2218124 - The command "cancel -x <job>" does not remove job files

2218123 - Delays printing to lpd when reserved ports are exhausted

Security fix for CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c

2217043 - cups-2.4.6 is available

.gitignore

@@ -100,3 +100,4 @@ cups-1.4.4-source.tar.bz2
 /cups-2.4.2-source.tar.gz
 /cups-2.4.4-source.tar.gz
 /cups-2.4.5-source.tar.gz
+/cups-2.4.6-source.tar.gz

0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch

@@ -0,0 +1,41 @@
+From d82c43db87ac421ad9830c77342ad68b1d4d20c3 Mon Sep 17 00:00:00 2001
+From: Bryan Mason <bmason@redhat.com>
+Date: Sat, 24 Jun 2023 12:31:23 -0700
+Subject: [PATCH 1/2] Fix delays printing to lpd when reserved ports are
+ exhausted
+
+cups_rresvport() doesn't reserve ports less than 512; however,
+lpd_queue() continues decrementing the port number to 0.  This leads
+to delays of ~511 seconds once all ports between 512-1023 are
+exhausted.  Even when ports become available, lpd_queue() still tries
+calling cups_rresvport() with port numbers less than 512, waiting one
+second between each call.
+---
+ backend/lpd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/backend/lpd.c b/backend/lpd.c
+index a7a44ab20..425b8512a 100644
+--- a/backend/lpd.c
++++ b/backend/lpd.c
+@@ -63,7 +63,7 @@ static int	abort_job = 0;		/* Non-zero if we get SIGTERM */
+ 
+ #define RESERVE_NONE		0	/* Don't reserve a privileged port */
+ #define RESERVE_RFC1179		1	/* Reserve port 721-731 */
+-#define RESERVE_ANY		2	/* Reserve port 1-1023 */
++#define RESERVE_ANY		2	/* Reserve port 512-1023 */
+ 
+ 
+ /*
+@@ -775,7 +775,7 @@ lpd_queue(const char      *hostname,	/* I - Host to connect to */
+ 
+       if (lport < 721 && reserve == RESERVE_RFC1179)
+ 	lport = 731;
+-      else if (lport < 1)
++      else if (lport < 512)
+ 	lport = 1023;
+ 
+ #ifdef HAVE_GETEUID
+-- 
+2.41.0
+

0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch

@@ -0,0 +1,48 @@
+From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001
+From: Bryan Mason <bmason@redhat.com>
+Date: Tue, 27 Jun 2023 04:18:46 -0700
+Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a
+ single job (#742)
+
+The command "cancel -x <job>" adds "purge-jobs true" to the Cancel-Job
+operation; however, the correct attribute to use for Cancel-job is
+"purge-job" (singular), not "purge-jobs" (plural).  As a result, job
+files are not removed from /var/spool/cups when "cancel -x <job>" is
+executed.
+
+This patch resolves the issue by adding "purge-job" when the IPP
+operation is Cancel-Job and "purge-jobs" for other IPP operations
+(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs)
+---
+ systemv/cancel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/systemv/cancel.c b/systemv/cancel.c
+index 572f413e1..f5b8e12b5 100644
+--- a/systemv/cancel.c
++++ b/systemv/cancel.c
+@@ -260,6 +260,7 @@ main(int  argc,				/* I - Number of command-line arguments */
+       *    attributes-natural-language
+       *    printer-uri + job-id *or* job-uri
+       *    [requesting-user-name]
++      *    [purge-job] or [purge-jobs]
+       */
+ 
+       request = ippNewRequest(op);
+@@ -294,7 +295,12 @@ main(int  argc,				/* I - Number of command-line arguments */
+                      "requesting-user-name", NULL, cupsUser());
+ 
+       if (purge)
+-	ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
++      {
++	if (op == IPP_CANCEL_JOB)
++	  ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge);
++	else
++	  ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
++      }
+ 
+      /*
+       * Do the request and get back a response...
+-- 
+2.41.0
+

cups.spec

@@ -14,7 +14,7 @@
 Summary: CUPS printing system
 Name: cups
 Epoch: 1
-Version: 2.4.5
+Version: 2.4.6
 Release: 1%{?dist}
 # the CUPS exception text is the same as LLVM exception, so using that name with
 # agreement from legal team
@@ -70,6 +70,12 @@ Patch100: cups-lspp.patch
 %endif
 
 #### UPSTREAM PATCHES (starts with 1000) ####
+# https://github.com/OpenPrinting/cups/pull/741
+# 2218123 - Delays printing to lpd when reserved ports are exhausted
+Patch1000: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
+# https://github.com/OpenPrinting/cups/pull/742
+# 2218124 - The command "cancel -x <job>" does not remove job files
+Patch1001: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
 
 
 ##### Patches removed because IMHO they aren't no longer needed
@@ -289,6 +295,10 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch -P 13 -p1 -b .dymo-deviceid
 
 # UPSTREAM PATCHES
+# 2218123 - Delays printing to lpd when reserved ports are exhausted
+%patch -P 1000 -p1 -b .lpd-delay
+# 2218124 - The command "cancel -x <job>" does not remove job files
+%patch -P 1001 -p1 -b .purge-job
 
 
 %if %{lspp}
@@ -749,6 +759,12 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Tue Jun 27 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.6-1
+- 2218124 - The command "cancel -x <job>" does not remove job files
+- 2218123 - Delays printing to lpd when reserved ports are exhausted
+- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
+- 2217043 - cups-2.4.6 is available
+
 * Wed Jun 14 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.5-1
 - 2214860 - cups-2.4.5 is available
 

sources

@@ -1 +1 @@
-SHA512 (cups-2.4.5-source.tar.gz) = ffa37468f28c95bd10db45739d1d442c21f9575f5b36543284f0821bae5d78167228543d7714b1a37c5701d31953e97ebd35cfdc8ec915894bce688431291701
+SHA512 (cups-2.4.6-source.tar.gz) = eb748680a748f599e4826c17054a24259d190e6c8e8339f6a7a37ee2a3f4c3fd1829e856b25a854cfdbee1b51279c70a0e847f6142225b8b68f1cd10c4ce4ce4