CVE-2024-47176 cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source

Resolves: RHEL-60309

cups-browsed.spec

@@ -10,7 +10,7 @@
 Name: cups-browsed
 Epoch: 1
 Version: 2.0.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Daemon for local auto-installation of remote printers
 # the CUPS exception text is the same as LLVM exception, so using that name with
 # agreement from legal team
@@ -30,6 +30,8 @@ Patch003: browsed-goto-fail.patch
 # https://github.com/OpenPrinting/cups-browsed/pull/32
 # https://github.com/OpenPrinting/cups-browsed/pull/33
 Patch04: browsed-ignore-NULL-attrs.patch
+# CVE-2024-47176 cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
+Patch05: 0001-Removed-support-for-legacy-CUPS-browsing-and-for-LDA.patch
 
 
 # remove once CentOS Stream 10 is released, cups-browsed
@@ -160,6 +162,14 @@ do
     fi
 done
 
+# Set BrowseRemoteProtocols to none in light of CVE-2024-47176
+if ! grep -Fxq "# added by post scriptlet" %{_sysconfdir}/cups/cups-browsed.conf
+then
+        cp %{_sysconfdir}/cups/cups-browsed.conf %{_sysconfdir}/cups/cups-browsed.conf.rpmsave
+        sed -i "s/^\s*BrowseRemoteProtocols.*/# added by post scriptlet\nBrowseRemoteProtocols none/" %{_sysconfdir}/cups/cups-browsed.conf
+fi
+
+
 %preun
 %systemd_preun cups-browsed.service
 
@@ -216,6 +226,9 @@ fi
 
 
 %changelog
+* Tue Oct 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-7
+- CVE-2024-47176 cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
+
 * Tue Aug 06 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-6
 - RHEL-51349 Cups browsing with 'Autoclustering on' cannot find printer clusters for HA due incorrect orientation-requested-default