From 1448cd80c06b630fdc5d9cf0389472d836c99d59 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 8 Nov 2023 14:18:31 +0300 Subject: [PATCH 1/2] import cups-2.3.3op2-21.el9 --- ...ing-to-lpd-when-reserved-ports-are-e.patch | 21 ++++ ...tpGetHostname-BEFORE-closing-the-con.patch | 64 ++++++++++ ...stead-of-purge-jobs-when-canceling-a.patch | 48 ++++++++ ...-Set-listen-backlog-size-to-INT_MAX-.patch | 35 ++++++ .../0001-cups-strlcpy-handle-zero-size.patch | 34 ++++++ SOURCES/cups-deprecate-drivers.patch | 6 +- SOURCES/cups-local-negotiate.patch | 115 ++++++++++++++++++ SPECS/cups.spec | 55 ++++++++- 8 files changed, 370 insertions(+), 8 deletions(-) create mode 100644 SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch create mode 100644 SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch create mode 100644 SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch create mode 100644 SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch create mode 100644 SOURCES/0001-cups-strlcpy-handle-zero-size.patch create mode 100644 SOURCES/cups-local-negotiate.patch diff --git a/SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch b/SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch new file mode 100644 index 0000000..fdec951 --- /dev/null +++ b/SOURCES/0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch @@ -0,0 +1,21 @@ +diff -up cups-2.3.3op2/backend/lpd.c.lpd-delay cups-2.3.3op2/backend/lpd.c +--- cups-2.3.3op2/backend/lpd.c.lpd-delay 2021-02-01 22:10:25.000000000 +0100 ++++ cups-2.3.3op2/backend/lpd.c 2023-06-28 17:28:52.465476261 +0200 +@@ -63,7 +63,7 @@ static int abort_job = 0; /* Non-zero i + + #define RESERVE_NONE 0 /* Don't reserve a priviledged port */ + #define RESERVE_RFC1179 1 /* Reserve port 721-731 */ +-#define RESERVE_ANY 2 /* Reserve port 1-1023 */ ++#define RESERVE_ANY 2 /* Reserve port 512-1023 */ + + + /* +@@ -778,7 +778,7 @@ lpd_queue(const char *hostname, /* + + if (lport < 721 && reserve == RESERVE_RFC1179) + lport = 731; +- else if (lport < 1) ++ else if (lport < 512) + lport = 1023; + + #ifdef HAVE_GETEUID diff --git a/SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch b/SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch new file mode 100644 index 0000000..7c647bf --- /dev/null +++ b/SOURCES/0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch @@ -0,0 +1,64 @@ +From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001 +From: Rose <83477269+AtariDreams@users.noreply.github.com> +Date: Thu, 1 Jun 2023 11:33:39 -0400 +Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection + +httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to. + +We have to log the hostname first. +--- + scheduler/client.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index 91e441188..327473a4d 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + /* + * Can't have an unresolved IP address with double-lookups enabled... + */ +- +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "Name lookup failed - connection from %s closed!", ++ "Name lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); + ++ httpClose(con->http); + free(con); + return; + } +@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + * with double-lookups enabled... + */ + +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "IP lookup failed - connection from %s closed!", ++ "IP lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + + if (!hosts_access(&wrap_req)) + { +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, + "Connection from %s refused by /etc/hosts.allow and " + "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +-- +2.41.0 + diff --git a/SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch b/SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch new file mode 100644 index 0000000..fe5d29e --- /dev/null +++ b/SOURCES/0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch @@ -0,0 +1,48 @@ +From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001 +From: Bryan Mason +Date: Tue, 27 Jun 2023 04:18:46 -0700 +Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a + single job (#742) + +The command "cancel -x " adds "purge-jobs true" to the Cancel-Job +operation; however, the correct attribute to use for Cancel-job is +"purge-job" (singular), not "purge-jobs" (plural). As a result, job +files are not removed from /var/spool/cups when "cancel -x " is +executed. + +This patch resolves the issue by adding "purge-job" when the IPP +operation is Cancel-Job and "purge-jobs" for other IPP operations +(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs) +--- + systemv/cancel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/systemv/cancel.c b/systemv/cancel.c +index 572f413e1..f5b8e12b5 100644 +--- a/systemv/cancel.c ++++ b/systemv/cancel.c +@@ -260,6 +260,7 @@ main(int argc, /* I - Number of command-line arguments */ + * attributes-natural-language + * printer-uri + job-id *or* job-uri + * [requesting-user-name] ++ * [purge-job] or [purge-jobs] + */ + + request = ippNewRequest(op); +@@ -294,7 +295,12 @@ main(int argc, /* I - Number of command-line arguments */ + "requesting-user-name", NULL, cupsUser()); + + if (purge) +- ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge); ++ { ++ if (op == IPP_CANCEL_JOB) ++ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge); ++ else ++ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge); ++ } + + /* + * Do the request and get back a response... +-- +2.41.0 + diff --git a/SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch b/SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch new file mode 100644 index 0000000..2c5daff --- /dev/null +++ b/SOURCES/0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch @@ -0,0 +1,35 @@ +From 876fdc1c90a885a58644c8757bc1283c9fd5bcb7 Mon Sep 17 00:00:00 2001 +From: Vasilis Liaskovitis +Date: Wed, 1 Mar 2023 13:46:28 +0100 +Subject: [PATCH] cups/http-addr.c: Set listen backlog size to INT_MAX (fixes + #308) + +Use a listen queue size of INT_MAX, which should default to the maximum +supported queue size on the system. + +This avoids the problem of the listening backlog queue getting full when +there are too many requests at the same time. The problem was observed +with the previous backlog size (128) by customers when submitting large +batches of print jobs, resulting in some jobs getting lost. + +Signed-off-by: Vasilis Liaskovitis +--- + cups/http-addr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cups/http-addr.c b/cups/http-addr.c +index a61ee0449..6aeeb8074 100644 +--- a/cups/http-addr.c ++++ b/cups/http-addr.c +@@ -249,7 +249,7 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ + * Listen... + */ + +- if (listen(fd, 128)) ++ if (listen(fd, INT_MAX)) + { + _cupsSetHTTPError(HTTP_STATUS_ERROR); + +-- +2.41.0 + diff --git a/SOURCES/0001-cups-strlcpy-handle-zero-size.patch b/SOURCES/0001-cups-strlcpy-handle-zero-size.patch new file mode 100644 index 0000000..397609c --- /dev/null +++ b/SOURCES/0001-cups-strlcpy-handle-zero-size.patch @@ -0,0 +1,34 @@ +From 5e3107e734f06d410a490e8bc923dc3119f17671 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Wed, 17 May 2023 12:59:57 -0400 +Subject: [PATCH] Consensus fix. + +--- + cups/string.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/cups/string.c b/cups/string.c +index 00454203c..b4fc12050 100644 +--- a/cups/string.c ++++ b/cups/string.c +@@ -1,6 +1,7 @@ + /* + * String functions for CUPS. + * ++ * Copyright © 2023 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products. + * +@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ + size_t srclen; /* Length of source string */ + + ++ if (size == 0) ++ return (0); ++ + /* + * Figure out how much room is needed... + */ +-- +2.40.1 + diff --git a/SOURCES/cups-deprecate-drivers.patch b/SOURCES/cups-deprecate-drivers.patch index afcfa59..c5a31f7 100644 --- a/SOURCES/cups-deprecate-drivers.patch +++ b/SOURCES/cups-deprecate-drivers.patch @@ -167,11 +167,11 @@ index 4498a8c..8776874 100755 count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'` -if test $count != 8; then - echo "FAIL: $count warning messages, expected 8." -+if test $count != 10; then -+ echo "FAIL: $count warning messages, expected 10." ++if test $count != 9; then ++ echo "FAIL: $count warning messages, expected 9." $GREP '^W ' $BASE/log/error_log - echo "

FAIL: $count warning messages, expected 8.

" >>$strfile -+ echo "

FAIL: $count warning messages, expected 10.

" >>$strfile ++ echo "

FAIL: $count warning messages, expected 9.

" >>$strfile echo "
" >>$strfile
  	$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&/g' -e '1,$s/>$strfile
  	echo "    
" >>$strfile diff --git a/SOURCES/cups-local-negotiate.patch b/SOURCES/cups-local-negotiate.patch new file mode 100644 index 0000000..593d83c --- /dev/null +++ b/SOURCES/cups-local-negotiate.patch @@ -0,0 +1,115 @@ +diff --git a/cups/auth.c b/cups/auth.c +index db45bbb..b6fec6b 100644 +--- a/cups/auth.c ++++ b/cups/auth.c +@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status, + # define cups_gss_printf(major, minor, message) + # endif /* DEBUG */ + #endif /* HAVE_GSSAPI */ ++static int cups_is_local_connection(http_t *http); + static int cups_local_auth(http_t *http); + + +@@ -174,10 +175,10 @@ cupsDoAuthentication( + DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme)); + + #ifdef HAVE_GSSAPI +- if (!_cups_strcasecmp(scheme, "Negotiate")) ++ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http)) + { + /* +- * Kerberos authentication... ++ * Kerberos authentication to remote server... + */ + + int gss_status; /* Auth status */ +@@ -201,7 +202,9 @@ cupsDoAuthentication( + } + else + #endif /* HAVE_GSSAPI */ +- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest")) ++ if (_cups_strcasecmp(scheme, "Basic") && ++ _cups_strcasecmp(scheme, "Digest") && ++ _cups_strcasecmp(scheme, "Negotiate")) + { + /* + * Other schemes not yet supported... +@@ -215,7 +218,7 @@ cupsDoAuthentication( + * See if we should retry the current username:password... + */ + +- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest")))) ++ if (http->digest_tries > 1 || !http->userpass[0]) + { + /* + * Nope - get a new password from the user... +@@ -295,7 +298,7 @@ cupsDoAuthentication( + } + } + +- if (http->authstring) ++ if (http->authstring && http->authstring[0]) + { + DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring)); + +@@ -916,6 +919,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */ + # endif /* DEBUG */ + #endif /* HAVE_GSSAPI */ + ++static int /* O - 0 if not a local connection */ ++ /* 1 if local connection */ ++cups_is_local_connection(http_t *http) /* I - HTTP connection to server */ ++{ ++ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) ++ return 0; ++ return 1; ++} + + /* + * 'cups_local_auth()' - Get the local authorization certificate if +@@ -958,7 +969,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + * See if we are accessing localhost... + */ + +- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) ++ if (!cups_is_local_connection(http)) + { + DEBUG_puts("8cups_local_auth: Not a local connection!"); + return (1); +@@ -1032,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + } + # endif /* HAVE_AUTHORIZATION_H */ + +-# ifdef HAVE_GSSAPI +- if (cups_auth_find(www_auth, "Negotiate")) +- return (1); +-# endif /* HAVE_GSSAPI */ +- + # if defined(SO_PEERCRED) && defined(AF_LOCAL) + /* + * See if we can authenticate using the peer credentials provided over a +diff --git a/scheduler/client.c b/scheduler/client.c +index 89c76bf..40708d9 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2244,18 +2244,13 @@ cupsdSendHeader( + } + else if (auth_type == CUPSD_AUTH_NEGOTIATE) + { +-#if defined(SO_PEERCRED) && defined(AF_LOCAL) +- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) +- strlcpy(auth_str, "PeerCred", sizeof(auth_str)); +- else +-#endif /* SO_PEERCRED && AF_LOCAL */ + strlcpy(auth_str, "Negotiate", sizeof(auth_str)); + } + +- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) ++ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) + { + /* +- * Add a "trc" (try root certification) parameter for local non-Kerberos ++ * Add a "trc" (try root certification) parameter for local + * requests when the request requires system group membership - then the + * client knows the root certificate can/should be used. + * diff --git a/SPECS/cups.spec b/SPECS/cups.spec index 37e2a03..6e9cb14 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -24,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 16%{?dist}.1 +Release: 21%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -112,8 +112,20 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch # CVE-2022-26691 cups: authorization bypass when using "local" authorization Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch +# 2189919 - CGI scripts don't work with local Negotiate authentication +Patch30: cups-local-negotiate.patch +# 2217177 - Delays printing to lpd when reserved ports are exhausted +Patch31: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch +# 2217284 - The command "cancel -x " does not remove job files +Patch32: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch +# 2217954 - Enlarge backlog queue for listen() in cupsd +Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch +# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch +# CVE-2023-32324 cups: heap buffer overflow may lead to DoS +Patch35: 0001-cups-strlcpy-handle-zero-size.patch # CVE-2023-32360 cups: Information leak through Cups-Get-Document operation -Patch30: 0001-Require-authentication-for-CUPS-Get-Document.patch +Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch ##### Patches removed because IMHO they aren't no longer needed @@ -355,8 +367,20 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch28 -p1 -b .manpage-update # CVE-2022-26691 cups: authorization bypass when using "local" authorization %patch29 -p1 -b .cve26691 +# 2189919 - CGI scripts don't work with local Negotiate authentication +%patch30 -p1 -b .local-negotiate +# 2217177 - Delays printing to lpd when reserved ports are exhausted +%patch31 -p1 -b .lpd-delay +# 2217284 - The command "cancel -x " does not remove job files +%patch32 -p1 -b .purge-job +# 2217954 - Enlarge backlog queue for listen() in cupsd +%patch33 -p1 -b .listen-backlog +# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +%patch34 -p1 -b .cve34241 +# CVE-2023-32324 cups: heap buffer overflow may lead to DoS +%patch35 -p1 -b .cve32324 # CVE-2023-32360 cups: Information leak through Cups-Get-Document operation -%patch30 -p1 -b .get-document-auth +%patch36 -p1 -b .get-document-auth %if %{lspp} # LSPP support. @@ -791,10 +815,31 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog -* Tue Aug 15 2023 Zdenek Dohnal - 1:2.3.3op2-16.1 +* Tue Aug 29 2023 Zdenek Dohnal - 1:2.3.3op2-21 +- bump the spec because the previous build was made with buildroot 9.2 + +* Tue Aug 29 2023 Zdenek Dohnal - 1:2.3.3op2-20 - CVE-2023-32360 cups: Information leak through Cups-Get-Document operation -* Wed Mar 15 2023 MSVSphere Packaging Team - 2.3.3op2-16 +* Thu Jun 29 2023 Zdenek Dohnal - 1:2.3.3op2-19 +- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +- CVE-2023-32324 cups: heap buffer overflow may lead to DoS + +* Wed Jun 28 2023 Zdenek Dohnal - 1:2.3.3op2-19 +- 2217177 - Delays printing to lpd when reserved ports are exhausted +- 2217284 - The command "cancel -x " does not remove job files +- 2217954 - Enlarge backlog queue for listen() in cupsd + +* Wed Apr 26 2023 Zdenek Dohnal - 1:2.3.3op2-18 +- 2189919 - CGI scripts don't work with local Negotiate authentication + +* Mon Apr 03 2023 Zdenek Dohnal - 1:2.3.3op2-17 +- RHEL-314 - Enable fmf tests in centos stream + +* Thu Mar 23 2023 Zdenek Dohnal - 1:2.3.3op2-17 +- RHEL-317 - upstream test suite fails due uncorrect number of expected warnings + +* Wed Mar 15 2023 MSVSphere Packaging Team - 1:2.3.3op2-16 - Rebuilt for MSVSphere 9.1. * Thu Jun 16 2022 Zdenek Dohnal - 1:2.3.3op2-16 From 044eb3fd26893d707f77ff992b652cd1569c3abe Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 24 Jul 2024 03:34:28 +0300 Subject: [PATCH 2/2] import cups-2.3.3op2-27.el9_4 --- SOURCES/0001-Fix-domain-socket-handling.patch | 86 +++++++++++++++++ ...-Check-for-error-if-POLLHUP-is-in-va.patch | 43 +++++++++ ...-Print-to-stderr-if-we-don-t-open-cu.patch | 36 +++++++ SOURCES/cups-check-for-listeners.patch | 94 +++++++++++++++++++ SOURCES/cups-preservejobfiles-leak.patch | 31 ++++++ SOURCES/cups-socket-remove-on-stop.patch | 12 +++ SPECS/cups.spec | 62 +++++++++++- 7 files changed, 363 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-Fix-domain-socket-handling.patch create mode 100644 SOURCES/0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch create mode 100644 SOURCES/0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch create mode 100644 SOURCES/cups-check-for-listeners.patch create mode 100644 SOURCES/cups-preservejobfiles-leak.patch create mode 100644 SOURCES/cups-socket-remove-on-stop.patch diff --git a/SOURCES/0001-Fix-domain-socket-handling.patch b/SOURCES/0001-Fix-domain-socket-handling.patch new file mode 100644 index 0000000..1b1006c --- /dev/null +++ b/SOURCES/0001-Fix-domain-socket-handling.patch @@ -0,0 +1,86 @@ +diff --git a/cups/http-addr.c b/cups/http-addr.c +index 86749c848..5b035e02b 100644 +--- a/cups/http-addr.c ++++ b/cups/http-addr.c +@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ + { + mode_t mask; /* Umask setting */ + +- /* +- * Remove any existing domain socket file... +- */ +- +- unlink(addr->un.sun_path); +- +- /* +- * Save the current umask and set it to 0 so that all users can access +- * the domain socket... +- */ +- +- mask = umask(0); +- +- /* +- * Bind the domain socket... +- */ ++ // Remove any existing domain socket file... ++ if ((status = unlink(addr->un.sun_path)) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ if (errno == ENOENT) ++ status = 0; ++ } + +- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); ++ if (!status) ++ { ++ // Save the current umask and set it to 0 so that all users can access ++ // the domain socket... ++ mask = umask(0); + +- /* +- * Restore the umask and fix permissions... +- */ ++ // Bind the domain socket... ++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ } + +- umask(mask); +- chmod(addr->un.sun_path, 0140777); ++ // Restore the umask... ++ umask(mask); ++ } + } + else + #endif /* AF_LOCAL */ +diff --git a/scheduler/conf.c b/scheduler/conf.c +index bb6049b2c..4c703c9b9 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + + cupsd_listener_t *lis; /* New listeners array */ + ++ /* ++ * If we are launched on-demand, do not use domain sockets from the config ++ * file. Also check that the domain socket path is not too long... ++ */ ++ ++#ifdef HAVE_ONDEMAND ++ if (*value == '/' && OnDemand) ++ { ++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); ++ continue; ++ } ++#endif // HAVE_ONDEMAND ++ ++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) ++ { ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); ++ continue; ++ } + + /* + * Get the address list... diff --git a/SOURCES/0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch b/SOURCES/0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch new file mode 100644 index 0000000..a280b4f --- /dev/null +++ b/SOURCES/0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch @@ -0,0 +1,43 @@ +diff -up cups-2.2.6/cups/http-addrlist.c.cupsgetjobs-pollhup cups-2.2.6/cups/http-addrlist.c +--- cups-2.2.6/cups/http-addrlist.c.cupsgetjobs-pollhup 2023-12-19 18:25:15.484637450 +0100 ++++ cups-2.2.6/cups/http-addrlist.c 2023-12-19 18:28:57.129163387 +0100 +@@ -313,6 +313,39 @@ httpAddrConnect2( + { + # ifdef HAVE_POLL + DEBUG_printf(("pfds[%d].revents=%x\n", i, pfds[i].revents)); ++ ++# ifdef _WIN32 ++ if (((WSAGetLastError() == WSAEINPROGRESS) && (pfds[i].revents & POLLIN) && (pfds[i].revents & POLLOUT)) || ++ ((pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN|POLLOUT)))) ++# else ++ if (((errno == EINPROGRESS) && (pfds[i].revents & POLLIN) && (pfds[i].revents & POLLOUT)) || ++ ((pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN|POLLOUT)))) ++# endif /* _WIN32 */ ++ { ++ // Some systems generate POLLIN or POLLOUT together with POLLHUP when doing ++ // asynchronous connections. The solution seems to be to use getsockopt to ++ // check the SO_ERROR value and ignore the POLLHUP if there is no error or ++ // the error is EINPROGRESS. ++ ++ int sres, /* Return value from getsockopt() - 0, or -1 if error */ ++ serr; /* Option SO_ERROR value */ ++ socklen_t slen = sizeof(serr); /* Option value size */ ++ ++ sres = getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &serr, &slen); ++ ++ if (sres || serr) ++ { ++ pfds[i].revents |= POLLERR; ++# ifdef DEBUG ++ DEBUG_printf(("1httpAddrConnect2: getsockopt returned: %d with error: %s", sres, strerror(serr))); ++# endif ++ } ++ else if (pfds[i].revents && (pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN | POLLOUT))) ++ { ++ pfds[i].revents &= ~POLLHUP; ++ } ++ } ++ + if (pfds[i].revents && !(pfds[i].revents & (POLLERR | POLLHUP))) + # else + if (FD_ISSET(fds[i], &input_set) && !FD_ISSET(fds[i], &error_set)) diff --git a/SOURCES/0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch b/SOURCES/0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch new file mode 100644 index 0000000..0c7f8c3 --- /dev/null +++ b/SOURCES/0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch @@ -0,0 +1,36 @@ +From db9cecdd932e58c51d2d659f63415ad47d151717 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Fri, 1 Sep 2023 17:11:54 +0200 +Subject: [PATCH] scheduler/conf.c: Print to stderr if we don't open + cups-files.conf + +In case cupsd can't open the cups-files.conf, the error message is lost +if journal and syslog don't exist or work on system (usually in +containers). + +Log the error into stderr at this place to get the error message if +needed. +--- + scheduler/conf.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/scheduler/conf.c b/scheduler/conf.c +index b18535162..4fa7eb1df 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -811,11 +811,7 @@ cupsdReadConfiguration(void) + cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile); + else + { +-#ifdef HAVE_SYSTEMD_SD_JOURNAL_H +- sd_journal_print(LOG_ERR, "Unable to open \"%s\" - %s", CupsFilesFile, strerror(errno)); +-#else +- syslog(LOG_LPR, "Unable to open \"%s\" - %s", CupsFilesFile, strerror(errno)); +-#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */ ++ fprintf(stderr, "Unable to read \"%s\" - %s\n", CupsFilesFile, strerror(errno)); + + return (0); + } +-- +2.41.0 + diff --git a/SOURCES/cups-check-for-listeners.patch b/SOURCES/cups-check-for-listeners.patch new file mode 100644 index 0000000..ffbe8d2 --- /dev/null +++ b/SOURCES/cups-check-for-listeners.patch @@ -0,0 +1,94 @@ +diff --git a/scheduler/conf.c b/scheduler/conf.c +index c113eb3..77ce179 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -573,6 +573,18 @@ cupsdReadConfiguration(void) + + cupsdDeleteAllListeners(); + ++ /* ++ * Allocate Listeners array ++ */ ++ ++ Listeners = cupsArrayNew(NULL, NULL); ++ ++ if (!Listeners) ++ { ++ fprintf(stderr, "Unable to allocate memory for array Listeners.\n"); ++ return (0); ++ } ++ + old_remote_port = RemotePort; + RemotePort = 0; + +@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void) + } + } + +- /* +- * Check that we have at least one listen/port line; if not, report this +- * as an error and exit! +- */ +- +- if (cupsArrayCount(Listeners) == 0) +- { +- /* +- * No listeners! +- */ +- +- cupsdLogMessage(CUPSD_LOG_EMERG, +- "No valid Listen or Port lines were found in the " +- "configuration file."); +- +- /* +- * Commit suicide... +- */ +- +- cupsdEndProcess(getpid(), 0); +- } +- + /* + * Set the default locale using the language and charset... + */ +@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + * Allocate another listener... + */ + +- if (!Listeners) +- Listeners = cupsArrayNew(NULL, NULL); +- +- if (!Listeners) +- { +- cupsdLogMessage(CUPSD_LOG_ERROR, +- "Unable to allocate %s at line %d - %s.", +- line, linenum, strerror(errno)); +- break; +- } +- + if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL) + { + cupsdLogMessage(CUPSD_LOG_ERROR, +diff --git a/scheduler/main.c b/scheduler/main.c +index a6e2c3a..b935c52 100644 +--- a/scheduler/main.c ++++ b/scheduler/main.c +@@ -2113,6 +2113,21 @@ service_checkin(void) + service_add_listener(fd, 0); + } + #endif /* HAVE_LAUNCHD */ ++ ++ if (cupsArrayCount(Listeners) == 0) ++ { ++ /* ++ * No listeners! ++ */ ++ ++ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present."); ++ ++ /* ++ * Commit suicide... ++ */ ++ ++ cupsdEndProcess(getpid(), 0); ++ } + } diff --git a/SOURCES/cups-preservejobfiles-leak.patch b/SOURCES/cups-preservejobfiles-leak.patch new file mode 100644 index 0000000..c1c132d --- /dev/null +++ b/SOURCES/cups-preservejobfiles-leak.patch @@ -0,0 +1,31 @@ +diff --git a/scheduler/colorman.c b/scheduler/colorman.c +index 8af4e5c..9bfdb0c 100644 +--- a/scheduler/colorman.c ++++ b/scheduler/colorman.c +@@ -1083,7 +1083,7 @@ colord_create_profile( + + dbus_message_iter_get_basic(&args, &profile_path); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Created profile \"%s\".", profile_path); +- cupsArrayAdd(profiles, strdup(profile_path)); ++ cupsArrayAdd(profiles, profile_path); + + out: + +diff --git a/scheduler/job.c b/scheduler/job.c +index 0223bee..47d4c72 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -1496,11 +1496,11 @@ cupsdDeleteJob(cupsd_job_t *job, /* I - Job */ + job->num_files = 0; + } + ++ unload_job(job); ++ + if (job->history) + free_job_history(job); + +- unload_job(job); +- + cupsArrayRemove(Jobs, job); + cupsArrayRemove(ActiveJobs, job); + cupsArrayRemove(PrintingJobs, job); diff --git a/SOURCES/cups-socket-remove-on-stop.patch b/SOURCES/cups-socket-remove-on-stop.patch new file mode 100644 index 0000000..0987774 --- /dev/null +++ b/SOURCES/cups-socket-remove-on-stop.patch @@ -0,0 +1,12 @@ +diff --git a/scheduler/cups.socket.in b/scheduler/cups.socket.in +index 613b977a6..1deee826a 100644 +--- a/scheduler/cups.socket.in ++++ b/scheduler/cups.socket.in +@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service + + [Socket] + ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@ ++RemoveOnStop=on + + [Install] + WantedBy=sockets.target diff --git a/SPECS/cups.spec b/SPECS/cups.spec index 6e9cb14..7131d94 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -24,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 21%{?dist} +Release: 27%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -126,6 +126,25 @@ Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch Patch35: 0001-cups-strlcpy-handle-zero-size.patch # CVE-2023-32360 cups: Information leak through Cups-Get-Document operation Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch +# RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off" +Patch37: cups-preservejobfiles-leak.patch +# RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost +Patch38: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch +# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents +Patch39: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/a436956 +Patch40: 0001-Fix-domain-socket-handling.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/3448c52 +Patch41: cups-socket-remove-on-stop.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/7adb508 +# https://github.com/OpenPrinting/cups/commit/824f49f +# https://github.com/OpenPrinting/cups/commit/56b9728 +# https://github.com/OpenPrinting/cups/commit/74f437b +# https://github.com/OpenPrinting/cups/commit/fb0c914 +Patch42: cups-check-for-listeners.patch ##### Patches removed because IMHO they aren't no longer needed @@ -381,6 +400,25 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch35 -p1 -b .cve32324 # CVE-2023-32360 cups: Information leak through Cups-Get-Document operation %patch36 -p1 -b .get-document-auth +# RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off" +%patch37 -p1 -b .preservejobfiles-leak +# RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost +%patch38 -p1 -b .log-stderr +# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents +%patch39 -p1 -b .cupsgetjobs-pollhup +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/a436956 +%patch40 -p1 -b .cve2024-35235 +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/3448c52 +%patch41 -p1 -b .cups-socket-remove-on-stop.patch +# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 +# https://github.com/OpenPrinting/cups/commit/7adb508 +# https://github.com/OpenPrinting/cups/commit/824f49f +# https://github.com/OpenPrinting/cups/commit/56b9728 +# https://github.com/OpenPrinting/cups/commit/74f437b +# https://github.com/OpenPrinting/cups/commit/fb0c914 +%patch42 -p1 -b .cups-check-for-listeners.patch %if %{lspp} # LSPP support. @@ -815,6 +853,28 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Wed Jun 19 2024 Pavol Zacik - 1:2.3.3op2-27 +- Revert the cups-libs license identifier to the "legacy" format + +* Tue Jun 18 2024 Pavol Zacik - 1:2.3.3op2-26 +- RHEL-40388 cups: Cupsd Listen arbitrary chmod 0140777 +- Delete the domain socket file after stopping the cups.socket service +- Fix cupsd Listener checks + +* Mon Jun 10 2024 Pavol Zacik - 1:2.3.3op2-25 +- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 + +* Mon Feb 26 2024 Zdenek Dohnal - 1:2.3.3op2-24 +- revert RHEL-19205 - new packages are not needed + +* Wed Dec 20 2023 Zdenek Dohnal - 1:2.3.3op2-23 +- RHEL-19205 Recommend new cups-filters subpackages with weak dep for better upgrade exp +- RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents + +* Thu Nov 02 2023 Zdenek Dohnal - 1:2.3.3op2-22 +- RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off" +- RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost + * Tue Aug 29 2023 Zdenek Dohnal - 1:2.3.3op2-21 - bump the spec because the previous build was made with buildroot 9.2