diff --git a/change-udev-rules.diff b/change-udev-rules.diff index abc3ceb..d4a6ffe 100644 --- a/change-udev-rules.diff +++ b/change-udev-rules.diff @@ -1,21 +1,16 @@ ---- data/rules/56-hpmud.rules.change-udev-rules.orig 2013-08-07 08:02:33.000000000 +0200 -+++ data/rules/56-hpmud.rules 2013-09-10 13:24:09.000000000 +0200 -@@ -1,18 +1,50 @@ +--- data/rules/56-hpmud.rules.change-udev-rules.orig 2013-10-11 11:38:53.000000000 +0200 ++++ data/rules/56-hpmud.rules 2013-10-16 16:04:54.000000000 +0200 +@@ -1,18 +1,43 @@ # HPLIP udev rules file. Notify console user if plugin support is required for this device. +# SUSE changed: +# -+# MODE="0660" to MODE="0664" -+# because it is sufficiently secure to let any user read the device nodes -+# because HPLIP opens the device nodes exclusively so that sniffing -+# of print jobs or scanner image data should not be possible. -+# +# Exchanged the rule to GOTO hpmud_usb_rules if SUBSYSTEM is "usb" +# with the rule if SUBSYSTEM is "ppdev" to avoid that the "ppdev" rule +# is needlessly processed when SUBSYSTEM is "usb". +# -+# Added rules to skip the hpmud_usb_rules rules via GOTO hpmud_rules_end -+# if SUBSYSTEM is not "usb" or if ENV{DEVTYPE} is not "usb_device" ++# Added GOTO hpmud_rules_end rule to skip the hpmud_usb_rules ++# if SUBSYSTEM is not "usb" or if ENV{DEVTYPE} is not "usb_device" or if SUBSYSTEM is not "ppdev" +# to avoid that the hpmud_usb_rules are needlessly processed. +# +# The rule to automatically "add the printer and install plugin" is disabled 
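Review bot: The rewritten "SUSE changed" header comment misdescribes the new rule, because the `GOTO="hpmud_rules_end"` added in the following hunk is unconditional. It is reached by every event that did not jump to hpmud_usb_rules, including "ppdev" events after their OWNER/GROUP/MODE assignment, so the clause `or if SUBSYSTEM is not "ppdev"` is misleading. I would word it as `# Added an unconditional GOTO hpmud_rules_end after the "ppdev" rule so that only events with SUBSYSTEM "usb" and ENV{DEVTYPE} "usb_device" reach the hpmud_usb_rules.` This hunk also drops the paragraph that justified MODE="0664", while the rules still assign 0664 (apparently now from upstream), so a one-line note on why world-readable device nodes are acceptable is worth keeping.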
@@ -32,20 +27,18 @@ +# a rule that only uploads firmware into printers that need it is added. + ACTION!="add", GOTO="hpmud_rules_end" --SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0660" +-SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0664" SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GOTO="hpmud_usb_rules" - +SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0664" -+SUBSYSTEM!="usb", GOTO="hpmud_rules_end" -+ENV{DEVTYPE}!="usb_device", GOTO="hpmud_rules_end" ++GOTO="hpmud_rules_end" LABEL="hpmud_usb_rules" # ENV{ID_HPLIP}="1" is for Ubuntu udev-acl --ATTR{idVendor}=="03f0", ATTR{idProduct}=="????", OWNER="root", GROUP="lp", MODE="0660", ENV{sane_hpaio}="yes", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" -+ATTR{idVendor}=="03f0", ATTR{idProduct}=="????", OWNER="root", GROUP="lp", MODE="0664", ENV{sane_hpaio}="yes", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" - + ATTR{idVendor}=="03f0", ATTR{idProduct}=="????", OWNER="root", GROUP="lp", MODE="0664", ENV{sane_hpaio}="yes", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" +- # This rule will add the printer and install plugin -ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c 'if [ -f /usr/bin/systemctl ]; then /usr/bin/systemctl --no-block start hplip-printer@$env{BUSNUM}:$env{DEVNUM}.service; else /usr/bin/nohup /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM} ; fi'" +# ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c 'if [ -f /usr/bin/systemctl ]; then /usr/bin/systemctl --no-block start hplip-printer@$env{BUSNUM}:$env{DEVNUM}.service; else /usr/bin/nohup /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM} ; fi'" 
@@ -55,8 +48,10 @@ # If sane-bankends is installed add hpaio backend support to dll.conf if needed. ENV{sane_hpaio}=="yes", RUN+="/bin/sh -c 'grep -q ^#hpaio /etc/sane.d/dll.conf;if [ $$? -eq 0 ];then sed -i -e s/^#hpaio/hpaio/ /etc/sane.d/dll.conf;else grep -q ^hpaio /etc/sane.d/dll.conf;if [ $$? -ne 0 ];then echo hpaio >>/etc/sane.d/dll.conf;fi;fi'" -@@ -22,3 +54,4 @@ ENV{libsane_matched}=="yes", RUN+="/bin/ - +@@ -20,5 +45,5 @@ ENV{sane_hpaio}=="yes", RUN+="/bin/sh -c + # The following rule will disable USB autosuspend for the device + ENV{libsane_matched}=="yes", RUN+="/bin/sh -c 'test -e /sys/$env{DEVPATH}/power/level && echo on > /sys/$env{DEVPATH}/power/level'" +- LABEL="hpmud_rules_end" + diff --git a/deactivate-add_group-function.diff b/deactivate-add_group-function.diff deleted file mode 100644 index 44e7bd3..0000000 --- a/deactivate-add_group-function.diff +++ /dev/null @@ -1,12 +0,0 @@ ---- base/queues.py.orig 2013-06-21 08:57:55.000000000 +0200 -+++ base/queues.py 2013-07-09 16:05:04.000000000 +0200 -@@ -87,6 +87,9 @@ def check_user_groups(): - - # This function adds the groups ('lp') to user - def add_group(core, mode, passwordObj): -+# Deactivated via "return True" because it causes security issues -+# see https://bugs.launchpad.net/bugs/1197416 -+ return True - result = False - add_user_to_group = core.get_distro_ver_data('add_user_to_group', '') - if add_user_to_group: diff --git a/disable-chgrp_lp.diff b/disable-chgrp_lp.diff deleted file mode 100644 index 21c503b..0000000 --- a/disable-chgrp_lp.diff +++ /dev/null 
@@ -1,31 +0,0 @@ ---- Makefile.am.orig 2013-06-21 08:57:55.000000000 +0200 -+++ Makefile.am 2013-06-26 16:09:47.000000000 +0200 -@@ -546,24 +546,24 @@ endif - install-dist_hplip_LogDATA: - if FULL_BUILD - test -z "$(DESTDIR)$(hplip_Logdir)" || mkdir -p $(DESTDIR)$(hplip_Logdir) -- chgrp "lp" -R $(DESTDIR)$(hplip_Logdir) -+# chgrp "lp" -R $(DESTDIR)$(hplip_Logdir) - chmod 775 $(DESTDIR)$(hplip_Logdir) - endif #FULL_BUILD - if HPLIP_BUILD - test -z "$(DESTDIR)$(hplip_Logdir)" || mkdir -p $(DESTDIR)$(hplip_Logdir) -- chgrp "lp" -R $(DESTDIR)$(hplip_Logdir) -+# chgrp "lp" -R $(DESTDIR)$(hplip_Logdir) - chmod 775 $(DESTDIR)$(hplip_Logdir) - endif #FULL_BUILD - - install-dist_hplip_tmpDATA: - if FULL_BUILD - test -z "$(DESTDIR)$(hplip_tmpdir)" || mkdir -p $(DESTDIR)$(hplip_tmpdir) -- chgrp "lp" -R $(DESTDIR)$(hplip_tmpdir) -+# chgrp "lp" -R $(DESTDIR)$(hplip_tmpdir) - chmod 0775 $(DESTDIR)$(hplip_tmpdir) - endif #FULL_BUILD - if HPLIP_BUILD - test -z "$(DESTDIR)$(hplip_tmpdir)" || mkdir -p $(DESTDIR)$(hplip_tmpdir) -- chgrp "lp" -R $(DESTDIR)$(hplip_tmpdir) -+# chgrp "lp" -R $(DESTDIR)$(hplip_tmpdir) - chmod 0775 $(DESTDIR)$(hplip_tmpdir) - endif #FULL_BUILD - diff --git a/neither-add_user_to_group-nor-open_mdns_port.diff b/do_not_open_mdns_port.diff similarity index 75% rename from neither-add_user_to_group-nor-open_mdns_port.diff rename to do_not_open_mdns_port.diff index 2b0633f..30aaf88 100644 --- a/neither-add_user_to_group-nor-open_mdns_port.diff +++ b/do_not_open_mdns_port.diff @@ -1,5 +1,5 @@ ---- installer/distros.dat.orig 2013-06-21 08:54:15.000000000 +0200 -+++ installer/distros.dat 2013-07-04 16:51:55.000000000 +0200 +--- installer/distros.dat.orig 2013-10-11 11:36:44.000000000 +0200 ++++ installer/distros.dat 2013-10-16 16:25:27.000000000 +0200 @@ -141,7 +141,7 @@ parallel_supported=0 usb_supported=1 packaged_version=3.11.6 
@@ -9,18 +9,16 @@ ppd_install=drv udev_mode_fix=1 ppd_dir=/usr/share/cups/model/HP -@@ -150,8 +150,8 @@ drv_dir=/usr/share/cups/drv/HP +@@ -150,7 +150,7 @@ drv_dir=/usr/share/cups/drv/HP cups_path_with_bitness=0 ui_toolkit=qt4 native_cups=1 --add_user_to_group= -Asys,lp -open_mdns_port=/bin/bash ./init-suse-firewall -+add_user_to_group= +open_mdns_port=/bin/true pre_depend_cmd=su -c "zypper refresh" [suse:12.2:cups] -@@ -260,7 +260,7 @@ parallel_supported=0 +@@ -261,7 +261,7 @@ parallel_supported=0 usb_supported=1 packaged_version=3.12.11 release_date=2013-03-13 @@ -29,13 +27,11 @@ ppd_install=drv udev_mode_fix=1 ppd_dir=/usr/share/cups/model/HP -@@ -269,8 +269,8 @@ drv_dir=/usr/share/cups/drv/HP +@@ -270,7 +270,7 @@ drv_dir=/usr/share/cups/drv/HP cups_path_with_bitness=0 ui_toolkit=qt4 native_cups=1 --add_user_to_group= -a -G sys,lp -open_mdns_port=/bin/bash ./init-suse-firewall -+add_user_to_group= +open_mdns_port=/bin/true pre_depend_cmd=su -c "zypper refresh" diff --git a/hplip-3.13.10.tar.gz b/hplip-3.13.10.tar.gz new file mode 100644 index 0000000..742f325 --- /dev/null +++ b/hplip-3.13.10.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8122cd824398ac6374154f86152e24fdf5c0100b5c1d6518e853308362e627d +size 20951136 diff --git a/hplip-3.13.10.tar.gz.asc b/hplip-3.13.10.tar.gz.asc new file mode 100644 index 0000000..eb76891 --- /dev/null +++ b/hplip-3.13.10.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEABECAAYFAlJXyTYACgkQc9dwzaWQR7lU3gCfUPYc+L4OhHfT6FyDR+p6Cc3f +nTQAoKVRl9zN6A2FEfuevhyXKvbvxS5X +=rBTR +-----END PGP SIGNATURE----- diff --git a/hplip-3.13.9.tar.gz b/hplip-3.13.9.tar.gz deleted file mode 100644 index 6a9a0b9..0000000 --- a/hplip-3.13.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d95c729a79b0d28be3ecb6cba6df5a931b0788484c4d323963abc36d514bb120 -size 20878480 
diff --git a/hplip-3.13.9.tar.gz.asc b/hplip-3.13.9.tar.gz.asc deleted file mode 100644 index d592c6a..0000000 --- a/hplip-3.13.9.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) - -iEYEABECAAYFAlIoR1sACgkQc9dwzaWQR7lohwCfaoxhATOoQn1B2kcsDZrx5FB5 -tMYAn35uKn+H5/feIApEUN+DKjeam1/x -=75MO ------END PGP SIGNATURE----- diff --git a/hplip.changes b/hplip.changes index ad4edff..54b9bbe 100644 --- a/hplip.changes +++ b/hplip.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Wed Oct 16 15:36:08 CEST 2013 - jsmeix@suse.de + +- Version upgrade to 3.13.10: + Several more supported printers and all-in-one devices. + Fix for CVE-2013-4325i (insecure Polkit use). + Users will not be added to "lp" group, users will be prompted + to provide necessary authentication (see the entry + dated "Tue Jul 9 16:18:35 CEST 2013" below). + Added firmware upload functionality during 'hp-setup'. + Some other bug fixes. + For details see + http://hplipopensource.com/hplip-web/release_notes.html +- change-udev-rules.diff: Adapted for HPLIP 3.13.10. +- disable-chgrp_lp.diff is obsolete since version 3.13.10 + because it is fixed in the source. +- neither-add_user_to_group-nor-open_mdns_port.diff is replaced by + do_not_open_mdns_port.diff because the "add_user_to_group" issue + is fixed in the source since version 3.13.10 but the + "open_mdns_port" issue still exists. +- deactivate-add_group-function.diff is obsolete since 3.13.10 + because there is no longer that "chgrp" stuff in HPLIP. + ------------------------------------------------------------------- Thu Sep 12 10:47:40 CEST 2013 - jsmeix@suse.de diff --git a/hplip.spec b/hplip.spec index 9a46e72..67c6d6d 100644 --- a/hplip.spec +++ b/hplip.spec 
@@ -58,7 +58,7 @@ Group: Hardware/Printing
 # where 'a' or 'b' do not mean 'alpha' or 'beta' but 'second' or 'third' release in the month
 # (usually bugfix releases have the suffix like 3.12.10a = first bugfix release for 3.12.10).
 # Official releases have a 3 digit number and release candidates have a 4 digit number: x.y.m.rc
-Version: 3.13.9
+Version: 3.13.10
 Release: 0
 Url: http://hplipopensource.com
 # Source0...Source9 is for sources from HP:
@@ -98,28 +98,21 @@ Source102: hpijs.1.gz
 # Source106 hp-systray.wrapper was a wrapper for hp-systray which is no longer needed
 # see https://bugzilla.novell.com/show_bug.cgi?id=649280
 # Patch100... is for special Suse patches:
-# Patch101 changes the udev rules file 56-hpmud.rules
+# Patch101 change-udev-rules.diff changes the udev rules file 56-hpmud.rules
 Patch101: change-udev-rules.diff
-# Patch102 disable-chgrp_lp.diff deactivates the "chgrp lp" in Makefile.am
-# because during build this results "Operation not permitted".
-# Instead it is done in the files section via attr(0775,root,lp)
-# where mode 0775 is used instead of mode 0777 as in Makefile.am
-# because a public writable directory /var/log/hp/ is not allowed
-# to avoid security issues:
-Patch102: disable-chgrp_lp.diff
+# Patch102 was disable-chgrp_lp.diff that deactivated the "chgrp lp" in Makefile.am
+# because during build this results "Operation not permitted" which
+# is no longer needed because there is no longer that "chgrp" stuff in HPLIP version 3.13.10.
 # Patch103 was no-hplip_cron.diff that deactivated the "cron" stuff in Makefile.am which
 # is no longer needed because there is no longer any "cron" stuff in HPLIP version 3.13.6
-# Patch104 removes add_user_to_group and open_mdns_port.diff from distros.dat for SUSE distros
-# to avoid security issues when normal users get added to system groups 'lp' and 'sys'
-# see https://bugs.launchpad.net/bugs/1197416 and https://bugs.launchpad.net/bugs/1112306
-# and to avoid security issues when ports in the firewall get opened
-# see https://bugs.launchpad.net/bugs/426161
-Patch104: neither-add_user_to_group-nor-open_mdns_port.diff
-# Patch105 deactivates the add_group function that would add the groups ('lp') to user
-# which would cause security issues see https://bugs.launchpad.net/bugs/1197416
-# that would happen in any case via a fallback command in an "else" clause
-# even if this functionality was explicitly disabled in distros.dat
-Patch105: deactivate-add_group-function.diff
+# Patch104 do_not_open_mdns_port.diff deactivates the open_mdns_port functionality
+# in distros.dat for SUSE distros to avoid security issues when ports in the firewall
+# get opened. see https://bugs.launchpad.net/bugs/426161
+Patch104: do_not_open_mdns_port.diff
+# Patch105 was deactivate-add_group-function.diff that deactivated
+# the add_group function that would add the groups ('lp') to user which
+# would cause security issues see https://bugs.launchpad.net/bugs/1197416
+# which is no longer needed because there is no longer that "chgrp" stuff in HPLIP version 3.13.10.
 # Install into this non-root directory (required when norootforbuild is used):
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: coreutils
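Review bot: The new comment for Patch105 gives the wrong reason for dropping the patch: its last line says `there is no longer that "chgrp" stuff`, which is the Patch102 rationale, whereas Patch105 guarded the add_group function that adds users to the 'lp' group. Because this removes a security mitigation (the removed comment notes the fallback ran even when the feature was disabled in distros.dat), the comment should name what replaces it, for example `# which is no longer needed because HPLIP 3.13.10 no longer adds users to the "lp" group.` The hplip.changes entry for deactivate-add_group-function.diff repeats the same "chgrp" wording and should be corrected with it.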
@@ -328,29 +321,12 @@ with the scan drivers in HPLIP for standard HP all-in-one printers. %endif # Be quiet when unpacking: %setup -q -# Patch101 change-udev-rules.diff -# changes the udev rules file 56-hpmud.rules +# Patch101 change-udev-rules.diff changes the udev rules file 56-hpmud.rules %patch101 -b .change-udev-rules.orig -# Patch102 disable-chgrp_lp.diff deactivates the "chgrp lp" in Makefile.am -# because during build this results "Operation not permitted". -# Instead it is done in the files section via attr(0775,root,lp) -# where mode 0775 is used instead of mode 0777 as in Makefile.am -# because a public writable directory /var/log/hp/ is not allowed -# to avoid security issues: -%patch102 -b .disable-chgrp_lp.orig -# Patch104 neither-add_user_to_group-nor-open_mdns_port.diff -# removes add_user_to_group and open_mdns_port.diff from distros.dat for SUSE distros -# to avoid security issues when normal users get added to system groups 'lp' and 'sys' -# see https://bugs.launchpad.net/bugs/1197416 and https://bugs.launchpad.net/bugs/1112306 -# and to avoid security issues when ports in the firewall get opened -# see https://bugs.launchpad.net/bugs/426161 -%patch104 -b .neither-add_user_to_group-nor-open_mdns_port.orig -# Patch105 deactivate-add_group-function.diff -# deactivates the add_group function that would add the groups ('lp') to user -# which would cause security issues see https://bugs.launchpad.net/bugs/1197416 -# that would happen in any case via a fallback command in an "else" clause -# even if this functionality was explicitly disabled in distros.dat -%patch105 -b .deactivate-add_group-function.orig +# Patch104 do_not_open_mdns_port.diff deactivates the open_mdns_port functionality +# in distros.dat for SUSE distros to avoid security issues when ports in the firewall +# get opened. 
see https://bugs.launchpad.net/bugs/426161 +%patch104 -b .do_not_open_mdns_port.orig %build # If AUTOMAKE='automake --foreign' is not set, autoreconf (in fact automake) @@ -383,6 +359,8 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" # foomatic-rip-hplip is no longer installed and foomatic-rip from foomatic-filters is used instead so that # --disable-foomatic-rip-hplip-install is explicitly set and as a consequence the "cupsFilter" entries # in the static PPDs are changed in the install section to use foomatic-rip. +# Since HPLIP 3.13.10 --with-htmldir is new but it does not inhertit its value from --with-docdir +# so that --with-htmldir must be explicitly set. ./configure --prefix=/usr \ --libdir=%{_libdir} \ --disable-qt3 \ @@ -407,7 +385,8 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" --with-cupsfilterdir=/usr/lib/cups/filter \ --with-drvdir=/usr/lib/cups/driver \ --with-mimedir=%{_sysconfdir}/cups \ - --with-docdir=%{_defaultdocdir}/%{name} + --with-docdir=%{_defaultdocdir}/%{name} \ + --with-htmldir==%{_defaultdocdir}/%{name} make %install @@ -629,7 +608,6 @@ exit 0 %{_bindir}/hp-logcapture %{_bindir}/hp-makecopies %{_bindir}/hp-makeuri -%{_bindir}/hp-mkuri %{_bindir}/hp-pkservice %{_bindir}/hp-plugin %{_bindir}/hp-pqdiag @@ -686,7 +664,7 @@ exit 0 %{_datadir}/cups/model/manufacturer-PPDs/%{name}/ %{_datadir}/%{name}/data/models/models.dat # Use fixed "/var/log/hp" because this is hardcoded in the HPLIP sources. -# Regarding attr(0775,root,lp) see disable-chgrp_lp.diff (Patch102): +# Regarding attr(0775,root,lp) see the comment for /var/log/hp/tmp below: %dir %attr(0775,root,lp) /var/log/hp # Regarding attr(0775,root,lp) for /var/log/hp/tmp # see https://bugzilla.novell.com/show_bug.cgi?id=800312#c0
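Review bot: The added configure argument `--with-htmldir==%{_defaultdocdir}/%{name}` has a doubled `=`, so configure receives a value that begins with a literal `=` instead of the absolute doc directory. The HTML documentation would then presumably be installed under a relative path starting with `=` rather than next to `--with-docdir`, which can also break the files list. The line should read `--with-htmldir=%{_defaultdocdir}/%{name}`. The comment added two hunks earlier to explain this option misspells "inherit" as "inhertit"; the ./configure invocation itself starts and ends outside this hunk.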