import cups-2.3.3op2-11.el9

SOURCES/0001-Add-with-idle-exit-timeout-configure-option.patch

@@ -0,0 +1,33 @@
+diff -up cups-2.3.3op2/conf/cupsd.conf.in.idleexittimeout cups-2.3.3op2/conf/cupsd.conf.in
+--- cups-2.3.3op2/conf/cupsd.conf.in.idleexittimeout	2021-02-01 22:10:25.000000000 +0100
++++ cups-2.3.3op2/conf/cupsd.conf.in	2021-11-29 11:37:02.426407322 +0100
+@@ -28,6 +28,9 @@ DefaultAuthType Basic
+ # Web interface setting...
+ WebInterface @CUPS_WEBIF@
+ 
++# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
++IdleExitTimeout @EXIT_TIMEOUT@
++
+ # Restrict access to the server...
+ <Location />
+   Order allow,deny
+diff -up cups-2.3.3op2/config-scripts/cups-defaults.m4.idleexittimeout cups-2.3.3op2/config-scripts/cups-defaults.m4
+--- cups-2.3.3op2/config-scripts/cups-defaults.m4.idleexittimeout	2021-11-29 11:37:02.426407322 +0100
++++ cups-2.3.3op2/config-scripts/cups-defaults.m4	2021-11-29 11:39:16.629262421 +0100
+@@ -461,3 +461,16 @@ esac
+ 
+ AC_SUBST(CUPS_WEBIF)
+ AC_DEFINE_UNQUOTED(CUPS_DEFAULT_WEBIF, $CUPS_DEFAULT_WEBIF)
++
++dnl Set default value of IdleExitTimeout
++AC_ARG_WITH([idle_exit_timeout], AS_HELP_STRING([--with-idle-exit-timeout], [set the default value for IdleExitTimeout, default=60]), [
++    AS_IF([test "x$withval" = "xno"], [
++	EXIT_TIMEOUT=0
++    ], [
++	EXIT_TIMEOUT=$withval
++    ])
++], [
++    EXIT_TIMEOUT=60
++])
++
++AC_SUBST([EXIT_TIMEOUT])

SOURCES/0001-Add-with-systemd-timeoutstartsec-configure-option.patch

@@ -0,0 +1,33 @@
+diff -up cups-2.3.3op2/config-scripts/cups-defaults.m4.conf-timeoutstartsec cups-2.3.3op2/config-scripts/cups-defaults.m4
+--- cups-2.3.3op2/config-scripts/cups-defaults.m4.conf-timeoutstartsec	2021-11-29 13:50:14.568976028 +0100
++++ cups-2.3.3op2/config-scripts/cups-defaults.m4	2021-11-29 13:51:02.785567762 +0100
+@@ -482,3 +482,18 @@ AC_ARG_WITH([idle_exit_timeout], AS_HELP
+ ])
+ 
+ AC_SUBST([EXIT_TIMEOUT])
++
++dnl set TimeoutStartSec for cups.service
++dnl - if used as --without-*, it sets TimeoutStartSec to infinity
++AC_ARG_WITH([systemd-timeoutstartsec],
++    AS_HELP_STRING([--with-systemd-timeoutstartsec],
++	[set TimeoutStartSec value in cups.service, default=default value in systemd]), [
++    AS_IF([ test "x$withval" = "xno" ], [
++	TIMEOUTSTARTSEC="TimeoutStartSec=infinity"
++    ], [
++	TIMEOUTSTARTSEC="TimeoutStartSec=$withval"
++    ])
++], [
++    TIMEOUTSTARTSEC=""
++])
++AC_SUBST([TIMEOUTSTARTSEC])
+diff -up cups-2.3.3op2/scheduler/cups.service.in.conf-timeoutstartsec cups-2.3.3op2/scheduler/cups.service.in
+--- cups-2.3.3op2/scheduler/cups.service.in.conf-timeoutstartsec	2021-11-29 13:50:14.551976172 +0100
++++ cups-2.3.3op2/scheduler/cups.service.in	2021-11-29 13:50:14.568976028 +0100
+@@ -8,6 +8,7 @@ Requires=cups.socket
+ ExecStart=@sbindir@/cupsd -l
+ Type=notify
+ Restart=on-failure
++@TIMEOUTSTARTSEC@
+ 
+ [Install]
+ Also=cups.socket cups.path

SOURCES/cups-deprecate-drivers.patch

@@ -0,0 +1,177 @@
+diff --git a/cgi-bin/admin.c b/cgi-bin/admin.c
+index 02b9d9d..669cb65 100644
+--- a/cgi-bin/admin.c
++++ b/cgi-bin/admin.c
+@@ -619,6 +619,7 @@ do_am_printer(http_t *http,		/* I - HTTP connection */
+ 		*oldinfo;		/* Old printer information */
+   const cgi_file_t *file;		/* Uploaded file, if any */
+   const char	*var;			/* CGI variable */
++  char	*ppd_name = NULL;	/* Pointer to PPD name */
+   char		uri[HTTP_MAX_URI],	/* Device or printer URI */
+ 		*uriptr,		/* Pointer into URI */
+ 		evefile[1024] = "";	/* IPP Everywhere PPD file */
+@@ -1124,12 +1125,12 @@ do_am_printer(http_t *http,		/* I - HTTP connection */
+ 
+     if (!file)
+     {
+-      var = cgiGetVariable("PPD_NAME");
+-      if (!strcmp(var, "everywhere"))
++      ppd_name = cgiGetVariable("PPD_NAME");
++      if (!strcmp(ppd_name, "everywhere"))
+         get_printer_ppd(cgiGetVariable("DEVICE_URI"), evefile, sizeof(evefile));
+-      else if (strcmp(var, "__no_change__"))
++      else if (strcmp(ppd_name, "__no_change__"))
+ 	ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "ppd-name",
+-		     NULL, var);
++		     NULL, ppd_name);
+     }
+ 
+     ippAddString(request, IPP_TAG_PRINTER, IPP_TAG_TEXT, "printer-location",
+@@ -1219,7 +1220,7 @@ do_am_printer(http_t *http,		/* I - HTTP connection */
+ 
+       cgiCopyTemplateLang("printer-modified.tmpl");
+     }
+-    else
++    else if (ppd_name && (strcmp(ppd_name, "everywhere") == 0 || strstr(ppd_name, "driverless")))
+     {
+      /*
+       * Set the printer options...
+@@ -1229,6 +1230,16 @@ do_am_printer(http_t *http,		/* I - HTTP connection */
+       do_set_options(http, 0);
+       return;
+     }
++    else
++    {
++     /*
++      * If we don't have an everywhere model, show printer-added
++      * template with warning about drivers going away...
++      */
++
++      cgiStartHTML(title);
++      cgiCopyTemplateLang("printer-added.tmpl");
++    }
+ 
+     cgiEndHTML();
+   }
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 3bfe4a8..248bdba 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -950,6 +950,8 @@ cupsdLoadAllPrinters(void)
+ 			*value,		/* Pointer to value */
+ 			*valueptr;	/* Pointer into value */
+   cupsd_printer_t	*p;		/* Current printer */
++  int			found_raw = 0;		/* Flag whether raw queue is installed */
++  int			found_driver = 0;		/* Flag whether queue with classic driver is installed */
+ 
+ 
+  /*
+@@ -1025,6 +1027,30 @@ cupsdLoadAllPrinters(void)
+ 
+         cupsdSetPrinterAttrs(p);
+ 
++	if ((p->device_uri && strncmp(p->device_uri, "ipp:", 4) && strncmp(p->device_uri, "ipps:", 5) && strncmp(p->device_uri, "implicitclass:", 14)) ||
++	    !p->make_model ||
++	    (p->make_model && strstr(p->make_model, "IPP Everywhere") == NULL && strstr(p->make_model, "driverless") == NULL))
++	{
++	 /*
++	  * Warn users about printer drivers and raw queues will be deprecated.
++	  * It will warn users in the following scenarios:
++	  * - the queue doesn't use ipp, ipps or implicitclass backend, which means
++	  *   it doesn't communicate via IPP and is raw or uses a driver for sure
++	  * - the queue doesn't have make_model - it is raw
++	  * - the queue uses a correct backend, but the model is not IPP Everywhere/driverless
++	  */
++	  if (!p->make_model)
++	  {
++	    cupsdLogMessage(CUPSD_LOG_DEBUG, "Queue %s is a raw queue, which is deprecated.", p->name);
++	    found_raw = 1;
++	  }
++	  else
++	  {
++	    cupsdLogMessage(CUPSD_LOG_DEBUG, "Queue %s uses a printer driver, which is deprecated.", p->name);
++	    found_driver = 1;
++	  }
++	}
++
+         if (strncmp(p->device_uri, "file:", 5) && p->state != IPP_PRINTER_STOPPED)
+ 	{
+ 	 /*
+@@ -1415,6 +1441,12 @@ cupsdLoadAllPrinters(void)
+     }
+   }
+ 
++  if (found_raw)
++    cupsdLogMessage(CUPSD_LOG_WARN, "Raw queues are deprecated and will stop working in a future version of CUPS. See https://github.com/OpenPrinting/cups/issues/103");
++
++  if (found_driver)
++    cupsdLogMessage(CUPSD_LOG_WARN, "Printer drivers are deprecated and will stop working in a future version of CUPS. See https://github.com/OpenPrinting/cups/issues/103");
++
+   cupsFileClose(fp);
+ }
+ 
+diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
+index ca6d386..daf24d5 100644
+--- a/systemv/lpadmin.c
++++ b/systemv/lpadmin.c
+@@ -632,7 +632,7 @@ main(int  argc,				/* I - Number of command-line arguments */
+ 
+     num_options = cupsRemoveOption("ppd-name", num_options, &options);
+   }
+-  else if (ppd_name || file)
++  else if ((ppd_name && strncmp(ppd_name, "driverless:", 11)) || file)
+   {
+     _cupsLangPuts(stderr, _("lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS."));
+   }
+diff --git a/templates/choose-model.tmpl b/templates/choose-model.tmpl
+index e916cf8..9c9b71f 100644
+--- a/templates/choose-model.tmpl
++++ b/templates/choose-model.tmpl
+@@ -39,7 +39,7 @@
+ <TD>
+ <SELECT NAME="PPD_NAME" SIZE="10">
+ {op=add-printer?:<OPTION VALUE="__no_change__" SELECTED>Current Driver - {current_make_and_model}</OPTION>:}
+-{show_ipp_everywhere?<OPTION VALUE="everywhere" SELECTED>{current_make_and_model} - IPP Everywhere &trade;</OPTION>:}
++{show_ipp_everywhere?<OPTION VALUE="everywhere" SELECTED>{current_make_and_model?{current_make_and_model} -:} IPP Everywhere &trade;</OPTION>:}
+ {[ppd_name]<OPTION VALUE="{ppd_name}" {op=modify-printer?:{?current_make_and_model={ppd_make_and_model}?SELECTED:}}>{ppd_make_and_model} ({ppd_natural_language})
+ }</SELECT>
+ </TD>
+diff --git a/templates/printer-added.tmpl b/templates/printer-added.tmpl
+index 0ccf6d3..9ebc835 100644
+--- a/templates/printer-added.tmpl
++++ b/templates/printer-added.tmpl
+@@ -1,4 +1,15 @@
+-<H2 CLASS="title">Add Printer</H2>
++<H2 CLASS="title">Add Printer {printer_name}</H2>
+ 
+ <P>Printer <A HREF="/printers/{printer_name}">{printer_name}</A> has been added
+ successfully.
++
++<blockquote>
++<b>Note:<b>Printer drivers and raw queues are deprecated and will stop working in a future version of CUPS.
++</blockquote>
++
++<FORM ACTION="admin/" METHOD="POST">
++<INPUT TYPE="HIDDEN" NAME="org.cups.sid" VALUE="{$org.cups.sid}">
++<INPUT TYPE="HIDDEN" NAME="OP" VALUE="set-printer-options">
++<INPUT TYPE="HIDDEN" NAME="printer_name" VALUE="{printer_name}">
++<INPUT TYPE="SUBMIT" VALUE="Set Printer Options">
++</FORM>
+diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh
+index 4498a8c..8776874 100755
+--- a/test/run-stp-tests.sh
++++ b/test/run-stp-tests.sh
+@@ -1049,10 +1049,10 @@ fi
+ 
+ # Warning log messages
+ count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
+-if test $count != 8; then
+-	echo "FAIL: $count warning messages, expected 8."
++if test $count != 10; then
++	echo "FAIL: $count warning messages, expected 10."
+ 	$GREP '^W ' $BASE/log/error_log
+-	echo "    <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile
++	echo "    <p>FAIL: $count warning messages, expected 10.</p>" >>$strfile
+ 	echo "    <pre>" >>$strfile
+ 	$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&amp;/g' -e '1,$s/</&lt;/g' >>$strfile
+ 	echo "    </pre>" >>$strfile

SOURCES/cups-fips-restrict-md5.patch

@@ -0,0 +1,124 @@
+diff --git a/cups/http-support.c b/cups/http-support.c
+index a4bc079..9ee2309 100644
+--- a/cups/http-support.c
++++ b/cups/http-support.c
+@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
+     * Use old RFC 2069 Digest method...
+     */
+ 
++    if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
++    {
++      DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
++      return (0);
++    }
++
+     /* H(A1) = H(username:realm:password) */
+     snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+     hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+diff --git a/cups/md5passwd.c b/cups/md5passwd.c
+index 9af5de2..5c9a64e 100644
+--- a/cups/md5passwd.c
++++ b/cups/md5passwd.c
+@@ -19,6 +19,9 @@
+ /*
+  * 'httpMD5()' - Compute the MD5 sum of the username:group:password.
+  *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+  * @deprecated@
+  */
+ 
+@@ -28,22 +31,13 @@ httpMD5(const char *username,		/* I - User name */
+         const char *passwd,		/* I - Password string */
+ 	char       md5[33])		/* O - MD5 string */
+ {
+-  unsigned char		sum[16];	/* Sum data */
+-  char			line[256];	/* Line to sum */
+-
+-
+- /*
+-  * Compute the MD5 sum of the user name, group name, and password.
+-  */
++  (void)username;
++  (void)realm;
++  (void)passwd;
+ 
+-  snprintf(line, sizeof(line), "%s:%s:%s", username, realm, passwd);
+-  cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
++  md5[0] = '\0';
+ 
+- /*
+-  * Return the sum...
+-  */
+-
+-  return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++  return (NULL);
+ }
+ 
+ 
+@@ -52,6 +46,9 @@ httpMD5(const char *username,		/* I - User name */
+  *                    with the server-supplied nonce value, method, and
+  *                    request-uri.
+  *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+  * @deprecated@
+  */
+ 
+@@ -61,35 +58,22 @@ httpMD5Final(const char *nonce,		/* I - Server nonce value */
+ 	     const char *resource,	/* I - Resource path */
+              char       md5[33])	/* IO - MD5 sum */
+ {
+-  unsigned char		sum[16];	/* Sum data */
+-  char			line[1024];	/* Line of data */
+-  char			a2[33];		/* Hash of method and resource */
+-
++  (void)nonce;
++  (void)method;
++  (void)resource;
+ 
+- /*
+-  * First compute the MD5 sum of the method and resource...
+-  */
++  md5[0] = '\0';
+ 
+-  snprintf(line, sizeof(line), "%s:%s", method, resource);
+-  cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+-  cupsHashString(sum, sizeof(sum), a2, sizeof(a2));
+-
+- /*
+-  * Then combine A1 (MD5 of username, realm, and password) with the nonce
+-  * and A2 (method + resource) values to get the final MD5 sum for the
+-  * request...
+-  */
+-
+-  snprintf(line, sizeof(line), "%s:%s:%s", md5, nonce, a2);
+-  cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+-
+-  return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++  return (NULL);
+ }
+ 
+ 
+ /*
+  * 'httpMD5String()' - Convert an MD5 sum to a character string.
+  *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+  * @deprecated@
+  */
+ 
+@@ -98,5 +82,9 @@ httpMD5String(const unsigned char *sum,	/* I - MD5 sum data */
+               char                md5[33])
+ 					/* O - MD5 sum in hex */
+ {
+-  return ((char *)cupsHashString(sum, 16, md5, 33));
++  (void)sum;
++
++  md5[0] = '\0';
++
++  return (NULL);
+ }

SPECS/cups.spec

@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -86,6 +86,15 @@ Patch19: 0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch
 Patch20: cups-restart-job-hold-until.patch
 # 2022365 - Annocheck fails due incorrect flags during compilation/linking
 Patch21: cups-fstack-strong.patch
+# 2019842 - Add more warning messages about drivers going deprecated
+Patch22: cups-deprecate-drivers.patch
+# 2018955 - RFE: Implement IdleExitTimeout configuration during build
+Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch
+# 2018951 - RFE: Implement TimeoutStartSec configuration during build
+Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
+# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
+Patch25: cups-fips-restrict-md5.patch
+
 
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -303,6 +312,14 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch20 -p1 -b .restart-hold-job
 # 2022365 - Annocheck fails due incorrect flags during compilation/linking
 %patch21 -p1 -b .fstack-strong
+# 2019842 - Add more warning messages about drivers going deprecated
+%patch22 -p1 -b .deprecate-warnings
+# 2018955 - RFE: Implement IdleExitTimeout configuration during build
+%patch23 -p1 -b .idleexittimeout
+# 2018951 - RFE: Implement TimeoutStartSec configuration during build
+%patch24 -p1 -b .conf-timeoutstartsec
+# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
+%patch25 -p1 -b .restrict-md5
 
 
 %if %{lspp}
@@ -352,6 +369,10 @@ export LDFLAGS="$LDFLAGS $RPM_LD_FLAGS -Wall -fstack-clash-protection -D_FORTIFY
 	--enable-page-logging \
 	--with-rundir=%{_rundir}/cups \
 	--enable-sync-on-close \
+%if 0%{?rhel}
+  --without-idle-exit-timeout \
+  --without-systemd-timeoutstartsec \
+%endif
 	localedir=%{_datadir}/locale
 
 # If we got this far, all prerequisite libraries must be here.
@@ -402,6 +423,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf
 touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
 touch %{buildroot}%{_sysconfdir}/cups/lpoptions
 
+# deny MD5 digest authentication by default in client.conf
+cat > %{buildroot}%{_sysconfdir}/cups/client.conf <<EOF
+# MD5 Digest authentication is turned off by default
+# because MD5 is marked as insecure for authentication.
+#
+# If you need MD5 Digest authentication and you are aware of
+# potential security risk, turn MD5 Digest authentication on
+# by changing the directive value to 'None'.
+
+DigestOptions DenyMD5
+EOF
+
 # LSB 3.2 printer driver directory
 mkdir -p %{buildroot}%{_datadir}/ppd
 
@@ -454,6 +487,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
 %post
 %systemd_post %{name}.path %{name}.socket %{name}.service
 
+# remove this after F36 is EOL
+# - previously the file was empty by default, so check whether the directive exists
+#   and if not, add the directive+value
+# - we don't check for directive value in case some users already know they need MD5
+#   Digest authentication, so we won't break their setup with every update
+# - ^\s* prevents matching comments and ignores whitespaces at the beginning
+grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
+>> %{_sysconfdir}/cups/client.conf
+
 # Because of moving logs to journal, we need to create placeholder files
 # at /var/log/cups for users, whose are going to install CUPS on new OS
 # machine with info message
@@ -702,6 +744,18 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Mon Dec 06 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
+- 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
+
+* Wed Dec 01 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
+- 2018951 - RFE: Implement TimeoutStartSec configuration during build
+
+* Mon Nov 29 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
+- 2018955 - RFE: Implement IdleExitTimeout configuration during build
+
+* Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
+- 2019842 - Add more warning messages about drivers going deprecated
+
 * Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10
 - 2022365 - Annocheck fails due incorrect flags during compilation/linking