Compare commits
3 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a950427db3 | ||
|
|
495fd329e7 | ||
|
|
fd7ae79085 |
15 changed files with 746 additions and 2233 deletions
|
|
@ -1 +0,0 @@
|
|||
1
|
||||
114
.gitignore
vendored
114
.gitignore
vendored
|
|
@ -1 +1,113 @@
|
|||
/cups-filters-*.tar.gz
|
||||
/cups-filters-1.0.20.tar.xz
|
||||
/cups-filters-1.0.22.tar.xz
|
||||
/cups-filters-1.0.23.tar.xz
|
||||
/cups-filters-1.0.24.tar.xz
|
||||
/cups-filters-1.0.25.tar.xz
|
||||
/cups-filters-1.0.28.tar.xz
|
||||
/cups-filters-1.0.29.tar.xz
|
||||
/cups-filters-1.0.30.tar.xz
|
||||
/cups-filters-1.0.31.tar.xz
|
||||
/cups-filters-1.0.32.tar.xz
|
||||
/cups-filters-1.0.33.tar.xz
|
||||
/cups-filters-1.0.34.tar.xz
|
||||
/cups-filters-1.0.35.tar.xz
|
||||
/cups-filters-1.0.36.tar.xz
|
||||
/cups-filters-1.0.37.tar.xz
|
||||
/cups-filters-1.0.38.tar.xz
|
||||
/cups-filters-1.0.39.tar.xz
|
||||
/cups-filters-1.0.40.tar.xz
|
||||
/cups-filters-1.0.41.tar.xz
|
||||
/cups-filters-1.0.42.tar.xz
|
||||
/cups-filters-1.0.43.tar.xz
|
||||
/cups-filters-1.0.44.tar.xz
|
||||
/cups-filters-1.0.45.tar.xz
|
||||
/cups-filters-1.0.46.tar.xz
|
||||
/cups-filters-1.0.47.tar.xz
|
||||
/cups-filters-1.0.48.tar.xz
|
||||
/cups-filters-1.0.49.tar.xz
|
||||
/cups-filters-1.0.50.tar.xz
|
||||
/cups-filters-1.0.51.tar.xz
|
||||
/cups-filters-1.0.52.tar.xz
|
||||
/cups-filters-1.0.53.tar.xz
|
||||
/cups-filters-1.0.54.tar.xz
|
||||
/cups-filters-1.0.55.tar.xz
|
||||
/cups-filters-1.0.58.tar.xz
|
||||
/cups-filters-1.0.59.tar.xz
|
||||
/cups-filters-1.0.60.tar.xz
|
||||
/cups-filters-1.0.61.tar.xz
|
||||
/cups-filters-1.0.65.tar.xz
|
||||
/cups-filters-1.0.66.tar.xz
|
||||
/cups-filters-1.0.67.tar.xz
|
||||
/cups-filters-1.0.68.tar.xz
|
||||
/cups-filters-1.0.69.tar.xz
|
||||
/cups-filters-1.0.70.tar.xz
|
||||
/cups-filters-1.0.71.tar.xz
|
||||
/cups-filters-1.0.73.tar.xz
|
||||
/cups-filters-1.0.74.tar.xz
|
||||
/cups-filters-1.0.75.tar.xz
|
||||
/cups-filters-1.0.76.tar.xz
|
||||
/cups-filters-1.1.0.tar.xz
|
||||
/cups-filters-1.2.0.tar.xz
|
||||
/cups-filters-1.3.0.tar.xz
|
||||
/cups-filters-1.4.0.tar.xz
|
||||
/cups-filters-1.5.0.tar.xz
|
||||
/cups-filters-1.6.0.tar.xz
|
||||
/cups-filters-1.7.0.tar.xz
|
||||
/cups-filters-1.8.0.tar.xz
|
||||
/cups-filters-1.8.1.tar.xz
|
||||
/cups-filters-1.8.2.tar.xz
|
||||
/cups-filters-1.8.3.tar.xz
|
||||
/cups-filters-1.9.0.tar.xz
|
||||
/cups-filters-1.10.0.tar.xz
|
||||
/cups-filters-1.11.2.tar.xz
|
||||
/cups-filters-1.11.3.tar.xz
|
||||
/cups-filters-1.11.4.tar.xz
|
||||
/cups-filters-1.11.5.tar.xz
|
||||
/cups-filters-1.11.6.tar.xz
|
||||
/cups-filters-1.12.0.tar.xz
|
||||
/cups-filters-1.13.0.tar.xz
|
||||
/cups-filters-1.13.1.tar.xz
|
||||
/cups-filters-1.13.2.tar.xz
|
||||
/cups-filters-1.13.3.tar.xz
|
||||
/cups-filters-1.13.4.tar.xz
|
||||
/cups-filters-1.13.5.tar.xz
|
||||
/cups-filters-1.14.0.tar.xz
|
||||
/cups-filters-1.14.1.tar.xz
|
||||
/cups-filters-1.16.0.tar.xz
|
||||
/cups-filters-1.16.1.tar.xz
|
||||
/cups-filters-1.16.3.tar.xz
|
||||
/cups-filters-1.17.2.tar.xz
|
||||
/cups-filters-1.17.7.tar.xz
|
||||
/cups-filters-1.17.8.tar.xz
|
||||
/cups-filters-1.17.9.tar.xz
|
||||
/cups-filters-1.19.0.tar.xz
|
||||
/cups-filters-1.20.0.tar.xz
|
||||
/cups-filters-1.20.1.tar.xz
|
||||
/cups-filters-1.20.2.tar.xz
|
||||
/cups-filters-1.20.3.tar.xz
|
||||
/cups-filters-1.21.2.tar.xz
|
||||
/cups-filters-1.21.5.tar.xz
|
||||
/cups-filters-1.21.6.tar.xz
|
||||
/cups-filters-1.22.0.tar.xz
|
||||
/cups-filters-1.22.3.tar.xz
|
||||
/cups-filters-1.22.5.tar.xz
|
||||
/cups-filters-1.26.0.tar.xz
|
||||
/cups-filters-1.27.0.tar.xz
|
||||
/cups-filters-1.27.1.tar.xz
|
||||
/cups-filters-1.27.2.tar.xz
|
||||
/cups-filters-1.27.3.tar.xz
|
||||
/cups-filters-1.27.4.tar.xz
|
||||
/cups-filters-1.27.5.tar.xz
|
||||
/cups-filters-1.28.1.tar.xz
|
||||
/cups-filters-1.28.2.tar.xz
|
||||
/cups-filters-1.28.5.tar.xz
|
||||
/cups-filters-1.28.6.tar.xz
|
||||
/cups-filters-1.28.7.tar.xz
|
||||
/cups-filters-1.28.8.tar.xz
|
||||
/cups-filters-1.28.9.tar.xz
|
||||
/cups-filters-1.28.10.tar.xz
|
||||
/cups-filters-1.28.11.tar.xz
|
||||
/cups-filters-1.28.12.tar.xz
|
||||
/cups-filters-1.28.14.tar.xz
|
||||
/cups-filters-1.28.15.tar.xz
|
||||
/cups-filters-1.28.16.tar.xz
|
||||
|
|
|
|||
|
|
@ -1,27 +0,0 @@
|
|||
From 44f59a1aa74c48515d8feba5a61b7ea3aaa592c4 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Fri, 24 Jan 2025 09:44:58 +0100
|
||||
Subject: [PATCH] Fix build failure with GCC 15 and -std=c23
|
||||
|
||||
The newest standard has more strict data type checks, function pointers
|
||||
in function prototypes have to declare data types of its arguments.
|
||||
---
|
||||
filter/foomatic-rip/process.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/filter/foomatic-rip/process.h b/filter/foomatic-rip/process.h
|
||||
index f6e15f65c..54a42923a 100644
|
||||
--- a/filter/foomatic-rip/process.h
|
||||
+++ b/filter/foomatic-rip/process.h
|
||||
@@ -18,7 +18,7 @@
|
||||
#include <sys/wait.h>
|
||||
|
||||
|
||||
-pid_t start_process(const char *name, int (*proc_func)(), void *user_arg,
|
||||
+pid_t start_process(const char *name, int (*proc_func)(FILE*, FILE*, void*), void *user_arg,
|
||||
FILE **fdin, FILE **fdout);
|
||||
pid_t start_system_process(const char *name, const char *command, FILE **fdin,
|
||||
FILE **fdout);
|
||||
--
|
||||
2.48.1
|
||||
|
||||
File diff suppressed because it is too large
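--- a/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-248.patch
+++ b/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-248.patch
@@ -0,0 +1,208 @@
+From 93e60d3df358c0ae6f3dba79e1c9684657683d89 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Wed, 17 May 2023 11:11:29 +0200
+Subject: [PATCH] beh backend: Use execv() instead of system() - CVE-2023-24805
+
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with a forged job title.
+
+In addition, done the following fixes and improvements:
+
+- Do not allow '/' in the scheme of the URI (= backend executable
+name), to assure that only backends inside /usr/lib/cups/backend/
+are used.
+
+- URI must have ':', to split off scheme, otherwise error out.
+
+- Check return value of snprintf() to create call path for backend, to
+error out on truncation of a too long scheme or on complete failure
+due to a completely odd scheme.
+
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+does not require setting terminating zero byte in case of truncation.
+
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+backends.
+
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+fprintf() which could be running in the main process when
+sigterm_handler() is triggered.
+
+- Use "static volatile int" for global variable job_canceled.
+---
+backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++-----------
+1 file changed, 84 insertions(+), 23 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27d5..8d51235b1 100644
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+#include "backend-private.h"
+#include <cups/array.h>
+#include <ctype.h>
++#include <sys/wait.h>
+
+/*
+* Local globals...
+*/
+
+-static int job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */
+
+/*
+* Local functions...
+@@ -213,21 +214,40 @@ call_backend(char *uri, /* I - URI of final destination */
+char **argv, /* I - Command-line arguments */
+char *filename) { /* I - File name of input data */
+const char *cups_serverbin; /* Location of programs */
++ char *backend_argv[8]; /* Arguments for backend */
+char scheme[1024], /* Scheme from URI */
+*ptr, /* Pointer into scheme */
+- cmdline[65536]; /* Backend command line */
+- int retval;
++ backend_path[2048]; /* Backend path */
++ int pid = 0, /* Process ID of backend */
++ wait_pid, /* Process ID from wait() */
++ wait_status, /* Status from child */
++ retval = 0;
++ int bytes;
+
+/*
+* Build the backend command line...
+*/
+
+- strncpy(scheme, uri, sizeof(scheme) - 1);
+- if (strlen(uri) > 1023)
+- scheme[1023] = '\0';
++ scheme[0] = '\0';
++ strncat(scheme, uri, sizeof(scheme) - 1);
+if ((ptr = strchr(scheme, ':')) != NULL)
+*ptr = '\0';
+-
++ else {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (strchr(scheme, '/')) {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+cups_serverbin = CUPS_SERVERBIN;
+
+@@ -235,16 +255,29 @@ call_backend(char *uri, /* I - URI of final destination */
+fprintf(stderr,
+"ERROR: beh: Direct output into a file not supported.\n");
+exit (CUPS_BACKEND_FAILED);
+- } else
+- snprintf(cmdline, sizeof(cmdline),
+- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+- cups_serverbin, scheme, argv[1], argv[2], argv[3],
+- /* Apply number of copies only if beh was called with a
+- file name and not with the print data in stdin, as
+- backends should handle copies only if they are called
+- with a file name */
+- (argc == 6 ? "1" : argv[4]),
+- argv[5], filename);
++ }
++
++ backend_argv[0] = uri;
++ backend_argv[1] = argv[1];
++ backend_argv[2] = argv[2];
++ backend_argv[3] = argv[3];
++ /* Apply number of copies only if beh was called with a file name
++ and not with the print data in stdin, as backends should handle
++ copies only if they are called with a file name */
++ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++ backend_argv[5] = argv[5];
++ backend_argv[6] = filename;
++ backend_argv[7] = NULL;
++
++ bytes = snprintf(backend_path, sizeof(backend_path),
++ "%s/backend/%s", cups_serverbin, scheme);
++ if (bytes < 0 || bytes >= sizeof(backend_path))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
++ scheme);
++ return (CUPS_BACKEND_FAILED);
++ }
+
+/*
+* Overwrite the device URI and run the actual backend...
+@@ -253,18 +286,44 @@ call_backend(char *uri, /* I - URI of final destination */
+setenv("DEVICE_URI", uri, 1);
+
+fprintf(stderr,
+- "DEBUG: beh: Executing backend command line \"%s\"...\n",
+- cmdline);
++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s' %s\"...\n",
++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++ backend_argv[4], backend_argv[5], backend_argv[6]);
+fprintf(stderr,
+"DEBUG: beh: Using device URI: %s\n",
+uri);
+
+- retval = system(cmdline) >> 8;
++ if ((pid = fork()) == 0) {
++ /*
++ * Child comes here...
++ */
++
++ /* Run the backend */
++ execv(backend_path, backend_argv);
+
+- if (retval == -1)
+fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+strerror(errno));
+
++ exit(1);
++ } else if (pid < 0) {
++ /*
++ * Unable to fork!
++ */
++
++ return (CUPS_BACKEND_FAILED);
++ }
++
++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
++
++ if (wait_pid >= 0 && wait_status) {
++ if (WIFEXITED(wait_status))
++ retval = WEXITSTATUS(wait_status);
++ else if (WTERMSIG(wait_status) != SIGTERM)
++ retval = WTERMSIG(wait_status);
++ else
++ retval = 0;
++ }
++
+return (retval);
+}
+
+@@ -277,8 +336,10 @@ static void
+sigterm_handler(int sig) { /* I - Signal number (unused) */
+(void)sig;
+
+- fprintf(stderr,
+- "DEBUG: beh: Job canceled.\n");
++ const char * const msg = "DEBUG: beh: Job canceled.\n";
++ /* The if() is to eliminate the return value and silence the warning
++ about an unused return value. */
++ if (write(2, msg, strlen(msg)));
+
+if (job_canceled)
+_exit(CUPS_BACKEND_OK);
+--
+2.40.1
+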
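Review bot: In call_backend, the new wait loop `while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);` leaves `retval` at its initial 0 when wait() fails for any reason other than EINTR, so the job is reported as successful although the backend's exit status was never collected. It also reaps whichever child exits first rather than the one just forked, which matters if beh ever has another child. Waiting on the specific child and failing closed covers both: `while ((wait_pid = waitpid(pid, &wait_status, 0)) < 0 && errno == EINTR);` followed by `if (wait_pid < 0) retval = CUPS_BACKEND_FAILED;`. In the child branch, `exit(1)` after a failed execv() runs atexit handlers and flushes stdio buffers inherited from the parent; `_exit(1)` avoids that. call_backend begins before the first hunk shown for it.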
|
|
@ -0,0 +1,24 @@
|
|||
diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
|
||||
index 79ece21..80c76d8 100644
|
||||
--- a/utils/cups-browsed.c
|
||||
+++ b/utils/cups-browsed.c
|
||||
@@ -5841,10 +5841,18 @@ get_local_queue_name(const char *service_name,
|
||||
make/model info */
|
||||
queue_name = remove_bad_chars(make_model, 0);
|
||||
else if (LocalQueueNamingRemoteCUPS == LOCAL_QUEUE_NAMING_REMOTE_NAME)
|
||||
+ {
|
||||
/* Not directly used in script generation input later, but taken from
|
||||
packet, so better safe than sorry. (consider second loop with
|
||||
backup_queue_name) */
|
||||
- queue_name = remove_bad_chars(strrchr(resource, '/') + 1, 0);
|
||||
+
|
||||
+ /* We can get resource without / or without string after / - use
|
||||
+ * the original string (possible trailing / will be removed) */
|
||||
+ if ((str = strrchr(resource, '/')) == NULL || strlen(str) <= 1)
|
||||
+ str = resource;
|
||||
+
|
||||
+ queue_name = remove_bad_chars(str, 0);
|
||||
+ }
|
||||
else
|
||||
/* Convert DNS-SD service name into a CUPS queue name exactly
|
||||
as CUPS would do it, to override CUPS' own temporary queue
|
||||
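Review bot: The fallback `str = resource;` in get_local_queue_name still hands remove_bad_chars() a string with no usable name when the resource taken from the packet is empty or consists only of "/", and the hunk shows no check that the resulting `queue_name` is non-empty. remove_bad_chars() is not visible here, so its result for such input is an assumption to confirm. Because the value comes from a network packet, a guard after the call such as `if (queue_name == NULL || !queue_name[0])` that rejects the entry or falls back to the DNS-SD-derived name would close the gap. The declaration of `str` and the rest of the function lie outside the hunk.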
|
|
@ -1,79 +0,0 @@
|
|||
From 0fe46c511e81062575b05936f804eb18c9f0a011 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Wed, 12 Nov 2025 15:47:24 +0100
|
||||
Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
|
||||
|
||||
Infinite loop happened because of crafted input raster file, which led
|
||||
into heap buffer overflow of `CompressBuf` array.
|
||||
|
||||
Based on comments there should be always some `count` when compressing
|
||||
the data, and processing of crafted file ended with offset and count
|
||||
being 0.
|
||||
|
||||
Fixes CVE-2025-64524
|
||||
---
|
||||
filter/rastertopclx.c | 25 +++++++++++++++++++++++--
|
||||
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
|
||||
index ded86f114..39cb378bf 100644
|
||||
--- a/filter/rastertopclx.c
|
||||
+++ b/filter/rastertopclx.c
|
||||
@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data
|
||||
}
|
||||
|
||||
if (header->cupsCompression)
|
||||
- CompBuffer = malloc(DotBufferSize * 4);
|
||||
+ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
|
||||
|
||||
if (header->cupsCompression >= 3)
|
||||
- SeedBuffer = malloc(DotBufferSize);
|
||||
+ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
|
||||
|
||||
SeedInvalid = 1;
|
||||
|
||||
@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress
|
||||
seed ++;
|
||||
count ++;
|
||||
}
|
||||
+
|
||||
+ //
|
||||
+ // Bail out if we don't have count to compress
|
||||
+ //
|
||||
+
|
||||
+ if (count == 0)
|
||||
+ break;
|
||||
}
|
||||
|
||||
//
|
||||
@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress
|
||||
|
||||
count = line_ptr - start;
|
||||
|
||||
+ //
|
||||
+ // Bail out if we don't have count to compress
|
||||
+ //
|
||||
+
|
||||
+ if (count == 0)
|
||||
+ break;
|
||||
+
|
||||
#if 0
|
||||
fprintf(stderr,
|
||||
"DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
|
||||
@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress
|
||||
|
||||
count = (line_ptr - start) / 3;
|
||||
|
||||
+ //
|
||||
+ // Bail out if we don't have count to compress
|
||||
+ //
|
||||
+
|
||||
+ if (count == 0)
|
||||
+ break;
|
||||
+
|
||||
//
|
||||
// Place mode 10 compression data in the buffer; each sequence
|
||||
// starts with a command byte that looks like:
|
||||
--
|
||||
2.51.1
|
||||
|
||||
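--- a/browsed-updatenetif.patch
+++ b/browsed-updatenetif.patch
@@ -0,0 +1,121 @@
+diff --git a/configure.ac b/configure.ac
+index c1b108f..e921820 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -902,6 +902,16 @@ AC_ARG_WITH([shell],
+)
+AC_DEFINE_UNQUOTED([SHELL], "$with_shell", [Path for a modern shell])
+
++AC_ARG_ENABLE([frequent_netif_update],
++ [AS_HELP_STRING([--enable-frequent-netif-update], [Enable network interface update after each found entry to prevent network issues])],
++ [FREQUENT_NETIF_UPDATE=$enableval],
++ [FREQUENT_NETIF_UPDATE=yes]
++)
++
++AS_IF([test "x$FREQUENT_NETIF_UPDATE" != "xno"],
++ [AC_DEFINE([FREQUENT_NETIF_UPDATE], [1], [Define whether we want network interface update after each found entry])]
++)
++
+# =====================
+# Prepare all .in files
+# =====================
+@@ -978,6 +988,7 @@ Build configuration:
+pclm: ${enable_pclm}
+local queue naming for remote CUPS queues: ${REMOTE_CUPS_LOCAL_QUEUE_NAMING}
+keep generated queues during shutdown: ${SAVING_CREATED_QUEUES}
++ update network interfaces after each found entry: ${FREQUENT_NETIF_UPDATE}
+all ipp printer auto-setup: ${enable_auto_setup_all}
+only driverless auto-setup: ${enable_auto_setup_driverless_only}
+only local auto-setup: ${enable_auto_setup_local_only}
+diff --git a/utils/cups-browsed.c b/utils/cups-browsed.c
+index 9971209..79ece21 100644
+--- a/utils/cups-browsed.c
++++ b/utils/cups-browsed.c
+@@ -490,6 +490,11 @@ static autoshutdown_inactivity_type_t autoshutdown_on = NO_QUEUES;
+static guint autoshutdown_exec_id = 0;
+static const char *default_printer = NULL;
+static unsigned int notify_lease_duration = 86400;
++#ifdef FREQUENT_NETIF_UPDATE
++static int FrequentNetifUpdate = 1;
++#else
++static int FrequentNetifUpdate = 0;
++#endif
+
+static int debug_stderr = 0;
+static int debug_logfile = 0;
+@@ -9700,7 +9705,7 @@ examine_discovered_printer_record(const char *host,
+or legacy CUPS, needed for the is_local_hostname() function calls.
+During DNS-SD discovery the update is already done by the Avahi
+event handler function. */
+- if (type == NULL || type[0] == '\0')
++ if (FrequentNetifUpdate && (type == NULL || type[0] == '\0'))
+update_netifs(NULL);
+
+/* Check if we have already created a queue for the discovered
+@@ -10100,9 +10105,11 @@ static void resolve_callback(AvahiServiceResolver *r,
+strncpy(ifname, "Unknown", sizeof(ifname) - 1);
+}
+
++ if (FrequentNetifUpdate)
++ update_netifs(NULL);
++
+/* Ignore local queues of the cupsd we are serving for, identifying them
+via UUID */
+- update_netifs(NULL);
+if ((flags & AVAHI_LOOKUP_RESULT_LOCAL) || !strcasecmp(ifname, "lo") ||
+is_local_hostname(host_name)) {
+update_local_printers ();
+@@ -11967,6 +11974,13 @@ read_configuration (const char *filename)
+else if (!strcasecmp(value, "no") || !strcasecmp(value, "false") ||
+!strcasecmp(value, "off") || !strcasecmp(value, "0"))
+AutoClustering = 0;
++ } else if (!strcasecmp(line, "FrequentNetifUpdate") && value) {
++ if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ||
++ !strcasecmp(value, "on") || !strcasecmp(value, "1"))
++ FrequentNetifUpdate = 1;
++ else if (!strcasecmp(value, "no") || !strcasecmp(value, "false") ||
++ !strcasecmp(value, "off") || !strcasecmp(value, "0"))
++ FrequentNetifUpdate = 0;
+} else if (!strcasecmp(line, "Cluster") && value) {
+ptr = value;
+ptr2 = NULL;
+diff --git a/utils/cups-browsed.conf.5 b/utils/cups-browsed.conf.5
+index 7e6ee3b..7f60168 100644
+--- a/utils/cups-browsed.conf.5
++++ b/utils/cups-browsed.conf.5
+@@ -1005,6 +1005,18 @@ and doing specific actions when a D-BUS notification comes.
+NotifLeaseDuration 86400
+.fam T
+.fi
++FrequentNetifUpdate turns on/off the network interface update routines
++which happen for each found entry, which can slow up cups-browsed significantly
++if we are on a network with many shared printers or if we use BrowsePoll to a server
++with many queues. Network interface updates after receiving D-BUS notification
++from NetworkManager won't be turned off with the directive. The default value
++is 'Yes'.
++.PP
++.nf
++.fam C
++ FrequentNetifUpdate Yes
++.fam T
++.fi
+.SH SEE ALSO
+
+\fBcups-browsed\fP(8)
+diff --git a/utils/cups-browsed.conf.in b/utils/cups-browsed.conf.in
+index ee2f5bf..6866918 100644
+--- a/utils/cups-browsed.conf.in
++++ b/utils/cups-browsed.conf.in
+@@ -774,3 +774,12 @@ BrowseRemoteProtocols @BROWSEREMOTEPROTOCOLS@
+# and doing specific actions when a D-BUS notification comes.
+
+# NotifLeaseDuration 86400
++
++# FrequentNetifUpdate turns on/off the network interface update routines
++# which happen for each found entry, which can slow up cups-browsed significantly
++# if we are on a network with many shared printers or if we use BrowsePoll to a server
++# with many queues. Network interface updates after receiving D-BUS notification
++# from NetworkManager won't be turned off with the directive. The default value
++# is 'Yes'.
++#
++# FrequentNetifUpdate Yes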
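Review bot: With `FrequentNetifUpdate` off, resolve_callback no longer calls update_netifs() before `is_local_hostname(host_name)`, so the check that filters out the local cupsd's own queues runs against whatever interface list was collected last; the man page and conf text added by this patch describe only the speed gain. The documentation should state that trade-off, for example `Turning it off means local-host detection relies on the interface list from the last NetworkManager D-BUS notification.` Whether any other path refreshes the list on systems without NetworkManager is not visible in these hunks. In read_configuration, a value that matches neither the yes nor the no forms is ignored without a message; a debug line there would help catch typos in cups-browsed.conf.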
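--- a/ci.fmf
+++ b/ci.fmf
@@ -1 +0,0 @@
-resultsdb-testcase: separate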
|
|
@ -1,90 +1,155 @@
|
|||
%if 0%{?fedora}
|
||||
%bcond_without mdns
|
||||
%bcond_without braille
|
||||
%else
|
||||
%bcond_with mdns
|
||||
%bcond_with braille
|
||||
%endif
|
||||
|
||||
# currently we use CUPS PPD compiler which will be removed
|
||||
# in CUPS 3.0, then we will use PPD compiler from libppd-tools
|
||||
%bcond_without cups_ppdc
|
||||
|
||||
# we build CUPS also with relro
|
||||
%global _hardened_build 1
|
||||
|
||||
Summary: OpenPrinting CUPS filters for CUPS 2.X
|
||||
Summary: OpenPrinting CUPS filters and backends
|
||||
Name: cups-filters
|
||||
Epoch: 1
|
||||
Version: 2.0.1
|
||||
Release: 12%{?dist}
|
||||
Version: 1.28.16
|
||||
Release: 5%{?dist}
|
||||
|
||||
# the CUPS exception text is the same as LLVM exception, so using that name with
|
||||
# agreement from legal team
|
||||
# https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/A7GFSD6M3GYGSI32L2FC5KB22DUAEQI3/
|
||||
License: Apache-2.0 WITH LLVM-exception
|
||||
# For a breakdown of the licensing, see COPYING file
|
||||
# GPLv2: filters: commandto*, imagetoraster, pdftops, rasterto*,
|
||||
# imagetopdf, pstopdf, texttopdf
|
||||
# backends: parallel, serial
|
||||
# GPLv2+: filters: gstopxl, textonly, texttops, imagetops, foomatic-rip
|
||||
# GPLv3: filters: bannertopdf
|
||||
# GPLv3+: filters: urftopdf, rastertopdf
|
||||
# LGPLv2+: utils: cups-browsed
|
||||
# MIT: filters: gstoraster, pdftoijs, pdftoopvp, pdftopdf, pdftoraster
|
||||
License: GPLv2 and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2+ and MIT and BSD with advertising
|
||||
|
||||
URL: https://github.com/OpenPrinting/cups-filters
|
||||
Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||
Url: http://www.linuxfoundation.org/collaborate/workgroups/openprinting/cups-filters
|
||||
Source0: http://www.openprinting.org/download/cups-filters/cups-filters-%{version}.tar.xz
|
||||
Source1: lftocrlf.ppd
|
||||
Source2: lftocrlf
|
||||
|
||||
# backported from upstream
|
||||
Patch0001: browsed-updatenetif.patch
|
||||
Patch0002: 0001-beh-backend-Use-execv-instead-of-system-CVE-2023-248.patch
|
||||
Patch0003: 0001-cups-browsed.c-Ensure-we-always-send-a-valid-name-to.patch
|
||||
|
||||
# Patches
|
||||
# https://github.com/OpenPrinting/cups-filters/pull/618
|
||||
Patch001: 0001-Fix-build-failure-with-GCC-15-and-std-c23.patch
|
||||
# introducing foomatic-hash, but without rejecting values in foomatic-rip
|
||||
# https://github.com/OpenPrinting/cups-filters/pull/648
|
||||
Patch002: 0001-Introduce-foomatic-hash-and-reject-unauthorized-valu.patch
|
||||
# make sure errors from foomatic-rip are propagated
|
||||
# https://github.com/OpenPrinting/cups-filters/pull/649
|
||||
Patch003: foomatic-ripdie-error.patch
|
||||
# rejecting the unknown values in foomatic-rip
|
||||
# https://github.com/OpenPrinting/cups-filters/pull/648
|
||||
Patch004: foomaticrip-reject-unknown-values.patch
|
||||
# CVE-2025-64524 fix
|
||||
Patch005: 0001-rastertopclx.c-Fix-infinite-loop-caused-by-crafted-f.patch
|
||||
|
||||
|
||||
# driverless backend/driver was moved into a separate package to
|
||||
# remove avahi dependency for filters
|
||||
# remove once C10S is released and F40 is EOL
|
||||
Conflicts: cups-filters-driverless < 1:2.0.0-3
|
||||
|
||||
# autogen.sh
|
||||
BuildRequires: autoconf
|
||||
# autogen.sh
|
||||
BuildRequires: automake
|
||||
# filter binaries and backends are written in C
|
||||
BuildRequires: gcc
|
||||
# autogen.sh
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: libtool
|
||||
|
||||
# build requirements for build system:
|
||||
# gcc for backends (implicitclass, parallel, serial, backend error handling)
|
||||
# cupsfilters (colord, color manager...), filter (banners,
|
||||
# commandto*, braille, foomatic-rip, imagetoraster, imagetopdf, gstoraster e.g.),
|
||||
# fontembed, cups-browsed
|
||||
BuildRequires: gcc
|
||||
# gcc-c++ for pdftoopvp, pdftopdf
|
||||
BuildRequires: gcc-c++
|
||||
# for autosetup
|
||||
BuildRequires: git-core
|
||||
# autogen.sh
|
||||
BuildRequires: libtool
|
||||
# uses make for compiling
|
||||
BuildRequires: make
|
||||
# we use pkgconfig to get a proper devel packages
|
||||
# proper CFLAGS and LDFLAGS
|
||||
BuildRequires: pkgconf-pkg-config
|
||||
# uses CUPS API
|
||||
BuildRequires: pkgconfig(cups) >= 2.2.2
|
||||
# uses cupsfilters API
|
||||
BuildRequires: pkgconfig(libcupsfilters) >= 2.0b3
|
||||
# uses PPD API
|
||||
BuildRequires: pkgconfig(libppd) >= 2.0b3
|
||||
|
||||
# uses CUPS API functions - arrays, ipp functions
|
||||
BuildRequires: cups-devel
|
||||
|
||||
# pdftopdf
|
||||
BuildRequires: pkgconfig(libqpdf)
|
||||
|
||||
# pdftops
|
||||
BuildRequires: poppler-utils
|
||||
|
||||
# pdftoraster, gstoraster
|
||||
BuildRequires: ghostscript
|
||||
BuildRequires: libjpeg-turbo-devel
|
||||
BuildRequires: libtiff-devel
|
||||
BuildRequires: pkgconfig(dbus-1)
|
||||
BuildRequires: pkgconfig(fontconfig)
|
||||
BuildRequires: pkgconfig(freetype2)
|
||||
BuildRequires: pkgconfig(lcms2)
|
||||
# used for getting image resolution from images - they have
|
||||
# EXIF data in them and library accesses it
|
||||
BuildRequires: pkgconfig(libexif)
|
||||
BuildRequires: pkgconfig(libpng)
|
||||
BuildRequires: pkgconfig(poppler-cpp)
|
||||
BuildRequires: pkgconfig(zlib)
|
||||
|
||||
# cups-browsed
|
||||
BuildRequires: avahi-devel
|
||||
BuildRequires: pkgconfig(avahi-glib)
|
||||
BuildRequires: pkgconfig(glib-2.0)
|
||||
BuildRequires: systemd
|
||||
|
||||
# Make sure we get postscriptdriver tags.
|
||||
BuildRequires: python3-cups
|
||||
# for systemd unit for upgrade
|
||||
|
||||
# Testing font for test scripts.
|
||||
BuildRequires: dejavu-sans-fonts
|
||||
|
||||
# needed for systemd rpm macros in scriptlets
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
%if %{with braille}
|
||||
Recommends: braille-printer-app
|
||||
# cups-browsed needs systemd-resolved or nss-mdns for resolving .local addresses of remote print queues
|
||||
# let's not require a specific package and let the user decide what he wants to use.
|
||||
# just recommend nss-mdns for Fedora for now to have working default, but
|
||||
# don't hardwire it for resolved users
|
||||
%if 0%{?fedora}
|
||||
Recommends: nss-mdns
|
||||
%endif
|
||||
# needs cups dirs
|
||||
Requires: cups-filesystem
|
||||
# Avahi is needed for device discovery for newer (2012+) devices and its sharing - make it recommended
|
||||
Recommends: avahi
|
||||
# ippfind is used in driverless backend, not needed classic PPD based print queue
|
||||
Recommends: cups-ipptool
|
||||
# braille filters and backend
|
||||
Recommends: %{name}-braille%{?_isa} = %{version}-%{release}
|
||||
|
||||
# pstopdf
|
||||
Requires: bc grep sed which
|
||||
# for getting ICC profiles for filters (dbus must run)
|
||||
Requires: colord
|
||||
Requires: cups-filesystem
|
||||
# have the same libs for the package
|
||||
Requires: cups-filters-libs%{?_isa} = %{version}-%{release}
|
||||
# several filters calls 'gs' binary during filtering
|
||||
Requires: ghostscript
|
||||
# texttopdf
|
||||
Requires: liberation-mono-fonts
|
||||
# if --with-pdftops is set to hybrid, we use poppler filters for several printers
|
||||
# and for printing banners, for other printers we need gs - ghostscript
|
||||
Requires: poppler-utils
|
||||
|
||||
# cups-browsed
|
||||
# cups-browsed needs to have cups.service to run
|
||||
Requires: cups
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
|
||||
|
||||
%package libs
|
||||
Summary: OpenPrinting CUPS filters and backends - cupsfilters and fontembed libraries
|
||||
# LGPLv2: libcupsfilters
|
||||
# MIT: libfontembed
|
||||
License: LGPLv2 and MIT
|
||||
|
||||
%package devel
|
||||
Summary: OpenPrinting CUPS filters and backends - development environment
|
||||
License: LGPLv2 and MIT
|
||||
Requires: cups-filters-libs%{?_isa} = %{version}-%{release}
|
||||
|
||||
%package braille
|
||||
Summary: OpenPrinting CUPS filters and backends - braille filters and backend
|
||||
License: GPLv2+ and MIT
|
||||
BuildRequires: liblouis-devel
|
||||
# remove after F36 goes EOL
|
||||
Conflicts: cups-filters < 1.28.11-1
|
||||
# we need classic pdftopdf and other filters as well
|
||||
Requires: cups-filters%{?_isa} = %{version}-%{release}
|
||||
# lou_translate and file2brl are needed for file conversions
|
||||
# liblouis-utils for lou_translate
|
||||
Requires: liblouis-utils
|
||||
# liblouisutdml-utils for file2brl
|
||||
Requires: liblouisutdml-utils
|
||||
|
||||
%description
|
||||
Contains backends, filters, and other software that was
|
||||
|
|
@ -93,65 +158,55 @@ Apple Inc. In addition it contains additional filters developed
|
|||
independently of Apple, especially filters for the PDF-centric printing
|
||||
workflow introduced by OpenPrinting.
|
||||
|
||||
%description libs
|
||||
This package provides cupsfilters and fontembed libraries.
|
||||
|
||||
%package driverless
|
||||
Summary: OpenPrinting driverless backends and drivers for CUPS 2.X
|
||||
License: Apache-2.0 WITH LLVM-exception
|
||||
|
||||
# backends and drivers has been moved from the main package to subpackage
|
||||
# to remove the avahi/mdns dependency needed for driverless
|
||||
# remove after F40 is EOL and C10S is released
|
||||
Conflicts: cups-filters < 1:2.0.0-3
|
||||
|
||||
# finding device via driverless depends on running avahi-daemon
|
||||
Requires: avahi
|
||||
# ippfind is used in driverless backend, not needed classic PPD based print queue
|
||||
Requires: cups-ipptool
|
||||
# cups-browsed needs systemd-resolved or nss-mdns for resolving .local addresses of remote print queues
|
||||
# let's not require a specific package and let the user decide what he wants to use.
|
||||
# just recommend nss-mdns for Fedora for now to have working default, but
|
||||
# don't hardwire it for resolved users
|
||||
%if %{with mdns}
|
||||
Recommends: nss-mdns
|
||||
%endif
|
||||
|
||||
# needs cups dirs
|
||||
Requires: cups-filesystem
|
||||
|
||||
|
||||
%description driverless
|
||||
Contains backends and drivers for driverless implementation for cups-filters,
|
||||
which makes driverless printers to be seen when listing printers nearby and gives
|
||||
a specific generated driver for driverless printer in the local network. They are
|
||||
tools for backward compatibility with applications which don't handle CUPS temporary
|
||||
queues.
|
||||
%description devel
|
||||
This is the development package for OpenPrinting CUPS filters and backends.
|
||||
|
||||
%description braille
|
||||
The package provides filters and cups-brf backend needed for braille printing.
|
||||
|
||||
%prep
|
||||
%autosetup -S git -N
|
||||
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
%autopatch
|
||||
%else
|
||||
%autopatch -M 3
|
||||
%endif
|
||||
|
||||
%autosetup -S git
|
||||
|
||||
%build
|
||||
# work-around Rpath
|
||||
./autogen.sh
|
||||
|
||||
%configure --enable-driverless \
|
||||
--enable-individual-cups-filters \
|
||||
--disable-universal-cups-filter \
|
||||
--disable-mutool \
|
||||
--disable-rpath \
|
||||
# --with-pdftops=hybrid - use Poppler's pdftops instead of Ghostscript for
|
||||
# Brother, Minolta, and Konica Minolta to work around
|
||||
# bugs in the printer's PS interpreters
|
||||
# --with-rcdir=no - don't install SysV init script
|
||||
# --enable-driverless - enable PPD generator for driverless printing in
|
||||
# /usr/lib/cups/driver, it is for manual setup of
|
||||
# driverless printers with printer setup tool
|
||||
# --disable-static - do not build static libraries (becuase of Fedora Packaging
|
||||
# Guidelines)
|
||||
# --enable-dbus - enable DBus Connection Manager's code
|
||||
# --disable-silent-rules - verbose build output
|
||||
# --disable-mutool - mupdf is retired in Fedora, use qpdf
|
||||
# --enable-pclm - support for pclm language
|
||||
# --with-remote-cups-local-queue-naming=RemoteName - name created local queues, which point to
|
||||
# remote CUPS queue, by its name from the server
|
||||
# --disable-frequent-netif-update - cups-browsed can update its network interface data after every found printer,
|
||||
# which slows down the printer creation - this disables it and leave the network
|
||||
# interface update only after notification from NetworkManager
|
||||
|
||||
%configure --disable-static \
|
||||
--disable-silent-rules \
|
||||
--disable-static
|
||||
--with-pdftops=hybrid \
|
||||
--enable-dbus \
|
||||
--with-rcdir=no \
|
||||
--disable-mutool \
|
||||
--enable-driverless \
|
||||
--enable-pclm \
|
||||
--with-apple-raster-filter=rastertopdf \
|
||||
--with-remote-cups-local-queue-naming=RemoteName \
|
||||
--disable-frequent-netif-update
|
||||
|
||||
%make_build
|
||||
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
||||
|
|
@ -159,143 +214,75 @@ queues.
|
|||
install -p -m 0755 %{SOURCE2} %{buildroot}%{_cups_serverbin}/filter/lftocrlf
|
||||
install -p -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/ppd/cupsfilters/lftocrlf.ppd
|
||||
|
||||
# remove this once F43 is EOL
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
# Don't ship libtool la files.
|
||||
rm -f %{buildroot}%{_libdir}/lib*.la
|
||||
|
||||
mkdir -p %{buildroot}%{_libexecdir}/%{name}
|
||||
# Not sure what is this good for.
|
||||
rm -f %{buildroot}%{_bindir}/ttfread
|
||||
|
||||
cat > %{buildroot}%{_libexecdir}/%{name}/posttrans.sh << EOF
|
||||
#!/usr/bin/bash
|
||||
|
||||
if \$(grep -q -R 'FoomaticRIPCommandLine\|FoomaticRipOptionSetting' %{_sysconfdir}/cups/ppd)
|
||||
then
|
||||
tmpfile=\$(mktemp -p /var/tmp foomatic-scan.XXXXXXXX)
|
||||
|
||||
for ppd in %{_sysconfdir}/cups/ppd/*.ppd
|
||||
do
|
||||
foomatic-hash --ppd \$ppd \$tmpfile %{_sysconfdir}/foomatic/hashes.d/hashes.upgrade || :
|
||||
done
|
||||
|
||||
if test -f %{_sysconfdir}/foomatic/hashes.d/hashes.upgrade
|
||||
then
|
||||
echo "Foomatic-rip values which can inject code found - review findings in \$tmpfile. Read release notes for instructions." || :
|
||||
fi
|
||||
else
|
||||
touch %{_sysconfdir}/foomatic/hashes.d/hashes.new
|
||||
fi
|
||||
|
||||
exit 0
|
||||
EOF
|
||||
rm -f %{buildroot}%{_pkgdocdir}/INSTALL
|
||||
mkdir -p %{buildroot}%{_pkgdocdir}/fontembed/
|
||||
cp -p fontembed/README %{buildroot}%{_pkgdocdir}/fontembed/
|
||||
|
||||
# systemd unit file
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
|
||||
cat > %{buildroot}%{_unitdir}/foomaticrip-upgrade.service << EOF
|
||||
[Unit]
|
||||
Description=Allowing already installed printers for foomatic-rip
|
||||
ConditionPathIsDirectory=%{_sysconfdir}/foomatic/hashes.d
|
||||
ConditionDirectoryNotEmpty=!%{_sysconfdir}/foomatic/hashes.d
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=bash -c %{_libexecdir}/%{name}/posttrans.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
|
||||
mkdir -p %{buildroot}%{_unitdir}/cups.service.d
|
||||
|
||||
cat > %{buildroot}%{_unitdir}/cups.service.d/10-foomaticrip-upgrade.conf << EOF
|
||||
[Unit]
|
||||
After=foomaticrip-upgrade.service
|
||||
Wants=foomaticrip-upgrade.service
|
||||
EOF
|
||||
|
||||
%endif
|
||||
|
||||
install -p -m 644 utils/cups-browsed.service %{buildroot}%{_unitdir}
|
||||
|
||||
# LSB3.2 requires /usr/bin/foomatic-rip,
|
||||
# create it temporarily as a relative symlink
|
||||
# we may use symlink to universal filter, but LSB is about guaranteed compatibility set
|
||||
# among distibutions, so rather have the strict foomatic-rip filter...
|
||||
ln -sf %{_cups_serverbin}/filter/foomatic-rip %{buildroot}%{_bindir}/foomatic-rip
|
||||
|
||||
%if %{with cups_ppdc}
|
||||
mkdir -p %{buildroot}%{_datadir}/cups/ppdc
|
||||
mv %{buildroot}%{_datadir}/{ppdc/pcl.h,cups/ppdc/pcl.h}
|
||||
mv %{buildroot}%{_datadir}/{ppdc/escp.h,cups/ppdc/escp.h}
|
||||
%endif
|
||||
|
||||
# remove license files which are in %%pkgdocdir
|
||||
rm -f %{buildroot}%{_pkgdocdir}/{COPYING,NOTICE,LICENSE}
|
||||
|
||||
# remove INSTALL since it is unnecessary
|
||||
rm -f %{buildroot}%{_pkgdocdir}/INSTALL
|
||||
|
||||
# remove CHANGES-1.x.md, since it is carried by a dependency
|
||||
rm -f %{buildroot}%{_pkgdocdir}/CHANGES-1.x.md
|
||||
|
||||
|
||||
%check
|
||||
make check
|
||||
|
||||
|
||||
%post
|
||||
# remove PPD cache to make bz#2351389 fix work right away
|
||||
# remove after F43 EOL
|
||||
if [ $1 -gt 1 ]
|
||||
then
|
||||
rm -f /var/cache/cups/ppds.dat || :
|
||||
fi
|
||||
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
%systemd_post foomaticrip-upgrade.service
|
||||
%endif
|
||||
%systemd_post cups-browsed.service
|
||||
|
||||
# put UpdateCUPSQueuesMaxPerCall and PauseBetweenCUPSQueueUpdates into cups-browsed.conf
|
||||
# for making cups-browsed work more stable for environments with many print queues
|
||||
# remove this after 1-2 releases
|
||||
for directive in "UpdateCUPSQueuesMaxPerCall" "PauseBetweenCUPSQueueUpdates"
|
||||
do
|
||||
found=`%{_bindir}/grep "^[[:blank:]]*$directive" %{_sysconfdir}/cups/cups-browsed.conf`
|
||||
if [ -z "$found" ]
|
||||
then
|
||||
if [ "x$directive" == "xUpdateCUPSQueuesMaxPerCall" ]
|
||||
then
|
||||
%{_bindir}/echo "UpdateCUPSQueuesMaxPerCall 20" >> %{_sysconfdir}/cups/cups-browsed.conf
|
||||
else
|
||||
%{_bindir}/echo "PauseBetweenCUPSQueueUpdates 5" >> %{_sysconfdir}/cups/cups-browsed.conf
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
%preun
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
%systemd_preun foomaticrip-upgrade.service
|
||||
%endif
|
||||
|
||||
%systemd_preun cups-browsed.service
|
||||
|
||||
%postun
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
%systemd_postun foomaticrip-upgrade.service
|
||||
%endif
|
||||
%systemd_postun_with_restart cups-browsed.service
|
||||
|
||||
|
||||
%posttrans
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
%systemd_posttrans_with_reload foomaticrip-upgrade.service
|
||||
%endif
|
||||
|
||||
if [ $1 -gt 1 ]
|
||||
then
|
||||
# since we moved to individual filters, we have to restart cups
|
||||
# to load new conversion tables if it is running
|
||||
# remove by F43 EOL and C11S release
|
||||
if systemctl is-active cups &> /dev/null
|
||||
then
|
||||
systemctl restart cups || :
|
||||
fi
|
||||
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
systemctl start foomaticrip-upgrade.service || :
|
||||
%endif
|
||||
fi
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
|
||||
%files
|
||||
%license COPYING LICENSE NOTICE
|
||||
%doc AUTHORS ABOUT-NLS CHANGES.md CONTRIBUTING.md DEVELOPING.md README.md
|
||||
%{_bindir}/foomatic-hash
|
||||
%{_pkgdocdir}/README
|
||||
%{_pkgdocdir}/ABOUT-NLS
|
||||
%{_pkgdocdir}/AUTHORS
|
||||
%{_pkgdocdir}/NEWS
|
||||
%{_bindir}/foomatic-rip
|
||||
%attr(0744,root,root) %{_cups_serverbin}/backend/beh
|
||||
%{_bindir}/driverless
|
||||
%{_bindir}/driverless-fax
|
||||
%{_sbindir}/cups-browsed
|
||||
%attr(0700,root,root) %{_cups_serverbin}/backend/beh
|
||||
# implicitclass backend must be run as root
|
||||
%attr(0700,root,root) %{_cups_serverbin}/backend/implicitclass
|
||||
# all backends needs to be run only as root because of kerberos
|
||||
%attr(0744,root,root) %{_cups_serverbin}/backend/parallel
|
||||
%attr(0700,root,root) %{_cups_serverbin}/backend/parallel
|
||||
# Serial backend needs to run as root (bug #212577#c4).
|
||||
%attr(0744,root,root) %{_cups_serverbin}/backend/serial
|
||||
%attr(0700,root,root) %{_cups_serverbin}/backend/serial
|
||||
%{_cups_serverbin}/backend/driverless
|
||||
%{_cups_serverbin}/backend/driverless-fax
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/bannertopdf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/commandtoescpx
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/commandtopclx
|
||||
|
|
@ -308,166 +295,108 @@ fi
|
|||
%attr(0755,root,root) %{_cups_serverbin}/filter/imagetoraster
|
||||
# 2229776 - Add textonly driver back, but as lftocrlf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/lftocrlf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pclmtoraster
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pdftopdf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pdftops
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pdftoraster
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pwgtopclm
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pwgtopdf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/pwgtoraster
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/rastertoescpx
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/rastertopclm
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/rastertopclx
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/rastertopdf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/rastertops
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/sys5ippprinter
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/textbrftoindexv3
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/texttobrf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/texttopdf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/texttops
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/texttotext
|
||||
%{_cups_serverbin}/driver/driverless
|
||||
%{_cups_serverbin}/driver/driverless-fax
|
||||
%{_datadir}/cups/banners
|
||||
%{_datadir}/cups/charsets
|
||||
%{_datadir}/cups/data/*
|
||||
%{_datadir}/cups/drv/cupsfilters.drv
|
||||
%{_datadir}/cups/mime/cupsfilters.types
|
||||
%{_datadir}/cups/mime/cupsfilters.convs
|
||||
%{_datadir}/cups/mime/cupsfilters-ghostscript.convs
|
||||
%{_datadir}/cups/mime/cupsfilters-individual.convs
|
||||
%{_datadir}/cups/mime/cupsfilters-poppler.convs
|
||||
%dir %{_datadir}/foomatic
|
||||
%dir %{_datadir}/foomatic/hashes.d
|
||||
%{_datadir}/ppd/cupsfilters
|
||||
%if %{with cups_ppdc}
|
||||
# escp.h and pcl.h are required during runtime, because
|
||||
# CUPS PPD compiler (ppdc) uses them for generating drivers
|
||||
# per request from cupsfilters.drv file
|
||||
%{_datadir}/cups/ppdc/escp.h
|
||||
# this needs to be in the main package because of cupsfilters.drv
|
||||
%{_datadir}/cups/ppdc/pcl.h
|
||||
%else
|
||||
%dir %{_datadir}/ppdc
|
||||
%{_datadir}/ppdc/escp.h
|
||||
%{_datadir}/ppdc/pcl.h
|
||||
%endif
|
||||
%{_mandir}/man1/foomatic-hash.1.gz
|
||||
%{_mandir}/man1/foomatic-rip.1.gz
|
||||
%config(noreplace) %{_sysconfdir}/foomatic
|
||||
%if 0%{?fedora} >= 43 || 0%{?rhel} >=9
|
||||
%dir %{_libexecdir}/%{name}
|
||||
%attr(0744,root,root) %{_libexecdir}/%{name}/posttrans.sh
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/foomatic/hashes.d/hashes.new
|
||||
%dir %{_unitdir}/cups.service.d
|
||||
%{_unitdir}/cups.service.d/10-foomaticrip-upgrade.conf
|
||||
%{_unitdir}/foomaticrip-upgrade.service
|
||||
%endif
|
||||
|
||||
%files driverless
|
||||
%license COPYING LICENSE NOTICE
|
||||
%{_bindir}/driverless
|
||||
%{_bindir}/driverless-fax
|
||||
%{_cups_serverbin}/backend/driverless
|
||||
%{_cups_serverbin}/backend/driverless-fax
|
||||
%{_cups_serverbin}/driver/driverless
|
||||
%{_cups_serverbin}/driver/driverless-fax
|
||||
%{_mandir}/man1/driverless.1.gz
|
||||
%{_mandir}/man5/cups-browsed.conf.5.gz
|
||||
%{_mandir}/man8/cups-browsed.8.gz
|
||||
# 2123809 - rpm -Va reports changes due %post scriptlet (remove the verify part once we remove
|
||||
# cups-browsed.conf update from %post)
|
||||
%config(noreplace) %verify(not size filedigest mtime) %{_sysconfdir}/cups/cups-browsed.conf
|
||||
%{_unitdir}/cups-browsed.service
|
||||
|
||||
%files libs
|
||||
%dir %{_pkgdocdir}/
|
||||
%{_pkgdocdir}/COPYING
|
||||
%dir %{_pkgdocdir}/fontembed
|
||||
%{_pkgdocdir}/fontembed/README
|
||||
%{_libdir}/libcupsfilters.so.1*
|
||||
%{_libdir}/libfontembed.so.1*
|
||||
|
||||
%files devel
|
||||
%{_datadir}/cups/ppdc/escp.h
|
||||
%{_includedir}/cupsfilters
|
||||
%{_includedir}/fontembed
|
||||
%{_libdir}/libcupsfilters.so
|
||||
%{_libdir}/libfontembed.so
|
||||
%{_libdir}/pkgconfig/libcupsfilters.pc
|
||||
%{_libdir}/pkgconfig/libfontembed.pc
|
||||
|
||||
%files braille
|
||||
# cups-brf needs to be run as root, otherwise it leaves error messages
|
||||
# in journal
|
||||
%attr(0700,root,root) %{_cups_serverbin}/backend/cups-brf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/brftoembosser
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/brftopagedbrf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/imagetobrf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/imageubrltoindexv3
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/imageubrltoindexv4
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/musicxmltobrf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/vectortobrf
|
||||
%attr(0755,root,root) %{_cups_serverbin}/filter/vectortopdf
|
||||
%{_cups_serverbin}/filter/cgmtopdf
|
||||
%{_cups_serverbin}/filter/cmxtopdf
|
||||
%{_cups_serverbin}/filter/emftopdf
|
||||
%{_cups_serverbin}/filter/imagetoubrl
|
||||
%{_cups_serverbin}/filter/svgtopdf
|
||||
%{_cups_serverbin}/filter/textbrftoindexv4
|
||||
%{_cups_serverbin}/filter/vectortoubrl
|
||||
%{_cups_serverbin}/filter/xfigtopdf
|
||||
%{_cups_serverbin}/filter/wmftopdf
|
||||
%{_datadir}/cups/braille
|
||||
%{_datadir}/cups/drv/generic-brf.drv
|
||||
%{_datadir}/cups/drv/generic-ubrl.drv
|
||||
%{_datadir}/cups/drv/indexv3.drv
|
||||
%{_datadir}/cups/drv/indexv4.drv
|
||||
%{_datadir}/cups/ppdc/braille.defs
|
||||
%{_datadir}/cups/ppdc/fr-braille.po
|
||||
%{_datadir}/cups/ppdc/imagemagick.defs
|
||||
%{_datadir}/cups/ppdc/index.defs
|
||||
%{_datadir}/cups/ppdc/liblouis.defs
|
||||
%{_datadir}/cups/ppdc/liblouis1.defs
|
||||
%{_datadir}/cups/ppdc/liblouis2.defs
|
||||
%{_datadir}/cups/ppdc/liblouis3.defs
|
||||
%{_datadir}/cups/ppdc/liblouis4.defs
|
||||
%{_datadir}/cups/ppdc/media-braille.defs
|
||||
%{_datadir}/cups/mime/braille.convs
|
||||
%{_datadir}/cups/mime/braille.types
|
||||
|
||||
%changelog
|
||||
* Fri Nov 28 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-12
|
||||
- fix CVE-2025-64524
|
||||
* Tue Aug 29 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-5
|
||||
- 2150035 - [abrt] cups-filters: __strlen_avx2(): cups-browsed killed by SIGSEGV
|
||||
|
||||
* Mon Nov 10 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-11
|
||||
- change return value of foomatic-hash if built without libppd
|
||||
|
||||
* Wed Oct 01 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-10
|
||||
- protect older Fedoras from F43+ changes, fix installability report about hashes.new
|
||||
|
||||
* Thu Jul 31 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-9
|
||||
- Reject unknown values in foomatic-rip in F43+
|
||||
|
||||
* Wed Jul 30 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-8
|
||||
- Introduce foomatic-hash, but not rejecting values in foomatic-rip
|
||||
|
||||
* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
|
||||
|
||||
* Mon Jun 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-6
|
||||
- CUPS restart has to happen after universal filter is gone for good (in posttrans) (fedora#2370978)
|
||||
|
||||
* Mon Jun 02 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-5
|
||||
- individual filters have to explicitly enabled
|
||||
|
||||
* Mon Jun 02 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-4
|
||||
- disable universal filter for now - some 3rd party drivers did not work with it
|
||||
|
||||
* Tue Mar 11 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-3
|
||||
- textonly driver was missing (fedora#2351389)
|
||||
|
||||
* Fri Jan 24 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-2
|
||||
- fix FTBFS (fedora#2340017)
|
||||
|
||||
* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
|
||||
|
||||
* Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.1-1
|
||||
- 2.0.1
|
||||
|
||||
* Fri Jul 19 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-9
|
||||
- fix missing epochs in conflicts
|
||||
|
||||
* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.0-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
|
||||
|
||||
* Tue May 28 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-7
|
||||
- 2283295 - The directory /usr/share/ppdc/ is not in the RPM database.
|
||||
|
||||
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.0-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0.0-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Tue Dec 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-4
|
||||
- make driverless subpackage require avahi and ipptool - they don't
|
||||
work without them
|
||||
|
||||
* Tue Dec 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-3
|
||||
- introduce cups-filters-driverless to strip avahi dependency for filters
|
||||
|
||||
* Tue Dec 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-2
|
||||
- use exact foomatic-rip filter to comply with LSB
|
||||
|
||||
* Thu Oct 19 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0.0-1
|
||||
- rebase to 2.0.0
|
||||
|
||||
* Mon Aug 07 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc2-3
|
||||
* Mon Aug 07 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-4
|
||||
- 2229776 - Add textonly driver back as lftocrlf driver
|
||||
|
||||
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.0~rc2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Wed Jun 28 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc2-1
|
||||
- 2.0rc2
|
||||
|
||||
* Wed May 17 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc1-2
|
||||
* Wed May 17 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-3
|
||||
- 2207970 - CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend
|
||||
|
||||
* Thu Apr 27 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~rc1-1
|
||||
- 2.0rc1
|
||||
|
||||
* Wed Mar 01 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.0~b3-2
|
||||
- use epoch to ensure clean upgrade path, because I didn't read FPG carefully
|
||||
|
||||
* Mon Feb 20 2023 Zdenek Dohnal <zdohnal@redhat.com> - 2.0b3-1
|
||||
- 2170538 - rebase to 2.0b3
|
||||
|
||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.28.16-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Thu Oct 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-6
|
||||
- really build with qpdf-11.1.1 (forgot to wait for qpdf in side tag...)
|
||||
|
||||
* Thu Oct 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-5
|
||||
- rebuilt with qpdf-11.1.1
|
||||
|
||||
* Thu Sep 22 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-4
|
||||
- rebuilt with qpdf-11.1.0
|
||||
|
||||
* Thu Sep 22 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-3
|
||||
- build braille subpackage only on Fedora and CentOS Stream > 9
|
||||
|
||||
* Wed Sep 21 2022 Zdenek Dohnal <zdohnal@redhat.com> - 1.28.16-2
|
||||
- disable frequent network interface data update, which slows down the queue creation
|
||||
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
diff --git a/filter/foomatic-rip/util.c b/filter/foomatic-rip/util.c
|
||||
index 508bc09..ad79fbf 100644
|
||||
--- a/filter/foomatic-rip/util.c
|
||||
+++ b/filter/foomatic-rip/util.c
|
||||
@@ -76,7 +76,7 @@ rip_die(int status,
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
- _log("Process is dying with \"");
|
||||
+ _log("ERROR: Process is dying with \"");
|
||||
va_start(ap, msg);
|
||||
_logv(msg, ap);
|
||||
va_end(ap);
|
||||
|
|
@ -1,188 +0,0 @@
|
|||
From 41c5f2f6139e4d3693c2483ee4281202a80ae451 Mon Sep 17 00:00:00 2001
|
||||
From: zdohnal <zdohnal@redhat.com>
|
||||
Date: Tue, 22 Jul 2025 15:12:19 +0200
|
||||
Subject: [PATCH] Introduce foomatic-hash and reject unauthorized values in
|
||||
foomatic-rip (#648)
|
||||
|
||||
The change provides a way for users to have control over what values are
|
||||
allowed for the foomatic-rip-related PPD keywords FoomaticRIPCommandLine,
|
||||
FoomaticRIPCommandLinePDF, and FoomaticRIPOptionSetting. Since the
|
||||
values can be later used when constructing a shell command, the filter
|
||||
foomatic-rip was a target of several exploits (caused by issues at
|
||||
different places in CUPS or in different projects of the printing stack) to
|
||||
do arbitrary code execution when the filter is used.
|
||||
|
||||
By default the filter is run by user lp, so the issue is mitigated, but
|
||||
this PR gives admin complete control over what can be run in
|
||||
foomatic-rip and reject anything injected into system via different
|
||||
ways.
|
||||
|
||||
First, the new tool - foomatic-hash - can be called on a PPD file or
|
||||
directory with drivers/PPDs, with scan output and file with hexadecimal
|
||||
representation of hashed values. Once the scan output is reviewed by
|
||||
admin, admin can decide to put the resulting hashes into
|
||||
/etc/foomatic/hashes.d and allow them for the filter.
|
||||
---
|
||||
Makefile.am | 44 ++-
|
||||
README.md | 23 ++
|
||||
configure.ac | 2 +-
|
||||
filter/foomatic-rip/foomatic-hash.1 | 66 ++++
|
||||
filter/foomatic-rip/foomatic-hash.c | 549 ++++++++++++++++++++++++++
|
||||
filter/foomatic-rip/foomatic-rip.1.in | 16 +
|
||||
filter/foomatic-rip/foomaticrip.c | 75 ----
|
||||
filter/foomatic-rip/foomaticrip.h | 40 --
|
||||
filter/foomatic-rip/options.c | 67 ++++
|
||||
filter/foomatic-rip/process.c | 9 +
|
||||
filter/foomatic-rip/process.h | 3 +
|
||||
filter/foomatic-rip/util.c | 341 +++++++++++++++-
|
||||
filter/foomatic-rip/util.h | 67 ++++
|
||||
13 files changed, 1178 insertions(+), 124 deletions(-)
|
||||
create mode 100644 filter/foomatic-rip/foomatic-hash.1
|
||||
create mode 100644 filter/foomatic-rip/foomatic-hash.c
|
||||
|
||||
diff --git a/filter/foomatic-rip/foomatic-rip.1.in b/filter/foomatic-rip/foomatic-rip.1.in
|
||||
index 9685a95f5..3dff5215f 100644
|
||||
--- a/filter/foomatic-rip/foomatic-rip.1.in
|
||||
+++ b/filter/foomatic-rip/foomatic-rip.1.in
|
||||
@@ -193,6 +193,15 @@ friends. Several PPD files use shell constructs that require a more
|
||||
modern shell like \fBbash\fR, \fBzsh\fR, or \fBksh\fR.
|
||||
|
||||
|
||||
+.SH PPD OPTION VALUE RESTRICTIONS AND EXCEPTIONS
|
||||
+
|
||||
+The values of PPD options \fBFoomaticRIPCommandLine\fR, \fBFoomaticRIPCommandLinePDF\fR and \fBFoomaticRIPOptionSetting\fR
|
||||
+are rejected in the default configuration because of security implications. Users can use the tool \fBfoomatic-hash(1)\fR, which provides
|
||||
+values of affected PPD options from found drivers and hashes of those values in hexadecimal format. User is expected to review the found values,
|
||||
+and if there is nothing suspicious in the output, copy the file with hashes into into the directory \fB@sysconfdir@/foomatic/hashes.d\fR
|
||||
+to allow the exceptions for found values.
|
||||
+
|
||||
+
|
||||
.SH FILES
|
||||
.PD 0
|
||||
.TP 0
|
||||
@@ -209,6 +218,13 @@ The PPD files of the currently defined printers
|
||||
|
||||
Configuration file for foomatic-rip
|
||||
|
||||
+.TP 0
|
||||
+@sysconfdir@/foomatic/hashes.d
|
||||
+.TP 0
|
||||
+@datadir@/foomatic/hashes.d
|
||||
+
|
||||
+Directories with hashes of allowed values
|
||||
+
|
||||
.PD 0
|
||||
|
||||
.\".SH SEE ALSO
|
||||
diff --git a/filter/foomatic-rip/options.c b/filter/foomatic-rip/options.c
|
||||
index bad833bc1..032fe9ec3 100644
|
||||
--- a/filter/foomatic-rip/options.c
|
||||
+++ b/filter/foomatic-rip/options.c
|
||||
@@ -102,6 +102,42 @@ get_icc_profile_for_qualifier(const char **qualifier)
|
||||
}
|
||||
|
||||
|
||||
+//
|
||||
+// 'is_allowed_value' - Check if the option value is allowed.
|
||||
+//
|
||||
+
|
||||
+int // O - Boolean value - true 1 / false 0
|
||||
+is_allowed_value(cups_array_t *ar, // I - Array of already known hashes from system
|
||||
+ char *value, // I - Scanned value from PPD file
|
||||
+ size_t value_len) // I - Value length
|
||||
+{
|
||||
+ char hash_string[65]; // Help array to store hexadecimal hashed string
|
||||
+
|
||||
+ //
|
||||
+ // Empty string is allowed...
|
||||
+ //
|
||||
+
|
||||
+ if (!value_len)
|
||||
+ return (1);
|
||||
+
|
||||
+ //
|
||||
+ // Hash the value and get hexadecimal string for it...
|
||||
+ //
|
||||
+
|
||||
+ if (hash_data((unsigned char*)value, value_len, hash_string, sizeof(hash_string)))
|
||||
+ return (0);
|
||||
+
|
||||
+ //
|
||||
+ // Check if the found hexadecimal hashed string is in the array -> allowed on the system...
|
||||
+ //
|
||||
+
|
||||
+ if (cupsArrayFind(ar, hash_string))
|
||||
+ return (1);
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+
|
||||
+
|
||||
// a selector is a general tri-dotted specification.
|
||||
// The 2nd and 3rd elements of the qualifier are optionally modified by
|
||||
// cupsICCQualifier2 and cupsICCQualifier3:
|
||||
@@ -1866,12 +1902,19 @@ read_ppd_file(const char *filename)
|
||||
option_t *opt, *current_opt = NULL;
|
||||
param_t *param;
|
||||
icc_mapping_entry_t *entry;
|
||||
+ cups_array_t *known_hashes = NULL;
|
||||
|
||||
fh = fopen(filename, "r");
|
||||
if (!fh)
|
||||
rip_die(EXIT_PRNERR_NORETRY_BAD_SETTINGS, "Unable to open PPD file %s\n", filename);
|
||||
_log("Parsing PPD file ...\n");
|
||||
|
||||
+ if (load_system_hashes(&known_hashes))
|
||||
+ {
|
||||
+ fclose(fh);
|
||||
+ rip_die(EXIT_PRNERR_NORETRY, "Not enough memory for array allocation\n.");
|
||||
+ }
|
||||
+
|
||||
dstrassure(value, 256);
|
||||
|
||||
qualifier_data = list_create();
|
||||
@@ -1955,10 +1998,26 @@ read_ppd_file(const char *filename)
|
||||
}
|
||||
else if (strcmp(key, "FoomaticRIPCommandLine") == 0)
|
||||
{
|
||||
+ if (!is_allowed_value(known_hashes, value->data, strlen(value->data)))
|
||||
+ {
|
||||
+ cupsArrayDelete(known_hashes);
|
||||
+ fclose(fh);
|
||||
+
|
||||
+ rip_die(EXIT_PRNERR_NOTALLOWED, "ERROR: The value of the key %s is not among the allowed values - see foomatic-rip man page for more instructions.\n", key);
|
||||
+ }
|
||||
+
|
||||
unhtmlify(cmd, 4096, value->data);
|
||||
}
|
||||
else if (strcmp(key, "FoomaticRIPCommandLinePDF") == 0)
|
||||
{
|
||||
+ if (!is_allowed_value(known_hashes, value->data, strlen(value->data)))
|
||||
+ {
|
||||
+ cupsArrayDelete(known_hashes);
|
||||
+ fclose(fh);
|
||||
+
|
||||
+ rip_die(EXIT_PRNERR_NOTALLOWED, "ERROR: The value of the key %s is not among the allowed values - see foomatic-rip man page for more instructions.\n", key);
|
||||
+ }
|
||||
+
|
||||
unhtmlify(cmd_pdf, 4096, value->data);
|
||||
}
|
||||
else if (!strcmp(key, "cupsFilter"))
|
||||
@@ -2097,6 +2156,14 @@ read_ppd_file(const char *filename)
|
||||
}
|
||||
else if (!strcmp(key, "FoomaticRIPOptionSetting"))
|
||||
{
|
||||
+ if (!is_allowed_value(known_hashes, value->data, strlen(value->data)))
|
||||
+ {
|
||||
+ cupsArrayDelete(known_hashes);
|
||||
+ fclose(fh);
|
||||
+
|
||||
+ rip_die(EXIT_PRNERR_NOTALLOWED, "ERROR: The value of the key %s is not among the allowed values - see foomatic-rip man page for more instructions.\n", key);
|
||||
+ }
|
||||
+
|
||||
// "*FoomaticRIPOptionSetting <option>[=<choice>]: <code>
|
||||
// For boolean options <choice> is not given
|
||||
option_set_choice(assure_option(name),
|
||||
--
|
||||
2.50.1
|
||||
|
||||
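--- a/gating.yaml
+++ b/gating.yaml
@@ -1,28 +0,0 @@
---- !Policy
-product_versions:
-- fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
-- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/cups-tier1-public.functional}
-#Rawhide
---- !Policy
-product_versions:
-- fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
-- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/cups-tier1-public.functional}
-
-#gating rhel
---- !Policy
-product_versions:
-- rhel-*
-decision_context: osci_compose_gate
-rules:
-- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
-- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
-- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/cups-tier1-public.functional}
-- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/cups-tier1-internal.functional}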
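--- a/plans.fmf
+++ b/plans.fmf
@@ -1,59 +0,0 @@
-/tier1-internal:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/tier1/internal
-
-/tier1-public:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/tier1/public
-
-/tier2-tier3-internal:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/tier2-tier3/internal
-
-/tier2-tier3-public:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/tier2-tier3/public
-
-/others-internal:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/others/internal
-
-/others-public:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/others/public
-
-/multihost:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/multihost/multihost
-
-/fips-internal:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups-filters.git
-name: /plans/others/fips
-
-/cups-tier1-internal:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups.git
-name: /plans/tier1/internal
-
-/cups-tier1-public:
-plan:
-import:
-url: https://gitlab.com/redhat/centos-stream/tests/cups.git
-name: /plans/tier1/public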
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
SHA512 (cups-filters-2.0.1.tar.gz) = b5d7b8f5a89a6a6bba0e861dd3c3263195be75996d22129d123f325f6bff74fbabf22f2ee2d953908ffb8294d825af5568af6695896c76ef4082ae98cd19c42c
|
||||
SHA512 (cups-filters-1.28.16.tar.xz) = 0369f96a8ae5e33bf75c8765947d5ad7285b3532e9d9b0ded7e206798834c9ade3a2ac3f1d16e0fdd43346f2bc7852c541130e935cbb20f9c1239a53118d1239
|
||||
|
|
|
|||