spec: mention when to remove the upgrade script

See
https://fedoraproject.org/wiki/Changes/FoomaticRipRejectsUnknownValues
for more information.

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,113 +1 @@
-/cups-filters-1.0.20.tar.xz
-/cups-filters-1.0.22.tar.xz
-/cups-filters-1.0.23.tar.xz
-/cups-filters-1.0.24.tar.xz
-/cups-filters-1.0.25.tar.xz
-/cups-filters-1.0.28.tar.xz
-/cups-filters-1.0.29.tar.xz
-/cups-filters-1.0.30.tar.xz
-/cups-filters-1.0.31.tar.xz
-/cups-filters-1.0.32.tar.xz
-/cups-filters-1.0.33.tar.xz
-/cups-filters-1.0.34.tar.xz
-/cups-filters-1.0.35.tar.xz
-/cups-filters-1.0.36.tar.xz
-/cups-filters-1.0.37.tar.xz
-/cups-filters-1.0.38.tar.xz
-/cups-filters-1.0.39.tar.xz
-/cups-filters-1.0.40.tar.xz
-/cups-filters-1.0.41.tar.xz
-/cups-filters-1.0.42.tar.xz
-/cups-filters-1.0.43.tar.xz
-/cups-filters-1.0.44.tar.xz
-/cups-filters-1.0.45.tar.xz
-/cups-filters-1.0.46.tar.xz
-/cups-filters-1.0.47.tar.xz
-/cups-filters-1.0.48.tar.xz
-/cups-filters-1.0.49.tar.xz
-/cups-filters-1.0.50.tar.xz
-/cups-filters-1.0.51.tar.xz
-/cups-filters-1.0.52.tar.xz
-/cups-filters-1.0.53.tar.xz
-/cups-filters-1.0.54.tar.xz
-/cups-filters-1.0.55.tar.xz
-/cups-filters-1.0.58.tar.xz
-/cups-filters-1.0.59.tar.xz
-/cups-filters-1.0.60.tar.xz
-/cups-filters-1.0.61.tar.xz
-/cups-filters-1.0.65.tar.xz
-/cups-filters-1.0.66.tar.xz
-/cups-filters-1.0.67.tar.xz
-/cups-filters-1.0.68.tar.xz
-/cups-filters-1.0.69.tar.xz
-/cups-filters-1.0.70.tar.xz
-/cups-filters-1.0.71.tar.xz
-/cups-filters-1.0.73.tar.xz
-/cups-filters-1.0.74.tar.xz
-/cups-filters-1.0.75.tar.xz
-/cups-filters-1.0.76.tar.xz
-/cups-filters-1.1.0.tar.xz
-/cups-filters-1.2.0.tar.xz
-/cups-filters-1.3.0.tar.xz
-/cups-filters-1.4.0.tar.xz
-/cups-filters-1.5.0.tar.xz
-/cups-filters-1.6.0.tar.xz
-/cups-filters-1.7.0.tar.xz
-/cups-filters-1.8.0.tar.xz
-/cups-filters-1.8.1.tar.xz
-/cups-filters-1.8.2.tar.xz
-/cups-filters-1.8.3.tar.xz
-/cups-filters-1.9.0.tar.xz
-/cups-filters-1.10.0.tar.xz
-/cups-filters-1.11.2.tar.xz
-/cups-filters-1.11.3.tar.xz
-/cups-filters-1.11.4.tar.xz
-/cups-filters-1.11.5.tar.xz
-/cups-filters-1.11.6.tar.xz
-/cups-filters-1.12.0.tar.xz
-/cups-filters-1.13.0.tar.xz
-/cups-filters-1.13.1.tar.xz
-/cups-filters-1.13.2.tar.xz
-/cups-filters-1.13.3.tar.xz
-/cups-filters-1.13.4.tar.xz
-/cups-filters-1.13.5.tar.xz
-/cups-filters-1.14.0.tar.xz
-/cups-filters-1.14.1.tar.xz
-/cups-filters-1.16.0.tar.xz
-/cups-filters-1.16.1.tar.xz
-/cups-filters-1.16.3.tar.xz
-/cups-filters-1.17.2.tar.xz
-/cups-filters-1.17.7.tar.xz
-/cups-filters-1.17.8.tar.xz
-/cups-filters-1.17.9.tar.xz
-/cups-filters-1.19.0.tar.xz
-/cups-filters-1.20.0.tar.xz
-/cups-filters-1.20.1.tar.xz
-/cups-filters-1.20.2.tar.xz
-/cups-filters-1.20.3.tar.xz
-/cups-filters-1.21.2.tar.xz
-/cups-filters-1.21.5.tar.xz
-/cups-filters-1.21.6.tar.xz
-/cups-filters-1.22.0.tar.xz
-/cups-filters-1.22.3.tar.xz
-/cups-filters-1.22.5.tar.xz
-/cups-filters-1.26.0.tar.xz
-/cups-filters-1.27.0.tar.xz
-/cups-filters-1.27.1.tar.xz
-/cups-filters-1.27.2.tar.xz
-/cups-filters-1.27.3.tar.xz
-/cups-filters-1.27.4.tar.xz
-/cups-filters-1.27.5.tar.xz
-/cups-filters-1.28.1.tar.xz
-/cups-filters-1.28.2.tar.xz
-/cups-filters-1.28.5.tar.xz
-/cups-filters-1.28.6.tar.xz
-/cups-filters-1.28.7.tar.xz
-/cups-filters-1.28.8.tar.xz
-/cups-filters-1.28.9.tar.xz
-/cups-filters-1.28.10.tar.xz
-/cups-filters-1.28.11.tar.xz
-/cups-filters-1.28.12.tar.xz
-/cups-filters-1.28.14.tar.xz
-/cups-filters-1.28.15.tar.xz
-/cups-filters-1.28.16.tar.xz
+/cups-filters-*.tar.gz

0001-Fix-build-failure-with-GCC-15-and-std-c23.patch

@@ -0,0 +1,27 @@
+From 44f59a1aa74c48515d8feba5a61b7ea3aaa592c4 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 24 Jan 2025 09:44:58 +0100
+Subject: [PATCH] Fix build failure with GCC 15 and -std=c23
+
+The newest standard has more strict data type checks, function pointers
+in function prototypes have to declare data types of its arguments.
+---
+ filter/foomatic-rip/process.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/filter/foomatic-rip/process.h b/filter/foomatic-rip/process.h
+index f6e15f65c..54a42923a 100644
+--- a/filter/foomatic-rip/process.h
++++ b/filter/foomatic-rip/process.h
+@@ -18,7 +18,7 @@
+ #include <sys/wait.h>
+ 
+ 
+-pid_t start_process(const char *name, int (*proc_func)(), void *user_arg,
++pid_t start_process(const char *name, int (*proc_func)(FILE*, FILE*, void*), void *user_arg,
+ 		    FILE **fdin, FILE **fdout);
+ pid_t start_system_process(const char *name, const char *command, FILE **fdin,
+ 			   FILE **fdout);
+-- 
+2.48.1
+

0001-rastertopclx.c-Fix-infinite-loop-caused-by-crafted-f.patch

@@ -0,0 +1,79 @@
+From 0fe46c511e81062575b05936f804eb18c9f0a011 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 12 Nov 2025 15:47:24 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index ded86f114..39cb378bf 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t      *data,	// I - filter data
+   }
+ 
+   if (header->cupsCompression)
+-    CompBuffer = malloc(DotBufferSize * 4);
++    CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+ 
+   if (header->cupsCompression >= 3)
+-    SeedBuffer = malloc(DotBufferSize);
++    SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+ 
+   SeedInvalid = 1;
+ 
+@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+               seed ++;
+               count ++;
+             }
++
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
+ 	  }
+ 
+ 	  //
+@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+ 
+             count = line_ptr - start;
+ 
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
++
+ #if 0
+             fprintf(stderr,
+ 		    "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+ 
+             count = (line_ptr - start) / 3;
+ 
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
++
+ 	    //
+ 	    // Place mode 10 compression data in the buffer; each sequence
+ 	    // starts with a command byte that looks like:
+-- 
+2.51.1
+

browsed-updatenetif.patch

@@ -1,121 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index c1b108f..e921820 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -902,6 +902,16 @@ AC_ARG_WITH([shell],
- )
- AC_DEFINE_UNQUOTED([SHELL], "$with_shell", [Path for a modern shell])
- 
-+AC_ARG_ENABLE([frequent_netif_update],
-+              [AS_HELP_STRING([--enable-frequent-netif-update], [Enable network interface update after each found entry to prevent network issues])],
-+              [FREQUENT_NETIF_UPDATE=$enableval],
-+              [FREQUENT_NETIF_UPDATE=yes]
-+)
-+
-+AS_IF([test "x$FREQUENT_NETIF_UPDATE" != "xno"],
-+      [AC_DEFINE([FREQUENT_NETIF_UPDATE], [1], [Define whether we want network interface update after each found entry])]
-+)
-+
- # =====================
- # Prepare all .in files
- # =====================
-@@ -978,6 +988,7 @@ Build configuration:
- 	pclm:            ${enable_pclm}
- 	local queue naming for remote CUPS queues: ${REMOTE_CUPS_LOCAL_QUEUE_NAMING}
- 	keep generated queues during shutdown:     ${SAVING_CREATED_QUEUES}
-+	update network interfaces after each found entry:     ${FREQUENT_NETIF_UPDATE}
- 	all ipp printer auto-setup: ${enable_auto_setup_all}
- 	only driverless auto-setup: ${enable_auto_setup_driverless_only}
- 	only local auto-setup: ${enable_auto_setup_local_only}
-diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
-index 9971209..79ece21 100644
---- a/utils/cups-browsed.c
-+++ b/utils/cups-browsed.c
-@@ -490,6 +490,11 @@ static autoshutdown_inactivity_type_t autoshutdown_on = NO_QUEUES;
- static guint autoshutdown_exec_id = 0;
- static const char *default_printer = NULL;
- static unsigned int notify_lease_duration = 86400;
-+#ifdef FREQUENT_NETIF_UPDATE
-+static int FrequentNetifUpdate = 1;
-+#else
-+static int FrequentNetifUpdate = 0;
-+#endif
- 
- static int debug_stderr = 0;
- static int debug_logfile = 0;
-@@ -9700,7 +9705,7 @@ examine_discovered_printer_record(const char *host,
-      or legacy CUPS, needed for the is_local_hostname() function calls.
-      During DNS-SD discovery the update is already done by the Avahi
-      event handler function. */
--  if (type == NULL || type[0] == '\0')
-+  if (FrequentNetifUpdate && (type == NULL || type[0] == '\0'))
-     update_netifs(NULL);
- 
-   /* Check if we have already created a queue for the discovered
-@@ -10100,9 +10105,11 @@ static void resolve_callback(AvahiServiceResolver *r,
-     strncpy(ifname, "Unknown", sizeof(ifname) - 1);
-   }
- 
-+  if (FrequentNetifUpdate)
-+    update_netifs(NULL);
-+
-   /* Ignore local queues of the cupsd we are serving for, identifying them
-      via UUID */
--  update_netifs(NULL);
-   if ((flags & AVAHI_LOOKUP_RESULT_LOCAL) || !strcasecmp(ifname, "lo") ||
-       is_local_hostname(host_name)) {
-     update_local_printers ();
-@@ -11967,6 +11974,13 @@ read_configuration (const char *filename)
-       else if (!strcasecmp(value, "no") || !strcasecmp(value, "false") ||
- 	       !strcasecmp(value, "off") || !strcasecmp(value, "0"))
- 	AutoClustering = 0;
-+    } else if (!strcasecmp(line, "FrequentNetifUpdate") && value) {
-+      if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ||
-+	  !strcasecmp(value, "on") || !strcasecmp(value, "1"))
-+	FrequentNetifUpdate = 1;
-+      else if (!strcasecmp(value, "no") || !strcasecmp(value, "false") ||
-+	       !strcasecmp(value, "off") || !strcasecmp(value, "0"))
-+	FrequentNetifUpdate = 0;
-     } else if (!strcasecmp(line, "Cluster") && value) {
-       ptr = value;
-       ptr2 = NULL;
-diff --git a/utils/cups-browsed.conf.5 b/utils/cups-browsed.conf.5
-index 7e6ee3b..7f60168 100644
---- a/utils/cups-browsed.conf.5
-+++ b/utils/cups-browsed.conf.5
-@@ -1005,6 +1005,18 @@ and doing specific actions when a D-BUS notification comes.
-         NotifLeaseDuration 86400
- .fam T
- .fi
-+FrequentNetifUpdate turns on/off the network interface update routines
-+which happen for each found entry, which can slow up cups-browsed significantly
-+if we are on a network with many shared printers or if we use BrowsePoll to a server
-+with many queues. Network interface updates after receiving D-BUS notification
-+from NetworkManager won't be turned off with the directive. The default value
-+is 'Yes'.
-+.PP
-+.nf
-+.fam C
-+        FrequentNetifUpdate Yes
-+.fam T
-+.fi
- .SH SEE ALSO
- 
- \fBcups-browsed\fP(8)
-diff --git a/utils/cups-browsed.conf.in b/utils/cups-browsed.conf.in
-index ee2f5bf..6866918 100644
---- a/utils/cups-browsed.conf.in
-+++ b/utils/cups-browsed.conf.in
-@@ -774,3 +774,12 @@ BrowseRemoteProtocols @BROWSEREMOTEPROTOCOLS@
- # and doing specific actions when a D-BUS notification comes.
- 
- # NotifLeaseDuration 86400
-+
-+# FrequentNetifUpdate turns on/off the network interface update routines
-+# which happen for each found entry, which can slow up cups-browsed significantly
-+# if we are on a network with many shared printers or if we use BrowsePoll to a server
-+# with many queues. Network interface updates after receiving D-BUS notification
-+# from NetworkManager won't be turned off with the directive. The default value
-+# is 'Yes'.
-+#
-+# FrequentNetifUpdate Yes

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

cups-filters.spec

@@ -1,151 +1,90 @@
+%if 0%{?fedora}
+%bcond_without mdns
+%bcond_without braille
+%else
+%bcond_with mdns
+%bcond_with braille
+%endif
+
+# currently we use CUPS PPD compiler which will be removed
+# in CUPS 3.0, then we will use PPD compiler from libppd-tools
+%bcond_without cups_ppdc
+
 # we build CUPS also with relro
 %global _hardened_build 1
 
-Summary: OpenPrinting CUPS filters and backends
+Summary: OpenPrinting CUPS filters for CUPS 2.X
 Name:    cups-filters
-Version: 1.28.16
-Release: 2%{?dist}
+Epoch:   1
+Version: 2.0.1
+Release: 12%{?dist}
 
-# For a breakdown of the licensing, see COPYING file
-# GPLv2:   filters: commandto*, imagetoraster, pdftops, rasterto*,
-#                   imagetopdf, pstopdf, texttopdf
-#         backends: parallel, serial
-# GPLv2+:  filters: gstopxl, textonly, texttops, imagetops, foomatic-rip
-# GPLv3:   filters: bannertopdf
-# GPLv3+:  filters: urftopdf, rastertopdf
-# LGPLv2+:   utils: cups-browsed
-# MIT:     filters: gstoraster, pdftoijs, pdftoopvp, pdftopdf, pdftoraster
-License: GPLv2 and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2+ and MIT and BSD with advertising
+# the CUPS exception text is the same as LLVM exception, so using that name with
+# agreement from legal team
+# https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/A7GFSD6M3GYGSI32L2FC5KB22DUAEQI3/
+License: Apache-2.0 WITH LLVM-exception
 
-Url:     http://www.linuxfoundation.org/collaborate/workgroups/openprinting/cups-filters
-Source0: http://www.openprinting.org/download/cups-filters/cups-filters-%{version}.tar.xz
+URL:     https://github.com/OpenPrinting/cups-filters
+Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: lftocrlf.ppd
+Source2: lftocrlf
 
-# backported from upstream
-Patch0001: browsed-updatenetif.patch
 
+# Patches
+# https://github.com/OpenPrinting/cups-filters/pull/618
+Patch001: 0001-Fix-build-failure-with-GCC-15-and-std-c23.patch
+# introducing foomatic-hash, but without rejecting values in foomatic-rip
+# https://github.com/OpenPrinting/cups-filters/pull/648
+Patch002: 0001-Introduce-foomatic-hash-and-reject-unauthorized-valu.patch
+# make sure errors from foomatic-rip are propagated
+# https://github.com/OpenPrinting/cups-filters/pull/649
+Patch003: foomatic-ripdie-error.patch
+# rejecting the unknown values in foomatic-rip
+# https://github.com/OpenPrinting/cups-filters/pull/648
+Patch004: foomaticrip-reject-unknown-values.patch
+# CVE-2025-64524 fix
+Patch005: 0001-rastertopclx.c-Fix-infinite-loop-caused-by-crafted-f.patch
+
+
+# driverless backend/driver was moved into a separate package to
+# remove avahi dependency for filters
+# remove once C10S is released and F40 is EOL
+Conflicts: cups-filters-driverless < 1:2.0.0-3
 
 # autogen.sh
 BuildRequires: autoconf
+# autogen.sh
 BuildRequires: automake
-BuildRequires: gettext-devel
-BuildRequires: libtool
-
-# build requirements for build system:
-# gcc for backends (implicitclass, parallel, serial, backend error handling)
-# cupsfilters (colord, color manager...), filter (banners, 
-# commandto*, braille, foomatic-rip, imagetoraster, imagetopdf, gstoraster e.g.),
-# fontembed, cups-browsed
+# filter binaries and backends are written in C
 BuildRequires: gcc
-# gcc-c++ for pdftoopvp, pdftopdf
-BuildRequires: gcc-c++
+# autogen.sh
+BuildRequires: gettext-devel
 # for autosetup
 BuildRequires: git-core
+# autogen.sh
+BuildRequires: libtool
 # uses make for compiling
 BuildRequires: make
 # we use pkgconfig to get a proper devel packages
 # proper CFLAGS and LDFLAGS
 BuildRequires: pkgconf-pkg-config
-
-# uses CUPS API functions - arrays, ipp functions
-BuildRequires: cups-devel
-
-# pdftopdf
-BuildRequires: pkgconfig(libqpdf)
-
-# pdftops
-BuildRequires: poppler-utils
-
-# pdftoraster, gstoraster
-BuildRequires: ghostscript
-BuildRequires: libjpeg-turbo-devel
-BuildRequires: libtiff-devel
-BuildRequires: pkgconfig(dbus-1)
-BuildRequires: pkgconfig(fontconfig)
-BuildRequires: pkgconfig(freetype2)
-BuildRequires: pkgconfig(lcms2)
-# used for getting image resolution from images - they have
-# EXIF data in them and library accesses it
-BuildRequires: pkgconfig(libexif)
-BuildRequires: pkgconfig(libpng)
-BuildRequires: pkgconfig(poppler-cpp)
-BuildRequires: pkgconfig(zlib)
-
-# cups-browsed
-BuildRequires: avahi-devel
-BuildRequires: pkgconfig(avahi-glib)
-BuildRequires: pkgconfig(glib-2.0)
-BuildRequires: systemd
-
+# uses CUPS API
+BuildRequires: pkgconfig(cups) >= 2.2.2
+# uses cupsfilters API
+BuildRequires: pkgconfig(libcupsfilters) >= 2.0b3
+# uses PPD API
+BuildRequires: pkgconfig(libppd) >= 2.0b3
 # Make sure we get postscriptdriver tags.
 BuildRequires: python3-cups
-
-# Testing font for test scripts.
-BuildRequires: dejavu-sans-fonts
-
-# needed for systemd rpm macros in scriptlets
+# for systemd unit for upgrade
 BuildRequires: systemd-rpm-macros
 
-# cups-browsed needs systemd-resolved or nss-mdns for resolving .local addresses of remote print queues
-# let's not require a specific package and let the user decide what he wants to use.
-# just recommend nss-mdns for Fedora for now to have working default, but
-# don't hardwire it for resolved users
-%if 0%{?fedora}
-Recommends: nss-mdns
+%if %{with braille}
+Recommends: braille-printer-app
 %endif
-# Avahi is needed for device discovery for newer (2012+) devices and its sharing - make it recommended
-Recommends: avahi
-# ippfind is used in driverless backend, not needed classic PPD based print queue
-Recommends: cups-ipptool
-# braille filters and backend
-Recommends: %{name}-braille%{?_isa} = %{version}-%{release}
-
-# pstopdf
-Requires: bc grep sed which
-# for getting ICC profiles for filters (dbus must run)
-Requires: colord
+# needs cups dirs
 Requires: cups-filesystem
-# have the same libs for the package
-Requires: cups-filters-libs%{?_isa} = %{version}-%{release}
-# several filters calls 'gs' binary during filtering
-Requires: ghostscript
-# texttopdf
-Requires: liberation-mono-fonts
-# if --with-pdftops is set to hybrid, we use poppler filters for several printers
-# and for printing banners, for other printers we need gs - ghostscript
-Requires: poppler-utils
 
-# cups-browsed
-# cups-browsed needs to have cups.service to run
-Requires: cups
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
-
-
-%package libs
-Summary: OpenPrinting CUPS filters and backends - cupsfilters and fontembed libraries
-# LGPLv2: libcupsfilters
-# MIT:    libfontembed
-License: LGPLv2 and MIT
-
-%package devel
-Summary: OpenPrinting CUPS filters and backends - development environment
-License: LGPLv2 and MIT
-Requires: cups-filters-libs%{?_isa} = %{version}-%{release}
-
-%package braille
-Summary: OpenPrinting CUPS filters and backends - braille filters and backend
-License: GPLv2+ and MIT
-BuildRequires: liblouis-devel
-# remove after F36 goes EOL
-Conflicts: cups-filters < 1.28.11-1
-# we need classic pdftopdf and other filters as well
-Requires: cups-filters%{?_isa} = %{version}-%{release}
-# lou_translate and file2brl are needed for file conversions
-# liblouis-utils for lou_translate
-Requires: liblouis-utils
-# liblouisutdml-utils for file2brl
-Requires: liblouisutdml-utils
 
 %description
 Contains backends, filters, and other software that was
@@ -154,127 +93,209 @@ Apple Inc. In addition it contains additional filters developed
 independently of Apple, especially filters for the PDF-centric printing
 workflow introduced by OpenPrinting.
 
-%description libs
-This package provides cupsfilters and fontembed libraries.
 
-%description devel
-This is the development package for OpenPrinting CUPS filters and backends.
+%package driverless
+Summary: OpenPrinting driverless backends and drivers for CUPS 2.X
+License: Apache-2.0 WITH LLVM-exception
+
+# backends and drivers has been moved from the main package to subpackage
+# to remove the avahi/mdns dependency needed for driverless
+# remove after F40 is EOL and C10S is released
+Conflicts: cups-filters < 1:2.0.0-3
+
+# finding device via driverless depends on running avahi-daemon
+Requires: avahi
+# ippfind is used in driverless backend, not needed classic PPD based print queue
+Requires: cups-ipptool
+# cups-browsed needs systemd-resolved or nss-mdns for resolving .local addresses of remote print queues
+# let's not require a specific package and let the user decide what he wants to use.
+# just recommend nss-mdns for Fedora for now to have working default, but
+# don't hardwire it for resolved users
+%if %{with mdns}
+Recommends: nss-mdns
+%endif
+
+# needs cups dirs
+Requires: cups-filesystem
+
+
+%description driverless
+Contains backends and drivers for driverless implementation for cups-filters,
+which makes driverless printers to be seen when listing printers nearby and gives
+a specific generated driver for driverless printer in the local network. They are
+tools for backward compatibility with applications which don't handle CUPS temporary
+queues.
 
-%description braille
-The package provides filters and cups-brf backend needed for braille printing.
 
 %prep
-%autosetup -S git
+%autosetup -S git -N
+
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+%autopatch
+%else
+%autopatch -M 3
+%endif
+
 
 %build
 # work-around Rpath
 ./autogen.sh
 
-# --with-pdftops=hybrid - use Poppler's pdftops instead of Ghostscript for
-#                         Brother, Minolta, and Konica Minolta to work around
-#                         bugs in the printer's PS interpreters
-# --with-rcdir=no - don't install SysV init script
-# --enable-driverless - enable PPD generator for driverless printing in 
-#                       /usr/lib/cups/driver, it is for manual setup of 
-#                       driverless printers with printer setup tool
-# --disable-static - do not build static libraries (becuase of Fedora Packaging
-#                    Guidelines)
-# --enable-dbus - enable DBus Connection Manager's code
-# --disable-silent-rules - verbose build output
-# --disable-mutool - mupdf is retired in Fedora, use qpdf
-# --enable-pclm - support for pclm language
-# --with-remote-cups-local-queue-naming=RemoteName - name created local queues, which point to
-#                                                    remote CUPS queue, by its name from the server
-# --disable-frequent-netif-update - cups-browsed can update its network interface data after every found printer,
-#                                   which slows down the printer creation - this disables it and leave the network
-#                                   interface update only after notification from NetworkManager
-
-%configure --disable-static \
-           --disable-silent-rules \
-           --with-pdftops=hybrid \
-           --enable-dbus \
-           --with-rcdir=no \
+%configure --enable-driverless \
+           --enable-individual-cups-filters \
+           --disable-universal-cups-filter \
            --disable-mutool \
-           --enable-driverless \
-           --enable-pclm \
-           --with-apple-raster-filter=rastertopdf \
-           --with-remote-cups-local-queue-naming=RemoteName \
-           --disable-frequent-netif-update
+           --disable-rpath \
+           --disable-silent-rules \
+           --disable-static
 
 %make_build
 
+
 %install
 %make_install
 
-# Don't ship libtool la files.
-rm -f %{buildroot}%{_libdir}/lib*.la
+# 2229776 - Add textonly driver back, but as lftocrlf
+install -p -m 0755 %{SOURCE2} %{buildroot}%{_cups_serverbin}/filter/lftocrlf
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/ppd/cupsfilters/lftocrlf.ppd
 
-# Not sure what is this good for.
-rm -f %{buildroot}%{_bindir}/ttfread
+# remove this once F43 is EOL
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
 
-rm -f %{buildroot}%{_pkgdocdir}/INSTALL
-mkdir -p %{buildroot}%{_pkgdocdir}/fontembed/
-cp -p fontembed/README %{buildroot}%{_pkgdocdir}/fontembed/
+mkdir -p %{buildroot}%{_libexecdir}/%{name}
+
+cat > %{buildroot}%{_libexecdir}/%{name}/posttrans.sh << EOF
+#!/usr/bin/bash
+
+if \$(grep -q -R 'FoomaticRIPCommandLine\|FoomaticRipOptionSetting' %{_sysconfdir}/cups/ppd)
+then
+  tmpfile=\$(mktemp -p /var/tmp foomatic-scan.XXXXXXXX)
+
+  for ppd in %{_sysconfdir}/cups/ppd/*.ppd
+  do
+    foomatic-hash --ppd \$ppd \$tmpfile %{_sysconfdir}/foomatic/hashes.d/hashes.upgrade || :
+  done
+
+  if test -f %{_sysconfdir}/foomatic/hashes.d/hashes.upgrade
+  then
+    echo "Foomatic-rip values which can inject code found - review findings in \$tmpfile. Read release notes for instructions." || :
+  fi
+else
+  touch %{_sysconfdir}/foomatic/hashes.d/hashes.new
+fi
+
+exit 0
+EOF
 
-# systemd unit file
 mkdir -p %{buildroot}%{_unitdir}
-install -p -m 644 utils/cups-browsed.service %{buildroot}%{_unitdir}
+
+cat > %{buildroot}%{_unitdir}/foomaticrip-upgrade.service << EOF
+[Unit]
+Description=Allowing already installed printers for foomatic-rip
+ConditionPathIsDirectory=%{_sysconfdir}/foomatic/hashes.d
+ConditionDirectoryNotEmpty=!%{_sysconfdir}/foomatic/hashes.d
+
+[Service]
+Type=oneshot
+ExecStart=bash -c %{_libexecdir}/%{name}/posttrans.sh
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p %{buildroot}%{_unitdir}/cups.service.d
+
+cat > %{buildroot}%{_unitdir}/cups.service.d/10-foomaticrip-upgrade.conf << EOF
+[Unit]
+After=foomaticrip-upgrade.service
+Wants=foomaticrip-upgrade.service
+EOF
+
+%endif
+
 
 # LSB3.2 requires /usr/bin/foomatic-rip,
 # create it temporarily as a relative symlink
+# we may use symlink to universal filter, but LSB is about guaranteed compatibility set
+# among distibutions, so rather have the strict foomatic-rip filter...
 ln -sf %{_cups_serverbin}/filter/foomatic-rip %{buildroot}%{_bindir}/foomatic-rip
 
+%if %{with cups_ppdc}
+mkdir -p %{buildroot}%{_datadir}/cups/ppdc
+mv %{buildroot}%{_datadir}/{ppdc/pcl.h,cups/ppdc/pcl.h}
+mv %{buildroot}%{_datadir}/{ppdc/escp.h,cups/ppdc/escp.h}
+%endif
+
+# remove license files which are in %%pkgdocdir
+rm -f %{buildroot}%{_pkgdocdir}/{COPYING,NOTICE,LICENSE}
+
+# remove INSTALL since it is unnecessary
+rm -f %{buildroot}%{_pkgdocdir}/INSTALL
+
+# remove CHANGES-1.x.md, since it is carried by a dependency
+rm -f %{buildroot}%{_pkgdocdir}/CHANGES-1.x.md
+
 
 %check
 make check
 
-%post
-%systemd_post cups-browsed.service
 
-# put UpdateCUPSQueuesMaxPerCall and PauseBetweenCUPSQueueUpdates into cups-browsed.conf
-# for making cups-browsed work more stable for environments with many print queues
-# remove this after 1-2 releases
-for directive in "UpdateCUPSQueuesMaxPerCall" "PauseBetweenCUPSQueueUpdates"
-do
-    found=`%{_bindir}/grep "^[[:blank:]]*$directive" %{_sysconfdir}/cups/cups-browsed.conf`
-    if [ -z "$found" ]
-    then
-        if [ "x$directive" == "xUpdateCUPSQueuesMaxPerCall" ]
-        then
-            %{_bindir}/echo "UpdateCUPSQueuesMaxPerCall 20" >> %{_sysconfdir}/cups/cups-browsed.conf
-        else
-            %{_bindir}/echo "PauseBetweenCUPSQueueUpdates 5" >> %{_sysconfdir}/cups/cups-browsed.conf
-        fi
-    fi
-done
+%post
+# remove PPD cache to make bz#2351389 fix work right away
+# remove after F43 EOL
+if [ $1 -gt 1 ]
+then
+  rm -f /var/cache/cups/ppds.dat || :
+fi
+
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+  %systemd_post foomaticrip-upgrade.service
+%endif
+
 
 %preun
-%systemd_preun cups-browsed.service
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+  %systemd_preun foomaticrip-upgrade.service
+%endif
+
 
 %postun
-%systemd_postun_with_restart cups-browsed.service 
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+  %systemd_postun foomaticrip-upgrade.service
+%endif
 
-%ldconfig_scriptlets libs
+
+%posttrans
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+  %systemd_posttrans_with_reload foomaticrip-upgrade.service
+%endif
+
+if [ $1 -gt 1 ]
+then
+  # since we moved to individual filters, we have to restart cups
+  # to load new conversion tables if it is running
+  # remove by F43 EOL and C11S release
+  if systemctl is-active cups &> /dev/null
+  then
+    systemctl restart cups || :
+  fi
+
+  %if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+    systemctl start foomaticrip-upgrade.service || :
+  %endif
+fi
 
 
 %files
-%{_pkgdocdir}/README
-%{_pkgdocdir}/ABOUT-NLS
-%{_pkgdocdir}/AUTHORS
-%{_pkgdocdir}/NEWS
+%license COPYING LICENSE NOTICE
+%doc AUTHORS ABOUT-NLS CHANGES.md CONTRIBUTING.md DEVELOPING.md README.md
+%{_bindir}/foomatic-hash
 %{_bindir}/foomatic-rip
-%{_bindir}/driverless
-%{_bindir}/driverless-fax
-%{_sbindir}/cups-browsed
-%attr(0700,root,root) %{_cups_serverbin}/backend/beh
-# implicitclass backend must be run as root
-%attr(0700,root,root) %{_cups_serverbin}/backend/implicitclass
+%attr(0744,root,root) %{_cups_serverbin}/backend/beh
 # all backends needs to be run only as root because of kerberos
-%attr(0700,root,root) %{_cups_serverbin}/backend/parallel
+%attr(0744,root,root) %{_cups_serverbin}/backend/parallel
 # Serial backend needs to run as root (bug #212577#c4).
-%attr(0700,root,root) %{_cups_serverbin}/backend/serial
-%{_cups_serverbin}/backend/driverless
-%{_cups_serverbin}/backend/driverless-fax
+%attr(0744,root,root) %{_cups_serverbin}/backend/serial
 %attr(0755,root,root) %{_cups_serverbin}/filter/bannertopdf
 %attr(0755,root,root) %{_cups_serverbin}/filter/commandtoescpx
 %attr(0755,root,root) %{_cups_serverbin}/filter/commandtopclx
@@ -285,99 +306,168 @@ done
 %attr(0755,root,root) %{_cups_serverbin}/filter/imagetopdf
 %attr(0755,root,root) %{_cups_serverbin}/filter/imagetops
 %attr(0755,root,root) %{_cups_serverbin}/filter/imagetoraster
+# 2229776 - Add textonly driver back, but as lftocrlf
+%attr(0755,root,root) %{_cups_serverbin}/filter/lftocrlf
+%attr(0755,root,root) %{_cups_serverbin}/filter/pclmtoraster
 %attr(0755,root,root) %{_cups_serverbin}/filter/pdftopdf
 %attr(0755,root,root) %{_cups_serverbin}/filter/pdftops
 %attr(0755,root,root) %{_cups_serverbin}/filter/pdftoraster
+%attr(0755,root,root) %{_cups_serverbin}/filter/pwgtopclm
+%attr(0755,root,root) %{_cups_serverbin}/filter/pwgtopdf
+%attr(0755,root,root) %{_cups_serverbin}/filter/pwgtoraster
 %attr(0755,root,root) %{_cups_serverbin}/filter/rastertoescpx
-%attr(0755,root,root) %{_cups_serverbin}/filter/rastertopclm
 %attr(0755,root,root) %{_cups_serverbin}/filter/rastertopclx
-%attr(0755,root,root) %{_cups_serverbin}/filter/rastertopdf
 %attr(0755,root,root) %{_cups_serverbin}/filter/rastertops
-%attr(0755,root,root) %{_cups_serverbin}/filter/sys5ippprinter
-%attr(0755,root,root) %{_cups_serverbin}/filter/textbrftoindexv3
-%attr(0755,root,root) %{_cups_serverbin}/filter/texttobrf
 %attr(0755,root,root) %{_cups_serverbin}/filter/texttopdf
 %attr(0755,root,root) %{_cups_serverbin}/filter/texttops
 %attr(0755,root,root) %{_cups_serverbin}/filter/texttotext
-%{_cups_serverbin}/driver/driverless
-%{_cups_serverbin}/driver/driverless-fax
-%{_datadir}/cups/banners
-%{_datadir}/cups/charsets
-%{_datadir}/cups/data/*
 %{_datadir}/cups/drv/cupsfilters.drv
 %{_datadir}/cups/mime/cupsfilters.types
 %{_datadir}/cups/mime/cupsfilters.convs
 %{_datadir}/cups/mime/cupsfilters-ghostscript.convs
+%{_datadir}/cups/mime/cupsfilters-individual.convs
 %{_datadir}/cups/mime/cupsfilters-poppler.convs
+%dir %{_datadir}/foomatic
+%dir %{_datadir}/foomatic/hashes.d
 %{_datadir}/ppd/cupsfilters
-# this needs to be in the main package because of cupsfilters.drv
-%{_datadir}/cups/ppdc/pcl.h
-%{_mandir}/man1/foomatic-rip.1.gz
-%{_mandir}/man1/driverless.1.gz
-%{_mandir}/man5/cups-browsed.conf.5.gz
-%{_mandir}/man8/cups-browsed.8.gz
-# 2123809 - rpm -Va reports changes due %post scriptlet (remove the verify part once we remove
-# cups-browsed.conf update from %post) 
-%config(noreplace) %verify(not size filedigest mtime) %{_sysconfdir}/cups/cups-browsed.conf
-%{_unitdir}/cups-browsed.service
-
-%files libs
-%dir %{_pkgdocdir}/
-%{_pkgdocdir}/COPYING
-%dir %{_pkgdocdir}/fontembed
-%{_pkgdocdir}/fontembed/README
-%{_libdir}/libcupsfilters.so.1*
-%{_libdir}/libfontembed.so.1*
-
-%files devel
+%if %{with cups_ppdc}
+# escp.h and pcl.h are required during runtime, because
+# CUPS PPD compiler (ppdc) uses them for generating drivers
+# per request from cupsfilters.drv file
 %{_datadir}/cups/ppdc/escp.h
-%{_includedir}/cupsfilters
-%{_includedir}/fontembed
-%{_libdir}/libcupsfilters.so
-%{_libdir}/libfontembed.so
-%{_libdir}/pkgconfig/libcupsfilters.pc
-%{_libdir}/pkgconfig/libfontembed.pc
+%{_datadir}/cups/ppdc/pcl.h
+%else
+%dir %{_datadir}/ppdc
+%{_datadir}/ppdc/escp.h
+%{_datadir}/ppdc/pcl.h
+%endif
+%{_mandir}/man1/foomatic-hash.1.gz
+%{_mandir}/man1/foomatic-rip.1.gz
+%config(noreplace) %{_sysconfdir}/foomatic
+%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
+%dir %{_libexecdir}/%{name}
+%attr(0744,root,root) %{_libexecdir}/%{name}/posttrans.sh
+%ghost %attr(0644,root,root) %{_sysconfdir}/foomatic/hashes.d/hashes.new
+%dir %{_unitdir}/cups.service.d
+%{_unitdir}/cups.service.d/10-foomaticrip-upgrade.conf
+%{_unitdir}/foomaticrip-upgrade.service
+%endif
+
+%files driverless
+%license COPYING LICENSE NOTICE
+%{_bindir}/driverless
+%{_bindir}/driverless-fax
+%{_cups_serverbin}/backend/driverless
+%{_cups_serverbin}/backend/driverless-fax
+%{_cups_serverbin}/driver/driverless
+%{_cups_serverbin}/driver/driverless-fax
+%{_mandir}/man1/driverless.1.gz
 
-%files braille
-# cups-brf needs to be run as root, otherwise it leaves error messages
-# in journal
-%attr(0700,root,root) %{_cups_serverbin}/backend/cups-brf
-%attr(0755,root,root) %{_cups_serverbin}/filter/brftoembosser
-%attr(0755,root,root) %{_cups_serverbin}/filter/brftopagedbrf
-%attr(0755,root,root) %{_cups_serverbin}/filter/imagetobrf
-%attr(0755,root,root) %{_cups_serverbin}/filter/imageubrltoindexv3
-%attr(0755,root,root) %{_cups_serverbin}/filter/imageubrltoindexv4
-%attr(0755,root,root) %{_cups_serverbin}/filter/musicxmltobrf
-%attr(0755,root,root) %{_cups_serverbin}/filter/vectortobrf
-%attr(0755,root,root) %{_cups_serverbin}/filter/vectortopdf
-%{_cups_serverbin}/filter/cgmtopdf
-%{_cups_serverbin}/filter/cmxtopdf
-%{_cups_serverbin}/filter/emftopdf
-%{_cups_serverbin}/filter/imagetoubrl
-%{_cups_serverbin}/filter/svgtopdf
-%{_cups_serverbin}/filter/textbrftoindexv4
-%{_cups_serverbin}/filter/vectortoubrl
-%{_cups_serverbin}/filter/xfigtopdf
-%{_cups_serverbin}/filter/wmftopdf
-%{_datadir}/cups/braille
-%{_datadir}/cups/drv/generic-brf.drv
-%{_datadir}/cups/drv/generic-ubrl.drv
-%{_datadir}/cups/drv/indexv3.drv
-%{_datadir}/cups/drv/indexv4.drv
-%{_datadir}/cups/ppdc/braille.defs
-%{_datadir}/cups/ppdc/fr-braille.po
-%{_datadir}/cups/ppdc/imagemagick.defs
-%{_datadir}/cups/ppdc/index.defs
-%{_datadir}/cups/ppdc/liblouis.defs
-%{_datadir}/cups/ppdc/liblouis1.defs
-%{_datadir}/cups/ppdc/liblouis2.defs
-%{_datadir}/cups/ppdc/liblouis3.defs
-%{_datadir}/cups/ppdc/liblouis4.defs
-%{_datadir}/cups/ppdc/media-braille.defs
-%{_datadir}/cups/mime/braille.convs
-%{_datadir}/cups/mime/braille.types
 
 %changelog
+* Fri Nov 28 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-12
+- fix CVE-2025-64524
+
+* Mon Nov 10 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-11
+- change return value of foomatic-hash if built without libppd
+
+* Wed Oct 01 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-10
+- protect older Fedoras from F43+ changes, fix installability report about hashes.new
+
+* Thu Jul 31 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-9
+- Reject unknown values in foomatic-rip in F43+
+
+* Wed Jul 30 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-8
+- Introduce foomatic-hash, but not rejecting values in foomatic-rip
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jun 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-6
+- CUPS restart has to happen after universal filter is gone for good (in posttrans) (fedora#2370978)
+
+* Mon Jun 02 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-5
+- individual filters have to explicitly enabled
+
+* Mon Jun 02 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-4
+- disable universal filter for now - some 3rd party drivers did not work with it
+
+* Tue Mar 11 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-3
+- textonly driver was missing (fedora#2351389)
+
+* Fri Jan 24 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-2
+- fix FTBFS (fedora#2340017)
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-1
+- 2.0.1
+
+* Fri Jul 19 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-9
+- fix missing epochs in conflicts
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Tue May 28 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-7
+- 2283295 - The directory /usr/share/ppdc/ is not in the RPM database.
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Dec 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-4
+- make driverless subpackage require avahi and ipptool - they don't 
+  work without them
+
+* Tue Dec 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-3
+- introduce cups-filters-driverless to strip avahi dependency for filters
+
+* Tue Dec 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-2
+- use exact foomatic-rip filter to comply with LSB
+
+* Thu Oct 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-1
+- rebase to 2.0.0
+
+* Mon Aug 07 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc2-3
+- 2229776 - Add textonly driver back as lftocrlf driver
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0~rc2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jun 28 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc2-1
+- 2.0rc2
+
+* Wed May 17 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc1-2
+- 2207970 - CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend
+
+* Thu Apr 27 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc1-1
+- 2.0rc1
+
+* Wed Mar 01 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~b3-2
+- use epoch to ensure clean upgrade path, because I didn't read FPG carefully
+
+* Mon Feb 20 2023 Zdenek Dohnal <zdohnal@redhat.com> - 2.0b3-1
+- 2170538 - rebase to 2.0b3
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.28.16-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Oct 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-6
+- really build with qpdf-11.1.1 (forgot to wait for qpdf in side tag...)
+
+* Thu Oct 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-5
+- rebuilt with qpdf-11.1.1
+
+* Thu Sep 22 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-4
+- rebuilt with qpdf-11.1.0
+
+* Thu Sep 22 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-3
+- build braille subpackage only on Fedora and CentOS Stream > 9
+
 * Wed Sep 21 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-2
 - disable frequent network interface data update, which slows down the queue creation
 

foomatic-ripdie-error.patch

@@ -0,0 +1,13 @@
+diff --git a/filter/foomatic-rip/util.c b/filter/foomatic-rip/util.c
+index 508bc09..ad79fbf 100644
+--- a/filter/foomatic-rip/util.c
++++ b/filter/foomatic-rip/util.c
+@@ -76,7 +76,7 @@ rip_die(int status,
+ {
+   va_list ap;
+ 
+-  _log("Process is dying with \"");
++  _log("ERROR: Process is dying with \"");
+   va_start(ap, msg);
+   _logv(msg, ap);
+   va_end(ap);

foomaticrip-reject-unknown-values.patch

@@ -0,0 +1,188 @@
+From 41c5f2f6139e4d3693c2483ee4281202a80ae451 Mon Sep 17 00:00:00 2001
+From: zdohnal <zdohnal@redhat.com>
+Date: Tue, 22 Jul 2025 15:12:19 +0200
+Subject: [PATCH] Introduce foomatic-hash and reject unauthorized values in
+ foomatic-rip (#648)
+
+The change provides a way for users to have control over what values are
+allowed for the foomatic-rip-related PPD keywords FoomaticRIPCommandLine,
+FoomaticRIPCommandLinePDF, and FoomaticRIPOptionSetting. Since the
+values can be later used when constructing a shell command, the filter
+foomatic-rip was a target of several exploits (caused by issues at
+different places in CUPS or in different projects of the printing stack) to
+do arbitrary code execution when the filter is used.
+
+By default the filter is run by user lp, so the issue is mitigated, but
+this PR gives admin complete control over what can be run in
+foomatic-rip and reject anything injected into system via different
+ways.
+
+First, the new tool - foomatic-hash - can be called on a PPD file or
+directory with drivers/PPDs, with scan output and file with hexadecimal
+representation of hashed values. Once the scan output is reviewed by
+admin, admin can decide to put the resulting hashes into
+/etc/foomatic/hashes.d and allow them for the filter.
+---
+ Makefile.am                           |  44 ++-
+ README.md                             |  23 ++
+ configure.ac                          |   2 +-
+ filter/foomatic-rip/foomatic-hash.1   |  66 ++++
+ filter/foomatic-rip/foomatic-hash.c   | 549 ++++++++++++++++++++++++++
+ filter/foomatic-rip/foomatic-rip.1.in |  16 +
+ filter/foomatic-rip/foomaticrip.c     |  75 ----
+ filter/foomatic-rip/foomaticrip.h     |  40 --
+ filter/foomatic-rip/options.c         |  67 ++++
+ filter/foomatic-rip/process.c         |   9 +
+ filter/foomatic-rip/process.h         |   3 +
+ filter/foomatic-rip/util.c            | 341 +++++++++++++++-
+ filter/foomatic-rip/util.h            |  67 ++++
+ 13 files changed, 1178 insertions(+), 124 deletions(-)
+ create mode 100644 filter/foomatic-rip/foomatic-hash.1
+ create mode 100644 filter/foomatic-rip/foomatic-hash.c
+
+diff --git a/filter/foomatic-rip/foomatic-rip.1.in b/filter/foomatic-rip/foomatic-rip.1.in
+index 9685a95f5..3dff5215f 100644
+--- a/filter/foomatic-rip/foomatic-rip.1.in
++++ b/filter/foomatic-rip/foomatic-rip.1.in
+@@ -193,6 +193,15 @@ friends. Several PPD files use shell constructs that require a more
+ modern shell like \fBbash\fR, \fBzsh\fR, or \fBksh\fR.
+ 
+ 
++.SH PPD OPTION VALUE RESTRICTIONS AND EXCEPTIONS
++
++The values of PPD options \fBFoomaticRIPCommandLine\fR, \fBFoomaticRIPCommandLinePDF\fR and \fBFoomaticRIPOptionSetting\fR
++are rejected in the default configuration because of security implications. Users can use the tool \fBfoomatic-hash(1)\fR, which provides
++values of affected PPD options from found drivers and hashes of those values in hexadecimal format. User is expected to review the found values,
++and if there is nothing suspicious in the output, copy the file with hashes into into the directory \fB@sysconfdir@/foomatic/hashes.d\fR
++to allow the exceptions for found values.
++
++
+ .SH FILES
+ .PD 0
+ .TP 0
+@@ -209,6 +218,13 @@ The PPD files of the currently defined printers
+ 
+ Configuration file for foomatic-rip
+ 
++.TP 0
++@sysconfdir@/foomatic/hashes.d
++.TP 0
++@datadir@/foomatic/hashes.d
++
++Directories with hashes of allowed values
++
+ .PD 0
+ 
+ .\".SH SEE ALSO
+diff --git a/filter/foomatic-rip/options.c b/filter/foomatic-rip/options.c
+index bad833bc1..032fe9ec3 100644
+--- a/filter/foomatic-rip/options.c
++++ b/filter/foomatic-rip/options.c
+@@ -102,6 +102,42 @@ get_icc_profile_for_qualifier(const char **qualifier)
+ }
+ 
+ 
++//
++// 'is_allowed_value' - Check if the option value is allowed.
++//
++
++int					 // O - Boolean value - true 1 / false 0
++is_allowed_value(cups_array_t *ar,       // I - Array of already known hashes from system
++		 char	      *value,    // I - Scanned value from PPD file
++		 size_t       value_len) // I - Value length
++{
++  char hash_string[65];			 // Help array to store hexadecimal hashed string
++
++  //
++  // Empty string is allowed...
++  //
++
++  if (!value_len)
++    return (1);
++
++  //
++  // Hash the value and get hexadecimal string for it...
++  //
++
++  if (hash_data((unsigned char*)value, value_len, hash_string, sizeof(hash_string)))
++    return (0);
++
++  //
++  // Check if the found hexadecimal hashed string is in the array -> allowed on the system...
++  //
++
++  if (cupsArrayFind(ar, hash_string))
++    return (1);
++
++  return (0);
++}
++
++
+ // a selector is a general tri-dotted specification.
+ // The 2nd and 3rd elements of the qualifier are optionally modified by
+ // cupsICCQualifier2 and cupsICCQualifier3:
+@@ -1866,12 +1902,19 @@ read_ppd_file(const char *filename)
+   option_t *opt, *current_opt = NULL;
+   param_t *param;
+   icc_mapping_entry_t *entry;
++  cups_array_t *known_hashes = NULL;
+ 
+   fh = fopen(filename, "r");
+   if (!fh)
+     rip_die(EXIT_PRNERR_NORETRY_BAD_SETTINGS, "Unable to open PPD file %s\n", filename);
+   _log("Parsing PPD file ...\n");
+ 
++  if (load_system_hashes(&known_hashes))
++  {
++    fclose(fh);
++    rip_die(EXIT_PRNERR_NORETRY, "Not enough memory for array allocation\n.");
++  }
++
+   dstrassure(value, 256);
+ 
+   qualifier_data = list_create();
+@@ -1955,10 +1998,26 @@ read_ppd_file(const char *filename)
+     }
+     else if (strcmp(key, "FoomaticRIPCommandLine") == 0)
+     {
++      if (!is_allowed_value(known_hashes, value->data, strlen(value->data)))
++      {
++        cupsArrayDelete(known_hashes);
++        fclose(fh);
++
++        rip_die(EXIT_PRNERR_NOTALLOWED, "ERROR: The value of the key %s is not among the allowed values - see foomatic-rip man page for more instructions.\n", key);
++      }
++
+       unhtmlify(cmd, 4096, value->data);
+     }
+     else if (strcmp(key, "FoomaticRIPCommandLinePDF") == 0)
+     {
++      if (!is_allowed_value(known_hashes, value->data, strlen(value->data)))
++      {
++        cupsArrayDelete(known_hashes);
++        fclose(fh);
++
++        rip_die(EXIT_PRNERR_NOTALLOWED, "ERROR: The value of the key %s is not among the allowed values - see foomatic-rip man page for more instructions.\n", key);
++      }
++
+       unhtmlify(cmd_pdf, 4096, value->data);
+     }
+     else if (!strcmp(key, "cupsFilter"))
+@@ -2097,6 +2156,14 @@ read_ppd_file(const char *filename)
+     }
+     else if (!strcmp(key, "FoomaticRIPOptionSetting"))
+     {
++      if (!is_allowed_value(known_hashes, value->data, strlen(value->data)))
++      {
++        cupsArrayDelete(known_hashes);
++        fclose(fh);
++
++        rip_die(EXIT_PRNERR_NOTALLOWED, "ERROR: The value of the key %s is not among the allowed values - see foomatic-rip man page for more instructions.\n", key);
++      }
++
+       // "*FoomaticRIPOptionSetting <option>[=<choice>]: <code>
+       // For boolean options <choice> is not given
+       option_set_choice(assure_option(name),
+-- 
+2.50.1
+

gating.yaml

@@ -0,0 +1,28 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/cups-tier1-public.functional}
+#Rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/cups-tier1-public.functional} 
+
+#gating rhel
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/cups-tier1-public.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/cups-tier1-internal.functional}

lftocrlf

@@ -0,0 +1,124 @@
+#!/bin/bash
+## Copyright (C) 2003-2006 Red Hat, Inc.
+## Copyright (C) 2003-2006 Tim Waugh <twaugh@redhat.com>
+## Changed on 2007/05/17, Opher Shachar, LADPC Ltd.
+##     Added support for page-ranges option.
+##     Added page accounting.
+
+## This program is free software; you can redistribute it and/or
+## modify it under the terms of the GNU General Public License
+## as published by the Free Software Foundation; either version 2
+## of the License, or (at your option) any later version.
+
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+if [ $# == 0 ]; then
+  echo >&2 "ERROR: $0 job-id user title copies options [file]"
+  exit 1
+fi
+
+# Extract the papersize
+SENDFF=`grep '^\*DefaultSendFF' "$PPD" | cut -d\  -f2`
+COPIES=1
+if [ $# -ge 4 ]; then
+  COPIES="$4"
+fi
+
+if [ $# -lt 6 ]; then
+  unset TMPFILE
+  trap -- 'rm -f "$TMPFILE"' EXIT
+  TMPFILE=$(mktemp ${TMPDIR:-/tmp}/lftocrlf.XXXXXX)
+  cat > "$TMPFILE"
+else
+  TMPFILE="$6"
+fi
+
+PR=${5#*page-ranges=}
+# Do options specify page-ranges?
+if [[ "$PR" != "$5" ]]; then
+  PR=${PR%% *}
+else
+  #unset PR
+  PR=1-999999
+fi
+
+if [[ "$PR" ]]; then
+  TMPFILE2=$(mktemp ${TMPDIR:-/tmp}/lftocrlf2.XXXXXX)
+  pagenum=0
+  EOF=
+  { 
+  while [[ "$PR" ]]; do
+    pl=${PR%%,*}		;# take first subrange
+    PR=${PR#$pl};PR=${PR#,}	;# remove from range list
+    pu=${pl#*-}			;# extract upper and lower
+    pl=${pl%-*}			;# pages of subrange
+    # Allows interpreting 0-5,3-10 as 1-5,6-10 rejects 5-1 or 1-
+    (( pagenum >= pl )) && pl=$(( pagenum + 1 ))
+    (( pl > pu )) && continue
+    
+    # Loop reading pages until at or over lower page of subrange.
+    while read -d `echo -ne '\f'` -r; do
+      (( pagenum++ ))
+      (( pagenum == pl )) && break
+    done
+    # Did we reach lower page of subrange or EOF?
+    if (( pagenum < pl )); then
+      [[ ! "$REPLY" ]] && break		;# empty last page - we're done.
+      (( pagenum++ ))
+      EOF=y
+    fi
+    # Output page and report to page log
+    if (( pagenum == pl )); then
+      echo -n "${REPLY}" >>"$TMPFILE2"
+      # If EOF then page has no final FF
+      [[ ! "$EOF" ]] && echo -ne '\f' >>"$TMPFILE2"
+      echo "PAGE: $pagenum $COPIES" >&2
+    fi
+    [[ "$EOF" ]] && break
+    # Is the current subrange a single page?
+    (( pagenum == pu )) && continue
+    while read -d `echo -ne '\f'` -r; do
+      (( pagenum++ ))
+      echo -ne "${REPLY}\f" >>"$TMPFILE2"
+      echo "PAGE: $pagenum $COPIES" >&2
+      (( pagenum == pu )) && break
+    done
+    # Could be that we reached EOF before page boundry
+    if (( pagenum < pu )); then
+      if [[ "$REPLY" ]]; then
+        (( pagenum++ ))
+        echo -n "${REPLY}" >>"$TMPFILE2"
+        echo "PAGE: $pagenum $COPIES" >&2
+      fi
+      break
+    fi
+  done
+  } <"$TMPFILE"
+else
+  TMPFILE2="$TMPFILE"
+  pc=$(grep -co `echo -ne '\f'` "$TMPFILE2")
+  pc=$(( pc * $COPIES ))
+  echo "PAGE: $pc" >&2
+fi
+
+while [ "$COPIES" -gt 0 ]; do
+  # Just translate LF->CRLF at the moment, until the PPD has options added.
+  sed -e 's/$/'`echo -ne '\r'`'/g' "$TMPFILE2"
+
+  if [ "$SENDFF" == "True" ]
+    then
+    echo -ne \\014
+  fi
+
+  COPIES=$(($COPIES - 1))
+done
+# Cleanup
+[[ "$TMPFILE" != "$TMPFILE2" ]] && rm -f "$TMPFILE2"
+exit 0

lftocrlf.ppd

@@ -0,0 +1,47 @@
+*PPD-Adobe: "4.3"
+*%
+*% Text-only printer definition
+*%
+*FormatVersion:	"4.3"
+*FileVersion:	"1.1"
+*LanguageVersion: English
+*LanguageEncoding: ISOLatin1
+*PCFileName:	"LFTOCRLF.PPD"
+*Manufacturer:	"Generic"
+*Product:	"(Generic)"
+*cupsVersion:   1.0
+*cupsManualCopies: True
+*cupsModelNumber:  2
+*cupsFilter:    "text/plain 0 lftocrlf"
+*ModelName:     "Generic LF-to-CRLF printer"
+*ShortNickName: "Generic LF-to-CRLF printer"
+*NickName:      "Generic LF-to-CRLF printer"
+*PSVersion:	"(2017.000) 0"
+*LanguageLevel:	"2"
+*ColorDevice:	False
+*DefaultColorSpace: Gray
+*FileSystem:	False
+*Throughput:	"8"
+*LandscapeOrientation: Plus90
+*VariablePaperSize: False
+*TTRasterizer:	Type42
+*DefaultImageableArea: Letter
+*ImageableArea Letter/US Letter:	"18 36 594 756"
+*DefaultPaperDimension: Letter
+*PaperDimension Letter/Letter:		"612 792"
+*OpenUI *PageSize/Media Size: PickOne
+*OrderDependency: 10 AnySetup *PageSize
+*DefaultPageSize: Letter
+*PageSize Letter/Letter:	"<</PageSize[612 792]/ImagingBBox null>>setpagedevice"
+*CloseUI: *PageSize
+*OpenUI *PageRegion: PickOne
+*OrderDependency: 10 AnySetup *PageRegion
+*DefaultPageRegion: Letter
+*PageRegion Letter/Letter:	"<</PageSize[612 792]/ImagingBBox null>>setpagedevice"
+*CloseUI: *PageRegion
+
+*OpenUI *SendFF: Boolean
+*DefaultSendFF: False
+*SendFF True/True:        ""
+*SendFF False/False:   ""
+*CloseUI: *SendFF

plans.fmf

@@ -0,0 +1,59 @@
+/tier1-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/tier1/internal
+
+/tier1-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/tier1/public
+
+/tier2-tier3-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/tier2-tier3/internal
+
+/tier2-tier3-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/tier2-tier3/public
+
+/others-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/others/internal
+
+/others-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/others/public
+
+/multihost:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/multihost/multihost
+
+/fips-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
+      name: /plans/others/fips
+
+/cups-tier1-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups.git
+      name: /plans/tier1/internal
+
+/cups-tier1-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/cups.git
+      name: /plans/tier1/public

sources

@@ -1 +1 @@
-SHA512 (cups-filters-1.28.16.tar.xz) = 0369f96a8ae5e33bf75c8765947d5ad7285b3532e9d9b0ded7e206798834c9ade3a2ac3f1d16e0fdd43346f2bc7852c541130e935cbb20f9c1239a53118d1239
+SHA512 (cups-filters-2.0.1.tar.gz) = b5d7b8f5a89a6a6bba0e861dd3c3263195be75996d22129d123f325f6bff74fbabf22f2ee2d953908ffb8294d825af5568af6695896c76ef4082ae98cd19c42c