Compare commits
No commits in common. "imports/c8s/cups-2.2.6-51.el8" and "c8" have entirely different histories.
imports/c8
...
c8
@ -0,0 +1,21 @@
|
||||
diff -up cups-2.3.3op2/backend/lpd.c.lpd-delay cups-2.3.3op2/backend/lpd.c
|
||||
--- cups-2.3.3op2/backend/lpd.c.lpd-delay 2021-02-01 22:10:25.000000000 +0100
|
||||
+++ cups-2.3.3op2/backend/lpd.c 2023-06-28 17:28:52.465476261 +0200
|
||||
@@ -63,7 +63,7 @@ static int abort_job = 0; /* Non-zero i
|
||||
|
||||
#define RESERVE_NONE 0 /* Don't reserve a priviledged port */
|
||||
#define RESERVE_RFC1179 1 /* Reserve port 721-731 */
|
||||
-#define RESERVE_ANY 2 /* Reserve port 1-1023 */
|
||||
+#define RESERVE_ANY 2 /* Reserve port 512-1023 */
|
||||
|
||||
|
||||
/*
|
||||
@@ -778,7 +778,7 @@ lpd_queue(const char *hostname, /*
|
||||
|
||||
if (lport < 721 && reserve == RESERVE_RFC1179)
|
||||
lport = 731;
|
||||
- else if (lport < 1)
|
||||
+ else if (lport < 512)
|
||||
lport = 1023;
|
||||
|
||||
#ifdef HAVE_GETEUID
|
86
SOURCES/0001-Fix-domain-socket-handling.patch
Normal file
86
SOURCES/0001-Fix-domain-socket-handling.patch
Normal file
@ -0,0 +1,86 @@
|
||||
diff --git a/cups/http-addr.c b/cups/http-addr.c
|
||||
index 61c86384b..e86dcb622 100644
|
||||
--- a/cups/http-addr.c
|
||||
+++ b/cups/http-addr.c
|
||||
@@ -198,31 +198,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
|
||||
{
|
||||
mode_t mask; /* Umask setting */
|
||||
|
||||
- /*
|
||||
- * Remove any existing domain socket file...
|
||||
- */
|
||||
-
|
||||
- unlink(addr->un.sun_path);
|
||||
-
|
||||
- /*
|
||||
- * Save the current umask and set it to 0 so that all users can access
|
||||
- * the domain socket...
|
||||
- */
|
||||
-
|
||||
- mask = umask(0);
|
||||
-
|
||||
- /*
|
||||
- * Bind the domain socket...
|
||||
- */
|
||||
+ // Remove any existing domain socket file...
|
||||
+ if ((status = unlink(addr->un.sun_path)) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ if (errno == ENOENT)
|
||||
+ status = 0;
|
||||
+ }
|
||||
|
||||
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
|
||||
+ if (!status)
|
||||
+ {
|
||||
+ // Save the current umask and set it to 0 so that all users can access
|
||||
+ // the domain socket...
|
||||
+ mask = umask(0);
|
||||
|
||||
- /*
|
||||
- * Restore the umask and fix permissions...
|
||||
- */
|
||||
+ // Bind the domain socket...
|
||||
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
|
||||
+ {
|
||||
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
|
||||
+ }
|
||||
|
||||
- umask(mask);
|
||||
- chmod(addr->un.sun_path, 0140777);
|
||||
+ // Restore the umask...
|
||||
+ umask(mask);
|
||||
+ }
|
||||
}
|
||||
else
|
||||
#endif /* AF_LOCAL */
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index bc52d2add..93de8cf77 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -3055,6 +3055,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
|
||||
cupsd_listener_t *lis; /* New listeners array */
|
||||
|
||||
+ /*
|
||||
+ * If we are launched on-demand, do not use domain sockets from the config
|
||||
+ * file. Also check that the domain socket path is not too long...
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_ONDEMAND
|
||||
+ if (*value == '/' && OnDemand)
|
||||
+ {
|
||||
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif // HAVE_ONDEMAND
|
||||
+
|
||||
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Get the address list...
|
@ -0,0 +1,64 @@
|
||||
From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
|
||||
From: Rose <83477269+AtariDreams@users.noreply.github.com>
|
||||
Date: Thu, 1 Jun 2023 11:33:39 -0400
|
||||
Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
|
||||
|
||||
httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
|
||||
|
||||
We have to log the hostname first.
|
||||
---
|
||||
scheduler/client.c | 16 +++++++---------
|
||||
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/scheduler/client.c b/scheduler/client.c
|
||||
index 91e441188..327473a4d 100644
|
||||
--- a/scheduler/client.c
|
||||
+++ b/scheduler/client.c
|
||||
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||
/*
|
||||
* Can't have an unresolved IP address with double-lookups enabled...
|
||||
*/
|
||||
-
|
||||
- httpClose(con->http);
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||
- "Name lookup failed - connection from %s closed!",
|
||||
+ "Name lookup failed - closing connection from %s!",
|
||||
httpGetHostname(con->http, NULL, 0));
|
||||
|
||||
+ httpClose(con->http);
|
||||
free(con);
|
||||
return;
|
||||
}
|
||||
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||
* with double-lookups enabled...
|
||||
*/
|
||||
|
||||
- httpClose(con->http);
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||
- "IP lookup failed - connection from %s closed!",
|
||||
+ "IP lookup failed - closing connection from %s!",
|
||||
httpGetHostname(con->http, NULL, 0));
|
||||
+
|
||||
+ httpClose(con->http);
|
||||
free(con);
|
||||
return;
|
||||
}
|
||||
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
|
||||
|
||||
if (!hosts_access(&wrap_req))
|
||||
{
|
||||
- httpClose(con->http);
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||
"Connection from %s refused by /etc/hosts.allow and "
|
||||
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
|
||||
+
|
||||
+ httpClose(con->http);
|
||||
free(con);
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,31 @@
|
||||
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Tue, 6 Dec 2022 09:04:01 -0500
|
||||
Subject: [PATCH] Require authentication for CUPS-Get-Document.
|
||||
|
||||
---
|
||||
conf/cupsd.conf.in | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
|
||||
index b25884907..a07536f3e 100644
|
||||
--- a/conf/cupsd.conf.in
|
||||
+++ b/conf/cupsd.conf.in
|
||||
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
|
||||
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
|
||||
+ Require user @OWNER @SYSTEM
|
||||
+ Order deny,allow
|
||||
+ </Limit>
|
||||
+
|
||||
+ <Limit CUPS-Get-Document>
|
||||
+ AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,48 @@
|
||||
From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001
|
||||
From: Bryan Mason <bmason@redhat.com>
|
||||
Date: Tue, 27 Jun 2023 04:18:46 -0700
|
||||
Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a
|
||||
single job (#742)
|
||||
|
||||
The command "cancel -x <job>" adds "purge-jobs true" to the Cancel-Job
|
||||
operation; however, the correct attribute to use for Cancel-job is
|
||||
"purge-job" (singular), not "purge-jobs" (plural). As a result, job
|
||||
files are not removed from /var/spool/cups when "cancel -x <job>" is
|
||||
executed.
|
||||
|
||||
This patch resolves the issue by adding "purge-job" when the IPP
|
||||
operation is Cancel-Job and "purge-jobs" for other IPP operations
|
||||
(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs)
|
||||
---
|
||||
systemv/cancel.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/systemv/cancel.c b/systemv/cancel.c
|
||||
index 572f413e1..f5b8e12b5 100644
|
||||
--- a/systemv/cancel.c
|
||||
+++ b/systemv/cancel.c
|
||||
@@ -260,6 +260,7 @@ main(int argc, /* I - Number of command-line arguments */
|
||||
* attributes-natural-language
|
||||
* printer-uri + job-id *or* job-uri
|
||||
* [requesting-user-name]
|
||||
+ * [purge-job] or [purge-jobs]
|
||||
*/
|
||||
|
||||
request = ippNewRequest(op);
|
||||
@@ -294,7 +295,12 @@ main(int argc, /* I - Number of command-line arguments */
|
||||
"requesting-user-name", NULL, cupsUser());
|
||||
|
||||
if (purge)
|
||||
- ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
|
||||
+ {
|
||||
+ if (op == IPP_CANCEL_JOB)
|
||||
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge);
|
||||
+ else
|
||||
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Do the request and get back a response...
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,35 @@
|
||||
From 876fdc1c90a885a58644c8757bc1283c9fd5bcb7 Mon Sep 17 00:00:00 2001
|
||||
From: Vasilis Liaskovitis <vliaskovitis@suse.com>
|
||||
Date: Wed, 1 Mar 2023 13:46:28 +0100
|
||||
Subject: [PATCH] cups/http-addr.c: Set listen backlog size to INT_MAX (fixes
|
||||
#308)
|
||||
|
||||
Use a listen queue size of INT_MAX, which should default to the maximum
|
||||
supported queue size on the system.
|
||||
|
||||
This avoids the problem of the listening backlog queue getting full when
|
||||
there are too many requests at the same time. The problem was observed
|
||||
with the previous backlog size (128) by customers when submitting large
|
||||
batches of print jobs, resulting in some jobs getting lost.
|
||||
|
||||
Signed-off-by: Vasilis Liaskovitis <vliaskovitis@suse.com>
|
||||
---
|
||||
cups/http-addr.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cups/http-addr.c b/cups/http-addr.c
|
||||
index a61ee0449..6aeeb8074 100644
|
||||
--- a/cups/http-addr.c
|
||||
+++ b/cups/http-addr.c
|
||||
@@ -249,7 +249,7 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
|
||||
* Listen...
|
||||
*/
|
||||
|
||||
- if (listen(fd, 5))
|
||||
+ if (listen(fd, INT_MAX))
|
||||
{
|
||||
_cupsSetHTTPError(HTTP_STATUS_ERROR);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
26
SOURCES/0001-cups-strlcpy-handle-zero-size.patch
Normal file
26
SOURCES/0001-cups-strlcpy-handle-zero-size.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 5e3107e734f06d410a490e8bc923dc3119f17671 Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Wed, 17 May 2023 12:59:57 -0400
|
||||
Subject: [PATCH] Consensus fix.
|
||||
|
||||
---
|
||||
cups/string.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/cups/string.c b/cups/string.c
|
||||
index 00454203c..b4fc12050 100644
|
||||
--- a/cups/string.c
|
||||
+++ b/cups/string.c
|
||||
@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
|
||||
size_t srclen; /* Length of source string */
|
||||
|
||||
|
||||
+ if (size == 0)
|
||||
+ return (0);
|
||||
+
|
||||
/*
|
||||
* Figure out how much room is needed...
|
||||
*/
|
||||
--
|
||||
2.40.1
|
||||
|
@ -0,0 +1,43 @@
|
||||
diff -up cups-2.2.6/cups/http-addrlist.c.cupsgetjobs-pollhup cups-2.2.6/cups/http-addrlist.c
|
||||
--- cups-2.2.6/cups/http-addrlist.c.cupsgetjobs-pollhup 2023-12-19 18:25:15.484637450 +0100
|
||||
+++ cups-2.2.6/cups/http-addrlist.c 2023-12-19 18:28:57.129163387 +0100
|
||||
@@ -313,6 +313,39 @@ httpAddrConnect2(
|
||||
{
|
||||
# ifdef HAVE_POLL
|
||||
DEBUG_printf(("pfds[%d].revents=%x\n", i, pfds[i].revents));
|
||||
+
|
||||
+# ifdef _WIN32
|
||||
+ if (((WSAGetLastError() == WSAEINPROGRESS) && (pfds[i].revents & POLLIN) && (pfds[i].revents & POLLOUT)) ||
|
||||
+ ((pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN|POLLOUT))))
|
||||
+# else
|
||||
+ if (((errno == EINPROGRESS) && (pfds[i].revents & POLLIN) && (pfds[i].revents & POLLOUT)) ||
|
||||
+ ((pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN|POLLOUT))))
|
||||
+# endif /* _WIN32 */
|
||||
+ {
|
||||
+ // Some systems generate POLLIN or POLLOUT together with POLLHUP when doing
|
||||
+ // asynchronous connections. The solution seems to be to use getsockopt to
|
||||
+ // check the SO_ERROR value and ignore the POLLHUP if there is no error or
|
||||
+ // the error is EINPROGRESS.
|
||||
+
|
||||
+ int sres, /* Return value from getsockopt() - 0, or -1 if error */
|
||||
+ serr; /* Option SO_ERROR value */
|
||||
+ socklen_t slen = sizeof(serr); /* Option value size */
|
||||
+
|
||||
+ sres = getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &serr, &slen);
|
||||
+
|
||||
+ if (sres || serr)
|
||||
+ {
|
||||
+ pfds[i].revents |= POLLERR;
|
||||
+# ifdef DEBUG
|
||||
+ DEBUG_printf(("1httpAddrConnect2: getsockopt returned: %d with error: %s", sres, strerror(serr)));
|
||||
+# endif
|
||||
+ }
|
||||
+ else if (pfds[i].revents && (pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN | POLLOUT)))
|
||||
+ {
|
||||
+ pfds[i].revents &= ~POLLHUP;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (pfds[i].revents && !(pfds[i].revents & (POLLERR | POLLHUP)))
|
||||
# else
|
||||
if (FD_ISSET(fds[i], &input_set) && !FD_ISSET(fds[i], &error_set))
|
@ -0,0 +1,36 @@
|
||||
From db9cecdd932e58c51d2d659f63415ad47d151717 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Fri, 1 Sep 2023 17:11:54 +0200
|
||||
Subject: [PATCH] scheduler/conf.c: Print to stderr if we don't open
|
||||
cups-files.conf
|
||||
|
||||
In case cupsd can't open the cups-files.conf, the error message is lost
|
||||
if journal and syslog don't exist or work on system (usually in
|
||||
containers).
|
||||
|
||||
Log the error into stderr at this place to get the error message if
|
||||
needed.
|
||||
---
|
||||
scheduler/conf.c | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index b18535162..4fa7eb1df 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -811,11 +811,7 @@ cupsdReadConfiguration(void)
|
||||
cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
|
||||
else
|
||||
{
|
||||
-#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
- sd_journal_print(LOG_ERR, "Unable to open \"%s\" - %s", CupsFilesFile, strerror(errno));
|
||||
-#else
|
||||
- syslog(LOG_LPR, "Unable to open \"%s\" - %s", CupsFilesFile, strerror(errno));
|
||||
-#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
|
||||
+ fprintf(stderr, "Unable to read \"%s\" - %s\n", CupsFilesFile, strerror(errno));
|
||||
|
||||
return (0);
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
94
SOURCES/cups-check-for-listeners.patch
Normal file
94
SOURCES/cups-check-for-listeners.patch
Normal file
@ -0,0 +1,94 @@
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index c113eb3..77ce179 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -573,6 +573,18 @@ cupsdReadConfiguration(void)
|
||||
|
||||
cupsdDeleteAllListeners();
|
||||
|
||||
+ /*
|
||||
+ * Allocate Listeners array
|
||||
+ */
|
||||
+
|
||||
+ Listeners = cupsArrayNew(NULL, NULL);
|
||||
+
|
||||
+ if (!Listeners)
|
||||
+ {
|
||||
+ fprintf(stderr, "Unable to allocate memory for array Listeners.\n");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
old_remote_port = RemotePort;
|
||||
RemotePort = 0;
|
||||
|
||||
@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void)
|
||||
}
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Check that we have at least one listen/port line; if not, report this
|
||||
- * as an error and exit!
|
||||
- */
|
||||
-
|
||||
- if (cupsArrayCount(Listeners) == 0)
|
||||
- {
|
||||
- /*
|
||||
- * No listeners!
|
||||
- */
|
||||
-
|
||||
- cupsdLogMessage(CUPSD_LOG_EMERG,
|
||||
- "No valid Listen or Port lines were found in the "
|
||||
- "configuration file.");
|
||||
-
|
||||
- /*
|
||||
- * Commit suicide...
|
||||
- */
|
||||
-
|
||||
- cupsdEndProcess(getpid(), 0);
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Set the default locale using the language and charset...
|
||||
*/
|
||||
@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
* Allocate another listener...
|
||||
*/
|
||||
|
||||
- if (!Listeners)
|
||||
- Listeners = cupsArrayNew(NULL, NULL);
|
||||
-
|
||||
- if (!Listeners)
|
||||
- {
|
||||
- cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
- "Unable to allocate %s at line %d - %s.",
|
||||
- line, linenum, strerror(errno));
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
|
||||
{
|
||||
cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
diff --git a/scheduler/main.c b/scheduler/main.c
|
||||
index a6e2c3a..b935c52 100644
|
||||
--- a/scheduler/main.c
|
||||
+++ b/scheduler/main.c
|
||||
@@ -2113,6 +2113,21 @@ service_checkin(void)
|
||||
service_add_listener(fd, 0);
|
||||
}
|
||||
#endif /* HAVE_LAUNCHD */
|
||||
+
|
||||
+ if (cupsArrayCount(Listeners) == 0)
|
||||
+ {
|
||||
+ /*
|
||||
+ * No listeners!
|
||||
+ */
|
||||
+
|
||||
+ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present.");
|
||||
+
|
||||
+ /*
|
||||
+ * Commit suicide...
|
||||
+ */
|
||||
+
|
||||
+ cupsdEndProcess(getpid(), 0);
|
||||
+ }
|
||||
}
|
31
SOURCES/cups-preservejob-leak.patch
Normal file
31
SOURCES/cups-preservejob-leak.patch
Normal file
@ -0,0 +1,31 @@
|
||||
diff --git a/scheduler/colorman.c b/scheduler/colorman.c
|
||||
index 8af4e5c..9bfdb0c 100644
|
||||
--- a/scheduler/colorman.c
|
||||
+++ b/scheduler/colorman.c
|
||||
@@ -1083,7 +1083,7 @@ colord_create_profile(
|
||||
|
||||
dbus_message_iter_get_basic(&args, &profile_path);
|
||||
cupsdLogMessage(CUPSD_LOG_DEBUG, "Created profile \"%s\".", profile_path);
|
||||
- cupsArrayAdd(profiles, strdup(profile_path));
|
||||
+ cupsArrayAdd(profiles, profile_path);
|
||||
|
||||
out:
|
||||
|
||||
diff --git a/scheduler/job.c b/scheduler/job.c
|
||||
index 0223bee..47d4c72 100644
|
||||
--- a/scheduler/job.c
|
||||
+++ b/scheduler/job.c
|
||||
@@ -1496,11 +1496,11 @@ cupsdDeleteJob(cupsd_job_t *job, /* I - Job */
|
||||
job->num_files = 0;
|
||||
}
|
||||
|
||||
+ unload_job(job);
|
||||
+
|
||||
if (job->history)
|
||||
free_job_history(job);
|
||||
|
||||
- unload_job(job);
|
||||
-
|
||||
cupsArrayRemove(Jobs, job);
|
||||
cupsArrayRemove(ActiveJobs, job);
|
||||
cupsArrayRemove(PrintingJobs, job);
|
12
SOURCES/cups-require-cups-socket.patch
Normal file
12
SOURCES/cups-require-cups-socket.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in
|
||||
index c02412fb0..18b5e0386 100644
|
||||
--- a/scheduler/org.cups.cupsd.service.in
|
||||
+++ b/scheduler/org.cups.cupsd.service.in
|
||||
@@ -2,6 +2,7 @@
|
||||
Description=CUPS Scheduler
|
||||
Documentation=man:cupsd(8)
|
||||
After=network.target nss-user-lookup.target
|
||||
+Requires=cups.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=@sbindir@/cupsd -l
|
12
SOURCES/cups-socket-remove-on-stop.patch
Normal file
12
SOURCES/cups-socket-remove-on-stop.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git a/scheduler/org.cups.cupsd.socket.in b/scheduler/org.cups.cupsd.socket.in
|
||||
index 613b977a6..1deee826a 100644
|
||||
--- a/scheduler/org.cups.cupsd.socket.in
|
||||
+++ b/scheduler/org.cups.cupsd.socket.in
|
||||
@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
|
||||
+RemoveOnStop=on
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
171
SOURCES/upgrade_get_document.py.in
Executable file
171
SOURCES/upgrade_get_document.py.in
Executable file
@ -0,0 +1,171 @@
|
||||
@PYTHON_SHEBANG@
|
||||
|
||||
"""
|
||||
Upgrade script to enable authentication for CUPS-Get-Document in
|
||||
default policy
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
from shutil import copy
|
||||
|
||||
|
||||
def get_cupsd_conf():
|
||||
"""
|
||||
Get all lines from cupsd.conf
|
||||
"""
|
||||
if not os.path.exists('/etc/cups/cupsd.conf'):
|
||||
return None
|
||||
|
||||
lines = []
|
||||
with open('/etc/cups/cupsd.conf', 'r') as conf:
|
||||
lines = conf.readlines()
|
||||
|
||||
return lines
|
||||
|
||||
|
||||
def get_default_policy(lines):
|
||||
"""
|
||||
Get the default policy lines
|
||||
|
||||
:param list lines: lines from cupsd.conf
|
||||
"""
|
||||
default_policy = []
|
||||
in_policy = False
|
||||
|
||||
for line in lines:
|
||||
if not in_policy and not line.lstrip().startswith('<Policy default>'):
|
||||
continue
|
||||
|
||||
default_policy.append(line)
|
||||
|
||||
if line.lstrip().startswith('</Policy>'):
|
||||
return default_policy
|
||||
|
||||
in_policy = True
|
||||
|
||||
return default_policy
|
||||
|
||||
|
||||
def get_limit_with_document(lines):
|
||||
"""
|
||||
Get <Limit> scope which defines CUPS-Get-Document operation
|
||||
|
||||
:param list lines: Lines containing the default policy
|
||||
"""
|
||||
limit = []
|
||||
in_limit = False
|
||||
|
||||
for line in lines:
|
||||
if not in_limit and not line.lstrip().startswith('<Limit'):
|
||||
continue
|
||||
|
||||
if (not in_limit and line.lstrip().startswith('<Limit') and
|
||||
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||
continue
|
||||
|
||||
limit.append(line)
|
||||
|
||||
if line.lstrip().startswith('</Limit>'):
|
||||
return limit
|
||||
|
||||
in_limit = True
|
||||
|
||||
return limit
|
||||
|
||||
|
||||
def check_for_authtype(lines):
|
||||
"""
|
||||
Check if <Limit> defining CUPS-Get-Document defines
|
||||
any authentication
|
||||
|
||||
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
|
||||
"""
|
||||
for line in lines:
|
||||
if line.lstrip().startswith('AuthType'):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def migrate_cupsd_conf(lines):
|
||||
"""
|
||||
Make changes to cupsd.conf contents to use authentication
|
||||
for CUPS-Get-Document
|
||||
|
||||
:param list lines: Lines from cupsd.conf
|
||||
"""
|
||||
new_lines = []
|
||||
in_policy = False
|
||||
create_document_limit = False
|
||||
|
||||
for line in lines:
|
||||
if (in_policy and line.lstrip().startswith('<Limit') and
|
||||
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
|
||||
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||
line = line.replace(' CUPS-Get-Document', '')
|
||||
create_document_limit = True
|
||||
|
||||
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
|
||||
new_lines.append('\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'# added during upgrade\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'<Limit CUPS-Get-Document>\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'AuthType Default\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'Require user @OWNER @SYSTEM\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'Order deny,allow\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'</Limit>\n')
|
||||
create_document_limit = False
|
||||
|
||||
new_lines.append(line)
|
||||
|
||||
if not in_policy:
|
||||
if line.lstrip().startswith('<Policy default>'):
|
||||
in_policy = True
|
||||
continue
|
||||
|
||||
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'# added during upgrade\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'AuthType Default\n')
|
||||
continue
|
||||
|
||||
if line.lstrip().startswith('</Policy>'):
|
||||
in_policy = False
|
||||
continue
|
||||
|
||||
return new_lines
|
||||
|
||||
|
||||
def apply_changes(lines):
|
||||
"""
|
||||
Backup the original file if there is no .rpmsave already and
|
||||
apply changes to the actual cupsd.conf
|
||||
|
||||
:param list lines: New lines for cupsd.conf
|
||||
"""
|
||||
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
|
||||
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
|
||||
|
||||
with open('/etc/cups/cupsd.conf', 'w') as conf:
|
||||
conf.writelines(lines)
|
||||
|
||||
|
||||
|
||||
content = get_cupsd_conf()
|
||||
if content is None:
|
||||
sys.exit(1)
|
||||
|
||||
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
|
||||
sys.exit(0)
|
||||
|
||||
new_content = migrate_cupsd_conf(content)
|
||||
|
||||
apply_changes(new_content)
|
||||
|
||||
sys.exit(0)
|
128
SPECS/cups.spec
128
SPECS/cups.spec
@ -7,6 +7,13 @@
|
||||
# but we use lib for compatibility with 3rd party drivers (at upstream request).
|
||||
%global cups_serverbin %{_exec_prefix}/lib/cups
|
||||
|
||||
# we still need something for python2...
|
||||
%if 0%{?rhel} >= 8 || 0%{?fedora}
|
||||
%global __python %{__python3}
|
||||
%else
|
||||
%global __python /usr/bin/python2
|
||||
%endif
|
||||
|
||||
#%%global prever rc1
|
||||
#%%global VERSION %%{version}%%{prever}
|
||||
%global VERSION %{version}
|
||||
@ -15,7 +22,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.6
|
||||
Release: 51%{?dist}
|
||||
Release: 60%{?dist}
|
||||
License: GPLv2+ and LGPLv2 with exceptions and AML
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
@ -26,6 +33,8 @@ Source6: cups.logrotate
|
||||
# Backend for NCP protocol
|
||||
Source7: ncp.backend
|
||||
Source8: macros.cups
|
||||
# CVE-2023-32360 migration script
|
||||
Source9: upgrade_get_document.py.in
|
||||
|
||||
Patch1: cups-no-gzip-man.patch
|
||||
Patch2: cups-system-auth.patch
|
||||
@ -143,6 +152,40 @@ Patch77: cups-retry-current-job-man.patch
|
||||
Patch78: 0001-Update-man-pages-for-h-option-Issue-357.patch
|
||||
# 2130391 - Kerberized IPP Printing Fails
|
||||
Patch79: cups-kerberos.patch
|
||||
# 2217178 - Delays printing to lpd when reserved ports are exhausted
|
||||
Patch80: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
|
||||
# 2217283 - The command "cancel -x <job>" does not remove job files
|
||||
Patch81: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
|
||||
# 2217955 - Enlarge backlog queue for listen() in cupsd
|
||||
Patch82: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
|
||||
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||
Patch83: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
|
||||
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
|
||||
Patch84: 0001-cups-strlcpy-handle-zero-size.patch
|
||||
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||
Patch85: 0001-Require-authentication-for-CUPS-Get-Document.patch
|
||||
# RHEL-14933 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off"
|
||||
Patch86: cups-preservejob-leak.patch
|
||||
# RHEL-15309 cupsd fails to open cups-files.conf and the resulting error message is lost
|
||||
Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
|
||||
# RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
|
||||
Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/commit/a436956
|
||||
Patch89: 0001-Fix-domain-socket-handling.patch
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/pull/31
|
||||
Patch90: cups-require-cups-socket.patch
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/commit/3448c52
|
||||
Patch91: cups-socket-remove-on-stop.patch
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/commit/7adb508
|
||||
# https://github.com/OpenPrinting/cups/commit/824f49f
|
||||
# https://github.com/OpenPrinting/cups/commit/56b9728
|
||||
# https://github.com/OpenPrinting/cups/commit/74f437b
|
||||
# https://github.com/OpenPrinting/cups/commit/fb0c914
|
||||
Patch92: cups-check-for-listeners.patch
|
||||
|
||||
Patch1000: cups-lspp.patch
|
||||
|
||||
@ -189,6 +232,9 @@ Requires(post): grep, sed
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
|
||||
# for upgrade-get-document script
|
||||
Requires(post): %{__python}
|
||||
|
||||
# We ship udev rules which use setfacl.
|
||||
Requires: systemd
|
||||
Requires: acl
|
||||
@ -429,6 +475,40 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
||||
%patch78 -p1 -b .manpage-update
|
||||
# 2130391 - Kerberized IPP Printing Fails
|
||||
%patch79 -p1 -b .kerberos
|
||||
# 2217178 - Delays printing to lpd when reserved ports are exhausted
|
||||
%patch80 -p1 -b .lpd-delay
|
||||
# 2217283 - The command "cancel -x <job>" does not remove job files
|
||||
%patch81 -p1 -b .purge-job
|
||||
# 2217955 - Enlarge backlog queue for listen() in cupsd
|
||||
%patch82 -p1 -b .listen-backlog
|
||||
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||
%patch83 -p1 -b .cve34241
|
||||
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
|
||||
%patch84 -p1 -b .cve32324
|
||||
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||
%patch85 -p1 -b .get-document-auth
|
||||
# RHEL-14933 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off"
|
||||
%patch86 -p1 -b .preservejob-leak
|
||||
# RHEL-15309 cupsd fails to open cups-files.conf and the resulting error message is lost
|
||||
%patch87 -p1 -b .message-stderr
|
||||
# RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
|
||||
%patch88 -p1 -b .cupsgetjobs-pollhup
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/commit/a436956
|
||||
%patch89 -p1 -b .cve2024-35235
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/pull/31
|
||||
%patch90 -p1 -b .cups-require-cups-socket
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/commit/3448c52
|
||||
%patch91 -p1 -b .cups-remove-on-stop
|
||||
# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
# https://github.com/OpenPrinting/cups/commit/7adb508
|
||||
# https://github.com/OpenPrinting/cups/commit/824f49f
|
||||
# https://github.com/OpenPrinting/cups/commit/56b9728
|
||||
# https://github.com/OpenPrinting/cups/commit/74f437b
|
||||
# https://github.com/OpenPrinting/cups/commit/fb0c914
|
||||
%patch92 -p1 -b .cups-check-for-listeners
|
||||
|
||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||
|
||||
@ -578,6 +658,11 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
||||
/^\([^%].*\)/d
|
||||
' > %{name}.lang
|
||||
|
||||
# install get-document upgrade script
|
||||
install -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/upgrade_get_document
|
||||
|
||||
sed -i 's,@PYTHON_SHEBANG@,#!%{__python},' %{buildroot}%{_sbindir}/upgrade_get_document
|
||||
|
||||
%post
|
||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||
|
||||
@ -640,6 +725,8 @@ fi
|
||||
grep '^\s*IdleExitTimeout' %{_sysconfdir}/cups/cupsd.conf &> /dev/null || echo -e '\nIdleExitTimeout 0' \
|
||||
>> %{_sysconfdir}/cups/cupsd.conf
|
||||
|
||||
%{_sbindir}/upgrade_get_document
|
||||
|
||||
exit 0
|
||||
|
||||
%post client
|
||||
@ -848,6 +935,45 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Tue Jun 18 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-60
|
||||
- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
- Delete the domain socket file after stopping the cups.socket service
|
||||
- Fix cupsd Listener checks
|
||||
|
||||
* Fri Jun 14 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-59
|
||||
- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
- Require cups.socket in cupsd service file
|
||||
|
||||
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-58
|
||||
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
|
||||
|
||||
* Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-57
|
||||
- revert RHEL-19200 - no new subpackages are needed
|
||||
|
||||
* Wed Dec 20 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-56
|
||||
- RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
|
||||
- RHEL-19200 Recommend new cups-filters subpackages with weak dep for better upgrade exp
|
||||
|
||||
* Fri Nov 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-55
|
||||
- RHEL-14933 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off"
|
||||
- RHEL-15309 cupsd fails to open cups-files.conf and the resulting error message is lost
|
||||
|
||||
* Tue Sep 12 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-54
|
||||
- RHEL-2612 - cups pulls an unneeded dependency on python3
|
||||
|
||||
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-53
|
||||
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
|
||||
|
||||
* Thu Jun 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-52
|
||||
- 2217178 - Delays printing to lpd when reserved ports are exhausted
|
||||
- 2217283 - The command "cancel -x <job>" does not remove job files
|
||||
- 2217955 - Enlarge backlog queue for listen() in cupsd
|
||||
- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
|
||||
- CVE-2023-32324 cups: heap buffer overflow may lead to DoS
|
||||
|
||||
* Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51
|
||||
- RHEL-316 - Enable fmf tests in centos stream
|
||||
|
||||
* Wed Dec 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-51
|
||||
- 2130391 - Kerberized IPP Printing Fails
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user