import CS cups-2.3.3op2-21.el9
This commit is contained in:
parent
a809b1476b
commit
8c32f132c0
@ -0,0 +1,21 @@
|
|||||||
|
diff -up cups-2.3.3op2/backend/lpd.c.lpd-delay cups-2.3.3op2/backend/lpd.c
|
||||||
|
--- cups-2.3.3op2/backend/lpd.c.lpd-delay 2021-02-01 22:10:25.000000000 +0100
|
||||||
|
+++ cups-2.3.3op2/backend/lpd.c 2023-06-28 17:28:52.465476261 +0200
|
||||||
|
@@ -63,7 +63,7 @@ static int abort_job = 0; /* Non-zero i
|
||||||
|
|
||||||
|
#define RESERVE_NONE 0 /* Don't reserve a priviledged port */
|
||||||
|
#define RESERVE_RFC1179 1 /* Reserve port 721-731 */
|
||||||
|
-#define RESERVE_ANY 2 /* Reserve port 1-1023 */
|
||||||
|
+#define RESERVE_ANY 2 /* Reserve port 512-1023 */
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -778,7 +778,7 @@ lpd_queue(const char *hostname, /*
|
||||||
|
|
||||||
|
if (lport < 721 && reserve == RESERVE_RFC1179)
|
||||||
|
lport = 731;
|
||||||
|
- else if (lport < 1)
|
||||||
|
+ else if (lport < 512)
|
||||||
|
lport = 1023;
|
||||||
|
|
||||||
|
#ifdef HAVE_GETEUID
|
@ -0,0 +1,64 @@
|
|||||||
|
From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rose <83477269+AtariDreams@users.noreply.github.com>
|
||||||
|
Date: Thu, 1 Jun 2023 11:33:39 -0400
|
||||||
|
Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
|
||||||
|
|
||||||
|
httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
|
||||||
|
|
||||||
|
We have to log the hostname first.
|
||||||
|
---
|
||||||
|
scheduler/client.c | 16 +++++++---------
|
||||||
|
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||||
|
index 91e441188..327473a4d 100644
|
||||||
|
--- a/scheduler/client.c
|
||||||
|
+++ b/scheduler/client.c
|
||||||
|
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||||
|
/*
|
||||||
|
* Can't have an unresolved IP address with double-lookups enabled...
|
||||||
|
*/
|
||||||
|
-
|
||||||
|
- httpClose(con->http);
|
||||||
|
-
|
||||||
|
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||||
|
- "Name lookup failed - connection from %s closed!",
|
||||||
|
+ "Name lookup failed - closing connection from %s!",
|
||||||
|
httpGetHostname(con->http, NULL, 0));
|
||||||
|
|
||||||
|
+ httpClose(con->http);
|
||||||
|
free(con);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||||
|
* with double-lookups enabled...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- httpClose(con->http);
|
||||||
|
-
|
||||||
|
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||||
|
- "IP lookup failed - connection from %s closed!",
|
||||||
|
+ "IP lookup failed - closing connection from %s!",
|
||||||
|
httpGetHostname(con->http, NULL, 0));
|
||||||
|
+
|
||||||
|
+ httpClose(con->http);
|
||||||
|
free(con);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||||
|
|
||||||
|
if (!hosts_access(&wrap_req))
|
||||||
|
{
|
||||||
|
- httpClose(con->http);
|
||||||
|
-
|
||||||
|
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||||
|
"Connection from %s refused by /etc/hosts.allow and "
|
||||||
|
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
|
||||||
|
+
|
||||||
|
+ httpClose(con->http);
|
||||||
|
free(con);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||||
|
Date: Tue, 6 Dec 2022 09:04:01 -0500
|
||||||
|
Subject: [PATCH] Require authentication for CUPS-Get-Document.
|
||||||
|
|
||||||
|
---
|
||||||
|
conf/cupsd.conf.in | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
|
||||||
|
index b25884907..a07536f3e 100644
|
||||||
|
--- a/conf/cupsd.conf.in
|
||||||
|
+++ b/conf/cupsd.conf.in
|
||||||
|
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||||
|
Order deny,allow
|
||||||
|
</Limit>
|
||||||
|
|
||||||
|
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||||
|
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
|
||||||
|
+ Require user @OWNER @SYSTEM
|
||||||
|
+ Order deny,allow
|
||||||
|
+ </Limit>
|
||||||
|
+
|
||||||
|
+ <Limit CUPS-Get-Document>
|
||||||
|
+ AuthType Default
|
||||||
|
Require user @OWNER @SYSTEM
|
||||||
|
Order deny,allow
|
||||||
|
</Limit>
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,48 @@
|
|||||||
|
From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001
|
||||||
|
From: Bryan Mason <bmason@redhat.com>
|
||||||
|
Date: Tue, 27 Jun 2023 04:18:46 -0700
|
||||||
|
Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a
|
||||||
|
single job (#742)
|
||||||
|
|
||||||
|
The command "cancel -x <job>" adds "purge-jobs true" to the Cancel-Job
|
||||||
|
operation; however, the correct attribute to use for Cancel-job is
|
||||||
|
"purge-job" (singular), not "purge-jobs" (plural). As a result, job
|
||||||
|
files are not removed from /var/spool/cups when "cancel -x <job>" is
|
||||||
|
executed.
|
||||||
|
|
||||||
|
This patch resolves the issue by adding "purge-job" when the IPP
|
||||||
|
operation is Cancel-Job and "purge-jobs" for other IPP operations
|
||||||
|
(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs)
|
||||||
|
---
|
||||||
|
systemv/cancel.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/systemv/cancel.c b/systemv/cancel.c
|
||||||
|
index 572f413e1..f5b8e12b5 100644
|
||||||
|
--- a/systemv/cancel.c
|
||||||
|
+++ b/systemv/cancel.c
|
||||||
|
@@ -260,6 +260,7 @@ main(int argc, /* I - Number of command-line arguments */
|
||||||
|
* attributes-natural-language
|
||||||
|
* printer-uri + job-id *or* job-uri
|
||||||
|
* [requesting-user-name]
|
||||||
|
+ * [purge-job] or [purge-jobs]
|
||||||
|
*/
|
||||||
|
|
||||||
|
request = ippNewRequest(op);
|
||||||
|
@@ -294,7 +295,12 @@ main(int argc, /* I - Number of command-line arguments */
|
||||||
|
"requesting-user-name", NULL, cupsUser());
|
||||||
|
|
||||||
|
if (purge)
|
||||||
|
- ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
|
||||||
|
+ {
|
||||||
|
+ if (op == IPP_CANCEL_JOB)
|
||||||
|
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge);
|
||||||
|
+ else
|
||||||
|
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Do the request and get back a response...
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,35 @@
|
|||||||
|
From 876fdc1c90a885a58644c8757bc1283c9fd5bcb7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vasilis Liaskovitis <vliaskovitis@suse.com>
|
||||||
|
Date: Wed, 1 Mar 2023 13:46:28 +0100
|
||||||
|
Subject: [PATCH] cups/http-addr.c: Set listen backlog size to INT_MAX (fixes
|
||||||
|
#308)
|
||||||
|
|
||||||
|
Use a listen queue size of INT_MAX, which should default to the maximum
|
||||||
|
supported queue size on the system.
|
||||||
|
|
||||||
|
This avoids the problem of the listening backlog queue getting full when
|
||||||
|
there are too many requests at the same time. The problem was observed
|
||||||
|
with the previous backlog size (128) by customers when submitting large
|
||||||
|
batches of print jobs, resulting in some jobs getting lost.
|
||||||
|
|
||||||
|
Signed-off-by: Vasilis Liaskovitis <vliaskovitis@suse.com>
|
||||||
|
---
|
||||||
|
cups/http-addr.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/cups/http-addr.c b/cups/http-addr.c
|
||||||
|
index a61ee0449..6aeeb8074 100644
|
||||||
|
--- a/cups/http-addr.c
|
||||||
|
+++ b/cups/http-addr.c
|
||||||
|
@@ -249,7 +249,7 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
|
||||||
|
* Listen...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if (listen(fd, 128))
|
||||||
|
+ if (listen(fd, INT_MAX))
|
||||||
|
{
|
||||||
|
_cupsSetHTTPError(HTTP_STATUS_ERROR);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
34
SOURCES/0001-cups-strlcpy-handle-zero-size.patch
Normal file
34
SOURCES/0001-cups-strlcpy-handle-zero-size.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
From 5e3107e734f06d410a490e8bc923dc3119f17671 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||||
|
Date: Wed, 17 May 2023 12:59:57 -0400
|
||||||
|
Subject: [PATCH] Consensus fix.
|
||||||
|
|
||||||
|
---
|
||||||
|
cups/string.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/cups/string.c b/cups/string.c
|
||||||
|
index 00454203c..b4fc12050 100644
|
||||||
|
--- a/cups/string.c
|
||||||
|
+++ b/cups/string.c
|
||||||
|
@@ -1,6 +1,7 @@
|
||||||
|
/*
|
||||||
|
* String functions for CUPS.
|
||||||
|
*
|
||||||
|
+ * Copyright © 2023 by OpenPrinting.
|
||||||
|
* Copyright © 2007-2019 by Apple Inc.
|
||||||
|
* Copyright © 1997-2007 by Easy Software Products.
|
||||||
|
*
|
||||||
|
@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
|
||||||
|
size_t srclen; /* Length of source string */
|
||||||
|
|
||||||
|
|
||||||
|
+ if (size == 0)
|
||||||
|
+ return (0);
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Figure out how much room is needed...
|
||||||
|
*/
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
@ -167,11 +167,11 @@ index 4498a8c..8776874 100755
|
|||||||
count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
|
count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
|
||||||
-if test $count != 8; then
|
-if test $count != 8; then
|
||||||
- echo "FAIL: $count warning messages, expected 8."
|
- echo "FAIL: $count warning messages, expected 8."
|
||||||
+if test $count != 10; then
|
+if test $count != 9; then
|
||||||
+ echo "FAIL: $count warning messages, expected 10."
|
+ echo "FAIL: $count warning messages, expected 9."
|
||||||
$GREP '^W ' $BASE/log/error_log
|
$GREP '^W ' $BASE/log/error_log
|
||||||
- echo " <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile
|
- echo " <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile
|
||||||
+ echo " <p>FAIL: $count warning messages, expected 10.</p>" >>$strfile
|
+ echo " <p>FAIL: $count warning messages, expected 9.</p>" >>$strfile
|
||||||
echo " <pre>" >>$strfile
|
echo " <pre>" >>$strfile
|
||||||
$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&/g' -e '1,$s/</</g' >>$strfile
|
$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&/g' -e '1,$s/</</g' >>$strfile
|
||||||
echo " </pre>" >>$strfile
|
echo " </pre>" >>$strfile
|
||||||
|
115
SOURCES/cups-local-negotiate.patch
Normal file
115
SOURCES/cups-local-negotiate.patch
Normal file
@ -0,0 +1,115 @@
|
|||||||
|
diff --git a/cups/auth.c b/cups/auth.c
|
||||||
|
index db45bbb..b6fec6b 100644
|
||||||
|
--- a/cups/auth.c
|
||||||
|
+++ b/cups/auth.c
|
||||||
|
@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
|
||||||
|
# define cups_gss_printf(major, minor, message)
|
||||||
|
# endif /* DEBUG */
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
+static int cups_is_local_connection(http_t *http);
|
||||||
|
static int cups_local_auth(http_t *http);
|
||||||
|
|
||||||
|
|
||||||
|
@@ -174,10 +175,10 @@ cupsDoAuthentication(
|
||||||
|
DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
|
||||||
|
|
||||||
|
#ifdef HAVE_GSSAPI
|
||||||
|
- if (!_cups_strcasecmp(scheme, "Negotiate"))
|
||||||
|
+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
- * Kerberos authentication...
|
||||||
|
+ * Kerberos authentication to remote server...
|
||||||
|
*/
|
||||||
|
|
||||||
|
int gss_status; /* Auth status */
|
||||||
|
@@ -201,7 +202,9 @@ cupsDoAuthentication(
|
||||||
|
}
|
||||||
|
else
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
|
||||||
|
+ if (_cups_strcasecmp(scheme, "Basic") &&
|
||||||
|
+ _cups_strcasecmp(scheme, "Digest") &&
|
||||||
|
+ _cups_strcasecmp(scheme, "Negotiate"))
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Other schemes not yet supported...
|
||||||
|
@@ -215,7 +218,7 @@ cupsDoAuthentication(
|
||||||
|
* See if we should retry the current username:password...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
|
||||||
|
+ if (http->digest_tries > 1 || !http->userpass[0])
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Nope - get a new password from the user...
|
||||||
|
@@ -295,7 +298,7 @@ cupsDoAuthentication(
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (http->authstring)
|
||||||
|
+ if (http->authstring && http->authstring[0])
|
||||||
|
{
|
||||||
|
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
|
||||||
|
|
||||||
|
@@ -916,6 +919,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
|
||||||
|
# endif /* DEBUG */
|
||||||
|
#endif /* HAVE_GSSAPI */
|
||||||
|
|
||||||
|
+static int /* O - 0 if not a local connection */
|
||||||
|
+ /* 1 if local connection */
|
||||||
|
+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
|
||||||
|
+{
|
||||||
|
+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* 'cups_local_auth()' - Get the local authorization certificate if
|
||||||
|
@@ -958,7 +969,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
|
||||||
|
* See if we are accessing localhost...
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
|
||||||
|
+ if (!cups_is_local_connection(http))
|
||||||
|
{
|
||||||
|
DEBUG_puts("8cups_local_auth: Not a local connection!");
|
||||||
|
return (1);
|
||||||
|
@@ -1032,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
|
||||||
|
}
|
||||||
|
# endif /* HAVE_AUTHORIZATION_H */
|
||||||
|
|
||||||
|
-# ifdef HAVE_GSSAPI
|
||||||
|
- if (cups_auth_find(www_auth, "Negotiate"))
|
||||||
|
- return (1);
|
||||||
|
-# endif /* HAVE_GSSAPI */
|
||||||
|
-
|
||||||
|
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
|
||||||
|
/*
|
||||||
|
* See if we can authenticate using the peer credentials provided over a
|
||||||
|
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||||
|
index 89c76bf..40708d9 100644
|
||||||
|
--- a/scheduler/client.c
|
||||||
|
+++ b/scheduler/client.c
|
||||||
|
@@ -2244,18 +2244,13 @@ cupsdSendHeader(
|
||||||
|
}
|
||||||
|
else if (auth_type == CUPSD_AUTH_NEGOTIATE)
|
||||||
|
{
|
||||||
|
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
|
||||||
|
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
|
||||||
|
- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
|
||||||
|
- else
|
||||||
|
-#endif /* SO_PEERCRED && AF_LOCAL */
|
||||||
|
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
|
||||||
|
+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
- * Add a "trc" (try root certification) parameter for local non-Kerberos
|
||||||
|
+ * Add a "trc" (try root certification) parameter for local
|
||||||
|
* requests when the request requires system group membership - then the
|
||||||
|
* client knows the root certificate can/should be used.
|
||||||
|
*
|
171
SOURCES/upgrade_get_document.py.in
Executable file
171
SOURCES/upgrade_get_document.py.in
Executable file
@ -0,0 +1,171 @@
|
|||||||
|
@PYTHON_SHEBANG@
|
||||||
|
|
||||||
|
"""
|
||||||
|
Upgrade script to enable authentication for CUPS-Get-Document in
|
||||||
|
default policy
|
||||||
|
"""
|
||||||
|
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
from shutil import copy
|
||||||
|
|
||||||
|
|
||||||
|
def get_cupsd_conf():
|
||||||
|
"""
|
||||||
|
Get all lines from cupsd.conf
|
||||||
|
"""
|
||||||
|
if not os.path.exists('/etc/cups/cupsd.conf'):
|
||||||
|
return None
|
||||||
|
|
||||||
|
lines = []
|
||||||
|
with open('/etc/cups/cupsd.conf', 'r') as conf:
|
||||||
|
lines = conf.readlines()
|
||||||
|
|
||||||
|
return lines
|
||||||
|
|
||||||
|
|
||||||
|
def get_default_policy(lines):
|
||||||
|
"""
|
||||||
|
Get the default policy lines
|
||||||
|
|
||||||
|
:param list lines: lines from cupsd.conf
|
||||||
|
"""
|
||||||
|
default_policy = []
|
||||||
|
in_policy = False
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
if not in_policy and not line.lstrip().startswith('<Policy default>'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
default_policy.append(line)
|
||||||
|
|
||||||
|
if line.lstrip().startswith('</Policy>'):
|
||||||
|
return default_policy
|
||||||
|
|
||||||
|
in_policy = True
|
||||||
|
|
||||||
|
return default_policy
|
||||||
|
|
||||||
|
|
||||||
|
def get_limit_with_document(lines):
|
||||||
|
"""
|
||||||
|
Get <Limit> scope which defines CUPS-Get-Document operation
|
||||||
|
|
||||||
|
:param list lines: Lines containing the default policy
|
||||||
|
"""
|
||||||
|
limit = []
|
||||||
|
in_limit = False
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
if not in_limit and not line.lstrip().startswith('<Limit'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
if (not in_limit and line.lstrip().startswith('<Limit') and
|
||||||
|
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||||
|
continue
|
||||||
|
|
||||||
|
limit.append(line)
|
||||||
|
|
||||||
|
if line.lstrip().startswith('</Limit>'):
|
||||||
|
return limit
|
||||||
|
|
||||||
|
in_limit = True
|
||||||
|
|
||||||
|
return limit
|
||||||
|
|
||||||
|
|
||||||
|
def check_for_authtype(lines):
|
||||||
|
"""
|
||||||
|
Check if <Limit> defining CUPS-Get-Document defines
|
||||||
|
any authentication
|
||||||
|
|
||||||
|
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
|
||||||
|
"""
|
||||||
|
for line in lines:
|
||||||
|
if line.lstrip().startswith('AuthType'):
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def migrate_cupsd_conf(lines):
|
||||||
|
"""
|
||||||
|
Make changes to cupsd.conf contents to use authentication
|
||||||
|
for CUPS-Get-Document
|
||||||
|
|
||||||
|
:param list lines: Lines from cupsd.conf
|
||||||
|
"""
|
||||||
|
new_lines = []
|
||||||
|
in_policy = False
|
||||||
|
create_document_limit = False
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
if (in_policy and line.lstrip().startswith('<Limit') and
|
||||||
|
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
|
||||||
|
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||||
|
line = line.replace(' CUPS-Get-Document', '')
|
||||||
|
create_document_limit = True
|
||||||
|
|
||||||
|
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
|
||||||
|
new_lines.append('\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'# added during upgrade\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'<Limit CUPS-Get-Document>\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||||
|
'AuthType Default\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||||
|
'Require user @OWNER @SYSTEM\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||||
|
'Order deny,allow\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'</Limit>\n')
|
||||||
|
create_document_limit = False
|
||||||
|
|
||||||
|
new_lines.append(line)
|
||||||
|
|
||||||
|
if not in_policy:
|
||||||
|
if line.lstrip().startswith('<Policy default>'):
|
||||||
|
in_policy = True
|
||||||
|
continue
|
||||||
|
|
||||||
|
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'# added during upgrade\n')
|
||||||
|
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||||
|
'AuthType Default\n')
|
||||||
|
continue
|
||||||
|
|
||||||
|
if line.lstrip().startswith('</Policy>'):
|
||||||
|
in_policy = False
|
||||||
|
continue
|
||||||
|
|
||||||
|
return new_lines
|
||||||
|
|
||||||
|
|
||||||
|
def apply_changes(lines):
|
||||||
|
"""
|
||||||
|
Backup the original file if there is no .rpmsave already and
|
||||||
|
apply changes to the actual cupsd.conf
|
||||||
|
|
||||||
|
:param list lines: New lines for cupsd.conf
|
||||||
|
"""
|
||||||
|
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
|
||||||
|
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
|
||||||
|
|
||||||
|
with open('/etc/cups/cupsd.conf', 'w') as conf:
|
||||||
|
conf.writelines(lines)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
content = get_cupsd_conf()
|
||||||
|
if content is None:
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
new_content = migrate_cupsd_conf(content)
|
||||||
|
|
||||||
|
apply_changes(new_content)
|
||||||
|
|
||||||
|
sys.exit(0)
|
@ -7,6 +7,13 @@
|
|||||||
# but we use lib for compatibility with 3rd party drivers (at upstream request).
|
# but we use lib for compatibility with 3rd party drivers (at upstream request).
|
||||||
%global cups_serverbin %{_exec_prefix}/lib/cups
|
%global cups_serverbin %{_exec_prefix}/lib/cups
|
||||||
|
|
||||||
|
# we still need something for python2...
|
||||||
|
%if 0%{?rhel} >= 8 || 0%{?fedora}
|
||||||
|
%bcond_without python3
|
||||||
|
%else
|
||||||
|
%bcond_with python3
|
||||||
|
%endif
|
||||||
|
|
||||||
#%%global prever rc1
|
#%%global prever rc1
|
||||||
#%%global VERSION %%{version}%%{prever}
|
#%%global VERSION %%{version}%%{prever}
|
||||||
%global VERSION %{version}
|
%global VERSION %{version}
|
||||||
@ -17,7 +24,7 @@ Summary: CUPS printing system
|
|||||||
Name: cups
|
Name: cups
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.3.3%{OP_VER}
|
Version: 2.3.3%{OP_VER}
|
||||||
Release: 16%{?dist}
|
Release: 21%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Url: http://www.cups.org/
|
Url: http://www.cups.org/
|
||||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||||
@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
|
|||||||
Source1: cupsprinter.png
|
Source1: cupsprinter.png
|
||||||
# cups_serverbin macro definition for use during builds
|
# cups_serverbin macro definition for use during builds
|
||||||
Source2: macros.cups
|
Source2: macros.cups
|
||||||
|
# CVE-2023-32360 migration script
|
||||||
|
Source3: upgrade_get_document.py.in
|
||||||
|
|
||||||
# PAM enablement, very old patch, not even git can track when or why
|
# PAM enablement, very old patch, not even git can track when or why
|
||||||
# the patch was added.
|
# the patch was added.
|
||||||
@ -103,6 +112,20 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
|
|||||||
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
|
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
|
||||||
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||||
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
|
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
|
||||||
|
# 2189919 - CGI scripts don't work with local Negotiate authentication
|
||||||
|
Patch30: cups-local-negotiate.patch
|
||||||
|
# 2217177 - Delays printing to lpd when reserved ports are exhausted
|
||||||
|
Patch31: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
|
||||||
|
# 2217284 - The command "cancel -x <job>" does not remove job files
|
||||||
|
Patch32: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
|
||||||
|
# 2217954 - Enlarge backlog queue for listen() in cupsd
|
||||||
|
Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
|
||||||
|
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||||
|
Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
|
||||||
|
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
|
||||||
|
Patch35: 0001-cups-strlcpy-handle-zero-size.patch
|
||||||
|
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||||
|
Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch
|
||||||
|
|
||||||
|
|
||||||
##### Patches removed because IMHO they aren't no longer needed
|
##### Patches removed because IMHO they aren't no longer needed
|
||||||
@ -169,6 +192,13 @@ Requires(post): grep, sed
|
|||||||
Requires(preun): systemd
|
Requires(preun): systemd
|
||||||
Requires(postun): systemd
|
Requires(postun): systemd
|
||||||
|
|
||||||
|
# for upgrade-get-document script
|
||||||
|
%if %{with python3}
|
||||||
|
Requires(post): python3
|
||||||
|
%else
|
||||||
|
Requires(post): python
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%package client
|
%package client
|
||||||
Summary: CUPS printing system - client programs
|
Summary: CUPS printing system - client programs
|
||||||
@ -337,6 +367,20 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
|||||||
%patch28 -p1 -b .manpage-update
|
%patch28 -p1 -b .manpage-update
|
||||||
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||||
%patch29 -p1 -b .cve26691
|
%patch29 -p1 -b .cve26691
|
||||||
|
# 2189919 - CGI scripts don't work with local Negotiate authentication
|
||||||
|
%patch30 -p1 -b .local-negotiate
|
||||||
|
# 2217177 - Delays printing to lpd when reserved ports are exhausted
|
||||||
|
%patch31 -p1 -b .lpd-delay
|
||||||
|
# 2217284 - The command "cancel -x <job>" does not remove job files
|
||||||
|
%patch32 -p1 -b .purge-job
|
||||||
|
# 2217954 - Enlarge backlog queue for listen() in cupsd
|
||||||
|
%patch33 -p1 -b .listen-backlog
|
||||||
|
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||||
|
%patch34 -p1 -b .cve34241
|
||||||
|
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
|
||||||
|
%patch35 -p1 -b .cve32324
|
||||||
|
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||||
|
%patch36 -p1 -b .get-document-auth
|
||||||
|
|
||||||
%if %{lspp}
|
%if %{lspp}
|
||||||
# LSPP support.
|
# LSPP support.
|
||||||
@ -500,6 +544,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
|||||||
/^\([^%].*\)/d
|
/^\([^%].*\)/d
|
||||||
' > %{name}.lang
|
' > %{name}.lang
|
||||||
|
|
||||||
|
# install get-document upgrade script
|
||||||
|
install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
|
||||||
|
|
||||||
|
%if %{with python3}
|
||||||
|
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||||
|
%else
|
||||||
|
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||||
|
%endif
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||||
|
|
||||||
@ -547,6 +600,8 @@ do
|
|||||||
done
|
done
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%{_sbindir}/upgrade_get_document
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%post client
|
%post client
|
||||||
@ -760,6 +815,30 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
%{_mandir}/man7/ippeveps.7.gz
|
%{_mandir}/man7/ippeveps.7.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-21
|
||||||
|
- bump the spec because the previous build was made with buildroot 9.2
|
||||||
|
|
||||||
|
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-20
|
||||||
|
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||||
|
|
||||||
|
* Thu Jun 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
|
||||||
|
- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||||
|
- CVE-2023-32324 cups: heap buffer overflow may lead to DoS
|
||||||
|
|
||||||
|
* Wed Jun 28 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
|
||||||
|
- 2217177 - Delays printing to lpd when reserved ports are exhausted
|
||||||
|
- 2217284 - The command "cancel -x <job>" does not remove job files
|
||||||
|
- 2217954 - Enlarge backlog queue for listen() in cupsd
|
||||||
|
|
||||||
|
* Wed Apr 26 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-18
|
||||||
|
- 2189919 - CGI scripts don't work with local Negotiate authentication
|
||||||
|
|
||||||
|
* Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
|
||||||
|
- RHEL-314 - Enable fmf tests in centos stream
|
||||||
|
|
||||||
|
* Thu Mar 23 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
|
||||||
|
- RHEL-317 - upstream test suite fails due uncorrect number of expected warnings
|
||||||
|
|
||||||
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
|
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
|
||||||
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
- CVE-2022-26691 cups: authorization bypass when using "local" authorization
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user