diff --git a/SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch b/SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch new file mode 100644 index 0000000..fdec951 --- /dev/null +++ b/SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch @@ -0,0 +1,21 @@ +diff -up cups-2.3.3op2/backend/lpd.c.lpd-delay cups-2.3.3op2/backend/lpd.c +--- cups-2.3.3op2/backend/lpd.c.lpd-delay 2021-02-01 22:10:25.000000000 +0100 ++++ cups-2.3.3op2/backend/lpd.c 2023-06-28 17:28:52.465476261 +0200 +@@ -63,7 +63,7 @@ static int abort_job = 0; /* Non-zero i + + #define RESERVE_NONE 0 /* Don't reserve a priviledged port */ + #define RESERVE_RFC1179 1 /* Reserve port 721-731 */ +-#define RESERVE_ANY 2 /* Reserve port 1-1023 */ ++#define RESERVE_ANY 2 /* Reserve port 512-1023 */ + + + /* +@@ -778,7 +778,7 @@ lpd_queue(const char *hostname, /* + + if (lport < 721 && reserve == RESERVE_RFC1179) + lport = 731; +- else if (lport < 1) ++ else if (lport < 512) + lport = 1023; + + #ifdef HAVE_GETEUID diff --git a/SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch b/SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch new file mode 100644 index 0000000..7c647bf --- /dev/null +++ b/SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch @@ -0,0 +1,64 @@ +From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001 +From: Rose <83477269+AtariDreams@users.noreply.github.com> +Date: Thu, 1 Jun 2023 11:33:39 -0400 +Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection + +httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to. + +We have to log the hostname first. +--- + scheduler/client.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index 91e441188..327473a4d 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + /* + * Can't have an unresolved IP address with double-lookups enabled... + */ +- +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "Name lookup failed - connection from %s closed!", ++ "Name lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); + ++ httpClose(con->http); + free(con); + return; + } +@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + * with double-lookups enabled... + */ + +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "IP lookup failed - connection from %s closed!", ++ "IP lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + + if (!hosts_access(&wrap_req)) + { +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, + "Connection from %s refused by /etc/hosts.allow and " + "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +-- +2.41.0 + diff --git a/SOURCES/0001-Require-authentication-for-CUPS-Get-Document.patch b/SOURCES/0001-Require-authentication-for-CUPS-Get-Document.patch new file mode 100644 index 0000000..e2852e1 --- /dev/null +++ b/SOURCES/0001-Require-authentication-for-CUPS-Get-Document.patch @@ -0,0 +1,31 @@ +From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 6 Dec 2022 09:04:01 -0500 +Subject: [PATCH] Require authentication for CUPS-Get-Document. + +--- + conf/cupsd.conf.in | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b25884907..a07536f3e 100644 +--- a/conf/cupsd.conf.in ++++ b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++ Require user @OWNER @SYSTEM ++ Order deny,allow ++ ++ ++ ++ AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + +-- +2.41.0 + diff --git a/SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch b/SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch new file mode 100644 index 0000000..fe5d29e --- /dev/null +++ b/SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch @@ -0,0 +1,48 @@ +From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001 +From: Bryan Mason +Date: Tue, 27 Jun 2023 04:18:46 -0700 +Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a + single job (#742) + +The command "cancel -x " adds "purge-jobs true" to the Cancel-Job +operation; however, the correct attribute to use for Cancel-job is +"purge-job" (singular), not "purge-jobs" (plural). As a result, job +files are not removed from /var/spool/cups when "cancel -x " is +executed. + +This patch resolves the issue by adding "purge-job" when the IPP +operation is Cancel-Job and "purge-jobs" for other IPP operations +(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs) +--- + systemv/cancel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/systemv/cancel.c b/systemv/cancel.c +index 572f413e1..f5b8e12b5 100644 +--- a/systemv/cancel.c ++++ b/systemv/cancel.c +@@ -260,6 +260,7 @@ main(int argc, /* I - Number of command-line arguments */ + * attributes-natural-language + * printer-uri + job-id *or* job-uri + * [requesting-user-name] ++ * [purge-job] or [purge-jobs] + */ + + request = ippNewRequest(op); +@@ -294,7 +295,12 @@ main(int argc, /* I - Number of command-line arguments */ + "requesting-user-name", NULL, cupsUser()); + + if (purge) +- ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge); ++ { ++ if (op == IPP_CANCEL_JOB) ++ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge); ++ else ++ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge); ++ } + + /* + * Do the request and get back a response... +-- +2.41.0 + diff --git a/SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch b/SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch new file mode 100644 index 0000000..d30c243 --- /dev/null +++ b/SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch @@ -0,0 +1,35 @@ +From 876fdc1c90a885a58644c8757bc1283c9fd5bcb7 Mon Sep 17 00:00:00 2001 +From: Vasilis Liaskovitis +Date: Wed, 1 Mar 2023 13:46:28 +0100 +Subject: [PATCH] cups/http-addr.c: Set listen backlog size to INT_MAX (fixes + #308) + +Use a listen queue size of INT_MAX, which should default to the maximum +supported queue size on the system. + +This avoids the problem of the listening backlog queue getting full when +there are too many requests at the same time. The problem was observed +with the previous backlog size (128) by customers when submitting large +batches of print jobs, resulting in some jobs getting lost. + +Signed-off-by: Vasilis Liaskovitis +--- + cups/http-addr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cups/http-addr.c b/cups/http-addr.c +index a61ee0449..6aeeb8074 100644 +--- a/cups/http-addr.c ++++ b/cups/http-addr.c +@@ -249,7 +249,7 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ + * Listen... + */ + +- if (listen(fd, 5)) ++ if (listen(fd, INT_MAX)) + { + _cupsSetHTTPError(HTTP_STATUS_ERROR); + +-- +2.41.0 + diff --git a/SOURCES/0001-cups-strlcpy-handle-zero-size.patch b/SOURCES/0001-cups-strlcpy-handle-zero-size.patch new file mode 100644 index 0000000..45d36ad --- /dev/null +++ b/SOURCES/0001-cups-strlcpy-handle-zero-size.patch @@ -0,0 +1,26 @@ +From 5e3107e734f06d410a490e8bc923dc3119f17671 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Wed, 17 May 2023 12:59:57 -0400 +Subject: [PATCH] Consensus fix. + +--- + cups/string.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/cups/string.c b/cups/string.c +index 00454203c..b4fc12050 100644 +--- a/cups/string.c ++++ b/cups/string.c +@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ + size_t srclen; /* Length of source string */ + + ++ if (size == 0) ++ return (0); ++ + /* + * Figure out how much room is needed... + */ +-- +2.40.1 + diff --git a/SOURCES/upgrade_get_document.py.in b/SOURCES/upgrade_get_document.py.in new file mode 100755 index 0000000..91d393f --- /dev/null +++ b/SOURCES/upgrade_get_document.py.in @@ -0,0 +1,171 @@ +@PYTHON_SHEBANG@ + +""" +Upgrade script to enable authentication for CUPS-Get-Document in +default policy +""" + +import os +import sys +from shutil import copy + + +def get_cupsd_conf(): + """ + Get all lines from cupsd.conf + """ + if not os.path.exists('/etc/cups/cupsd.conf'): + return None + + lines = [] + with open('/etc/cups/cupsd.conf', 'r') as conf: + lines = conf.readlines() + + return lines + + +def get_default_policy(lines): + """ + Get the default policy lines + + :param list lines: lines from cupsd.conf + """ + default_policy = [] + in_policy = False + + for line in lines: + if not in_policy and not line.lstrip().startswith(''): + continue + + default_policy.append(line) + + if line.lstrip().startswith(''): + return default_policy + + in_policy = True + + return default_policy + + +def get_limit_with_document(lines): + """ + Get scope which defines CUPS-Get-Document operation + + :param list lines: Lines containing the default policy + """ + limit = [] + in_limit = False + + for line in lines: + if not in_limit and not line.lstrip().startswith(''): + return limit + + in_limit = True + + return limit + + +def check_for_authtype(lines): + """ + Check if defining CUPS-Get-Document defines + any authentication + + :param list lines: Lines of scope which defines CUPS-Get-Document + """ + for line in lines: + if line.lstrip().startswith('AuthType'): + return True + return False + + +def migrate_cupsd_conf(lines): + """ + Make changes to cupsd.conf contents to use authentication + for CUPS-Get-Document + + :param list lines: Lines from cupsd.conf + """ + new_lines = [] + in_policy = False + create_document_limit = False + + for line in lines: + if (in_policy and line.lstrip().startswith('') and + 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]): + line = line.replace(' CUPS-Get-Document', '') + create_document_limit = True + + if in_policy and line.lstrip().startswith('') and create_document_limit: + new_lines.append('\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '# added during upgrade\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '\n') + new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' + + 'AuthType Default\n') + new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' + + 'Require user @OWNER @SYSTEM\n') + new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' + + 'Order deny,allow\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '\n') + create_document_limit = False + + new_lines.append(line) + + if not in_policy: + if line.lstrip().startswith(''): + in_policy = True + continue + + if line.lstrip().startswith(''): + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + '# added during upgrade\n') + new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' + + 'AuthType Default\n') + continue + + if line.lstrip().startswith(''): + in_policy = False + continue + + return new_lines + + +def apply_changes(lines): + """ + Backup the original file if there is no .rpmsave already and + apply changes to the actual cupsd.conf + + :param list lines: New lines for cupsd.conf + """ + if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'): + copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave') + + with open('/etc/cups/cupsd.conf', 'w') as conf: + conf.writelines(lines) + + + +content = get_cupsd_conf() +if content is None: + sys.exit(1) + +if check_for_authtype(get_limit_with_document(get_default_policy(content))): + sys.exit(0) + +new_content = migrate_cupsd_conf(content) + +apply_changes(new_content) + +sys.exit(0) diff --git a/SPECS/cups.spec b/SPECS/cups.spec index 8a2c264..f51dff1 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -7,6 +7,13 @@ # but we use lib for compatibility with 3rd party drivers (at upstream request). %global cups_serverbin %{_exec_prefix}/lib/cups +# we still need something for python2... +%if 0%{?rhel} >= 8 || 0%{?fedora} +%global __python %{__python3} +%else +%global __python /usr/bin/python2 +%endif + #%%global prever rc1 #%%global VERSION %%{version}%%{prever} %global VERSION %{version} @@ -15,7 +22,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 51%{?dist} +Release: 54%{?dist} License: GPLv2+ and LGPLv2 with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -26,6 +33,8 @@ Source6: cups.logrotate # Backend for NCP protocol Source7: ncp.backend Source8: macros.cups +# CVE-2023-32360 migration script +Source9: upgrade_get_document.py.in Patch1: cups-no-gzip-man.patch Patch2: cups-system-auth.patch @@ -143,6 +152,18 @@ Patch77: cups-retry-current-job-man.patch Patch78: 0001-Update-man-pages-for-h-option-Issue-357.patch # 2130391 - Kerberized IPP Printing Fails Patch79: cups-kerberos.patch +# 2217178 - Delays printing to lpd when reserved ports are exhausted +Patch80: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch +# 2217283 - The command "cancel -x " does not remove job files +Patch81: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch +# 2217955 - Enlarge backlog queue for listen() in cupsd +Patch82: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch +# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +Patch83: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch +# CVE-2023-32324 cups: heap buffer overflow may lead to DoS +Patch84: 0001-cups-strlcpy-handle-zero-size.patch +# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation +Patch85: 0001-Require-authentication-for-CUPS-Get-Document.patch Patch1000: cups-lspp.patch @@ -189,6 +210,9 @@ Requires(post): grep, sed Requires(preun): systemd Requires(postun): systemd +# for upgrade-get-document script +Requires(post): %{__python} + # We ship udev rules which use setfacl. Requires: systemd Requires: acl @@ -429,6 +453,18 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch78 -p1 -b .manpage-update # 2130391 - Kerberized IPP Printing Fails %patch79 -p1 -b .kerberos +# 2217178 - Delays printing to lpd when reserved ports are exhausted +%patch80 -p1 -b .lpd-delay +# 2217283 - The command "cancel -x " does not remove job files +%patch81 -p1 -b .purge-job +# 2217955 - Enlarge backlog queue for listen() in cupsd +%patch82 -p1 -b .listen-backlog +# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +%patch83 -p1 -b .cve34241 +# CVE-2023-32324 cups: heap buffer overflow may lead to DoS +%patch84 -p1 -b .cve32324 +# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation +%patch85 -p1 -b .get-document-auth sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -578,6 +614,11 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3: /^\([^%].*\)/d ' > %{name}.lang +# install get-document upgrade script +install -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/upgrade_get_document + +sed -i 's,@PYTHON_SHEBANG@,#!%{__python},' %{buildroot}%{_sbindir}/upgrade_get_document + %post %systemd_post %{name}.path %{name}.socket %{name}.service @@ -640,6 +681,8 @@ fi grep '^\s*IdleExitTimeout' %{_sysconfdir}/cups/cupsd.conf &> /dev/null || echo -e '\nIdleExitTimeout 0' \ >> %{_sysconfdir}/cups/cupsd.conf +%{_sbindir}/upgrade_get_document + exit 0 %post client @@ -848,6 +891,22 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Tue Sep 12 2023 Zdenek Dohnal - 1:2.2.6-54 +- RHEL-2612 - cups pulls an unneeded dependency on python3 + +* Tue Aug 29 2023 Zdenek Dohnal - 1:2.2.6-53 +- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation + +* Thu Jun 29 2023 Zdenek Dohnal - 1:2.2.6-52 +- 2217178 - Delays printing to lpd when reserved ports are exhausted +- 2217283 - The command "cancel -x " does not remove job files +- 2217955 - Enlarge backlog queue for listen() in cupsd +- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +- CVE-2023-32324 cups: heap buffer overflow may lead to DoS + +* Mon Apr 03 2023 Zdenek Dohnal - 1:2.2.6-51 +- RHEL-316 - Enable fmf tests in centos stream + * Wed Dec 14 2022 Zdenek Dohnal - 1:2.2.6-51 - 2130391 - Kerberized IPP Printing Fails