Merge branch 'i9c' into i9

i9 changed/i9/cups-2.3.3op2-27.el9_4.inferit
Arkady L. Shane 4 months ago
commit d5c9899d81
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503

@ -0,0 +1,21 @@
diff -up cups-2.3.3op2/backend/lpd.c.lpd-delay cups-2.3.3op2/backend/lpd.c
--- cups-2.3.3op2/backend/lpd.c.lpd-delay 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/backend/lpd.c 2023-06-28 17:28:52.465476261 +0200
@@ -63,7 +63,7 @@ static int abort_job = 0; /* Non-zero i
#define RESERVE_NONE 0 /* Don't reserve a priviledged port */
#define RESERVE_RFC1179 1 /* Reserve port 721-731 */
-#define RESERVE_ANY 2 /* Reserve port 1-1023 */
+#define RESERVE_ANY 2 /* Reserve port 512-1023 */
/*
@@ -778,7 +778,7 @@ lpd_queue(const char *hostname, /*
if (lport < 721 && reserve == RESERVE_RFC1179)
lport = 731;
- else if (lport < 1)
+ else if (lport < 512)
lport = 1023;
#ifdef HAVE_GETEUID

@ -0,0 +1,86 @@
diff --git a/cups/http-addr.c b/cups/http-addr.c
index 86749c848..5b035e02b 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
{
mode_t mask; /* Umask setting */
- /*
- * Remove any existing domain socket file...
- */
-
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
-
- /*
- * Bind the domain socket...
- */
+ // Remove any existing domain socket file...
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ if (errno == ENOENT)
+ status = 0;
+ }
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
- /*
- * Restore the umask and fix permissions...
- */
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Restore the umask...
+ umask(mask);
+ }
}
else
#endif /* AF_LOCAL */
diff --git a/scheduler/conf.c b/scheduler/conf.c
index bb6049b2c..4c703c9b9 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
cupsd_listener_t *lis; /* New listeners array */
+ /*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
/*
* Get the address list...

@ -0,0 +1,64 @@
From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
From: Rose <83477269+AtariDreams@users.noreply.github.com>
Date: Thu, 1 Jun 2023 11:33:39 -0400
Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
We have to log the hostname first.
---
scheduler/client.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/scheduler/client.c b/scheduler/client.c
index 91e441188..327473a4d 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
/*
* Can't have an unresolved IP address with double-lookups enabled...
*/
-
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "Name lookup failed - connection from %s closed!",
+ "Name lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
+ httpClose(con->http);
free(con);
return;
}
@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
* with double-lookups enabled...
*/
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
- "IP lookup failed - connection from %s closed!",
+ "IP lookup failed - closing connection from %s!",
httpGetHostname(con->http, NULL, 0));
+
+ httpClose(con->http);
free(con);
return;
}
@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
if (!hosts_access(&wrap_req))
{
- httpClose(con->http);
-
cupsdLogClient(con, CUPSD_LOG_WARN,
"Connection from %s refused by /etc/hosts.allow and "
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
+
+ httpClose(con->http);
free(con);
return;
}
--
2.41.0

@ -0,0 +1,48 @@
From c5ad7aaf6c8063a39974c6b4a3cf59b7f912daae Mon Sep 17 00:00:00 2001
From: Bryan Mason <bmason@redhat.com>
Date: Tue, 27 Jun 2023 04:18:46 -0700
Subject: [PATCH 1/2] Use "purge-job" instead of "purge-jobs" when canceling a
single job (#742)
The command "cancel -x <job>" adds "purge-jobs true" to the Cancel-Job
operation; however, the correct attribute to use for Cancel-job is
"purge-job" (singular), not "purge-jobs" (plural). As a result, job
files are not removed from /var/spool/cups when "cancel -x <job>" is
executed.
This patch resolves the issue by adding "purge-job" when the IPP
operation is Cancel-Job and "purge-jobs" for other IPP operations
(Purge-Jobs, Cancel-Jobs, and Cancel-My-Jobs)
---
systemv/cancel.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/systemv/cancel.c b/systemv/cancel.c
index 572f413e1..f5b8e12b5 100644
--- a/systemv/cancel.c
+++ b/systemv/cancel.c
@@ -260,6 +260,7 @@ main(int argc, /* I - Number of command-line arguments */
* attributes-natural-language
* printer-uri + job-id *or* job-uri
* [requesting-user-name]
+ * [purge-job] or [purge-jobs]
*/
request = ippNewRequest(op);
@@ -294,7 +295,12 @@ main(int argc, /* I - Number of command-line arguments */
"requesting-user-name", NULL, cupsUser());
if (purge)
- ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
+ {
+ if (op == IPP_CANCEL_JOB)
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-job", (char)purge);
+ else
+ ippAddBoolean(request, IPP_TAG_OPERATION, "purge-jobs", (char)purge);
+ }
/*
* Do the request and get back a response...
--
2.41.0

@ -0,0 +1,35 @@
From 876fdc1c90a885a58644c8757bc1283c9fd5bcb7 Mon Sep 17 00:00:00 2001
From: Vasilis Liaskovitis <vliaskovitis@suse.com>
Date: Wed, 1 Mar 2023 13:46:28 +0100
Subject: [PATCH] cups/http-addr.c: Set listen backlog size to INT_MAX (fixes
#308)
Use a listen queue size of INT_MAX, which should default to the maximum
supported queue size on the system.
This avoids the problem of the listening backlog queue getting full when
there are too many requests at the same time. The problem was observed
with the previous backlog size (128) by customers when submitting large
batches of print jobs, resulting in some jobs getting lost.
Signed-off-by: Vasilis Liaskovitis <vliaskovitis@suse.com>
---
cups/http-addr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cups/http-addr.c b/cups/http-addr.c
index a61ee0449..6aeeb8074 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -249,7 +249,7 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
* Listen...
*/
- if (listen(fd, 128))
+ if (listen(fd, INT_MAX))
{
_cupsSetHTTPError(HTTP_STATUS_ERROR);
--
2.41.0

@ -0,0 +1,34 @@
From 5e3107e734f06d410a490e8bc923dc3119f17671 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 17 May 2023 12:59:57 -0400
Subject: [PATCH] Consensus fix.
---
cups/string.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cups/string.c b/cups/string.c
index 00454203c..b4fc12050 100644
--- a/cups/string.c
+++ b/cups/string.c
@@ -1,6 +1,7 @@
/*
* String functions for CUPS.
*
+ * Copyright © 2023 by OpenPrinting.
* Copyright © 2007-2019 by Apple Inc.
* Copyright © 1997-2007 by Easy Software Products.
*
@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
size_t srclen; /* Length of source string */
+ if (size == 0)
+ return (0);
+
/*
* Figure out how much room is needed...
*/
--
2.40.1

@ -0,0 +1,43 @@
diff -up cups-2.2.6/cups/http-addrlist.c.cupsgetjobs-pollhup cups-2.2.6/cups/http-addrlist.c
--- cups-2.2.6/cups/http-addrlist.c.cupsgetjobs-pollhup 2023-12-19 18:25:15.484637450 +0100
+++ cups-2.2.6/cups/http-addrlist.c 2023-12-19 18:28:57.129163387 +0100
@@ -313,6 +313,39 @@ httpAddrConnect2(
{
# ifdef HAVE_POLL
DEBUG_printf(("pfds[%d].revents=%x\n", i, pfds[i].revents));
+
+# ifdef _WIN32
+ if (((WSAGetLastError() == WSAEINPROGRESS) && (pfds[i].revents & POLLIN) && (pfds[i].revents & POLLOUT)) ||
+ ((pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN|POLLOUT))))
+# else
+ if (((errno == EINPROGRESS) && (pfds[i].revents & POLLIN) && (pfds[i].revents & POLLOUT)) ||
+ ((pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN|POLLOUT))))
+# endif /* _WIN32 */
+ {
+ // Some systems generate POLLIN or POLLOUT together with POLLHUP when doing
+ // asynchronous connections. The solution seems to be to use getsockopt to
+ // check the SO_ERROR value and ignore the POLLHUP if there is no error or
+ // the error is EINPROGRESS.
+
+ int sres, /* Return value from getsockopt() - 0, or -1 if error */
+ serr; /* Option SO_ERROR value */
+ socklen_t slen = sizeof(serr); /* Option value size */
+
+ sres = getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &serr, &slen);
+
+ if (sres || serr)
+ {
+ pfds[i].revents |= POLLERR;
+# ifdef DEBUG
+ DEBUG_printf(("1httpAddrConnect2: getsockopt returned: %d with error: %s", sres, strerror(serr)));
+# endif
+ }
+ else if (pfds[i].revents && (pfds[i].revents & POLLHUP) && (pfds[i].revents & (POLLIN | POLLOUT)))
+ {
+ pfds[i].revents &= ~POLLHUP;
+ }
+ }
+
if (pfds[i].revents && !(pfds[i].revents & (POLLERR | POLLHUP)))
# else
if (FD_ISSET(fds[i], &input_set) && !FD_ISSET(fds[i], &error_set))

@ -0,0 +1,36 @@
From db9cecdd932e58c51d2d659f63415ad47d151717 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Fri, 1 Sep 2023 17:11:54 +0200
Subject: [PATCH] scheduler/conf.c: Print to stderr if we don't open
cups-files.conf
In case cupsd can't open the cups-files.conf, the error message is lost
if journal and syslog don't exist or work on system (usually in
containers).
Log the error into stderr at this place to get the error message if
needed.
---
scheduler/conf.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/scheduler/conf.c b/scheduler/conf.c
index b18535162..4fa7eb1df 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -811,11 +811,7 @@ cupsdReadConfiguration(void)
cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
else
{
-#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
- sd_journal_print(LOG_ERR, "Unable to open \"%s\" - %s", CupsFilesFile, strerror(errno));
-#else
- syslog(LOG_LPR, "Unable to open \"%s\" - %s", CupsFilesFile, strerror(errno));
-#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
+ fprintf(stderr, "Unable to read \"%s\" - %s\n", CupsFilesFile, strerror(errno));
return (0);
}
--
2.41.0

@ -0,0 +1,94 @@
diff --git a/scheduler/conf.c b/scheduler/conf.c
index c113eb3..77ce179 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -573,6 +573,18 @@ cupsdReadConfiguration(void)
cupsdDeleteAllListeners();
+ /*
+ * Allocate Listeners array
+ */
+
+ Listeners = cupsArrayNew(NULL, NULL);
+
+ if (!Listeners)
+ {
+ fprintf(stderr, "Unable to allocate memory for array Listeners.\n");
+ return (0);
+ }
+
old_remote_port = RemotePort;
RemotePort = 0;
@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void)
}
}
- /*
- * Check that we have at least one listen/port line; if not, report this
- * as an error and exit!
- */
-
- if (cupsArrayCount(Listeners) == 0)
- {
- /*
- * No listeners!
- */
-
- cupsdLogMessage(CUPSD_LOG_EMERG,
- "No valid Listen or Port lines were found in the "
- "configuration file.");
-
- /*
- * Commit suicide...
- */
-
- cupsdEndProcess(getpid(), 0);
- }
-
/*
* Set the default locale using the language and charset...
*/
@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
* Allocate another listener...
*/
- if (!Listeners)
- Listeners = cupsArrayNew(NULL, NULL);
-
- if (!Listeners)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to allocate %s at line %d - %s.",
- line, linenum, strerror(errno));
- break;
- }
-
if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
diff --git a/scheduler/main.c b/scheduler/main.c
index a6e2c3a..b935c52 100644
--- a/scheduler/main.c
+++ b/scheduler/main.c
@@ -2113,6 +2113,21 @@ service_checkin(void)
service_add_listener(fd, 0);
}
#endif /* HAVE_LAUNCHD */
+
+ if (cupsArrayCount(Listeners) == 0)
+ {
+ /*
+ * No listeners!
+ */
+
+ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present.");
+
+ /*
+ * Commit suicide...
+ */
+
+ cupsdEndProcess(getpid(), 0);
+ }
}

@ -167,11 +167,11 @@ index 4498a8c..8776874 100755
count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
-if test $count != 8; then
- echo "FAIL: $count warning messages, expected 8."
+if test $count != 10; then
+ echo "FAIL: $count warning messages, expected 10."
+if test $count != 9; then
+ echo "FAIL: $count warning messages, expected 9."
$GREP '^W ' $BASE/log/error_log
- echo " <p>FAIL: $count warning messages, expected 8.</p>" >>$strfile
+ echo " <p>FAIL: $count warning messages, expected 10.</p>" >>$strfile
+ echo " <p>FAIL: $count warning messages, expected 9.</p>" >>$strfile
echo " <pre>" >>$strfile
$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&amp;/g' -e '1,$s/</&lt;/g' >>$strfile
echo " </pre>" >>$strfile

@ -0,0 +1,115 @@
diff --git a/cups/auth.c b/cups/auth.c
index db45bbb..b6fec6b 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
# define cups_gss_printf(major, minor, message)
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int cups_is_local_connection(http_t *http);
static int cups_local_auth(http_t *http);
@@ -174,10 +175,10 @@ cupsDoAuthentication(
DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
#ifdef HAVE_GSSAPI
- if (!_cups_strcasecmp(scheme, "Negotiate"))
+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
{
/*
- * Kerberos authentication...
+ * Kerberos authentication to remote server...
*/
int gss_status; /* Auth status */
@@ -201,7 +202,9 @@ cupsDoAuthentication(
}
else
#endif /* HAVE_GSSAPI */
- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
+ if (_cups_strcasecmp(scheme, "Basic") &&
+ _cups_strcasecmp(scheme, "Digest") &&
+ _cups_strcasecmp(scheme, "Negotiate"))
{
/*
* Other schemes not yet supported...
@@ -215,7 +218,7 @@ cupsDoAuthentication(
* See if we should retry the current username:password...
*/
- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
+ if (http->digest_tries > 1 || !http->userpass[0])
{
/*
* Nope - get a new password from the user...
@@ -295,7 +298,7 @@ cupsDoAuthentication(
}
}
- if (http->authstring)
+ if (http->authstring && http->authstring[0])
{
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
@@ -916,6 +919,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
# endif /* DEBUG */
#endif /* HAVE_GSSAPI */
+static int /* O - 0 if not a local connection */
+ /* 1 if local connection */
+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
+{
+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ return 0;
+ return 1;
+}
/*
* 'cups_local_auth()' - Get the local authorization certificate if
@@ -958,7 +969,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
* See if we are accessing localhost...
*/
- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+ if (!cups_is_local_connection(http))
{
DEBUG_puts("8cups_local_auth: Not a local connection!");
return (1);
@@ -1032,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
}
# endif /* HAVE_AUTHORIZATION_H */
-# ifdef HAVE_GSSAPI
- if (cups_auth_find(www_auth, "Negotiate"))
- return (1);
-# endif /* HAVE_GSSAPI */
-
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
/*
* See if we can authenticate using the peer credentials provided over a
diff --git a/scheduler/client.c b/scheduler/client.c
index 89c76bf..40708d9 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2244,18 +2244,13 @@ cupsdSendHeader(
}
else if (auth_type == CUPSD_AUTH_NEGOTIATE)
{
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
- else
-#endif /* SO_PEERCRED && AF_LOCAL */
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
}
- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
{
/*
- * Add a "trc" (try root certification) parameter for local non-Kerberos
+ * Add a "trc" (try root certification) parameter for local
* requests when the request requires system group membership - then the
* client knows the root certificate can/should be used.
*

@ -0,0 +1,31 @@
diff --git a/scheduler/colorman.c b/scheduler/colorman.c
index 8af4e5c..9bfdb0c 100644
--- a/scheduler/colorman.c
+++ b/scheduler/colorman.c
@@ -1083,7 +1083,7 @@ colord_create_profile(
dbus_message_iter_get_basic(&args, &profile_path);
cupsdLogMessage(CUPSD_LOG_DEBUG, "Created profile \"%s\".", profile_path);
- cupsArrayAdd(profiles, strdup(profile_path));
+ cupsArrayAdd(profiles, profile_path);
out:
diff --git a/scheduler/job.c b/scheduler/job.c
index 0223bee..47d4c72 100644
--- a/scheduler/job.c
+++ b/scheduler/job.c
@@ -1496,11 +1496,11 @@ cupsdDeleteJob(cupsd_job_t *job, /* I - Job */
job->num_files = 0;
}
+ unload_job(job);
+
if (job->history)
free_job_history(job);
- unload_job(job);
-
cupsArrayRemove(Jobs, job);
cupsArrayRemove(ActiveJobs, job);
cupsArrayRemove(PrintingJobs, job);

@ -0,0 +1,12 @@
diff --git a/scheduler/cups.socket.in b/scheduler/cups.socket.in
index 613b977a6..1deee826a 100644
--- a/scheduler/cups.socket.in
+++ b/scheduler/cups.socket.in
@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
[Socket]
ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
+RemoveOnStop=on
[Install]
WantedBy=sockets.target

@ -24,7 +24,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 2.3.3%{OP_VER}
Release: 16%{?dist}.1.inferit.1
Release: 27%{?dist}.inferit
License: ASL 2.0
Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -112,8 +112,39 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
# 2189919 - CGI scripts don't work with local Negotiate authentication
Patch30: cups-local-negotiate.patch
# 2217177 - Delays printing to lpd when reserved ports are exhausted
Patch31: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch
# 2217284 - The command "cancel -x <job>" does not remove job files
Patch32: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch
# 2217954 - Enlarge backlog queue for listen() in cupsd
Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
Patch35: 0001-cups-strlcpy-handle-zero-size.patch
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
Patch30: 0001-Require-authentication-for-CUPS-Get-Document.patch
Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch
# RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off"
Patch37: cups-preservejobfiles-leak.patch
# RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost
Patch38: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
Patch39: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/a436956
Patch40: 0001-Fix-domain-socket-handling.patch
# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/3448c52
Patch41: cups-socket-remove-on-stop.patch
# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/7adb508
# https://github.com/OpenPrinting/cups/commit/824f49f
# https://github.com/OpenPrinting/cups/commit/56b9728
# https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914
Patch42: cups-check-for-listeners.patch
Patch101: 0001-Fixed-case-when-no-username-request-on-printing.patch
@ -356,8 +387,39 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch28 -p1 -b .manpage-update
# CVE-2022-26691 cups: authorization bypass when using "local" authorization
%patch29 -p1 -b .cve26691
# 2189919 - CGI scripts don't work with local Negotiate authentication
%patch30 -p1 -b .local-negotiate
# 2217177 - Delays printing to lpd when reserved ports are exhausted
%patch31 -p1 -b .lpd-delay
# 2217284 - The command "cancel -x <job>" does not remove job files
%patch32 -p1 -b .purge-job
# 2217954 - Enlarge backlog queue for listen() in cupsd
%patch33 -p1 -b .listen-backlog
# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
%patch34 -p1 -b .cve34241
# CVE-2023-32324 cups: heap buffer overflow may lead to DoS
%patch35 -p1 -b .cve32324
# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
%patch30 -p1 -b .get-document-auth
%patch36 -p1 -b .get-document-auth
# RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off"
%patch37 -p1 -b .preservejobfiles-leak
# RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost
%patch38 -p1 -b .log-stderr
# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
%patch39 -p1 -b .cupsgetjobs-pollhup
# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/a436956
%patch40 -p1 -b .cve2024-35235
# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/3448c52
%patch41 -p1 -b .cups-socket-remove-on-stop.patch
# RHEL-40388 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/7adb508
# https://github.com/OpenPrinting/cups/commit/824f49f
# https://github.com/OpenPrinting/cups/commit/56b9728
# https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914
%patch42 -p1 -b .cups-check-for-listeners.patch
%if %{lspp}
# LSPP support.
@ -794,13 +856,56 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz
%changelog
* Wed Sep 13 2023 Alexey Berezhok <alexey.berezhok@msvsphere-os.ru> - 1:2.3.3op2-16.1.inferit.1
- Fixed case when no username request on printing
* Wed Jun 19 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-27
- Revert the cups-libs license identifier to the "legacy" format
* Tue Jun 18 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-26
- RHEL-40388 cups: Cupsd Listen arbitrary chmod 0140777
- Delete the domain socket file after stopping the cups.socket service
- Fix cupsd Listener checks
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-25
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
* Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-24
- revert RHEL-19205 - new packages are not needed
* Wed Dec 20 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-23
- RHEL-19205 Recommend new cups-filters subpackages with weak dep for better upgrade exp
- RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
* Thu Nov 02 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-22
- RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off"
- RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-21
- bump the spec because the previous build was made with buildroot 9.2
* Tue Aug 15 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16.1
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-20
- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.3.3op2-16
* Thu Jun 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c
- CVE-2023-32324 cups: heap buffer overflow may lead to DoS
* Wed Jun 28 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-19
- 2217177 - Delays printing to lpd when reserved ports are exhausted
- 2217284 - The command "cancel -x <job>" does not remove job files
- 2217954 - Enlarge backlog queue for listen() in cupsd
* Wed Apr 26 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-18
- 2189919 - CGI scripts don't work with local Negotiate authentication
* Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
- RHEL-314 - Enable fmf tests in centos stream
* Thu Mar 23 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
- RHEL-317 - upstream test suite fails due uncorrect number of expected warnings
* Thu Mar 16 2023 Alexey Berezhok <alexey.berezhok@msvsphere-os.ru> - 1:2.3.3op2-16.1.inferit.1
- Fixed case when no username request on printing
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1:2.3.3op2-16
- Rebuilt for MSVSphere 9.1.
* Thu Jun 16 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-16

Loading…
Cancel
Save