.cups.metadata

@@ -1,2 +0,0 @@
-b5e3389fb9450bfed377c95c0230c029c053acc4 SOURCES/cups-2.2.6-source.tar.gz
-79ee155bed4c18088be472a6e364f37ad6e410a6 SOURCES/cupsprinter.png

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,2 +1,4 @@
 SOURCES/cups-2.2.6-source.tar.gz
 SOURCES/cupsprinter.png
+/cups-2.2.6-source.tar.gz
+/cupsprinter.png

0001-Fix-domain-socket-handling.patch

@@ -0,0 +1,86 @@
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 61c86384b..e86dcb622 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -198,31 +198,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
+   {
+     mode_t	mask;			/* Umask setting */
+ 
+-   /*
+-    * Remove any existing domain socket file...
+-    */
+-
+-    unlink(addr->un.sun_path);
+-
+-   /*
+-    * Save the current umask and set it to 0 so that all users can access
+-    * the domain socket...
+-    */
+-
+-    mask = umask(0);
+-
+-   /*
+-    * Bind the domain socket...
+-    */
++    // Remove any existing domain socket file...
++    if ((status = unlink(addr->un.sun_path)) < 0)
++    {
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
++      if (errno == ENOENT)
++       status = 0;
++    }
+ 
+-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++    if (!status)
++    {
++      // Save the current umask and set it to 0 so that all users can access
++      // the domain socket...
++      mask = umask(0);
+ 
+-   /*
+-    * Restore the umask and fix permissions...
+-    */
++      // Bind the domain socket...
++      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++      {
++        DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
++      }
+ 
+-    umask(mask);
+-    chmod(addr->un.sun_path, 0140777);
++      // Restore the umask...
++      umask(mask);
++    }
+   }
+   else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index bc52d2add..93de8cf77 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3055,6 +3055,25 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 
+       cupsd_listener_t	*lis;		/* New listeners array */
+ 
++     /*
++      * If we are launched on-demand, do not use domain sockets from the config
++      * file.  Also check that the domain socket path is not too long...
++      */
++
++#ifdef HAVE_ONDEMAND
++      if (*value == '/' && OnDemand)
++      {
++        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++        continue;
++      }
++#endif // HAVE_ONDEMAND
++
++      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++      {
++        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++        continue;
++      }
+ 
+      /*
+       * Get the address list...

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

cups-require-cups-socket.patch

@@ -0,0 +1,12 @@
+diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in
+index c02412fb0..18b5e0386 100644
+--- a/scheduler/org.cups.cupsd.service.in
++++ b/scheduler/org.cups.cupsd.service.in
+@@ -2,6 +2,7 @@
+ Description=CUPS Scheduler
+ Documentation=man:cupsd(8)
+ After=network.target nss-user-lookup.target
++Requires=cups.socket
+ 
+ [Service]
+ ExecStart=@sbindir@/cupsd -l

cups.spec

@@ -22,7 +22,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 57%{?dist}
+Release: 59%{?dist}
 License: GPLv2+ and LGPLv2 with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@@ -170,6 +170,10 @@ Patch86: cups-preservejob-leak.patch
 Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
 # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
 Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
+# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
+Patch89: 0001-Fix-domain-socket-handling.patch
+# https://github.com/OpenPrinting/cups/pull/31
+Patch90: cups-require-cups-socket.patch
 
 Patch1000: cups-lspp.patch
 
@@ -477,6 +481,10 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch87 -p1 -b .message-stderr
 # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
 %patch88 -p1 -b .cupsgetjobs-pollhup
+# CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
+%patch89 -p1 -b .cve2024-35235
+# https://github.com/OpenPrinting/cups/pull/31
+%patch90 -p1 -b .cups-require-cups-socket
 
 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
 
@@ -903,6 +911,13 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 
 %changelog
+* Fri Jun 14 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-59
+- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
+- Require cups.socket in cupsd service file
+
+* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-58
+- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
+
 * Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-57
 - revert RHEL-19200 - no new subpackages are needed
 

gating.yaml

@@ -0,0 +1,28 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional}
+
+#Rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional}
+
+#gating rhel
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional}

plans/public.fmf

@@ -0,0 +1,6 @@
+summary: Test plan that runs all tests from cups tests repo.
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/cups.git
+execute:
+    how: tmt

plans/tier1-internal.fmf

@@ -0,0 +1,12 @@
+summary: CI plan, picks internal Tier1 tests, runs in beakerlib.
+discover:
+  - name: rhel
+    how: fmf
+    filter: 'tier: 1'
+    url: git://pkgs.devel.redhat.com/tests/cups
+execute:
+    how: tmt
+adjust:
+    enabled: false
+    when: distro == centos-stream or distro == fedora
+    because: They don't have access to internal repos.

sources

@@ -0,0 +1,2 @@
+SHA512 (cups-2.2.6-source.tar.gz) = 52aa26acf5d38de5a4867c70f5b3006cb84fe5b362876c2f907872107bbac3d95fb249389546745249ad24d032963ac2d70f98a0884427a974c5bc4edc199c45
+SHA512 (cupsprinter.png) = 8f6c832577e0b9ad90560ecebdba7398fa46fc1e923068d9fe425f09e409f90afa30e8083d390d524693db52fb310bdad2f13f51e46c10be6825407fe2943811