import UBI cups-2.3.3op2-33.el9

2025-05-13 14:24:14 +00:00 · 2025-05-13 14:24:14 +00:00 · f9a32cb824
commit f9a32cb824
parent 781f45c635
3 changed files with 250 additions and 1 deletions
--- a/SOURCES/0001-Add-NoSystem-SSLOptions-value.patch
+++ b/SOURCES/0001-Add-NoSystem-SSLOptions-value.patch
@ -0,0 +1,174 @@
+From 40e62848ab3aa94b98dfaf1334e1c478c266bc73 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Tue, 7 Jan 2025 15:12:15 +0100
+Subject: [PATCH] Add `NoSystem` SSLOptions value
+
+In case using system crypto policy breaks communication with device
+irreversibly (f.e. if device does not support better key exchange
+algorithm), the new option value gives a way how to opt-out from crypto
+policy if user do not want to change default system crypto policy for
+the whole machine.
+---
+ CHANGES.md                    | 1 +
+ cups/http-private.h           | 3 ++-
+ cups/tls-gnutls.c             | 7 ++++++-
+ cups/usersys.c                | 2 ++
+ doc/help/man-client.conf.html | 3 ++-
+ doc/help/man-cupsd.conf.html  | 5 +++--
+ man/client.conf.5             | 3 ++-
+ man/cupsd.conf.5              | 3 ++-
+ scheduler/conf.c              | 2 ++
+ 9 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/cups/http-private.h b/cups/http-private.h
+index 5f77b8ef0..f248bbb8d 100644
+--- a/cups/http-private.h
+++ b/cups/http-private.h
+@@ -131,7 +131,8 @@ extern "C" {
+ #  define _HTTP_TLS_ALLOW_RC4	1	/* Allow RC4 cipher suites */
+ #  define _HTTP_TLS_ALLOW_DH	2	/* Allow DH/DHE key negotiation */
+ #  define _HTTP_TLS_DENY_CBC	4	/* Deny CBC cipher suites */
+-#  define _HTTP_TLS_SET_DEFAULT 128     /* Setting the default TLS options */
+#  define _HTTP_TLS_NO_SYSTEM	8	/* No system crypto policy */
+#  define _HTTP_TLS_SET_DEFAULT 128	/* Setting the default TLS options */
+ 
+ #  define _HTTP_TLS_SSL3	0	/* Min/max version is SSL/3.0 */
+ #  define _HTTP_TLS_1_0		1	/* Min/max version is TLS/1.0 */
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index 719161da7..e8224b217 100644
+--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
+@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
+ 
+   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+ 
+  priority_string[0] = '\0';
+
+   if (tls_options < 0)
+   {
+     DEBUG_puts("4_httpTLSStart: Setting defaults.");
+@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
+     return (-1);
+   }
+ 
+-  strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
+  if (!(tls_options & _HTTP_TLS_NO_SYSTEM))
+    strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string));
+
+  strlcat(priority_string, "NORMAL", sizeof(priority_string));
+ 
+   if (tls_max_version < _HTTP_TLS_MAX)
+   {
+diff --git a/cups/usersys.c b/cups/usersys.c
+index f752159b0..607587307 100644
+--- a/cups/usersys.c
+++ b/cups/usersys.c
+@@ -1608,6 +1608,8 @@ cups_set_ssl_options(
+       min_version = _HTTP_TLS_1_3;
+     else if (!_cups_strcasecmp(start, "None"))
+       options = _HTTP_TLS_NONE;
+    else if (!_cups_strcasecmp(start, "NoSystem"))
+      options |= _HTTP_TLS_NO_SYSTEM;
+   }
+ 
+   cc->ssl_options     = options;
+diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html
+index 81cd73a1a..9194481bb 100644
+--- a/doc/help/man-client.conf.html
+++ b/doc/help/man-client.conf.html
+@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n
+ <b>Note: This directive is not supported on macOS 10.7 or later.</b>
+ <dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
+ <dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+-<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
+<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
+ <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
+ <dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
+ By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+@@ -57,6 +57,7 @@ The <i>DenyCBC</i> option disables all CBC cipher suites.
+ The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The <i>MinTLS</i> options set the minimum TLS version to support.
+ The <i>MaxTLS</i> options set the maximum TLS version to support.
+The <i>NoSystem</i> option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ <dt><a name="TrustOnFirstUse"></a><b>TrustOnFirstUse Yes</b>
+ <dd style="margin-left: 5.0em"><dt><b>TrustOnFirstUse No</b>
+diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html
+index 4fd42f314..4a5395387 100644
+--- a/doc/help/man-cupsd.conf.html
+++ b/doc/help/man-cupsd.conf.html
+@@ -285,7 +285,7 @@ The default is "Minimal".
+ <dd style="margin-left: 5.0em"><dt><b>SSLListen [</b><i>ipv6-address</i><b>]:</b><i>port</i>
+ <dd style="margin-left: 5.0em"><dt><b>SSLListen *:</b><i>port</i>
+ <dd style="margin-left: 5.0em">Listens on the specified address and port for encrypted connections.
+-<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
+<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
+ <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
+ <dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
+ By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+@@ -298,6 +298,7 @@ The <i>DenyCBC</i> option disables all CBC cipher suites.
+ The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The <i>MinTLS</i> options set the minimum TLS version to support.
+ The <i>MaxTLS</i> options set the maximum TLS version to support.
+The <i>NoSystem</i> option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ <dt><a name="SSLPort"></a><b>SSLPort </b><i>port</i>
+ <dd style="margin-left: 5.0em">Listens on the specified port for encrypted connections.
+diff --git a/man/client.conf.5 b/man/client.conf.5
+index 54808c09f..56d6ec3ec 100644
+--- a/man/client.conf.5
+++ b/man/client.conf.5
+@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv
+ Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+ .\"#SSLOptions
+ .TP 5
+-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
+ .TP 5
+ \fBSSLOptions None\fR
+ Sets encryption options (only in /etc/cups/client.conf).
+@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
+ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The \fIMinTLS\fR options set the minimum TLS version to support.
+ The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ .\"#TrustOnFirstUse
+ .TP 5
+diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5
+index fd5762dfd..4e1a7ca81 100644
+--- a/man/cupsd.conf.5
+++ b/man/cupsd.conf.5
+@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections.
+ .\"#SSLOptions
+ .TP 5
+ .TP 5
+-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
+ .TP 5
+ \fBSSLOptions None\fR
+ Sets encryption options (only in /etc/cups/client.conf).
+@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
+ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The \fIMinTLS\fR options set the minimum TLS version to support.
+ The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ .\"#SSLPort
+ .TP 5
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 3184d72f0..3bf176479 100644
+--- a/scheduler/conf.c
+++ b/scheduler/conf.c
+@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 	    min_version = _HTTP_TLS_1_3;
+ 	  else if (!_cups_strcasecmp(start, "None"))
+ 	    options = _HTTP_TLS_NONE;
+	  else if (!_cups_strcasecmp(start, "NoSystem"))
+	    options |= _HTTP_TLS_NO_SYSTEM;
+ 	  else if (_cups_strcasecmp(start, "NoEmptyFragments"))
+ 	    cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
+         }
+-- 
+2.47.1
+
--- a/SOURCES/0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+++ b/SOURCES/0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
@ -0,0 +1,31 @@
+From 331a202a87db30b5d1d5386ccc99de6843eef03e Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 6 Dec 2024 07:59:16 +0100
+Subject: [PATCH] tls-gnutls.c: Use system crypto policy if available
+
+Some Linux systems provide a way how to control cryptography on system or service level via cryptographic policies. OpenSSL implementation reflects system changes to some degree, however GnuTLS implementation does not take system policy into account.
+
+GnuTLS supports fallback mechanism, so we can fallback to NORMAL if @System is not defined on the system.
+
+Fortunately, the current GnuTLS implementation allows overrides via priority strings (so no "this cipher/hash is disabled" if we enabled them in our application by priority string), so allowing to honor system policy can save us work if someone wants to disable a specific cipher, so we don't have to implement it in libcups.
+---
+ CHANGES.md        | 2 ++
+ cups/tls-gnutls.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index f3f71a055..719161da7 100644
+--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
+@@ -1504,7 +1504,7 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
+     return (-1);
+   }
+ 
+-  strlcpy(priority_string, "NORMAL", sizeof(priority_string));
+  strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
+ 
+   if (tls_max_version < _HTTP_TLS_MAX)
+   {
+-- 
+2.47.1
+
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
@ -24,7 +24,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 31%{?dist}
+Release: 33%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -156,6 +156,11 @@ Patch46: 0001-refactor-make-and-model-code.patch
 Patch47: 0001-ppdize-preset-and-template-names.patch
 Patch48: 0001-quote-ppd-localized-strings.patch
 Patch49: 0001-fix-warnings-for-unused-vars.patch
+# RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+# patches: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+#          0001-Add-NoSystem-SSLOptions-value.patch
+Patch50: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+Patch51: 0001-Add-NoSystem-SSLOptions-value.patch


 ##### Patches removed because IMHO they aren't no longer needed
@ -440,6 +445,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch47 -p1 -b .ppdize-presets
 %patch48 -p1 -b .quote-ppd-strings
 %patch49 -p1 -b .fix-warn
+# RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+%patch50 -p1 -b .tls-system
+%patch51 -p1 -b .ssl-nosystem


 %if %{lspp}
@ -662,6 +670,36 @@ done

 %{_sbindir}/upgrade_get_document

+# to prevent possible breakage due starting following system crypto policy
+# within minor releases
+# SSLOptions in cupsd.conf influences what SSL cupsd daemon will offer to clients,
+# SSLOptions in client.conf influences what SSL clients using libcups will use to
+# connect with destionation (destination can be other cupsd or printer)
+for conf in %{_sysconfdir}/cups/cupsd.conf %{_sysconfdir}/cups/client.conf
+do
+  # do not update anything if we already put changes into the file
+  if ! grep -q "# RHEL-68414 Fix" ${conf}
+  then
+    # backup the file if there is no rpmsave already
+    if ! test -f ${conf}.rpmsave
+    then
+      cp ${conf}{,.rpmsave}
+    fi
+
+    # two situations can happen:
+    # - no SSLOptions in the file - just put the new lines into file
+    # - SSLOptions already exists in the file - we append NoSystem to the
+    #   directive
+    if ! grep -q "^\s*SSLOptions" ${conf}
+    then
+      echo -e "# RHEL-68414 Fix\nSSLOptions NoSystem\n" >> ${conf}
+    else
+      # captures the group into \1, which can be later used
+      sed -i 's,^\s*SSLOptions \(.*\)$,# RHEL-68414 Fix\nSSLOptions \1 NoSystem,' ${conf}
+    fi
+  fi
+done
+
 exit 0

 %post client
@ -875,6 +913,12 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz

 %changelog
+* Wed Jan 08 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-33
+- Add NoSystem SSLOptions value
+
+* Mon Dec 09 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-32
+- RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+
 * Tue Oct 01 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-31
 - RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file