Revisions of cups
buildservice-autocommit
accepted
request 980461
from
Johannes Meixner (jsmeix)
(revision 388)
Johannes Meixner (jsmeix)
(revision 388)
baserev update by copy to link target
Johannes Meixner (jsmeix)
accepted
request 979802
from
Johannes Meixner (jsmeix)
(revision 387)
CUPS version upgrade to 2.4.2 which includes a fix for CVE-2022-26691 (#bsc1199474)
buildservice-autocommit
accepted
request 969223
from
Factory Maintainer (factory-maintainer)
(revision 386)
Factory Maintainer (factory-maintainer)
(revision 386)
baserev update by copy to link target
Johannes Meixner (jsmeix)
accepted
request 966839
from
Johannes Meixner (jsmeix)
(revision 385)
Move cups.pc to %{_libdir} if it is not yet there because cups.pc is arch dependent
Johannes Meixner (jsmeix)
accepted
request 963969
from
Johannes Meixner (jsmeix)
(revision 384)
Added changelog entries for missing info about removed and added patches
Johannes Meixner (jsmeix)
accepted
request 959438
from
Johannes Meixner (jsmeix)
(revision 383)
Do not error out when make test fails
Johannes Meixner (jsmeix)
accepted
request 959347
from
Johannes Meixner (jsmeix)
(revision 382)
Improved comments and have cups.keyring in ASCII armored format
Johannes Meixner (jsmeix)
accepted
request 958348
from
Aurélien Joga (ajoga)
(revision 381)
- Version upgrade to 2.4.1
- Dropped patch upstream_pull_174 because it it is included in this release
- Dropped patch cups-2.1.0-cups-systemd-socket.patch because it it is included in this release (https://github.com/OpenPrinting/cups/commit/e96e96b4bd0d4e6f634bbb66b95d6e475501541c)
- Changed upstream source packages signing key (https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579)
- Re-enabled testsuite
* Also removed make check because since upstream change the two target are identical (https://github.com/OpenPrinting/cups/commit/96ba46ebc818b610b0e40cbc9d62ef1dcd3ec9b6#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52R239)
- Changed cups-2.1.0-cups-systemd-socket.patch to accomodate new coding style
- Changed cups-config-libs.orig to accommodate recent code changes (SSL->TLS)
- Changed cups-2.1.0-default-webcontent-path.patch to accommodate code changes
old: Printing/cups
new: home:ajoga:branches:openSUSE:Factory/cups rev None
Index: cups-2.1.0-default-webcontent-path.patch
===================================================================
--- cups-2.1.0-default-webcontent-path.patch (revision 380)
+++ cups-2.1.0-default-webcontent-path.patch (revision 2)
@@ -1,17 +1,21 @@
---- config-scripts/cups-directories.m4.orig 2014-03-21 17:42:53.000000000 +0100
-+++ config-scripts/cups-directories.m4 2015-09-01 11:08:43.000000000 +0200
-@@ -206,11 +206,11 @@ fi
- AC_SUBST(MENUDIR)
+--- config-scripts/cups-directories.m4
++++ config-scripts/cups-directories.m4.orig
+@@ -166,15 +166,15 @@ AS_IF([test "x$menudir" = x], [
+ AC_SUBST([MENUDIR])
# Documentation files
--AC_ARG_WITH(docdir, [ --with-docdir set path for documentation],docdir="$withval",docdir="")
-+AC_ARG_WITH(docdir, [ --with-docdir set path and DocumentRoot directive for web content, default=datadir/cups/webcontent],docdir="$withval",docdir="")
+-AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path for documentation]), [
++AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path and DocumentRoot directive for web content, default=datadir/cups/webcontent]), [
+ docdir="$withval"
+ ], [
+ docdir=""
+ ])
- if test x$docdir = x; then
-- CUPS_DOCROOT="$datadir/doc/cups"
-- docdir="$datadir/doc/cups"
-+ CUPS_DOCROOT="$datadir/cups/webcontent"
-+ docdir="$datadir/cups/webcontent"
- else
- CUPS_DOCROOT="$docdir"
- fi
+ AS_IF([test x$docdir = x], [
+- CUPS_DOCROOT="$datadir/doc/cups"
+- docdir="$datadir/doc/cups"
++ CUPS_DOCROOT="$datadir/cups/webcontent"
++ docdir="$datadir/cups/webcontent"
+ ], [
+ CUPS_DOCROOT="$docdir"
+ ])
Index: cups-config-libs.patch
===================================================================
--- cups-config-libs.patch (revision 380)
+++ cups-config-libs.patch (revision 2)
@@ -4,7 +4,7 @@
# flags for compiler and linker...
CFLAGS=""
LDFLAGS="@EXPORT_LDFLAGS@"
--LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_SSLLIBS@ @LIBZ@ @LIBS@"
+-LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_TLSLIBS@ @LIBZ@ @LIBS@"
+LIBS=""
# Check for local invocation...
Index: cups.changes
===================================================================
--- cups.changes (revision 380)
+++ cups.changes (revision 2)
@@ -1,4 +1,88 @@
-------------------------------------------------------------------
+Tue Mar 1 18:16:11 UTC 2022 - Aurélien Joga <aurelienjoga@gmail.com>
+
+- Version upgrade to 2.4.1:
+ * The default color mode now is now configurable and defaults to the printer's reported default mode (Issue #277)
+ * Configuration script now checks linking for -Wl,-pie flags (Issue #303)
+ * Fixed memory leaks - in testi18n (Issue #313), in cups_enum_dests() (Issue #317), in _cupsEncodeOption() and http_tls_upgrade() (Issue #322)
+ * Fixed missing bracket in de/index.html (Issue #299)
+ * Fixed typos in configuration scripts (Issues #304, #316)
+ * Removed remaining legacy code for RIP_MAX_CACHE environment variable (Issue #323)
+ * Removed deprecated directives from cupsctl and cups-files.conf (Issue #300)
+ * Removed purge-jobs legacy code from CGI scripts and templates (Issue #325)
+ * Added configure option --with-idle-exit-timeout (Issue #294)
+ * Added --with-systemd-timeoutstartsec configure option (Issue #298)
+ * DigestOptions now are applied for MD5 Digest authentication defined by RFC 2069 as well (Issue #287)
+ * Fixed compilation on Solaris (Issue #293)
+ * Fixed and improved German translations (Issue #296, Issue #297)
+ * Added warning and debug messages when loading printers if the queue is raw or with driver (Issue #286)
+ * Compilation now uses -fstack-protector-strong if available (Issue #285)
+ * Added support for CUPS running in a Snapcraft snap.
+ * Added basic OAuth 2.0 client support (Issue #100)
+ * Added support for AirPrint and Mopria clients (Issue #105)
+ * Added configure support for specifying systemd dependencies in the CUPS service file (Issue #144)
+ * Added several features and improvements to ipptool (Issue #153)
+ * Added a JSON output mode for ipptool.
+ * The ipptool command now correctly reports an error when a test file cannot be found.
+ * CUPS library now uses thread safe getpwnam_r and getpwuid_r functions (Issue #274)
+ * Fixed Kerberos authentication for the web interface (Issue #19)
+ * The ZPL sample driver now supports more "standard" label sizes (Issue #70)
+ * Fixed reporting of printer instances when enumerating and when no options are set for the main instance (Issue #71)
+ * Reverted USB read limit enforcement change from CUPS 2.2.12 (Issue #72)
+ * The IPP backend did not return the correct status code when a job was canceled at the printer/server (Issue #74)
+ * The testlang unit test program now loops over all of the available locales by default (Issue #85)
+ * The cupsfilter command now shows error messages when options are used incorrectly (Issue #88)
+ * The PPD functions now treat boolean values as case-insensitive (Issue #106)
+ * Temporary queue names no longer end with an underscore (Issue #110)
+ * The USB backend now runs as root (Issue #121)
+ * Added pkg-config file for libcups (Issue #122)
+ * Fixed a PPD memory leak caused by emulator definitions (Issue #124)
+ * Fixed a DISPLAY bug in ipptool (Issue #139)
+ * The scheduler now includes the [Job N] prefix for job log messages, even when using syslog logging (Issue #154)
+ * Added support for locales using the GB18030 character set (Issue #159)
+ * httpReconnect2 did not reset the socket file descriptor when the TLS negotiation failed (Apple #5907)
+ * httpUpdate did not reset the socket file descriptor when the TLS negotiation failed (Apple #5915)
+ * The IPP backend now retries Validate-Job requests (Issue #132)
+ * Now show better error messages when a driver interface program fails to provide a PPD file (Issue #148)
+ * Added dark mode support to the CUPS web interface (Issue #152)
+ * Added a workaround for Solaris in httpAddrConnect2 (Issue #156)
+ * Fixed an interaction between --remote-admin and --remote-any for the cupsctl command (Issue #158)
+ * Now use a 60 second timeout for reading USB backchannel data (Issue #160)
+ * The USB backend now tries harder to find a serial number (Issue #170)
+ * Fixed @IF(name) handling in cupsd.conf (Apple #5918)
+ * Fixed documentation and added examples for CUPS' limited CGI support (Apple #5940)
+ * Fixed the lpc command prompt (Apple #5946)
+ * Now always pass "localhost" in the Host: header when talking over a domain socket or the loopback interface (Issue #185)
+ * Fixed a job history update issue in the scheduler (Issue #187)
+ * Fixed job-pages-per-set value for duplex print jobs.
+ * Fixed an edge case in ippReadIO to make sure that only complete attributes and values are retained on an error (Issue #195)
+ * Hardened ippReadIO to prevent invalid IPP messages from being propagated (Issue #195, Issue #196)
+ * The scheduler now supports the "everywhere" model directly (Issue #201)
+ * Fixed some IPP Everywhere option mapping problems (Issue #238)
+ * Fixed support for "job-hold-until" with the Restart-Job operation (Issue #250)
+ * Fixed the default color/grayscale presets for IPP Everywhere PPDs (Issue #262)
+ * Fixed support for the 'offline-report' state for all USB backends (Issue #264)
+ * Documentation fixes (Issue #92, Issue #163, Issue #177, Issue #184)
+ * Localization updates (Issue #123, Issue #129, Issue #134, Issue #146, Issue #164)
+ * USB quirk updates (Issue #192, Issue #270, Apple #5766, Apple #5838, Apple #5843, Apple #5867)
+ * Web interface updates (Issue #142, Issue #218)
+ * The ippeveprinter tool now automatically uses an available port.
+ * Fixed several Windows TLS and hashing issues.
+ * Deprecated cups-config (Issue #97)
+ * Deprecated Kerberos (AuthType Negotiate) authentication (Issue #98)
+ * Removed support for the (long deprecated and unused) FontPath, ListenBackLog, LPDConfigFile, KeepAliveTimeout, RIPCache, and SMBConfigFile directives in cupsd.conf and cups-files.conf.
+ * Stubbed out deprecated httpMD5 functions.
+ * Add test for undefined page ranges during printing.
+- Dropped patch upstream_pull_174 because it it is included in this release
+- Dropped patch cups-2.1.0-cups-systemd-socket.patch because it it is included in this release (https://github.com/OpenPrinting/cups/commit/e96e96b4bd0d4e6f634bbb66b95d6e475501541c)
+- Changed upstream source packages signing key (https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579)
+- Re-enabled testsuite
+ * Also removed make check because since upstream change the two target are identical (https://github.com/OpenPrinting/cups/commit/96ba46ebc818b610b0e40cbc9d62ef1dcd3ec9b6#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52R239)
+- Changed cups-2.1.0-cups-systemd-socket.patch to accomodate new coding style
+- Changed cups-config-libs.orig to accommodate recent code changes (SSL->TLS)
+- Changed cups-2.1.0-default-webcontent-path.patch to accommodate code changes
+
+-------------------------------------------------------------------
Tue Feb 1 09:18:27 UTC 2022 - jsmeix@suse.de
- Enhanced harden_cups.service.patch by adding
Index: cups.keyring
===================================================================
Binary files cups.keyring (revision 380) and cups.keyring (revision 2) differ
Index: cups.spec
===================================================================
--- cups.spec (revision 380)
+++ cups.spec (revision 2)
@@ -18,9 +18,7 @@
# Cf. https://rpm.org/user_doc/conditional_builds.html
# by default enable testsuite (i.e. in the 'check' section run make check and make test)
-#bcond_without testsuite
-# disable testsuite for now until https://github.com/OpenPrinting/cups/issues/155 is fixed
-%bcond_with testsuite
+%bcond_without testsuite
# _tmpfilesdir is not defined in systemd macros up to openSUSE 13.2
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
@@ -29,34 +27,32 @@
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version: 2.3.3op2
+Version: 2.4.1
Release: 0
Summary: The Common UNIX Printing System
License: Apache-2.0
Group: Hardware/Printing
URL: https://openprinting.github.io/cups
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.3.3op2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz
-Source0: https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.1-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz
+Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.3.3op2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz.sig
-Source1: https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz.sig
-# To get Source2 go to https://www.msweet.org/pgp.html
-# PGP Fingerprint: 845464660B686AAB36540B6F999559A027815955
+# wget --no-check-certificate -O cups-2.4.1-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz.sig
+Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz.sig
+# To get Source2 use gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
+# See https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579
+# PGP Fingerprint: 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
Source2: cups.keyring
# To manually verify Source0 with Source1 and Source2 do e.g.
# gpg --import cups.keyring
-# gpg --list-keys | grep -1 'Michael R Sweet' | grep -v 'expired'
-# gpg --verify cups-2.3.3op2-source.tar.gz.sig cups-2.3.3op2-source.tar.gz
+# gpg --list-keys | grep -1 'Zdenek Dohnal'
+# gpg --verify cups-2.4.1-source.tar.gz.sig cups-2.4.1-source.tar.gz
Source102: Postscript.ppd.gz
Source105: Postscript-level1.ppd.gz
Source106: Postscript-level2.ppd.gz
Source108: cups-client.conf
Source109: baselibs.conf
# Patch0...Patch9 is for patches from upstream:
-# Patch1 upstream_pull_174.patch is https://github.com/OpenPrinting/cups/pull/174
-# Use 60s timeout for read_thread, revert read limits
-Patch1: upstream_pull_174.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
@@ -66,8 +62,6 @@
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments:
Patch11: cups-2.1.0-default-webcontent-path.patch
-# Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly:
-Patch12: cups-2.1.0-cups-systemd-socket.patch
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
Patch100: cups-pam.diff
@@ -83,9 +77,9 @@
Patch103: cups-1.4-do_not_strip_recommended_from_PPDs.patch
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
Patch104: cups-config-libs.patch
-# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
-Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
Patch107: harden_cups.service.patch
+# Patch108 downgrades the autoconf requirement to the autoconf available in tumbleweed as of writing
+Patch108: downgrade-autoconf-requirement.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@@ -280,9 +274,6 @@
%prep
%setup -q
# Patch0...Patch9 is for patches from upstream:
-# Patch1 upstream_pull_174.patch is https://github.com/OpenPrinting/cups/pull/174
-# Use 60s timeout for read_thread, revert read limits
-%patch1 -p1
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
%patch10 -b choose-uri-template.orig
@@ -291,8 +282,6 @@
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments:
%patch11 -b default-webcontent-path.orig
-# Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly:
-#patch12 -b cups-systemd-socket.orig
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
%patch100 -b cups-pam.orig
@@ -308,9 +297,8 @@
%patch103 -b do_not_strip_recommended_from_PPDs.orig
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
%patch104 -b cups-config-libs.orig
-# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
-%patch106 -p1
%patch107 -p1
+%patch108 -p1
%build
# Remove ".SILENT" rule for verbose build output
@@ -439,8 +427,6 @@
# There appears to be some kind of race condition when running make check and make test
# cf. https://github.com/OpenPrinting/cups/issues/155
# We print all logs for debugging purposes if either testsuite fails
-echo "DEBUG: running make check"
-bash -c 'make %{?_smp_mflags} check; EXIT=$?; if [ $EXIT -ne 0 ]; then cat test/*_log*-$(whoami); fi; exit $EXIT'
echo "DEBUG: running make test"
bash -c 'make %{?_smp_mflags} test; EXIT=$?; if [ $EXIT -ne 0 ]; then cat test/*_log*-$(whoami); fi; exit $EXIT'
%else
@@ -681,6 +667,7 @@
%files devel
%defattr(-,root,root)
+/usr/lib/pkgconfig/cups.pc
%{_includedir}/cups/
%{_libdir}/libcups.so
%{_libdir}/libcupsimage.so
Index: cups-2.4.1-source.tar.gz
===================================================================
Binary file cups-2.4.1-source.tar.gz (revision 2) added
Index: cups-2.4.1-source.tar.gz.sig
===================================================================
Binary file cups-2.4.1-source.tar.gz.sig (revision 2) added
Index: downgrade-autoconf-requirement.patch
===================================================================
--- downgrade-autoconf-requirement.patch (added)
+++ downgrade-autoconf-requirement.patch (revision 2)
@@ -0,0 +1,15 @@
+diff --git a/configure.ac b/configure.ac
+index a8c6c1040..6ace74a8d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0. See the file "LICENSE" for more
+ dnl information.
+ dnl
+
+-dnl We need at least autoconf 2.71...
+-AC_PREREQ([2.71])
++dnl We need at least autoconf 2.69...
++AC_PREREQ([2.69])
+
+ dnl Package name and version...
+ AC_INIT([CUPS],[2.4.1],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
Index: cups-2.1.0-cups-systemd-socket.patch
===================================================================
--- cups-2.1.0-cups-systemd-socket.patch (revision 380)
+++ cups-2.1.0-cups-systemd-socket.patch (deleted)
@@ -1,43 +0,0 @@
---- scheduler/main.c.orig 2015-06-08 20:32:35.000000000 +0200
-+++ scheduler/main.c 2015-09-01 11:19:36.000000000 +0200
-@@ -656,7 +656,15 @@ main(int argc, /* I - Number of comm
-
- #if defined(HAVE_LAUNCHD) || defined(HAVE_SYSTEMD)
- if (OnDemand)
-+ {
- cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started on demand.");
-+# ifdef HAVE_SYSTEMD
-+ sd_notifyf(0, "READY=1\n"
-+ "STATUS=Scheduler is running...\n"
-+ "MAINPID=%lu",
-+ (unsigned long) getpid());
-+# endif /* HAVE_SYSTEMD */
-+ }
- else
- #endif /* HAVE_LAUNCHD || HAVE_SYSTEMD */
- if (fg)
---- scheduler/org.cups.cupsd.path.in.orig 2014-03-21 15:50:24.000000000 +0100
-+++ scheduler/org.cups.cupsd.path.in 2015-09-01 11:20:37.000000000 +0200
-@@ -3,6 +3,7 @@ Description=CUPS Scheduler
-
- [Path]
- PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
-+PathExistsGlob=@CUPS_REQUESTS@/d*
-
- [Install]
- WantedBy=multi-user.target
---- scheduler/org.cups.cupsd.service.in.orig 2014-10-21 13:54:05.000000000 +0200
-+++ scheduler/org.cups.cupsd.service.in 2015-09-01 11:22:09.000000000 +0200
-@@ -1,10 +1,11 @@
- [Unit]
- Description=CUPS Scheduler
- Documentation=man:cupsd(8)
-+After=network.target
-
- [Service]
- ExecStart=@sbindir@/cupsd -l
--Type=simple
-+Type=notify
-
- [Install]
- Also=org.cups.cupsd.socket org.cups.cupsd.path
Index: cups-2.3.3op2-source.tar.gz
===================================================================
Binary file cups-2.3.3op2-source.tar.gz (revision 380) deleted
Index: cups-2.3.3op2-source.tar.gz.sig
===================================================================
Binary file cups-2.3.3op2-source.tar.gz.sig (revision 380) deleted
Index: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
===================================================================
--- fix-negotiate-authentication-between-CGIs-and-scheduler.patch (revision 380)
+++ fix-negotiate-authentication-between-CGIs-and-scheduler.patch (deleted)
@@ -1,223 +0,0 @@
-From d4521ed0df7e625ccf2bc079bab6f48c46ef9bf9 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Mon, 26 Oct 2020 17:35:22 +0100
-Subject: [PATCH 1/4] Avoid infinite loop in admin.cgi when negotiate is used
-
-SetAuthorizationString with NULL argument sets an empty string.
-
-Related: #5596
-
-Signed-off-by: Samuel Cabrero <scabrero@suse.de>
----
- cups/auth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index db45bbba6..f2409350a 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -295,7 +295,7 @@ cupsDoAuthentication(
- }
- }
-
-- if (http->authstring)
-+ if (http->authstring && http->authstring[0])
- {
- DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
-
---
-2.30.2
-
-
-From 61ad7780bc7d0593e3225d088ac6dff31badf801 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 27 Oct 2020 16:11:41 +0100
-Subject: [PATCH 2/4] Add cups_is_local_connection() to check if connection is
- to localhost
-
-Related: #5596
-
-Signed-off-by: Samuel Cabrero <scabrero@suse.de>
----
- cups/auth.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index f2409350a..d2956438d 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
- # define cups_gss_printf(major, minor, message)
- # endif /* DEBUG */
- #endif /* HAVE_GSSAPI */
-+static int cups_is_local_connection(http_t *http);
- static int cups_local_auth(http_t *http);
-
-
-@@ -916,6 +917,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
- # endif /* DEBUG */
- #endif /* HAVE_GSSAPI */
-
-+static int /* O - 0 if not a local connection */
-+ /* 1 if local connection */
-+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
-+{
-+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
-+ return 0;
-+ return 1;
-+}
-
- /*
- * 'cups_local_auth()' - Get the local authorization certificate if
-@@ -958,7 +967,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
- * See if we are accessing localhost...
- */
-
-- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
-+ if (!cups_is_local_connection(http))
- {
- DEBUG_puts("8cups_local_auth: Not a local connection!");
- return (1);
---
-2.30.2
-
-
-From f629d079750a86b1b605c285f99c0dea3933ca50 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 27 Oct 2020 16:23:30 +0100
-Subject: [PATCH 3/4] Try local kerberos ccache credentials only for remote
- servers
-
-If connecting to localhost then proceed to ask the client for the
-authorization using cupsGetPassword2. The get password callback will
-return 401 to the client with WWW-Authenticate: Negotiate.
-
-Fixes: #5596
-
-Signed-off-by: Samuel Cabrero <scabrero@suse.de>
----
- cups/auth.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index d2956438d..9661657fc 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -175,10 +175,10 @@ cupsDoAuthentication(
- DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
-
- #ifdef HAVE_GSSAPI
-- if (!_cups_strcasecmp(scheme, "Negotiate"))
-+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
- {
- /*
-- * Kerberos authentication...
-+ * Kerberos authentication to remote server...
- */
-
- int gss_status; /* Auth status */
-@@ -202,7 +202,9 @@ cupsDoAuthentication(
- }
- else
- #endif /* HAVE_GSSAPI */
-- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
-+ if (_cups_strcasecmp(scheme, "Basic") &&
-+ _cups_strcasecmp(scheme, "Digest") &&
-+ _cups_strcasecmp(scheme, "Negotiate"))
- {
- /*
- * Other schemes not yet supported...
-@@ -216,7 +218,7 @@ cupsDoAuthentication(
- * See if we should retry the current username:password...
- */
-
-- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
-+ if (http->digest_tries > 1 || !http->userpass[0])
- {
- /*
- * Nope - get a new password from the user...
---
-2.30.2
-
-
-From 0563a28b18b21d5574a5e0e38b74246146074bbf Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 27 Oct 2020 16:18:03 +0100
-Subject: [PATCH 4/4] Allow Local authentication for Negotiate
-
-PeerCred is also possible if address family is AF_LOCAL. This will allow
-the CGI programs to generate the authorization from the local
-certificates based on PID also when Negotiate is used for local
-connections:
-
-Client CGI
-Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler
- | | |
- + --- HTTP/POST /admin/ --> | |
- | + --- CUPS-Get-Devices ------------> |
- | | |
- | | <-- 401 Unauthorized --------------+
- | | WWW-Authenticate: |
- | | Negotiate, (PeerCred,) Local |
- | | |
- | <-- 401 Unauthorized -----+ |
- | WWW-Authenticate: | |
- | Negotiate | |
- | | |
- | --- HTTP/POST /admin/ --> | |
- | Authorization: + --- IPP CUPS-GetDevices ---------> |
- | Negotiate | Authorization: Local <cert> |
- | | |
-
-Fixes: #5596
-
-Signed-off-by: Samuel Cabrero <scabrero@suse.de>
----
- cups/auth.c | 5 -----
- scheduler/client.c | 9 ++-------
- 2 files changed, 2 insertions(+), 12 deletions(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index 9661657fc..b6fec6b98 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
- }
- # endif /* HAVE_AUTHORIZATION_H */
-
--# ifdef HAVE_GSSAPI
-- if (cups_auth_find(www_auth, "Negotiate"))
-- return (1);
--# endif /* HAVE_GSSAPI */
--
- # if defined(SO_PEERCRED) && defined(AF_LOCAL)
- /*
- * See if we can authenticate using the peer credentials provided over a
-diff --git a/scheduler/client.c b/scheduler/client.c
-index c2ee8f12a..56797d58d 100644
---- a/scheduler/client.c
-+++ b/scheduler/client.c
-@@ -2109,18 +2109,13 @@ cupsdSendHeader(
- }
- else if (auth_type == CUPSD_AUTH_NEGOTIATE)
- {
--#if defined(SO_PEERCRED) && defined(AF_LOCAL)
-- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
-- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
-- else
--#endif /* SO_PEERCRED && AF_LOCAL */
- strlcpy(auth_str, "Negotiate", sizeof(auth_str));
- }
-
-- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
-+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
- {
- /*
-- * Add a "trc" (try root certification) parameter for local non-Kerberos
-+ * Add a "trc" (try root certification) parameter for local
- * requests when the request requires system group membership - then the
- * client knows the root certificate can/should be used.
- *
---
-2.30.2
-
Index: upstream_pull_174.patch
===================================================================
--- upstream_pull_174.patch (revision 380)
+++ upstream_pull_174.patch (deleted)
@@ -1,53 +0,0 @@
-From c37d71b1a31d26a4790166e2508822b18934a5c0 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Tue, 13 Apr 2021 15:44:14 +0200
-Subject: [PATCH 1/2] backend/usb-libusb.c: Use 60s timeout for reading at
- backchannel
-
-Some older models malfunction if timeout is too short.
----
- CHANGES.md | 1 +
- backend/usb-libusb.c | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
---- a/backend/usb-libusb.c
-+++ b/backend/usb-libusb.c
-@@ -1704,7 +1704,7 @@ static void *read_thread(void *reference)
- readstatus = libusb_bulk_transfer(g.printer->handle,
- g.printer->read_endp,
- readbuffer, rbytes,
-- &rbytes, 250);
-+ &rbytes, 60000);
- if (readstatus == LIBUSB_SUCCESS && rbytes > 0)
- {
- fprintf(stderr, "DEBUG: Read %d bytes of back-channel data...\n", (int)rbytes);
-
-From 4cb6f6806cdbe040d478b266a1d351b19341dd79 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Tue, 13 Apr 2021 15:47:37 +0200
-Subject: [PATCH 2/2] backend/usb-libusb.c: Revert enforcing read limits
-
-This commit reverts the change introduced by 2.2.12 [1] - its
-implementation caused a regression with Lexmark filters.
-
-[1]
-https://github.com/apple/cups/commit/35e927f83529cd9b4bc37bcd418c50e307fced35
----
- CHANGES.md | 1 +
- backend/usb-libusb.c | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/backend/usb-libusb.c b/backend/usb-libusb.c
-index fbb0d9d89..89b5182f7 100644
---- a/backend/usb-libusb.c
-+++ b/backend/usb-libusb.c
-@@ -1721,7 +1721,8 @@ static void *read_thread(void *reference)
- * Make sure this loop executes no more than once every 250 miliseconds...
- */
-
-- if ((g.wait_eof || !g.read_thread_stop))
-+ if ((readstatus != LIBUSB_SUCCESS || rbytes == 0) &&
-+ (g.wait_eof || !g.read_thread_stop))
- usleep(250000);
- }
- while (g.wait_eof || !g.read_thread_stop);
Johannes Meixner (jsmeix)
accepted
request 950380
from
Johannes Meixner (jsmeix)
(revision 380)
Added ReadWritePaths=/etc/cups to cups.service (boo#1195288)
Johannes Meixner (jsmeix)
accepted
request 925363
from
Johannes Segitz (jsegitz)
(revision 379)
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
buildservice-autocommit
accepted
request 898073
from
Johannes Meixner (jsmeix)
(revision 378)
Johannes Meixner (jsmeix)
(revision 378)
baserev update by copy to link target
Johannes Meixner (jsmeix)
accepted
request 898072
from
Johannes Meixner (jsmeix)
(revision 377)
Fixed "ppdc: Unable to find include file ... Bad driver information file /usr/share/cups/drv/sample.drv" (bsc#1186843)
buildservice-autocommit
accepted
request 889939
from
Johannes Meixner (jsmeix)
(revision 376)
Johannes Meixner (jsmeix)
(revision 376)
baserev update by copy to link target
Johannes Meixner (jsmeix)
accepted
request 889938
from
Johannes Meixner (jsmeix)
(revision 375)
Fixed CVE-2021-25317 (bsc#1184161)
buildservice-autocommit
accepted
request 888714
from
Factory Maintainer (factory-maintainer)
(revision 374)
Factory Maintainer (factory-maintainer)
(revision 374)
baserev update by copy to link target
Johannes Meixner (jsmeix)
accepted
request 886931
from
Johannes Meixner (jsmeix)
(revision 373)
Fix printing with older USB printers https://github.com/OpenPrinting/cups/pull/174
buildservice-autocommit
accepted
request 883251
from
Johannes Meixner (jsmeix)
(revision 372)
Johannes Meixner (jsmeix)
(revision 372)
baserev update by copy to link target
Johannes Meixner (jsmeix)
accepted
request 883250
from
Johannes Meixner (jsmeix)
(revision 371)
Disable testsuite for now until https://github.com/OpenPrinting/cups/issues/155 is fixed. Additionally improved syntax of some recent changes entries.
Johannes Meixner (jsmeix)
accepted
request 881387
from
Florian (sp1rit)
(revision 370)
I messed up with the changes file - here is the fixed version. For now I've disabled the testsuite with %bcond_without testsuite, that it can be enabled for testing. - Wrap make check and make test in bash, to "prevent" race-condition - fix-negotiate-authentication-between-CGIs-and-scheduler.patch fixes web UI Kerberos authentication (bsc#1175960) - Upstream changed to https://github.com/OpenPrinting/cups - Added %check section to specfile that executes the old `make check` and the new (see 2.3.3op1) `make test` (disabled for now) - Version upgrade to 2.3.3op2
buildservice-autocommit
accepted
request 880107
from
Johannes Meixner (jsmeix)
(revision 369)
Johannes Meixner (jsmeix)
(revision 369)
baserev update by copy to link target
Displaying revisions 21 - 40 of 408
