import CS cups-2.3.3op2-21.el9

eabdullin 2023-09-21 18:15:26 +00:00
parent a809b1476b
commit 8c32f132c0
10 changed files with 602 additions and 4 deletions


@ -0,0 +1,21 @@
diff -up cups-2.3.3op2/backend/lpd.c.lpd-delay cups-2.3.3op2/backend/lpd.c
--- cups-2.3.3op2/backend/lpd.c.lpd-delay 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/backend/lpd.c 2023-06-28 17:28:52.465476261 +0200
@@ -63,7 +63,7 @@ static int abort_job = 0; /* Non-zero i
#define RESERVE_NONE 0 /* Don't reserve a priviledged port */
#define RESERVE_RFC1179 1 /* Reserve port 721-731 */
-#define RESERVE_ANY 2 /* Reserve port 1-1023 */
+#define RESERVE_ANY 2 /* Reserve port 512-1023 */
/*
@@ -778,7 +778,7 @@ lpd_queue(const char *hostname, /*
if (lport < 721 && reserve == RESERVE_RFC1179)
lport = 731;
- else if (lport < 1)
+ else if (lport < 512)
lport = 1023;
#ifdef HAVE_GETEUID
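Review bot: The new lower bound in `else if (lport < 512)` is a bare literal whose rationale is not stated in the hunk, and it now has to stay in sync with the `RESERVE_ANY` comment edited in the first hunk. A why-comment on the wrap-around, e.g. `/* Wrap at 512: RESERVE_ANY only cycles through 512-1023 */`, would keep the two from drifting; if the intent is to match the range `rresvport()` uses, say so there (inferred, not stated in the patch). The enclosing `lpd_queue()` loop starts and ends outside the hunk, so how many bind attempts are made before giving up is not visible here.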


@ -0,0 +1,64 @@
From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
From: Rose <83477269+AtariDreams@users.noreply.github.com>
Date: Thu, 1 Jun 2023 11:33:39 -0400
Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
We have to log the hostname first.
---
scheduler/client.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/scheduler/client.c b/scheduler/client.c
index 91e441188..327473a4d 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
/*
* Can't have an unresolved IP address with double-lookups enabled...
*/
-
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "Name lookup failed - connection from %s closed!",
+ "Name lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
+ httpClose(con->http);
free(con);
return;
}
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
* with double-lookups enabled...
*/
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "IP lookup failed - connection from %s closed!",
+ "IP lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
+
+ httpClose(con->http);
free(con);
return;
}
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
if (!hosts_access(&wrap_req))
{
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
"Connection from %s refused by /etc/hosts.allow and "
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+ httpClose(con->http);
free(con);
return;
}
--
2.41.0
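Review bot: Nothing in the three reordered branches of `cupsdAcceptClient()` records why the log call must come before the close, so a later cleanup could reintroduce the use-after-free the commit message describes. I would add one comment above each `cupsdLogClient(...)` call, e.g. `/* Log before httpClose(): httpGetHostname() reads con->http, which httpClose() frees. */`. This applies equally to the "IP lookup failed" branch in the second hunk and the `hosts_access()` branch in the third. Blank-line placement before `httpClose(con->http);` also differs between the first hunk and the other two. The function body extends beyond all three hunks.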


@ -0,0 +1,31 @@
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Tue, 6 Dec 2022 09:04:01 -0500
Subject: [PATCH] Require authentication for CUPS-Get-Document.
---
conf/cupsd.conf.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
index b25884907..a07536f3e 100644
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
Order deny,allow
</Limit>
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
+
+ <Limit CUPS-Get-Document>
+ AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
--
2.41.0
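Review bot: The new `<Limit CUPS-Get-Document>` block carries no comment saying why it is split out of the job-operations limit, so a later tidy-up could merge it back and silently drop the `AuthType Default` line. A comment above it, such as `# Job documents may contain sensitive data: always require authentication to fetch them`, would make the intent explicit. `AuthType Default` defers to the server's `DefaultAuthType` setting, so the effective protection depends on that value. Only the policy section shown in this hunk is changed; whether other policy sections in the template already set an `AuthType` for this operation is not visible here.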


@ -0,0 +1,48 @@
From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001
From: Bryan Mason <bmason@redhat.com>
Date: Tue, 27 Jun 2023 04:18:46 -0700
Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a
single job (#742)
The command "cancel -x <job>" adds "purge-jobs true" to the Cancel-Job
operation; however, the correct attribute to use for Cancel-job is
"purge-job" (singular), not "purge-jobs" (plural). As a result, job
files are not removed from /var/spool/cups when "cancel -x <job>" is
executed.
This patch resolves the issue by adding "purge-job" when the IPP
operation is Cancel-Job and "purge-jobs" for other IPP operations
(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs)
---
systemv/cancel.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/systemv/cancel.c b/systemv/cancel.c
index 572f413e1..f5b8e12b5 100644
--- a/systemv/cancel.c
+++ b/systemv/cancel.c
@@ -260,6 +260,7 @@ main(int argc, /* I - Number of command-line arguments */
* attributes-natural-language
* printer-uri + job-id *or* job-uri
* [requesting-user-name]
+ * [purge-job] or [purge-jobs]
*/
request = ippNewRequest(op);
@@ -294,7 +295,12 @@ main(int argc, /* I - Number of command-line arguments */
"requesting-user-name", NULL, cupsUser());
if (purge)
- ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
+ {
+ if (op == IPP_CANCEL_JOB)
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge);
+ else
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
+ }
/*
* Do the request and get back a response...
--
2.41.0
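Review bot: The added `if (op == IPP_CANCEL_JOB)` / `else` pair in the second hunk duplicates the whole `ippAddBoolean()` call for a one-word difference in the attribute name. Selecting the name inline keeps it to one call: `ippAddBoolean(request, IPP_TAG_OPERATION, op == IPP_CANCEL_JOB ? "purge-job" : "purge-jobs", (char)purge);`. The un-braced inner `if`/`else` is also easy to break when a statement is added later. `main()` starts and ends outside the hunks.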


@ -0,0 +1,35 @@
From 876fdc1c90a885a58644c8757bc1283c9fd5bcb7 Mon Sep 17 00:00:00 2001
From: Vasilis Liaskovitis <vliaskovitis@suse.com>
Date: Wed, 1 Mar 2023 13:46:28 +0100
Subject: [PATCH] cups/http-addr.c: Set listen backlog size to INT_MAX (fixes
#308)
Use a listen queue size of INT_MAX, which should default to the maximum
supported queue size on the system.
This avoids the problem of the listening backlog queue getting full when
there are too many requests at the same time. The problem was observed
with the previous backlog size (128) by customers when submitting large
batches of print jobs, resulting in some jobs getting lost.
Signed-off-by: Vasilis Liaskovitis <vliaskovitis@suse.com>
---
cups/http-addr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cups/http-addr.c b/cups/http-addr.c
index a61ee0449..6aeeb8074 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -249,7 +249,7 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
* Listen...
*/
- if (listen(fd, 128))
+ if (listen(fd, INT_MAX))
{
_cupsSetHTTPError(HTTP_STATUS_ERROR);
--
2.41.0
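Review bot: `listen(fd, INT_MAX)` relies on `INT_MAX` being declared, but the patch adds no `#include <limits.h>` to cups/http-addr.c; whether an existing header already pulls it in is not visible in this hunk. The call also depends on the kernel clamping an oversized backlog, which the commit message only assumes ("should default to the maximum supported queue size"), so a comment at the call, e.g. `/* Backlog is capped by the OS limit (e.g. net.core.somaxconn on Linux) */`, would make that dependency explicit. With this change the OS limit becomes the only bound on how many not-yet-accepted connections can queue on the scheduler, which is worth stating in the packaging notes. `httpAddrListen()` continues outside the hunk.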


@ -0,0 +1,34 @@
From 5e3107e734f06d410a490e8bc923dc3119f17671 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 17 May 2023 12:59:57 -0400
Subject: [PATCH] Consensus fix.
---
cups/string.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cups/string.c b/cups/string.c
index 00454203c..b4fc12050 100644
--- a/cups/string.c
+++ b/cups/string.c
@@ -1,6 +1,7 @@
/*
* String functions for CUPS.
*
+ * Copyright © 2023 by OpenPrinting.
* Copyright © 2007-2019 by Apple Inc.
* Copyright © 1997-2007 by Easy Software Products.
*
@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
size_t srclen; /* Length of source string */
+ if (size == 0)
+ return (0);
+
/*
* Figure out how much room is needed...
*/
--
2.40.1
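Review bot: The new guard `if (size == 0) return (0);` in `_cups_strlcpy()` returns 0, whereas the BSD `strlcpy()` contract returns `strlen(src)` even for a zero-size buffer so that callers can detect truncation. If any caller compares the result against the source length, `return (strlen(src));` keeps that check meaningful; otherwise the function's header comment (outside this hunk) should document the zero-size return value. The rest of the body is outside the hunk, so the arithmetic the guard protects is not visible here.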


@ -167,11 +167,11 @@ index 4498a8c..8776874 100755
count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'` count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
-if test $count != 8; then -if test $count != 8; then
- echo "FAIL: $count warning messages, expected 8." - echo "FAIL: $count warning messages, expected 8."
+if test $count != 10; then +if test $count != 9; then
+ echo "FAIL: $count warning messages, expected 10." + echo "FAIL: $count warning messages, expected 9."
$GREP '^W ' $BASE/log/error_log $GREP '^W ' $BASE/log/error_log
- echo " <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile - echo " <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile
+ echo " <p>FAIL: $count warning messages, expected 10.</p>" >>$strfile + echo " <p>FAIL: $count warning messages, expected 9.</p>" >>$strfile
echo " <pre>" >>$strfile echo " <pre>" >>$strfile
$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&amp;/g' -e '1,$s/</&lt;/g' >>$strfile $GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&amp;/g' -e '1,$s/</&lt;/g' >>$strfile
echo " </pre>" >>$strfile echo " </pre>" >>$strfile


@ -0,0 +1,115 @@
diff --git a/cups/auth.c b/cups/auth.c
index db45bbb..b6fec6b 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
# define cups_gss_printf(major, minor, message)
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int cups_is_local_connection(http_t *http);
static int cups_local_auth(http_t *http);
@@ -174,10 +175,10 @@ cupsDoAuthentication(
DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
#ifdef HAVE_GSSAPI
- if (!_cups_strcasecmp(scheme, "Negotiate"))
+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
{
/*
- * Kerberos authentication...
+ * Kerberos authentication to remote server...
*/
int gss_status; /* Auth status */
@@ -201,7 +202,9 @@ cupsDoAuthentication(
}
else
#endif /* HAVE_GSSAPI */
- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
+ if (_cups_strcasecmp(scheme, "Basic") &&
+ _cups_strcasecmp(scheme, "Digest") &&
+ _cups_strcasecmp(scheme, "Negotiate"))
{
/*
* Other schemes not yet supported...
@@ -215,7 +218,7 @@ cupsDoAuthentication(
* See if we should retry the current username:password...
*/
- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
+ if (http->digest_tries > 1 || !http->userpass[0])
{
/*
* Nope - get a new password from the user...
@@ -295,7 +298,7 @@ cupsDoAuthentication(
}
}
- if (http->authstring)
+ if (http->authstring && http->authstring[0])
{
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
@@ -916,6 +919,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int /* O - 0 if not a local connection */
+ /* 1 if local connection */
+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
+{
+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ return 0;
+ return 1;
+}
/*
* 'cups_local_auth()' - Get the local authorization certificate if
@@ -958,7 +969,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
* See if we are accessing localhost...
*/
- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ if (!cups_is_local_connection(http))
{
DEBUG_puts("8cups_local_auth: Not a local connection!");
return (1);
@@ -1032,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
}
# endif /* HAVE_AUTHORIZATION_H */
-# ifdef HAVE_GSSAPI
- if (cups_auth_find(www_auth, "Negotiate"))
- return (1);
-# endif /* HAVE_GSSAPI */
-
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
/*
* See if we can authenticate using the peer credentials provided over a
diff --git a/scheduler/client.c b/scheduler/client.c
index 89c76bf..40708d9 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2244,18 +2244,13 @@ cupsdSendHeader(
}
else if (auth_type == CUPSD_AUTH_NEGOTIATE)
{
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
- else
-#endif /* SO_PEERCRED && AF_LOCAL */
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
}
- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
{
/*
- * Add a "trc" (try root certification) parameter for local non-Kerberos
+ * Add a "trc" (try root certification) parameter for local
* requests when the request requires system group membership - then the
* client knows the root certificate can/should be used.
*
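Review bot: The new helper `cups_is_local_connection()` in cups/auth.c has no header comment in the file's `'name()' - description` style, yet it now decides two security-relevant things: whether Negotiate is skipped in `cupsDoAuthentication()` and whether `cups_local_auth()` proceeds. The comment should state that a connection counts as local when `httpAddrLocalhost()` accepts the address or when the hostname string equals "localhost", the latter being a name comparison rather than an address check. The body can be one expression in the file's return style: `return (httpAddrLocalhost(http->hostaddr) || !_cups_strcasecmp(http->hostname, "localhost"));`. In scheduler/client.c the "trc" condition likewise keys on the hostname string now that the `auth_type != CUPSD_AUTH_NEGOTIATE` test is gone; both enclosing functions extend beyond the hunks.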


@ -0,0 +1,171 @@
@PYTHON_SHEBANG@
"""
Upgrade script to enable authentication for CUPS-Get-Document in
default policy
"""
import os
import sys
from shutil import copy
def get_cupsd_conf():
"""
Get all lines from cupsd.conf
"""
if not os.path.exists('/etc/cups/cupsd.conf'):
return None
lines = []
with open('/etc/cups/cupsd.conf', 'r') as conf:
lines = conf.readlines()
return lines
def get_default_policy(lines):
"""
Get the default policy lines
:param list lines: lines from cupsd.conf
"""
default_policy = []
in_policy = False
for line in lines:
if not in_policy and not line.lstrip().startswith('<Policy default>'):
continue
default_policy.append(line)
if line.lstrip().startswith('</Policy>'):
return default_policy
in_policy = True
return default_policy
def get_limit_with_document(lines):
"""
Get <Limit> scope which defines CUPS-Get-Document operation
:param list lines: Lines containing the default policy
"""
limit = []
in_limit = False
for line in lines:
if not in_limit and not line.lstrip().startswith('<Limit'):
continue
if (not in_limit and line.lstrip().startswith('<Limit') and
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
continue
limit.append(line)
if line.lstrip().startswith('</Limit>'):
return limit
in_limit = True
return limit
def check_for_authtype(lines):
"""
Check if <Limit> defining CUPS-Get-Document defines
any authentication
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
"""
for line in lines:
if line.lstrip().startswith('AuthType'):
return True
return False
def migrate_cupsd_conf(lines):
"""
Make changes to cupsd.conf contents to use authentication
for CUPS-Get-Document
:param list lines: Lines from cupsd.conf
"""
new_lines = []
in_policy = False
create_document_limit = False
for line in lines:
if (in_policy and line.lstrip().startswith('<Limit') and
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
line = line.replace(' CUPS-Get-Document', '')
create_document_limit = True
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
new_lines.append('\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'# added during upgrade\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'<Limit CUPS-Get-Document>\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'AuthType Default\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'Require user @OWNER @SYSTEM\n')
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
'Order deny,allow\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'</Limit>\n')
create_document_limit = False
new_lines.append(line)
if not in_policy:
if line.lstrip().startswith('<Policy default>'):
in_policy = True
continue
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'# added during upgrade\n')
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
'AuthType Default\n')
continue
if line.lstrip().startswith('</Policy>'):
in_policy = False
continue
return new_lines
def apply_changes(lines):
"""
Backup the original file if there is no .rpmsave already and
apply changes to the actual cupsd.conf
:param list lines: New lines for cupsd.conf
"""
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
with open('/etc/cups/cupsd.conf', 'w') as conf:
conf.writelines(lines)
content = get_cupsd_conf()
if content is None:
sys.exit(1)
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
sys.exit(0)
new_content = migrate_cupsd_conf(content)
apply_changes(new_content)
sys.exit(0)
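Review bot: `get_default_policy()` and `migrate_cupsd_conf()` match only the literal `<Policy default>`, so a `CUPS-Get-Document` limit without `AuthType` in any other policy section stays unauthenticated after the upgrade, and the script still exits 0 as if migration were complete. The prefix matches are also case- and spacing-sensitive (`startswith('<Limit')`, `startswith('AuthType')`), so differently written directives would be missed; this should be confirmed against how cupsd parses the file. Separately, `apply_changes()` rewrites /etc/cups/cupsd.conf in place with `open(..., 'w')`, so an interrupted write leaves a truncated config, and when a `.rpmsave` already exists no backup of the current file is taken. I would report which policies were changed or skipped, and write through a temporary file in the same directory followed by `os.replace()`, preserving the original owner and mode.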


@ -7,6 +7,13 @@
# but we use lib for compatibility with 3rd party drivers (at upstream request). # but we use lib for compatibility with 3rd party drivers (at upstream request).
%global cups_serverbin %{_exec_prefix}/lib/cups %global cups_serverbin %{_exec_prefix}/lib/cups
# we still need something for python2...
%if 0%{?rhel} >= 8 || 0%{?fedora}
%bcond_without python3
%else
%bcond_with python3
%endif
#%%global prever rc1 #%%global prever rc1
#%%global VERSION %%{version}%%{prever} #%%global VERSION %%{version}%%{prever}
%global VERSION %{version} %global VERSION %{version}
@ -17,7 +24,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.3.3%{OP_VER} Version: 2.3.3%{OP_VER}
Release: 16%{?dist} Release: 21%{?dist}
License: ASL 2.0 License: ASL 2.0
Url: http://www.cups.org/ Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
Source1: cupsprinter.png Source1: cupsprinter.png
# cups_serverbin macro definition for use during builds # cups_serverbin macro definition for use during builds
Source2: macros.cups Source2: macros.cups
# CVE-2023-32360 migration script
Source3: upgrade_get_document.py.in
# PAM enablement, very old patch, not even git can track when or why # PAM enablement, very old patch, not even git can track when or why
# the patch was added. # the patch was added.
@ -103,6 +112,20 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
# CVE-2022-26691 cups: authorization bypass when using "local" authorization # CVE-2022-26691 cups: authorization bypass when using "local" authorization
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
# 2189919 - CGI scripts don't work with local Negotiate authentication
Patch30: cups-local-negotiate.patch
# 2217177 - Delays printing to lpd when reserved ports are exhausted
Patch31: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
# 2217284 - The command "cancel -x <job>" does not remove job files
Patch32: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
# 2217954 - Enlarge backlog queue for listen() in cupsd
Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
Patch35: 0001-cups-strlcpy-handle-zero-size.patch
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch
##### Patches removed because IMHO they aren't no longer needed ##### Patches removed because IMHO they aren't no longer needed
@ -169,6 +192,13 @@ Requires(post): grep, sed
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
# for upgrade-get-document script
%if %{with python3}
Requires(post): python3
%else
Requires(post): python
%endif
%package client %package client
Summary: CUPS printing system - client programs Summary: CUPS printing system - client programs
@ -337,6 +367,20 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch28 -p1 -b .manpage-update %patch28 -p1 -b .manpage-update
# CVE-2022-26691 cups: authorization bypass when using "local" authorization # CVE-2022-26691 cups: authorization bypass when using "local" authorization
%patch29 -p1 -b .cve26691 %patch29 -p1 -b .cve26691
# 2189919 - CGI scripts don't work with local Negotiate authentication
%patch30 -p1 -b .local-negotiate
# 2217177 - Delays printing to lpd when reserved ports are exhausted
%patch31 -p1 -b .lpd-delay
# 2217284 - The command "cancel -x <job>" does not remove job files
%patch32 -p1 -b .purge-job
# 2217954 - Enlarge backlog queue for listen() in cupsd
%patch33 -p1 -b .listen-backlog
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
%patch34 -p1 -b .cve34241
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
%patch35 -p1 -b .cve32324
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
%patch36 -p1 -b .get-document-auth
%if %{lspp} %if %{lspp}
# LSPP support. # LSPP support.
@ -500,6 +544,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
/^\([^%].*\)/d /^\([^%].*\)/d
' > %{name}.lang ' > %{name}.lang
# install get-document upgrade script
install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
%if %{with python3}
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document
%else
sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document
%endif
%post %post
%systemd_post %{name}.path %{name}.socket %{name}.service %systemd_post %{name}.path %{name}.socket %{name}.service
@ -547,6 +600,8 @@ do
done done
%endif %endif
%{_sbindir}/upgrade_get_document
exit 0 exit 0
%post client %post client
@ -760,6 +815,30 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz %{_mandir}/man7/ippeveps.7.gz
%changelog %changelog
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-21
- bump the spec because the previous build was made with buildroot 9.2
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-20
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
* Thu Jun 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
- CVE-2023-32324 cups: heap buffer overflow may lead to DoS
* Wed Jun 28 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
- 2217177 - Delays printing to lpd when reserved ports are exhausted
- 2217284 - The command "cancel -x <job>" does not remove job files
- 2217954 - Enlarge backlog queue for listen() in cupsd
* Wed Apr 26 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-18
- 2189919 - CGI scripts don't work with local Negotiate authentication
* Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
- RHEL-314 - Enable fmf tests in centos stream
* Thu Mar 23 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
- RHEL-317 - upstream test suite fails due uncorrect number of expected warnings
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16 * Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16
- CVE-2022-26691 cups: authorization bypass when using "local" authorization - CVE-2022-26691 cups: authorization bypass when using "local" authorization