = (ssize_t)total;
- if ((bytes = fread(line, 1, bytes, stdin)) > 0)
- bytes = write(fd, line, bytes);
+ if ((bytes = (ssize_t)fread(line, 1, (size_t)bytes, stdin)) > 0)
+ bytes = write(fd, line, (size_t)bytes);
if (bytes < 1)
{


@ -1,164 +0,0 @@
--- scheduler/client.c.orig 2014-09-02 11:26:57.000000000 +0200
+++ scheduler/client.c 2014-09-02 12:35:05.000000000 +0200
@@ -3672,51 +3672,72 @@ get_file(cupsd_client_t *con, /* I - C
if ((ptr = strchr(filename, '?')) != NULL)
*ptr = '\0';
/*
* Grab the status for this language; if there isn't a language-specific file
* then fallback to the default one...
*/
- if ((status = stat(filename, filestats)) != 0 && language[0] &&
+ if ((status = lstat(filename, filestats)) != 0 && language[0] &&
strncmp(con->uri, "/icons/", 7) &&
strncmp(con->uri, "/ppd/", 5) &&
strncmp(con->uri, "/rss/", 5) &&
strncmp(con->uri, "/admin/conf/", 12) &&
strncmp(con->uri, "/admin/log/", 11))
{
/*
* Drop the country code...
*/
language[3] = '\0';
snprintf(filename, len, "%s%s%s", DocumentRoot, language, con->uri);
if ((ptr = strchr(filename, '?')) != NULL)
*ptr = '\0';
- if ((status = stat(filename, filestats)) != 0)
+ if ((status = lstat(filename, filestats)) != 0)
{
/*
* Drop the language prefix and try the root directory...
*/
language[0] = '\0';
snprintf(filename, len, "%s%s", DocumentRoot, con->uri);
if ((ptr = strchr(filename, '?')) != NULL)
*ptr = '\0';
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
}
/*
- * If we're found a directory, get the index.html file instead...
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
+ */
+
+ if (!status && S_ISLNK(filestats->st_mode))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+ return (NULL);
+ }
+
+ /*
+ * Similarly, if the file/directory does not have world read permissions, do
+ * not allow access...
+ */
+
+ if (!status && !(filestats->st_mode & S_IROTH))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+ return (NULL);
+ }
+
+ /*
+ * If we've found a directory, get the index.html file instead...
*/
if (!status && S_ISDIR(filestats->st_mode))
{
/*
* Make sure the URI ends with a slash...
*/
@@ -3749,58 +3770,79 @@ get_file(cupsd_client_t *con, /* I - C
if ((ptr = strchr(filename, '?')) != NULL)
*ptr = '\0';
ptr = filename + strlen(filename);
plen = len - (ptr - filename);
strlcpy(ptr, "index.html", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
#ifdef HAVE_JAVA
if (status)
{
strlcpy(ptr, "index.class", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_JAVA */
#ifdef HAVE_PERL
if (status)
{
strlcpy(ptr, "index.pl", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_PERL */
#ifdef HAVE_PHP
if (status)
{
strlcpy(ptr, "index.php", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
#endif /* HAVE_PHP */
#ifdef HAVE_PYTHON
if (status)
{
strlcpy(ptr, "index.pyc", plen);
- status = stat(filename, filestats);
+ status = lstat(filename, filestats);
}
if (status)
{
strlcpy(ptr, "index.py", plen);
status = stat(filename, filestats);
}
#endif /* HAVE_PYTHON */
}
while (status && language[0]);
+
+ /*
+ * If we've found a symlink, 404 the sucker to avoid disclosing information.
+ */
+
+ if (!status && S_ISLNK(filestats->st_mode))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Symlinks such as \"%s\" are not allowed.", con->http.fd, filename);
+ return (NULL);
+ }
+
+ /*
+ * Similarly, if the file/directory does not have world read permissions, do
+ * not allow access...
+ */
+
+ if (!status && !(filestats->st_mode & S_IROTH))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);
+ return (NULL);
+ }
}
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"get_file(con=%p(%d), filestats=%p, filename=%p, len=%d) = "
"%s", con, con->http.fd, filestats, filename, len,
status ? "(null)" : filename);
if (status)