Compare commits


No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

10 changed files with 182 additions and 675 deletions


@ -1,86 +0,0 @@
diff --git a/cups/http-addr.c b/cups/http-addr.c
index 61c86384b..e86dcb622 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -198,31 +198,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
{
mode_t mask; /* Umask setting */
- /*
- * Remove any existing domain socket file...
- */
-
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
-
- /*
- * Bind the domain socket...
- */
+ // Remove any existing domain socket file...
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ if (errno == ENOENT)
+ status = 0;
+ }
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
- /*
- * Restore the umask and fix permissions...
- */
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Restore the umask...
+ umask(mask);
+ }
}
else
#endif /* AF_LOCAL */
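Review bot: In the unlink error path, `errno` is compared with `ENOENT` only after the `DEBUG_printf` call that formats `strerror(errno)`, so in a debug build the logging call may overwrite `errno` before the test and turn a harmless missing-file case into a listen failure. Saving the value first, e.g. `int err = errno;` right after `unlink()` and then testing `err == ENOENT`, removes that dependency. Separately, `umask(0)` is process-wide for the duration of `bind()`, and the old `chmod()` on the socket path is gone. A short comment such as `// Socket is intentionally world-accessible; mode comes from umask(0) at bind time, no chmod() on the path` would record that this is deliberate. The enclosing function starts and ends outside the hunk.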
diff --git a/scheduler/conf.c b/scheduler/conf.c
index bc52d2add..93de8cf77 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3055,6 +3055,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
cupsd_listener_t *lis; /* New listeners array */
+ /*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
/*
* Get the address list...
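Review bot: Both new `continue` paths discard a configured address but report it only at `CUPSD_LOG_INFO`, which an administrator running at a less verbose log level will never see. A domain socket path rejected as too long is a configuration error, so that message would be better at `CUPSD_LOG_WARN` or `CUPSD_LOG_ERROR`, e.g. `cupsdLogMessage(CUPSD_LOG_ERROR, "Ignoring %s address %s at line %d - too long.", line, value, linenum);`. The bound itself (`strlen(value) > sizeof(addr->addr.un.sun_path) - 1`) correctly leaves room for the terminating NUL. The surrounding loop in `read_cupsd_conf` lies outside the hunk.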


@ -1,26 +0,0 @@
From 5cc470c8d95df40f32e8a401b2946886c91b03d1 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Fri, 15 Nov 2024 11:55:07 -0500
Subject: [PATCH] Fix make-and-model whitespace trimming (Issue #1096)
---
CHANGES.md | 1 +
cups/ppd-cache.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index a6163a0e1..a3198a795 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -3293,6 +3293,8 @@ _ppdCreateFromIPP2(
mptr --;
if (*mptr == ' ')
*mptr = '\0';
+ else
+ break;
}
if (!make[0])
--
2.47.0


@ -1,40 +0,0 @@
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
index 728d164..5089172 100644
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -5773,6 +5773,18 @@ create_local_bg_thread(
cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString());
}
+ // Validate response from printer...
+ if (!ippValidateAttributes(response))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name);
+
+ if (response)
+ ippDelete(response);
+
+ httpClose(http);
+ return (NULL);
+ }
+
// TODO: Grab printer icon file...
httpClose(http);
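Review bot: The added block calls `ippValidateAttributes(response)` before it is known that `response` is non-NULL, yet the cleanup inside the block tests `if (response)`, which implies a NULL response can reach this point. Whether a NULL response is rejected or accepted then depends on how `ippValidateAttributes()` treats NULL, which is not visible here. The lpadmin.c hunk of the same patch guards explicitly with `response &&`. Making the intent explicit, for instance a separate `if (!response)` failure path ahead of the validation, would remove the ambiguity. The log line could also name the failing attribute, if the library exposes it, so operators can tell which printer data was rejected. The rest of `create_local_bg_thread` is outside the hunk.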
diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
index daf24d5..eba7551 100644
--- a/systemv/lpadmin.c
+++ b/systemv/lpadmin.c
@@ -1226,6 +1226,12 @@ get_printer_ppd(
ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs);
response = cupsDoRequest(http, request, resource);
+ if (response && !ippValidateAttributes(response))
+ {
+ _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri);
+ return (NULL);
+ }
+
if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE)
{
_cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString());
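Review bot: The new early `return (NULL);` leaves `response` allocated: the scheduler/ipp.c hunk of the same patch calls `ippDelete(response)` and `httpClose(http)` before returning, while this path frees nothing. Adding `ippDelete(response);` before the return keeps the two rejection paths consistent. Whether `http` also needs closing here depends on code outside the hunk. The impact is probably small in a short-lived command-line tool, but the omission is easy to copy into longer-running code. `get_printer_ppd` continues past the end of the hunk.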


@ -1,41 +0,0 @@
From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 9 Sep 2024 15:59:57 -0400
Subject: [PATCH] PPDize preset and template names.
---
cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
index 986c64f73..18c38d0ee 100644
--- a/cups/ppd-cache.c
+++ b/cups/ppd-cache.c
@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
*end; /* End of name buffer */
- if (!ipp)
+ if (!ipp || !_cups_isalnum(*ipp))
{
*name = '\0';
return;
@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp, /* I - IPP keyword */
ipp ++;
*ptr++ = (char)toupper(*ipp++ & 255);
}
- else
+ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
+ {
*ptr++ = *ipp++;
+ }
+ else
+ {
+ ipp ++;
+ }
}
*ptr = '\0';
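Review bot: The allow-list added in this hunk and the leading-character test in the previous hunk (`!ipp || !_cups_isalnum(*ipp)`) are not described in the function's documentation, and two consequences are left implicit. The result can now be an empty string for a non-NULL input, and distinct IPP names that differ only in filtered characters map to the same PPD name. A comment on the function should state both, e.g. `/* Only alphanumerics, '_', '.', and '-' are copied; other bytes are dropped and names not starting with an alphanumeric yield "" */`, so callers know to check `name[0]`. Whether existing callers already handle an empty or duplicate name cannot be determined from these hunks. The function's start and its loop header are outside the hunk.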
--
2.46.1


@ -1,136 +0,0 @@
diff -up cups-2.2.6/cups/ppd-cache.c.make-model-refact cups-2.2.6/cups/ppd-cache.c
--- cups-2.2.6/cups/ppd-cache.c.make-model-refact 2024-10-25 09:50:04.894056025 +0200
+++ cups-2.2.6/cups/ppd-cache.c 2024-10-25 09:51:15.832552712 +0200
@@ -2937,9 +2937,10 @@ _ppdCreateFromIPP(char *buffer, /* I -
*x_dim, *y_dim; /* Media dimensions */
ipp_t *media_size; /* Media size collection */
char make[256], /* Make and model */
- *model, /* Model name */
+ *mptr, /* Pointer into make and model */
ppdname[PPD_MAX_NAME];
/* PPD keyword */
+ const char *model; /* Model name */
int i, j, /* Looping vars */
count, /* Number of values */
bottom, /* Largest bottom margin */
@@ -3057,35 +3058,105 @@ _ppdCreateFromIPP(char *buffer, /* I -
}
/*
- * Standard stuff for PPD file...
+ * Get a sanitized make and model...
*/
- cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
- cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
- cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
- cupsFilePuts(fp, "*LanguageVersion: English\n");
- cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
- cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
- cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
- cupsFilePuts(fp, "*FileSystem: False\n");
- cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+ if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
+ {
+ /*
+ * Sanitize the model name to only contain PPD-safe characters.
+ */
- if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+
+ for (mptr = make; *mptr; mptr ++)
+ {
+ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
+ {
+ /*
+ * Truncate the make and model on the first bad character...
+ */
+
+ *mptr = '\0';
+ break;
+ }
+ }
+
+ while (mptr > make)
+ {
+ /*
+ * Strip trailing whitespace...
+ */
+
+ mptr --;
+ if (*mptr == ' ')
+ *mptr = '\0';
+ }
+
+ if (!make[0])
+ {
+ /*
+ * Use a default make and model if nothing remains...
+ */
+
+ strlcpy(make, "Unknown", sizeof(make));
+ }
+ }
else
- strlcpy(make, "Unknown Printer", sizeof(make));
+ {
+ /*
+ * Use a default make and model...
+ */
+
+ strlcpy(make, "Unknown", sizeof(make));
+ }
if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
!_cups_strncasecmp(make, "Hewlett-Packard ", 16))
{
+ /*
+ * Normalize HP printer make and model...
+ */
+
model = make + 16;
strlcpy(make, "HP", sizeof(make));
+
+ if (!_cups_strncasecmp(model, "HP ", 3))
+ model += 3;
+ }
+ else if ((mptr = strchr(make, ' ')) != NULL)
+ {
+ /*
+ * Separate "MAKE MODEL"...
+ */
+
+ while (*mptr && *mptr == ' ')
+ *mptr++ = '\0';
+
+ model = mptr;
}
- else if ((model = strchr(make, ' ')) != NULL)
- *model++ = '\0';
else
- model = make;
+ {
+ /*
+ * No separate model name...
+ */
+
+ model = "Printer";
+ }
+
+ /*
+ * Standard stuff for PPD file...
+ */
+ cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+ cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+ cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+ cupsFilePuts(fp, "*LanguageVersion: English\n");
+ cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+ cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+ cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+ cupsFilePuts(fp, "*FileSystem: False\n");
+ cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);
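Review bot: The sanitizing loop truncates at control characters, bytes of 127 and above, and `"`, but `model` is later written between parentheses on the `*Product: "(%s)"` line, and `(`, `)` and `\` pass the filter unchanged. If consumers read that value as a parenthesised string, an unbalanced parenthesis in a printer-supplied name may produce a malformed entry; this is inferred, since no consumer is visible here. Either escape those characters when writing the `*Product` line or extend the comment to list the rejected characters and say why the rest are acceptable, e.g. `/* Truncate at control characters, non-ASCII bytes and '"' ... */`. The function begins well before this hunk and continues after it.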


@ -1,94 +0,0 @@
diff --git a/scheduler/conf.c b/scheduler/conf.c
index c113eb3..77ce179 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -573,6 +573,18 @@ cupsdReadConfiguration(void)
cupsdDeleteAllListeners();
+ /*
+ * Allocate Listeners array
+ */
+
+ Listeners = cupsArrayNew(NULL, NULL);
+
+ if (!Listeners)
+ {
+ fprintf(stderr, "Unable to allocate memory for array Listeners.\n");
+ return (0);
+ }
+
old_remote_port = RemotePort;
RemotePort = 0;
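Review bot: The allocation-failure path reports through `fprintf(stderr, ...)`, whereas the check this patch removes from `read_cupsd_conf` used `cupsdLogMessage(CUPSD_LOG_ERROR, ...)`. In a daemon, stderr may not be connected to anything an administrator reads, so the failure could go unnoticed. If logging is usable at this point in `cupsdReadConfiguration` (not visible from the hunk), prefer `cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to allocate memory for Listeners array.");`. Otherwise add a comment explaining why stderr is used here. The function starts and ends outside the hunk.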
@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void)
}
}
- /*
- * Check that we have at least one listen/port line; if not, report this
- * as an error and exit!
- */
-
- if (cupsArrayCount(Listeners) == 0)
- {
- /*
- * No listeners!
- */
-
- cupsdLogMessage(CUPSD_LOG_EMERG,
- "No valid Listen or Port lines were found in the "
- "configuration file.");
-
- /*
- * Commit suicide...
- */
-
- cupsdEndProcess(getpid(), 0);
- }
-
/*
* Set the default locale using the language and charset...
*/
@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
* Allocate another listener...
*/
- if (!Listeners)
- Listeners = cupsArrayNew(NULL, NULL);
-
- if (!Listeners)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to allocate %s at line %d - %s.",
- line, linenum, strerror(errno));
- break;
- }
-
if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
diff --git a/scheduler/main.c b/scheduler/main.c
index a6e2c3a..b935c52 100644
--- a/scheduler/main.c
+++ b/scheduler/main.c
@@ -2113,6 +2113,21 @@ service_checkin(void)
service_add_listener(fd, 0);
}
#endif /* HAVE_LAUNCHD */
+
+ if (cupsArrayCount(Listeners) == 0)
+ {
+ /*
+ * No listeners!
+ */
+
+ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present.");
+
+ /*
+ * Commit suicide...
+ */
+
+ cupsdEndProcess(getpid(), 0);
+ }
}
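Review bot: With the empty-`Listeners` check now at the end of `service_checkin()`, a configuration that yields no listeners is caught only when this function runs. If `cupsdReadConfiguration()` can be invoked again later without `service_checkin()` (for example on a reload, which is not visible here), the daemon would keep running with nothing accepting connections and no `CUPSD_LOG_EMERG` message. A comment above the check, such as `/* Must run after both config-file and on-demand listeners have been added */`, would make the ordering requirement explicit. It would also help to confirm that every path that rebuilds `Listeners` reaches this check. The start of `service_checkin()` is outside the hunk.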


@ -1,11 +1,10 @@
diff -up cups-2.2.6/config.h.in.lspp cups-2.2.6/config.h.in diff -up cups-2.2.5/config.h.in.lspp cups-2.2.5/config.h.in
--- cups-2.2.6/config.h.in.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/config.h.in.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/config.h.in 2024-08-15 14:55:07.310818870 +0200 +++ cups-2.2.5/config.h.in 2017-10-17 19:06:19.640228964 +0200
@@ -730,4 +730,12 @@ static __inline int _cups_abs(int i) { r @@ -730,4 +730,11 @@ static __inline int _cups_abs(int i) { r
# endif /* __GNUC__ || __STDC_VERSION__ */ # endif /* __GNUC__ || __STDC_VERSION__ */
#endif /* !HAVE_ABS && !abs */ #endif /* !HAVE_ABS && !abs */
+
+/* +/*
+ * Are we trying to meet LSPP requirements? + * Are we trying to meet LSPP requirements?
+ */ + */
@ -14,9 +13,9 @@ diff -up cups-2.2.6/config.h.in.lspp cups-2.2.6/config.h.in
+ +
+ +
#endif /* !_CUPS_CONFIG_H_ */ #endif /* !_CUPS_CONFIG_H_ */
diff -up cups-2.2.6/config-scripts/cups-lspp.m4.lspp cups-2.2.6/config-scripts/cups-lspp.m4 diff -up cups-2.2.5/config-scripts/cups-lspp.m4.lspp cups-2.2.5/config-scripts/cups-lspp.m4
--- cups-2.2.6/config-scripts/cups-lspp.m4.lspp 2024-08-15 14:55:07.310818870 +0200 --- cups-2.2.5/config-scripts/cups-lspp.m4.lspp 2017-10-17 19:06:19.640228964 +0200
+++ cups-2.2.6/config-scripts/cups-lspp.m4 2024-08-15 14:55:07.310818870 +0200 +++ cups-2.2.5/config-scripts/cups-lspp.m4 2017-10-17 19:06:19.640228964 +0200
@@ -0,0 +1,36 @@ @@ -0,0 +1,36 @@
+dnl +dnl
+dnl LSPP code for the Common UNIX Printing System (CUPS). +dnl LSPP code for the Common UNIX Printing System (CUPS).
@ -41,7 +40,7 @@ diff -up cups-2.2.6/config-scripts/cups-lspp.m4.lspp cups-2.2.6/config-scripts/c
+AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no]) +AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no])
+ +
+if test x"$enable_lspp" != xno; then +if test x"$enable_lspp" != xno; then
+ case "$(uname)" in + case "$uname" in
+ Linux) + Linux)
+ AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)]) + AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)])
+ AC_CHECK_HEADER(libaudit.h) + AC_CHECK_HEADER(libaudit.h)
@ -54,9 +53,9 @@ diff -up cups-2.2.6/config-scripts/cups-lspp.m4.lspp cups-2.2.6/config-scripts/c
+ ;; + ;;
+ esac + esac
+fi +fi
diff -up cups-2.2.6/configure.ac.lspp cups-2.2.6/configure.ac diff -up cups-2.2.5/configure.ac.lspp cups-2.2.5/configure.ac
--- cups-2.2.6/configure.ac.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/configure.ac.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/configure.ac 2024-08-15 14:55:07.310818870 +0200 +++ cups-2.2.5/configure.ac 2017-10-17 19:06:19.640228964 +0200
@@ -38,6 +38,8 @@ sinclude(config-scripts/cups-startup.m4) @@ -38,6 +38,8 @@ sinclude(config-scripts/cups-startup.m4)
sinclude(config-scripts/cups-defaults.m4) sinclude(config-scripts/cups-defaults.m4)
sinclude(config-scripts/cups-scripting.m4) sinclude(config-scripts/cups-scripting.m4)
@ -66,9 +65,9 @@ diff -up cups-2.2.6/configure.ac.lspp cups-2.2.6/configure.ac
INSTALL_LANGUAGES="" INSTALL_LANGUAGES=""
UNINSTALL_LANGUAGES="" UNINSTALL_LANGUAGES=""
LANGFILES="" LANGFILES=""
diff -up cups-2.2.6/filter/common.c.lspp cups-2.2.6/filter/common.c diff -up cups-2.2.5/filter/common.c.lspp cups-2.2.5/filter/common.c
--- cups-2.2.6/filter/common.c.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/filter/common.c.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/filter/common.c 2024-08-15 14:55:07.310818870 +0200 +++ cups-2.2.5/filter/common.c 2017-10-17 19:06:19.640228964 +0200
@@ -17,6 +17,12 @@ @@ -17,6 +17,12 @@
* Include necessary headers... * Include necessary headers...
*/ */
@ -222,7 +221,7 @@ diff -up cups-2.2.6/filter/common.c.lspp cups-2.2.6/filter/common.c
+ else + else
+ { + {
+#endif /* !WITH_LSPP */ +#endif /* !WITH_LSPP */
+ +
/* /*
* Set the classification + page label string... * Set the classification + page label string...
*/ */
@ -237,9 +236,9 @@ diff -up cups-2.2.6/filter/common.c.lspp cups-2.2.6/filter/common.c
/* /*
diff -up cups-2.2.6/filter/pstops.c.lspp cups-2.2.6/filter/pstops.c diff -up cups-2.2.5/filter/pstops.c.lspp cups-2.2.5/filter/pstops.c
--- cups-2.2.6/filter/pstops.c.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/filter/pstops.c.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/filter/pstops.c 2024-08-15 14:55:07.311818856 +0200 +++ cups-2.2.5/filter/pstops.c 2017-10-17 19:06:19.641228955 +0200
@@ -3176,6 +3176,18 @@ write_label_prolog(pstops_doc_t *doc, /* @@ -3176,6 +3176,18 @@ write_label_prolog(pstops_doc_t *doc, /*
{ {
const char *classification; /* CLASSIFICATION environment variable */ const char *classification; /* CLASSIFICATION environment variable */
@ -395,21 +394,21 @@ diff -up cups-2.2.6/filter/pstops.c.lspp cups-2.2.6/filter/pstops.c
/* /*
diff -up cups-2.2.6/Makedefs.in.lspp cups-2.2.6/Makedefs.in diff -up cups-2.2.5/Makedefs.in.lspp cups-2.2.5/Makedefs.in
--- cups-2.2.6/Makedefs.in.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/Makedefs.in.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/Makedefs.in 2024-08-15 14:55:07.310818870 +0200 +++ cups-2.2.5/Makedefs.in 2017-10-17 19:06:19.641228955 +0200
@@ -145,7 +145,7 @@ ARFLAGS = @ARFLAGS@ @@ -161,7 +161,7 @@ LDFLAGS = -L../cgi-bin -L../cups -L../f
BACKLIBS = @BACKLIBS@ @LDFLAGS@ @RELROFLAGS@ @PIEFLAGS@ $(OPTIM)
BUILDDIRS = @BUILDDIRS@ LINKCUPS = @LINKCUPS@ $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ)
CFLAGS = @CPPFLAGS@ @CFLAGS@ LINKCUPSIMAGE = @LINKCUPSIMAGE@
-COMMONLIBS = @LIBS@ -LIBS = $(LINKCUPS) $(COMMONLIBS)
+COMMONLIBS = @LIBS@ @LIBAUDIT@ @LIBSELINUX@ +LIBS = $(LINKCUPS) $(COMMONLIBS) @LIBAUDIT@ @LIBSELINUX@
CXXFLAGS = @CPPFLAGS@ @CXXFLAGS@ ONDEMANDFLAGS = @ONDEMANDFLAGS@
CXXLIBS = @CXXLIBS@ ONDEMANDLIBS = @ONDEMANDLIBS@
DBUS_NOTIFIER = @DBUS_NOTIFIER@ OPTIM = @OPTIM@
diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c diff -up cups-2.2.5/scheduler/client.c.lspp cups-2.2.5/scheduler/client.c
--- cups-2.2.6/scheduler/client.c.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/scheduler/client.c.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/scheduler/client.c 2024-08-15 14:55:07.311818856 +0200 +++ cups-2.2.5/scheduler/client.c 2017-10-17 19:06:19.689228556 +0200
@@ -22,12 +22,20 @@ @@ -22,12 +22,20 @@
#define _HTTP_NO_PRIVATE #define _HTTP_NO_PRIVATE
#include "cupsd.h" #include "cupsd.h"
@ -465,7 +464,7 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
+ httpClose(con->http); + httpClose(con->http);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "getsockopt() failed"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "getsockopt() failed");
+ free(con); + free(con);
+ return; + return;
+ } + }
+ +
+ /* + /*
@ -476,7 +475,7 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
+ httpClose(con->http); + httpClose(con->http);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "getpeercon() failed"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "getpeercon() failed");
+ free(con); + free(con);
+ return; + return;
+ } + }
+ +
+ cupsdLogClient(con, CUPSD_LOG_INFO, "client context=%s", con->scon); + cupsdLogClient(con, CUPSD_LOG_INFO, "client context=%s", con->scon);
@ -491,19 +490,7 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
#ifdef AF_LOCAL #ifdef AF_LOCAL
if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
{ {
@@ -522,6 +583,11 @@ cupsdCloseClient(cupsd_client_t *con) /* @@ -562,6 +623,13 @@ cupsdReadClient(cupsd_client_t *con) /*
}
#endif /* HAVE_AUTHORIZATION_H */
+#ifdef WITH_LSPP
+ if (con->scon)
+ cupsdClearString(&con->scon);
+#endif /* WITH_LSPP */
+
/*
* Re-enable new client connections if we are going back under the
* limit...
@@ -562,6 +628,13 @@ cupsdReadClient(cupsd_client_t *con) /*
mime_type_t *type; /* MIME type of file */ mime_type_t *type; /* MIME type of file */
cupsd_printer_t *p; /* Printer */ cupsd_printer_t *p; /* Printer */
static unsigned request_id = 0; /* Request ID for temp files */ static unsigned request_id = 0; /* Request ID for temp files */
@ -517,10 +504,10 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
status = HTTP_STATUS_CONTINUE; status = HTTP_STATUS_CONTINUE;
@@ -1924,7 +1997,73 @@ cupsdReadClient(cupsd_client_t *con) /* @@ -1926,6 +1994,73 @@ cupsdReadClient(cupsd_client_t *con) /*
fchmod(con->file, 0640);
fchown(con->file, RunUser, Group);
fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC); fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
}
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+ if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) + if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
+ { + {
@ -581,17 +568,17 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
+ cupsdCloseClient(con); + cupsdCloseClient(con);
+ return; + return;
+ } + }
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "%s set to %s", + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "%s set to %s",
+ con->filename, context_str(tmpcon)); + con->filename, context_str(tmpcon));
+ context_free(tmpcon); + context_free(tmpcon);
+ context_free(clicon); + context_free(clicon);
} + }
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
+ } +
if (httpGetState(con->http) != HTTP_STATE_POST_SEND) if (httpGetState(con->http) != HTTP_STATE_POST_SEND)
{ {
@@ -3456,6 +3595,49 @@ is_path_absolute(const char *path) /* I if (!httpWait(con->http, 0))
@@ -3456,6 +3591,49 @@ is_path_absolute(const char *path) /* I
return (1); return (1);
} }
@ -641,9 +628,9 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
/* /*
* 'pipe_command()' - Pipe the output of a command to the remote client. * 'pipe_command()' - Pipe the output of a command to the remote client.
diff -up cups-2.2.6/scheduler/client.h.lspp cups-2.2.6/scheduler/client.h diff -up cups-2.2.5/scheduler/client.h.lspp cups-2.2.5/scheduler/client.h
--- cups-2.2.6/scheduler/client.h.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/scheduler/client.h.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/scheduler/client.h 2024-08-15 14:55:07.312818843 +0200 +++ cups-2.2.5/scheduler/client.h 2017-10-17 19:06:19.690228548 +0200
@@ -16,6 +16,13 @@ @@ -16,6 +16,13 @@
#endif /* HAVE_AUTHORIZATION_H */ #endif /* HAVE_AUTHORIZATION_H */
@ -669,20 +656,19 @@ diff -up cups-2.2.6/scheduler/client.h.lspp cups-2.2.6/scheduler/client.h
}; };
#define HTTP(con) ((con)->http) #define HTTP(con) ((con)->http)
@@ -139,6 +150,10 @@ extern void cupsdStopListening(void); @@ -138,6 +149,9 @@ extern void cupsdStartListening(void);
extern void cupsdStopListening(void);
extern void cupsdUpdateCGI(void); extern void cupsdUpdateCGI(void);
extern void cupsdWriteClient(cupsd_client_t *con); extern void cupsdWriteClient(cupsd_client_t *con);
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+extern uid_t client_pid_to_auid(pid_t clipid); +extern uid_t client_pid_to_auid(pid_t clipid);
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
+
#ifdef HAVE_SSL #ifdef HAVE_SSL
extern int cupsdEndTLS(cupsd_client_t *con); extern int cupsdEndTLS(cupsd_client_t *con);
extern int cupsdStartTLS(cupsd_client_t *con); diff -up cups-2.2.5/scheduler/conf.c.lspp cups-2.2.5/scheduler/conf.c
diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c --- cups-2.2.5/scheduler/conf.c.lspp 2017-10-17 19:06:19.637228989 +0200
--- cups-2.2.6/scheduler/conf.c.lspp 2024-08-15 14:55:07.306818923 +0200 +++ cups-2.2.5/scheduler/conf.c 2017-10-17 19:06:19.691228540 +0200
+++ cups-2.2.6/scheduler/conf.c 2024-08-15 14:55:07.312818843 +0200
@@ -40,6 +40,9 @@ @@ -40,6 +40,9 @@
# define INADDR_NONE 0xffffffff # define INADDR_NONE 0xffffffff
#endif /* !INADDR_NONE */ #endif /* !INADDR_NONE */
@ -740,7 +726,7 @@ diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.", cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
RemotePort ? "enabled" : "disabled"); RemotePort ? "enabled" : "disabled");
@@ -1277,7 +1306,19 @@ cupsdReadConfiguration(void) @@ -1286,7 +1315,19 @@ cupsdReadConfiguration(void)
cupsdClearString(&Classification); cupsdClearString(&Classification);
if (Classification) if (Classification)
@ -760,7 +746,7 @@ diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
/* /*
* Check the MaxClients setting, and then allocate memory for it... * Check the MaxClients setting, and then allocate memory for it...
@@ -3761,6 +3802,18 @@ read_location(cups_file_t *fp, /* I - C @@ -3770,6 +3811,18 @@ read_location(cups_file_t *fp, /* I - C
return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum); return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum);
} }
@ -779,9 +765,9 @@ diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
/* /*
* 'read_policy()' - Read a <Policy name> definition. * 'read_policy()' - Read a <Policy name> definition.
diff -up cups-2.2.6/scheduler/conf.h.lspp cups-2.2.6/scheduler/conf.h diff -up cups-2.2.5/scheduler/conf.h.lspp cups-2.2.5/scheduler/conf.h
--- cups-2.2.6/scheduler/conf.h.lspp 2024-08-15 14:55:07.250819672 +0200 --- cups-2.2.5/scheduler/conf.h.lspp 2017-10-17 19:06:19.585229421 +0200
+++ cups-2.2.6/scheduler/conf.h 2024-08-15 14:55:07.312818843 +0200 +++ cups-2.2.5/scheduler/conf.h 2017-10-17 19:06:19.691228540 +0200
@@ -250,6 +250,13 @@ VAR char *ServerKeychain VALUE(NULL); @@ -250,6 +250,13 @@ VAR char *ServerKeychain VALUE(NULL);
/* Keychain holding cert + key */ /* Keychain holding cert + key */
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
@ -806,10 +792,19 @@ diff -up cups-2.2.6/scheduler/conf.h.lspp cups-2.2.6/scheduler/conf.h
/* /*
* Prototypes... * Prototypes...
diff -up cups-2.2.6/scheduler/cupsd.h.lspp cups-2.2.6/scheduler/cupsd.h diff -up cups-2.2.5/scheduler/cupsd.h.lspp cups-2.2.5/scheduler/cupsd.h
--- cups-2.2.6/scheduler/cupsd.h.lspp 2024-08-15 14:55:07.298819030 +0200 --- cups-2.2.5/scheduler/cupsd.h.lspp 2017-10-17 19:06:19.626229080 +0200
+++ cups-2.2.6/scheduler/cupsd.h 2024-08-15 14:55:07.312818843 +0200 +++ cups-2.2.5/scheduler/cupsd.h 2017-10-17 19:06:19.691228540 +0200
@@ -36,6 +36,14 @@ @@ -11,6 +11,8 @@
* file is missing or damaged, see the license at "http://www.cups.org/".
*/
+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
/*
* Include necessary headers.
@@ -36,13 +38,20 @@
# include <unistd.h> # include <unistd.h>
#endif /* WIN32 */ #endif /* WIN32 */
@ -824,17 +819,27 @@ diff -up cups-2.2.6/scheduler/cupsd.h.lspp cups-2.2.6/scheduler/cupsd.h
#include "mime.h" #include "mime.h"
#if defined(HAVE_CDSASSL) #if defined(HAVE_CDSASSL)
@@ -248,4 +256,4 @@ extern void cupsdRunTimeout (cupsd_t # include <CoreFoundation/CoreFoundation.h>
extern void cupsdUpdateTimeout (cupsd_timeout_t *timeout, #endif /* HAVE_CDSASSL */
const struct timeval *tv);
extern void cupsdRemoveTimeout (cupsd_timeout_t *timeout); -
-#endif /* HAVE_AVAHI */ /*
\ No newline at end of file * Some OS's don't have hstrerror(), most notably Solaris...
+#endif /* HAVE_AVAHI */ */
diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c diff -up cups-2.2.5/scheduler/ipp.c.lspp cups-2.2.5/scheduler/ipp.c
--- cups-2.2.6/scheduler/ipp.c.lspp 2024-08-15 14:55:07.268819431 +0200 --- cups-2.2.5/scheduler/ipp.c.lspp 2017-10-17 19:06:19.599229305 +0200
+++ cups-2.2.6/scheduler/ipp.c 2024-08-15 14:56:15.961900807 +0200 +++ cups-2.2.5/scheduler/ipp.c 2017-10-17 19:06:19.695228506 +0200
@@ -37,6 +37,12 @@ extern int mbr_check_membership_by_id(uu @@ -14,6 +14,9 @@
* missing or damaged, see the license at "http://www.cups.org/".
*/
+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
+
/*
* Include necessary headers...
*/
@@ -37,6 +40,14 @@ extern int mbr_check_membership_by_id(uu
# endif /* HAVE_MEMBERSHIPPRIV_H */ # endif /* HAVE_MEMBERSHIPPRIV_H */
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -843,11 +848,13 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#include <selinux/avc.h> +#include <selinux/avc.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
/* /*
* Local functions... * Local functions...
@@ -61,6 +67,9 @@ static void cancel_all_jobs(cupsd_client @@ -61,6 +72,9 @@ static void cancel_all_jobs(cupsd_client
static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri); static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri);
static void cancel_subscription(cupsd_client_t *con, int id); static void cancel_subscription(cupsd_client_t *con, int id);
static int check_rss_recipient(const char *recipient); static int check_rss_recipient(const char *recipient);
@ -857,7 +864,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p); static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p);
static void close_job(cupsd_client_t *con, ipp_attribute_t *uri); static void close_job(cupsd_client_t *con, ipp_attribute_t *uri);
static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra, static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra,
@@ -1286,6 +1295,21 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1286,6 +1300,21 @@ add_job(cupsd_client_t *con, /* I - Cl
"time-at-creation", "time-at-creation",
"time-at-processing" "time-at-processing"
}; };
@ -879,7 +886,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))", cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))",
@@ -1607,6 +1631,106 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1597,6 +1626,106 @@ add_job(cupsd_client_t *con, /* I - Cl
return (NULL); return (NULL);
} }
@ -916,18 +923,18 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
+ /* + /*
+ * The printer does not exist, so for now assume it's a FileDevice + * The printer does not exist, so for now assume it's a FileDevice
+ */ + */
+ tclass = string_to_security_class("file"); + tclass = SECCLASS_FILE;
+ avr = string_to_av_perm(tclass, "write"); + avr = FILE__WRITE;
+ } + }
+ else if (S_ISCHR(printerstat.st_mode)) + else if (S_ISCHR(printerstat.st_mode))
+ { + {
+ tclass = string_to_security_class("chr_file"); + tclass = SECCLASS_CHR_FILE;
+ avr = string_to_av_perm(tclass, "write"); + avr = CHR_FILE__WRITE;
+ } + }
+ else if (S_ISREG(printerstat.st_mode)) + else if (S_ISREG(printerstat.st_mode))
+ { + {
+ tclass = string_to_security_class("file"); + tclass = SECCLASS_FILE;
+ avr = string_to_av_perm(tclass, "write"); + avr = FILE__WRITE;
+ } + }
+ else + else
+ { + {
@ -986,7 +993,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
if ((job = cupsdAddJob(priority, printer->name)) == NULL) if ((job = cupsdAddJob(priority, printer->name)) == NULL)
{ {
send_ipp_status(con, IPP_INTERNAL_ERROR, send_ipp_status(con, IPP_INTERNAL_ERROR,
@@ -1615,6 +1739,32 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1605,6 +1734,32 @@ add_job(cupsd_client_t *con, /* I - Cl
return (NULL); return (NULL);
} }
@ -1019,7 +1026,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE); job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE);
job->attrs = con->request; job->attrs = con->request;
job->dirty = 1; job->dirty = 1;
@@ -1802,6 +1952,29 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1794,6 +1949,29 @@ add_job(cupsd_client_t *con, /* I - Cl
ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]); ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]); ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
} }
@ -1049,7 +1056,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
job->job_sheets = attr; job->job_sheets = attr;
@@ -1832,6 +2005,9 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1824,6 +2002,9 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-sheets=\"%s,none\", " "job-sheets=\"%s,none\", "
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
Classification, job->username); Classification, job->username);
@ -1059,7 +1066,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
} }
else if (attr->num_values == 2 && else if (attr->num_values == 2 &&
strcmp(attr->values[0].string.text, strcmp(attr->values[0].string.text,
@@ -1850,6 +2026,9 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1842,6 +2023,9 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
attr->values[0].string.text, attr->values[0].string.text,
attr->values[1].string.text, job->username); attr->values[1].string.text, job->username);
@ -1069,7 +1076,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
} }
else if (strcmp(attr->values[0].string.text, Classification) && else if (strcmp(attr->values[0].string.text, Classification) &&
strcmp(attr->values[0].string.text, "none") && strcmp(attr->values[0].string.text, "none") &&
@@ -1870,6 +2049,9 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1862,6 +2046,9 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
attr->values[0].string.text, attr->values[0].string.text,
attr->values[1].string.text, job->username); attr->values[1].string.text, job->username);
@ -1079,14 +1086,14 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
} }
} }
else if (strcmp(attr->values[0].string.text, Classification) && else if (strcmp(attr->values[0].string.text, Classification) &&
@@ -1910,9 +2092,55 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1902,8 +2089,52 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-sheets=\"%s\", " "job-sheets=\"%s\", "
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
Classification, job->username); Classification, job->username);
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+ override = 1; + override = 1;
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
+ } }
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+ if (is_lspp_config() && AuditLog != -1) + if (is_lspp_config() && AuditLog != -1)
+ { + {
@ -1120,22 +1127,19 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
+ } + }
+ cupsdClearString(&audit_message); + cupsdClearString(&audit_message);
+ } + }
} + }
+
+ if (userheader)
+ free(userheader);
+ if (userfooter)
+ free(userfooter);
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
} }
+
+#ifdef WITH_LSPP
+ if (userheader)
+ free(userheader);
+ if (userfooter)
+ free(userfooter);
+#endif /* WITH_LSPP */
+
+
/* /*
* See if we need to add the starting sheet... * See if we need to add the starting sheet...
*/ @@ -3686,6 +3917,128 @@ check_rss_recipient(
@@ -3694,6 +3922,128 @@ check_rss_recipient(
} }
@ -1190,8 +1194,8 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
+ { + {
+ cupsdLogJob(job, CUPSD_LOG_ERROR, "check_context: unable avc_init"); + cupsdLogJob(job, CUPSD_LOG_ERROR, "check_context: unable avc_init");
+ return -1; + return -1;
+ } + }
+ } + }
+ if (avc_context_to_sid(con->scon, &clisid) != 0) + if (avc_context_to_sid(con->scon, &clisid) != 0)
+ { + {
+ cupsdLogJob(job, CUPSD_LOG_ERROR, + cupsdLogJob(job, CUPSD_LOG_ERROR,
@ -1207,8 +1211,8 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
+ return -1; + return -1;
+ } + }
+ avc_entry_ref_init(&avcref); + avc_entry_ref_init(&avcref);
+ tclass = string_to_security_class("file"); + tclass = SECCLASS_FILE;
+ avr = string_to_av_perm(tclass, "read"); + avr = FILE__READ;
+ +
+ /* + /*
+ * Perform the check with the client as the subject, first with the job as the object + * Perform the check with the client as the subject, first with the job as the object
@ -1264,7 +1268,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
/* /*
* 'check_quotas()' - Check quotas for a printer and user. * 'check_quotas()' - Check quotas for a printer and user.
*/ */
@@ -4150,6 +4500,15 @@ copy_banner(cupsd_client_t *con, /* I - @@ -4142,6 +4495,15 @@ copy_banner(cupsd_client_t *con, /* I -
char attrname[255], /* Name of attribute */ char attrname[255], /* Name of attribute */
*s; /* Pointer into name */ *s; /* Pointer into name */
ipp_attribute_t *attr; /* Attribute */ ipp_attribute_t *attr; /* Attribute */
@ -1280,7 +1284,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, cupsdLogMessage(CUPSD_LOG_DEBUG2,
@@ -4185,6 +4544,85 @@ copy_banner(cupsd_client_t *con, /* I - @@ -4177,6 +4539,85 @@ copy_banner(cupsd_client_t *con, /* I -
fchmod(cupsFileNumber(out), 0640); fchmod(cupsFileNumber(out), 0640);
fchown(cupsFileNumber(out), RunUser, Group); fchown(cupsFileNumber(out), RunUser, Group);
@ -1366,7 +1370,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
/* /*
* Try the localized banner file under the subdirectory... * Try the localized banner file under the subdirectory...
@@ -4279,6 +4717,24 @@ copy_banner(cupsd_client_t *con, /* I - @@ -4271,6 +4712,24 @@ copy_banner(cupsd_client_t *con, /* I -
else else
s = attrname; s = attrname;
@ -1391,7 +1395,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
if (!strcmp(s, "printer-name")) if (!strcmp(s, "printer-name"))
{ {
cupsFilePuts(out, job->dest); cupsFilePuts(out, job->dest);
@@ -6467,6 +6923,22 @@ get_job_attrs(cupsd_client_t *con, /* I @@ -6459,6 +6918,22 @@ get_job_attrs(cupsd_client_t *con, /* I
exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username); exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username);
@ -1414,7 +1418,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
/* /*
* Copy attributes... * Copy attributes...
*/ */
@@ -6864,6 +7336,11 @@ get_jobs(cupsd_client_t *con, /* I - C @@ -6856,6 +7331,11 @@ get_jobs(cupsd_client_t *con, /* I - C
if (username[0] && _cups_strcasecmp(username, job->username)) if (username[0] && _cups_strcasecmp(username, job->username))
continue; continue;
@ -1426,7 +1430,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
if (count > 0) if (count > 0)
ippAddSeparator(con->response); ippAddSeparator(con->response);
@@ -11495,6 +11972,11 @@ validate_user(cupsd_job_t *job, /* I @@ -11487,6 +11967,11 @@ validate_user(cupsd_job_t *job, /* I
strlcpy(username, get_username(con), userlen); strlcpy(username, get_username(con), userlen);
@ -1438,10 +1442,20 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
/* /*
* Check the username against the owner... * Check the username against the owner...
*/ */
diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c diff -up cups-2.2.5/scheduler/job.c.lspp cups-2.2.5/scheduler/job.c
--- cups-2.2.6/scheduler/job.c.lspp 2024-08-15 14:55:07.278819298 +0200 --- cups-2.2.5/scheduler/job.c.lspp 2017-10-17 19:06:19.607229238 +0200
+++ cups-2.2.6/scheduler/job.c 2024-08-15 14:55:07.316818790 +0200 +++ cups-2.2.5/scheduler/job.c 2017-10-17 19:06:19.696228498 +0200
@@ -26,6 +26,12 @@ @@ -11,6 +11,9 @@
* missing or damaged, see the license at "http://www.cups.org/".
*/
+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
+
/*
* Include necessary headers...
*/
@@ -26,6 +29,14 @@
# endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */ # endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -1450,11 +1464,13 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#include <selinux/avc.h> +#include <selinux/avc.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
/* /*
* Design Notes for Job Management * Design Notes for Job Management
@@ -547,6 +553,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I @@ -547,6 +558,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I
/* PRINTER_STATE_REASONS env var */ /* PRINTER_STATE_REASONS env var */
rip_max_cache[255]; rip_max_cache[255];
/* RIP_MAX_CACHE env variable */ /* RIP_MAX_CACHE env variable */
@ -1469,7 +1485,7 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, cupsdLogMessage(CUPSD_LOG_DEBUG2,
@@ -1083,6 +1097,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I @@ -1083,6 +1102,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I
if (final_content_type[0]) if (final_content_type[0])
envp[envc ++] = final_content_type; envp[envc ++] = final_content_type;
@ -1488,7 +1504,7 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
+ cupsdClearString(&audit_message); + cupsdClearString(&audit_message);
+ } + }
+ } + }
+ else + else
+ { + {
+ jobcon = context_new(job->scon); + jobcon = context_new(job->scon);
+ +
@ -1537,18 +1553,6 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
if (Classification && !banner_page) if (Classification && !banner_page)
{ {
if ((attr = ippFindAttribute(job->attrs, "job-sheets", if ((attr = ippFindAttribute(job->attrs, "job-sheets",
@@ -1464,6 +1539,11 @@ cupsdDeleteJob(cupsd_job_t *job, /
cupsdClearString(&job->username);
cupsdClearString(&job->dest);
+
+#ifdef WITH_LSPP
+ cupsdClearString(&job->scon);
+#endif
+
for (i = 0;
i < (int)(sizeof(job->auth_env) / sizeof(job->auth_env[0]));
i ++)
@@ -1908,6 +1988,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J @@ -1908,6 +1988,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J
ippSetString(job->attrs, &job->reasons, 0, "none"); ippSetString(job->attrs, &job->reasons, 0, "none");
} }
@ -1736,18 +1740,18 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
+ /* + /*
+ * The printer does not exist, so for now assume it's a FileDevice + * The printer does not exist, so for now assume it's a FileDevice
+ */ + */
+ tclass = string_to_security_class("file"); + tclass = SECCLASS_FILE;
+ avr = string_to_av_perm(tclass, "write"); + avr = FILE__WRITE;
+ } + }
+ else if (S_ISCHR(printerstat.st_mode)) + else if (S_ISCHR(printerstat.st_mode))
+ { + {
+ tclass = string_to_security_class("chr_file"); + tclass = SECCLASS_CHR_FILE;
+ avr = string_to_av_perm(tclass, "write"); + avr = CHR_FILE__WRITE;
+ } + }
+ else if (S_ISREG(printerstat.st_mode)) + else if (S_ISREG(printerstat.st_mode))
+ { + {
+ tclass = string_to_security_class("file"); + tclass = SECCLASS_FILE;
+ avr = string_to_av_perm(tclass, "write"); + avr = FILE__WRITE;
+ } + }
+ else + else
+ { + {
@ -1819,13 +1823,16 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
/* /*
* Now start the first file in the job... * Now start the first file in the job...
*/ */
diff -up cups-2.2.6/scheduler/job.h.lspp cups-2.2.6/scheduler/job.h diff -up cups-2.2.5/scheduler/job.h.lspp cups-2.2.5/scheduler/job.h
--- cups-2.2.6/scheduler/job.h.lspp 2017-11-01 15:57:53.000000000 +0100 --- cups-2.2.5/scheduler/job.h.lspp 2017-10-13 20:22:26.000000000 +0200
+++ cups-2.2.6/scheduler/job.h 2024-08-15 14:55:07.316818790 +0200 +++ cups-2.2.5/scheduler/job.h 2017-10-17 19:06:19.696228498 +0200
@@ -11,6 +11,10 @@ @@ -11,6 +11,13 @@
* missing or damaged, see the license at "http://www.cups.org/". * missing or damaged, see the license at "http://www.cups.org/".
*/ */
+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
+
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
@ -1833,7 +1840,7 @@ diff -up cups-2.2.6/scheduler/job.h.lspp cups-2.2.6/scheduler/job.h
/* /*
* Constants... * Constants...
*/ */
@@ -88,6 +92,10 @@ struct cupsd_job_s /**** Job request * @@ -88,6 +95,10 @@ struct cupsd_job_s /**** Job request *
int progress; /* Printing progress */ int progress; /* Printing progress */
int num_keywords; /* Number of PPD keywords */ int num_keywords; /* Number of PPD keywords */
cups_option_t *keywords; /* PPD keywords */ cups_option_t *keywords; /* PPD keywords */
@ -1844,9 +1851,9 @@ diff -up cups-2.2.6/scheduler/job.h.lspp cups-2.2.6/scheduler/job.h
}; };
typedef struct cupsd_joblog_s /**** Job log message ****/ typedef struct cupsd_joblog_s /**** Job log message ****/
diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c diff -up cups-2.2.5/scheduler/main.c.lspp cups-2.2.5/scheduler/main.c
--- cups-2.2.6/scheduler/main.c.lspp 2024-08-15 14:55:07.299819017 +0200 --- cups-2.2.5/scheduler/main.c.lspp 2017-10-17 19:06:19.637228989 +0200
+++ cups-2.2.6/scheduler/main.c 2024-08-15 14:55:07.316818790 +0200 +++ cups-2.2.5/scheduler/main.c 2017-10-17 19:08:26.642173026 +0200
@@ -56,6 +56,9 @@ @@ -56,6 +56,9 @@
# include <sys/param.h> # include <sys/param.h>
#endif /* HAVE_SYS_PARAM_H */ #endif /* HAVE_SYS_PARAM_H */
@ -1867,7 +1874,7 @@ diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
#ifdef __APPLE__ #ifdef __APPLE__
int use_sysman = 1; /* Use system management functions? */ int use_sysman = 1; /* Use system management functions? */
#else #else
@@ -508,6 +514,25 @@ main(int argc, /* I - Number of comm @@ -516,6 +522,25 @@ main(int argc, /* I - Number of comm
exit(errno); exit(errno);
} }
@ -1893,7 +1900,7 @@ diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
/* /*
* Let the system know we are busy while we bring up cupsd... * Let the system know we are busy while we bring up cupsd...
*/ */
@@ -1219,6 +1244,11 @@ main(int argc, /* I - Number of comm @@ -1227,6 +1252,11 @@ main(int argc, /* I - Number of comm
cupsdStopSelect(); cupsdStopSelect();
@ -1905,10 +1912,19 @@ diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
return (!stop_scheduler); return (!stop_scheduler);
} }
diff -up cups-2.2.6/scheduler/printers.c.lspp cups-2.2.6/scheduler/printers.c diff -up cups-2.2.5/scheduler/printers.c.lspp cups-2.2.5/scheduler/printers.c
--- cups-2.2.6/scheduler/printers.c.lspp 2024-08-15 14:55:07.253819632 +0200 --- cups-2.2.5/scheduler/printers.c.lspp 2017-10-17 19:06:19.587229404 +0200
+++ cups-2.2.6/scheduler/printers.c 2024-08-15 14:55:07.317818776 +0200 +++ cups-2.2.5/scheduler/printers.c 2017-10-17 19:06:19.697228490 +0200
@@ -35,6 +35,10 @@ @@ -11,6 +11,8 @@
* missing or damaged, see the license at "http://www.cups.org/".
*/
+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
+
/*
* Include necessary headers...
*/
@@ -35,6 +37,10 @@
# include <asl.h> # include <asl.h>
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -1919,7 +1935,7 @@ diff -up cups-2.2.6/scheduler/printers.c.lspp cups-2.2.6/scheduler/printers.c
/* /*
* Local functions... * Local functions...
@@ -2212,6 +2216,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) @@ -2212,6 +2218,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
ipp_attribute_t *attr; /* Attribute data */ ipp_attribute_t *attr; /* Attribute data */
char *name, /* Current user/group name */ char *name, /* Current user/group name */
*filter; /* Current filter */ *filter; /* Current filter */
@ -1933,7 +1949,7 @@ diff -up cups-2.2.6/scheduler/printers.c.lspp cups-2.2.6/scheduler/printers.c
DEBUG_printf(("cupsdSetPrinterAttrs: entering name = %s, type = %x\n", p->name, DEBUG_printf(("cupsdSetPrinterAttrs: entering name = %s, type = %x\n", p->name,
@@ -2339,6 +2350,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) @@ -2339,6 +2352,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
attr->values[1].string.text = _cupsStrAlloc(Classification ? attr->values[1].string.text = _cupsStrAlloc(Classification ?
Classification : p->job_sheets[1]); Classification : p->job_sheets[1]);
} }


@ -1,12 +0,0 @@
diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in
index c02412fb0..18b5e0386 100644
--- a/scheduler/org.cups.cupsd.service.in
+++ b/scheduler/org.cups.cupsd.service.in
@@ -2,6 +2,7 @@
Description=CUPS Scheduler
Documentation=man:cupsd(8)
After=network.target nss-user-lookup.target
+Requires=cups.socket
[Service]
ExecStart=@sbindir@/cupsd -l


@ -1,12 +0,0 @@
diff --git a/scheduler/org.cups.cupsd.socket.in b/scheduler/org.cups.cupsd.socket.in
index 613b977a6..1deee826a 100644
--- a/scheduler/org.cups.cupsd.socket.in
+++ b/scheduler/org.cups.cupsd.socket.in
@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
[Socket]
ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
+RemoveOnStop=on
[Install]
WantedBy=sockets.target


@ -22,7 +22,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.2.6 Version: 2.2.6
Release: 62%{?dist} Release: 57%{?dist}
License: GPLv2+ and LGPLv2 with exceptions and AML License: GPLv2+ and LGPLv2 with exceptions and AML
Url: http://www.cups.org/ Url: http://www.cups.org/
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -170,27 +170,6 @@ Patch86: cups-preservejob-leak.patch
Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
# RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/a436956
Patch89: 0001-Fix-domain-socket-handling.patch
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/pull/31
Patch90: cups-require-cups-socket.patch
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/3448c52
Patch91: cups-socket-remove-on-stop.patch
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/7adb508
# https://github.com/OpenPrinting/cups/commit/824f49f
# https://github.com/OpenPrinting/cups/commit/56b9728
# https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914
Patch92: cups-check-for-listeners.patch
# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
Patch93: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch
Patch94: 0001-refactor-make-and-model-code.patch
Patch95: 0001-ppdize-preset-and-template-names.patch
Patch96: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch
Patch1000: cups-lspp.patch Patch1000: cups-lspp.patch
@ -498,28 +477,6 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
%patch87 -p1 -b .message-stderr %patch87 -p1 -b .message-stderr
# RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
%patch88 -p1 -b .cupsgetjobs-pollhup %patch88 -p1 -b .cupsgetjobs-pollhup
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/a436956
%patch89 -p1 -b .cve2024-35235
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/pull/31
%patch90 -p1 -b .cups-require-cups-socket
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/3448c52
%patch91 -p1 -b .cups-remove-on-stop
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/7adb508
# https://github.com/OpenPrinting/cups/commit/824f49f
# https://github.com/OpenPrinting/cups/commit/56b9728
# https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914
%patch92 -p1 -b .cups-check-for-listeners
# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
%patch93 -p1 -b .ippeve-validate
%patch94 -p1 -b .make-model-refact
%patch95 -p1 -b .ppdize-presets
%patch96 -p1 -b .make-model-trim
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
@ -946,25 +903,6 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz %{_mandir}/man5/ipptoolfile.5.gz
%changelog %changelog
* Fri Oct 25 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-62
- RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
* Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-61
- RHEL-54038 cups source rpm doesn't actually build lspp support
- fix memory leaks caused by lspp
* Tue Jun 18 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-60
- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
- Delete the domain socket file after stopping the cups.socket service
- Fix cupsd Listener checks
* Fri Jun 14 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-59
- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
- Require cups.socket in cupsd service file
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-58
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
* Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-57 * Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-57
- revert RHEL-19200 - no new subpackages are needed - revert RHEL-19200 - no new subpackages are needed
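Review bot: On the c8-beta side of this spec the `Patch89`–`Patch96` declarations (hunk at -170,27) and the matching `%patch89`–`%patch96` lines (hunk at -498,28) are absent, so a package built from it at `Release: 57%{?dist}` would ship without the changes the removed comments tie to CVE-2024-35235 and CVE-2024-47175. The page compares two branches with no common history, so this most likely means c8-beta is simply behind c8 rather than a deliberate revert, but that should be confirmed before anything is built or tagged from c8-beta. If it is built, carry the eight patches over together with their spec lines, e.g. `Patch89: 0001-Fix-domain-socket-handling.patch` with `%patch89 -p1 -b .cve2024-35235`, and the 1:2.2.6-58 through -62 changelog entries. The -61 entry also records lspp build and memory-leak fixes, so the `cups-lspp.patch` differences shown earlier on the page belong to the same gap.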