Accepting request 78629 from home:jsmeix:branches:Printing

Version upgrade to HPLIP 3.11.7 and avoid CVE-2011-2697 (bnc#698451) plus CVE-2004-0801 (bnc#59233) by no longer installing foomatic-rip-hplip and using foomatic-rip from the foomatic-filters RPM instead

OBS-URL: https://build.opensuse.org/request/show/78629
OBS-URL: https://build.opensuse.org/package/show/Printing/hplip?expand=0&rev=33

hplip.spec

@@ -19,7 +19,10 @@
 
 
 Name:           hplip
-BuildRequires:  cups cups-devel dbus-1-devel fdupes libdrm-devel libgphoto2-devel libjpeg-devel libqt4-devel libusb-devel net-snmp-devel pkgconfig python-devel python-openssl python-qt4 python-xml readline-devel update-desktop-files
+# BuildRequires foomatic-filters to avoid /usr/lib/rpm/brp-symlink ERROR:
+# link target doesn't exist (neither in build root nor in installed system):
+# /usr/lib/cups/filter/foomatic-rip-hplip -> /usr/bin/foomatic-rip
+BuildRequires:  cups cups-devel dbus-1-devel fdupes foomatic-filters libdrm-devel libgphoto2-devel libjpeg-devel libqt4-devel libusb-devel net-snmp-devel pkgconfig python-devel python-openssl python-qt4 python-xml readline-devel update-desktop-files
 %if 0%{?suse_version} > 1130
 BuildRequires:  sane-backends-devel
 %else
@@ -29,19 +32,19 @@ Summary:        HP's Printing, Scanning, and Faxing Software
 # HPLIP has reached 1.0 status. With this release a date encoded revision number is used:
 # x.y.m : x = major release number, y = year (eg: 6 = 2006), m = month (eg: 6a = second release in June)
 # Official releases have a 3 digit number and release candidates have a 4 digit number: x.y.m.rc
-Version:        3.11.5
+Version:        3.11.7
 Release:        1
 Group:          Hardware/Printing
 License:        BSD3c(or similar) ; GPLv2+ ; MIT License (or similar)
 Url:            http://hplipopensource.com
 # Source0...Source9 is for sources from HP:
-# URL for Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.11.5.tar.gz
-# URL to verify Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.11.5.tar.gz.asc
+# URL for Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.11.7.tar.gz
+# URL to verify Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.11.7.tar.gz.asc
 # How to verify Source0 see: http://hplipopensource.com/node/327
 # For example: /usr/bin/gpg --keyserver pgp.mit.edu --recv-keys 0xA59047B9
-#              /usr/bin/gpg --verify hplip-3.11.5.tar.gz.asc hplip-3.11.5.tar.gz
+#              /usr/bin/gpg --verify hplip-3.11.7.tar.gz.asc hplip-3.11.7.tar.gz
 # must result: Good signature from "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>"
-Source0:        %{name}-%{version}.tar.bz2
+Source0:        %{name}-%{version}.tar.gz
 # Patch0...Patch9 is for patches from HP:
 # Patch10...Patch99 is for Suse patches for the sources from HP:
 # Patch10 fixes "... is used uninitialized ..." warnings:
@@ -87,6 +90,26 @@ PreReq:         coreutils, /bin/grep, /bin/sed, /usr/bin/find
 # which lets the whole scanning stack frontend<->libsane-dll<->libsane-backend crash
 # also for any other backend when the hpaio backend is enabled (e.g. "scanimage -L"):
 Requires:       %{name}-hpijs = %{version}-%{release}
+# Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451)
+# plus a leftover in CVE-2004-0801 (bnc#59233)
+# foomatic-rip-hplip is no longer installed and foomatic-rip
+# from the foomatic-filters RPM is used instead.
+# The RPM requirement for foomatic-filters should actually be 
+# in the hplip-hpijs sub-package but this would bloat a minimalist system
+# (see the comment for the hplip-hpijs sub-package below).
+# Therefore the hplip main package which is intended
+# to get "all the HPLIP stuff" installed has the RPM requirement:
+Requires:       foomatic-filters
+# foomatic-filters does not require Ghostscript because depending on the PPD
+# (e.g. some PPDs for PostScript printers in OpenPrintingPPDs-postscript)
+# foomatic-rip can also be used without Ghostscript but for the drivers
+# HPIJS and HPCUPS Ghostscript is needed.
+# The RPM requirement for ghostscript-library should actually be 
+# in the hplip-hpijs sub-package but this would bloat a minimalist system
+# (see the comment for the hplip-hpijs sub-package below).
+# Therefore the hplip main package which is intended
+# to get "all the HPLIP stuff" installed has the RPM requirement:
+Requires:       ghostscript-library
 # Require special Python stuff (which pulls in Python base stuff).
 # At least since openSUSE 11.1 and SLE11 pyxml is no longer required
 # (pyxml was required in particular for openSUSE 10.3 and SLE10,
@@ -106,6 +129,9 @@ Requires:       dbus-1-python >= 0.80, python-gobject2
 # see https://bugzilla.novell.com/show_bug.cgi?id=251830#c20
 # for the full story why there is this unversioned Obsoletes:
 Obsoletes:      hplip17
+# Obsolete the hplip3 copy that was introduced for older SLED11-GA HP preloads:
+Provides:       hplip3 = 3.9.5
+Obsoletes:      hplip3 < 3.9.5
 # Skip testing devel dependencies required by libtool .la files by the following comment:
 # skip-check-libtool-deps
 
@@ -184,6 +210,9 @@ Obsoletes:      hpijs-standalone
 # see https://bugzilla.novell.com/show_bug.cgi?id=251830#c20
 # for the full story why there is this unversioned Obsoletes:
 Obsoletes:      hplip17-hpijs
+# Obsolete the hplip3 copy that was introduced for older SLED11-GA HP preloads:
+Provides:       hplip3-hpijs = 3.9.5
+Obsoletes:      hplip3-hpijs < 3.9.5
 # PackMan provides HPLIP in the packages hplip and hplip-hpcups.
 # HPLIP does not work if the openSUSE packages hplip and hplip-hpijs
 # are installed together with a leftover PackMan package hplip-hpcups
@@ -210,7 +239,6 @@ This sub-package includes in particular:
 
 The hpijs binary and the libraries libhpip and libhpmud
 which are needed to run it.
-The HPIJS CUPS filter foomatic-rip-hplip.
 
 The HPCUPS driver (/usr/lib[64]/cups/filter/hpcups).
 
@@ -252,6 +280,8 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
 # According to http://hplipopensource.com/hplip-web/release_notes.html
 # all drv installs require CUPSDDK 1.2.3 or higher.
 # Otherwise a static PPD install must be performed.
+# Furthermore dynamic PPDs will be deprecated in the future in CUPS,
+# see http://www.cups.org/str.php?L3772
 # For hpcups static PPD install one needs:
 # --enable-hpcups-install enable hpcups install (default=yes)
 # --disable-cups-drv-install enable cups dynamic ppd install (default=yes)
@@ -261,6 +291,11 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
 # --disable-foomatic-drv-install enable foomatic dynamic ppd install (default=no), uses drvdir and hpppddir
 # --enable-foomatic-ppd-install enable foomatic static ppd install (default=no), uses hpppddir
 # --enable-foomatic-rip-hplip-install enable foomatic-rip-hplip install (default=no), uses cupsfilterdir
+# Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451) plus a leftover in CVE-2004-0801 (bnc#59233)
+# which are fixed up to openSUSE 11.4 with patches, after openSUSE 11.4 (i.e. since openSUSE 12.1)
+# foomatic-rip-hplip is no longer installed and foomatic-rip from foomatic-filters is used instead so that 
+# --disable-foomatic-rip-hplip-install is explicitly set and as a consequence the "cupsFilter" entries
+# in the static PPDs are changed in the install section to use foomatic-rip.
 ./configure --prefix=/usr \
             --libdir=%_libdir \
             --disable-qt3 \
@@ -279,7 +314,7 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
             --enable-hpijs-install \
             --disable-foomatic-drv-install \
             --enable-foomatic-ppd-install \
-            --enable-foomatic-rip-hplip-install \
+            --disable-foomatic-rip-hplip-install \
             --with-hpppddir=%{_datadir}/cups/model/manufacturer-PPDs/%{name} \
             --with-cupsbackenddir=/usr/lib/cups/backend \
             --with-cupsfilterdir=/usr/lib/cups/filter \
@@ -309,36 +344,12 @@ echo "Adding a line-feed to the end of all PPDs to fix those PPDs where it is mi
 for p in *.ppd
 do echo -en '\n' >>$p
 done
-# Correct or remove non-working PPDs:
-# Several HP PPDs contain "600x600x2dpi" which is not allowed
-# according to the Adobe PPD specification section 5.9
-# and which can be simply replaced by "600x1200dpi"
-# because "600x1200dpi" is not used elsewhere in the PPD.
-# Some PPDs contain a "*cupsFilter: ... hppostprocessing" line
-# which cannot work because there is no "hppostprocessing" filter.
-# Some PPDs contain "1284DeviceId" which must be "1284DeviceID".
-# Some PPDs contain "* PageRegion" which must be "*PageRegion".
-# Some HPIJS PPDs contain a too long ShortNickName (longer than 31 chars)
-# therefore from all ShortNickName entries " Foomatic/hpijs" is simply removed
-# but they still exists in the NickName entries which are shown to the user
-# when the user selects a PPD to set up a print queue:
-echo "Correcting or removing non-working PPDs..."
+# Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451) plus a leftover in CVE-2004-0801 (bnc#59233)
+# foomatic-rip-hplip is no longer installed and foomatic-rip from foomatic-filters is used instead so that 
+# the "cupsFilter" entries in the static PPDs must be changed accordingly:
+echo "Replacing insecure foomatic-rip-hplip with foomatic-rip everywhere in in the PPDs..."
 for p in *.ppd
-do perl -pi -e 's/600x600x2dpi/600x1200dpi/;' $p
-   grep -q '^\*cupsFilter:.*hppostprocessing' $p && rm -v $p
-   perl -pi -e 's/1284DeviceId/1284DeviceID/;' $p
-   perl -pi -e 's/\* PageRegion/*PageRegion/;' $p
-   sed -i -e '/^\*ShortNickName:/s/ Foomatic\/hpijs//;' $p
-done
-# Change default media size to A4 if this is an available choice in the PPD and then
-# set DefaultPageSize, DefaultPageRegion, DefaultImageableArea, DefaultPaperDimension to A4:
-echo "Changing default media size to A4 if this is an available choice in the PPD..."
-for p in *.ppd
-do for i in PageSize PageRegion ImageableArea PaperDimension
-   do if grep -q "^\*$i[[:space:]]*A4[:/]" $p
-      then grep -q "^\*Default$i:[[:space:]]*A4\$" $p || perl -pi -e "s/^\*Default$i:.*/\*Default$i: A4/" $p
-      fi
-   done
+do sed -i -e 's/foomatic-rip-hplip/foomatic-rip/' $p
 done
 # Final test by cupstestppd:
 # To save disk space gzip the files (gzipped PPDs can also be used by CUPS).
@@ -352,7 +363,7 @@ done
 # let those PPDs pass even if they are not strictly compliant.
 # Ignore FAILs because of missing cupsFilter programs because
 # in the package build environment the usual HPLIP filters
-# like "foomatic-rip-hplip", "hpcups" and "hpcupsfax" are
+# like "hpcups" and "hpcupsfax" are
 # installed at an unusual place (in the BuildRoot directory).
 # For now keep all PPDs even if cupstestppd FAILs.
 # Reason:
@@ -373,6 +384,15 @@ echo "End of general tests and adjustments for all PPDs."
 set -x
 # End of "General tests and adjustments for all PPDs":
 popd
+# Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451)
+# plus a leftover in CVE-2004-0801 (bnc#59233)
+# foomatic-rip-hplip is no longer installed and foomatic-rip
+# from the foomatic-filters RPM must be used instead.
+# To be backward compatible with PPDs in /etc/cups/ppd/
+# for existing print queues a compatibility link
+# /usr/lib/cups/filter/foomatic-rip-hplip
+# which points to foomatic-rip is installed:
+ln -s ../../../bin/foomatic-rip %{buildroot}/usr/lib/cups/filter/foomatic-rip-hplip
 # Begin "Desktop menue entry stuff":
 # Install the wrapper for hp-toolbox:
 install -m 755 %{SOURCE101} %{buildroot}%{_bindir}/hp-toolbox.wrapper