Compare commits
21 Commits
Author | SHA1 | Date |
---|---|---|
Zdenek Dohnal | e379c2751a | |
Zdenek Dohnal | 78742c5bec | |
Zdenek Dohnal | 98ef83e116 | |
Zdenek Dohnal | fa8bd39eb8 | |
Zdenek Dohnal | 4bdaf3c78c | |
Zdenek Dohnal | 818477f54a | |
Zdenek Dohnal | ede8ecee72 | |
Zdenek Dohnal | 8efc7404d8 | |
Zdenek Dohnal | f5d6636c22 | |
Zdenek Dohnal | 9d9b4f1948 | |
Zdenek Dohnal | ee75f7d599 | |
Zdenek Dohnal | 8d4b6080a8 | |
Zdenek Dohnal | 30b873f0fd | |
Zdenek Dohnal | 64d608a123 | |
Zdenek Dohnal | 0a2acd71f7 | |
Zdenek Dohnal | 529fc9e071 | |
Zdenek Dohnal | 7bc3c73006 | |
Zdenek Dohnal | c5bce140dd | |
Zdenek Dohnal | da772b1f3a | |
Zdenek Dohnal | 496ef6757c | |
Pavel Zhukov | 7ce4415f7b |
|
@ -0,0 +1,497 @@
|
|||
diff -up cups-2.2.6/cups/http-private.h.remove-weak-ciphers cups-2.2.6/cups/http-private.h
|
||||
--- cups-2.2.6/cups/http-private.h.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/http-private.h 2018-08-07 11:53:54.985633959 +0200
|
||||
@@ -180,13 +180,17 @@ extern "C" {
|
||||
|
||||
# define _HTTP_TLS_NONE 0 /* No TLS options */
|
||||
# define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
|
||||
-# define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */
|
||||
-# define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
|
||||
-# define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
|
||||
-# define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
|
||||
-# define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */
|
||||
+# define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */
|
||||
+# define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */
|
||||
# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
|
||||
|
||||
+# define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */
|
||||
+# define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */
|
||||
+# define _HTTP_TLS_1_1 2 /* Min/max version is TLS/1.1 */
|
||||
+# define _HTTP_TLS_1_2 3 /* Min/max version is TLS/1.2 */
|
||||
+# define _HTTP_TLS_1_3 4 /* Min/max version is TLS/1.3 */
|
||||
+# define _HTTP_TLS_MAX 5 /* Highest known TLS version */
|
||||
+
|
||||
|
||||
/*
|
||||
* Types and functions for SSL support...
|
||||
@@ -442,7 +446,7 @@ extern void _httpTLSInitialize(void);
|
||||
extern size_t _httpTLSPending(http_t *http);
|
||||
extern int _httpTLSRead(http_t *http, char *buf, int len);
|
||||
extern int _httpTLSSetCredentials(http_t *http);
|
||||
-extern void _httpTLSSetOptions(int options);
|
||||
+extern void _httpTLSSetOptions(int options, int min_version, int max_version);
|
||||
extern int _httpTLSStart(http_t *http);
|
||||
extern void _httpTLSStop(http_t *http);
|
||||
extern int _httpTLSWrite(http_t *http, const char *buf, int len);
|
||||
diff -up cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers cups-2.2.6/cups/tlscheck.c
|
||||
--- cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/tlscheck.c 2018-08-07 11:53:54.987633942 +0200
|
||||
@@ -54,6 +54,8 @@ main(int argc, /* I - Number of comm
|
||||
int af = AF_UNSPEC, /* Address family */
|
||||
tls_options = _HTTP_TLS_NONE,
|
||||
/* TLS options */
|
||||
+ tls_min_version = _HTTP_TLS_1_0,
|
||||
+ tls_max_version = _HTTP_TLS_MAX,
|
||||
verbose = 0; /* Verbosity */
|
||||
ipp_t *request, /* IPP Get-Printer-Attributes request */
|
||||
*response; /* IPP Get-Printer-Attributes response */
|
||||
@@ -88,11 +90,12 @@ main(int argc, /* I - Number of comm
|
||||
}
|
||||
else if (!strcmp(argv[i], "--no-tls10"))
|
||||
{
|
||||
- tls_options |= _HTTP_TLS_DENY_TLS10;
|
||||
+ tls_min_version = _HTTP_TLS_1_1;
|
||||
}
|
||||
else if (!strcmp(argv[i], "--tls10"))
|
||||
{
|
||||
- tls_options |= _HTTP_TLS_ONLY_TLS10;
|
||||
+ tls_min_version = _HTTP_TLS_1_0;
|
||||
+ tls_max_version = _HTTP_TLS_1_0;
|
||||
}
|
||||
else if (!strcmp(argv[i], "--rc4"))
|
||||
{
|
||||
@@ -148,7 +151,7 @@ main(int argc, /* I - Number of comm
|
||||
if (!port)
|
||||
port = 631;
|
||||
|
||||
- _httpTLSSetOptions(tls_options);
|
||||
+ _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);
|
||||
|
||||
http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
|
||||
if (!http)
|
||||
diff -up cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers cups-2.2.6/cups/tls-darwin.c
|
||||
--- cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/tls-darwin.c 2018-08-07 11:53:54.986633951 +0200
|
||||
@@ -53,7 +53,9 @@ static char *tls_keypath = NULL;
|
||||
/* Server cert keychain path */
|
||||
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
|
||||
/* Mutex for keychain/certs */
|
||||
-static int tls_options = -1;/* Options for TLS connections */
|
||||
+static int tls_options = -1,/* Options for TLS connections */
|
||||
+ tls_min_version = _HTTP_TLS_1_0,
|
||||
+ tls_max_version = _HTTP_TLS_MAX;
|
||||
|
||||
|
||||
/*
|
||||
@@ -1139,10 +1141,16 @@ _httpTLSRead(http_t *http, /* I - HTTP
|
||||
*/
|
||||
|
||||
void
|
||||
-_httpTLSSetOptions(int options) /* I - Options */
|
||||
+_httpTLSSetOptions(int options, /* I - Options */
|
||||
+ int min_version, /* I - Minimum TLS version */
|
||||
+ int max_version) /* I - Maximum TLS version */
|
||||
{
|
||||
if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
|
||||
- tls_options = options;
|
||||
+ {
|
||||
+ tls_options = options;
|
||||
+ tls_min_version = min_version;
|
||||
+ tls_max_version = max_version;
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -1174,7 +1182,7 @@ _httpTLSStart(http_t *http) /* I - HTTP
|
||||
{
|
||||
DEBUG_puts("4_httpTLSStart: Setting defaults.");
|
||||
_cupsSetDefaults();
|
||||
- DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
|
||||
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x, tls_min_version=%d, tls_max_version=%d", tls_options, tls_min_version, tls_max_version));
|
||||
}
|
||||
|
||||
#ifdef HAVE_SECKEYCHAINOPEN
|
||||
@@ -1217,22 +1225,23 @@ _httpTLSStart(http_t *http) /* I - HTTP
|
||||
|
||||
if (!error)
|
||||
{
|
||||
- SSLProtocol minProtocol;
|
||||
-
|
||||
- if (tls_options & _HTTP_TLS_DENY_TLS10)
|
||||
- minProtocol = kTLSProtocol11;
|
||||
- else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||
- minProtocol = kSSLProtocol3;
|
||||
- else
|
||||
- minProtocol = kTLSProtocol1;
|
||||
+ static const SSLProtocol protocols[] = /* Min/max protocol versions */
|
||||
+ {
|
||||
+ kSSLProtocol3,
|
||||
+ kTLSProtocol1,
|
||||
+ kTLSProtocol11,
|
||||
+ kTLSProtocol12,
|
||||
+ kTLSProtocol13,
|
||||
+ kTLSProtocolMaxSupported
|
||||
+ };
|
||||
|
||||
- error = SSLSetProtocolVersionMin(http->tls, minProtocol);
|
||||
- DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
|
||||
+ error = SSLSetProtocolVersionMin(http->tls, protocols[tls_min_version]);
|
||||
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", protocols[tls_min_version], (int)error));
|
||||
|
||||
- if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
|
||||
+ if (!error)
|
||||
{
|
||||
- error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
|
||||
- DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
|
||||
+ error = SSLSetProtocolVersionMax(http->tls, protocols[tls_max_version]);
|
||||
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(%d), error=%d", protocols[tls_max_version], (int)error));
|
||||
}
|
||||
}
|
||||
|
||||
diff -up cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers cups-2.2.6/cups/tls-gnutls.c
|
||||
--- cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/tls-gnutls.c 2018-08-07 11:58:45.164114342 +0200
|
||||
@@ -35,7 +35,9 @@ static char *tls_keypath = NULL;
|
||||
/* Server cert keychain path */
|
||||
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
|
||||
/* Mutex for keychain/certs */
|
||||
-static int tls_options = -1;/* Options for TLS connections */
|
||||
+static int tls_options = -1,/* Options for TLS connections */
|
||||
+ tls_min_version = _HTTP_TLS_1_0,
|
||||
+ tls_max_version = _HTTP_TLS_MAX;
|
||||
|
||||
|
||||
/*
|
||||
@@ -1224,10 +1226,16 @@ _httpTLSSetCredentials(http_t *http) /*
|
||||
*/
|
||||
|
||||
void
|
||||
-_httpTLSSetOptions(int options) /* I - Options */
|
||||
+_httpTLSSetOptions(int options, /* I - Options */
|
||||
+ int min_version, /* I - Minimum TLS version */
|
||||
+ int max_version) /* I - Maximum TLS version */
|
||||
{
|
||||
if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
|
||||
- tls_options = options;
|
||||
+ {
|
||||
+ tls_options = options;
|
||||
+ tls_min_version = min_version;
|
||||
+ tls_max_version = max_version;
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -1245,6 +1253,16 @@ _httpTLSStart(http_t *http) /* I - Conn
|
||||
/* TLS credentials */
|
||||
char priority_string[2048];
|
||||
/* Priority string */
|
||||
+ int version; /* Current version */
|
||||
+ static const char * const versions[] =/* SSL/TLS versions */
|
||||
+ {
|
||||
+ "VERS-SSL3.0",
|
||||
+ "VERS-TLS1.0",
|
||||
+ "VERS-TLS1.1",
|
||||
+ "VERS-TLS1.2",
|
||||
+ "VERS-TLS1.3",
|
||||
+ "VERS-TLS-ALL"
|
||||
+ };
|
||||
|
||||
|
||||
DEBUG_printf(("3_httpTLSStart(http=%p)", http));
|
||||
@@ -1506,14 +1524,40 @@ _httpTLSStart(http_t *http) /* I - Conn
|
||||
|
||||
strlcpy(priority_string, "NORMAL", sizeof(priority_string));
|
||||
|
||||
- if (tls_options & _HTTP_TLS_DENY_TLS10)
|
||||
- strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
|
||||
- else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||
+ if (tls_max_version < _HTTP_TLS_MAX)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Require specific TLS versions...
|
||||
+ */
|
||||
+
|
||||
+ strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
|
||||
+ for (version = tls_min_version; version <= tls_max_version; version ++)
|
||||
+ {
|
||||
+ strlcat(priority_string, ":+", sizeof(priority_string));
|
||||
+ strlcat(priority_string, versions[version], sizeof(priority_string));
|
||||
+ }
|
||||
+ }
|
||||
+ else if (tls_min_version == _HTTP_TLS_SSL3)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Allow all versions of TLS and SSL/3.0...
|
||||
+ */
|
||||
+
|
||||
strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
|
||||
- else if (tls_options & _HTTP_TLS_ONLY_TLS10)
|
||||
- strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
|
||||
+ }
|
||||
else
|
||||
- strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
|
||||
+ {
|
||||
+ /*
|
||||
+ * Require a minimum version...
|
||||
+ */
|
||||
+
|
||||
+ strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
|
||||
+ for (version = 0; version < tls_min_version; version ++)
|
||||
+ {
|
||||
+ strlcat(priority_string, ":-", sizeof(priority_string));
|
||||
+ strlcat(priority_string, versions[version], sizeof(priority_string));
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (tls_options & _HTTP_TLS_ALLOW_RC4)
|
||||
strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
|
||||
diff -up cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers cups-2.2.6/cups/tls-sspi.c
|
||||
--- cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/tls-sspi.c 2018-08-07 11:53:54.986633951 +0200
|
||||
@@ -52,7 +52,9 @@
|
||||
* Local globals...
|
||||
*/
|
||||
|
||||
-static int tls_options = -1;/* Options for TLS connections */
|
||||
+static int tls_options = -1,/* Options for TLS connections */
|
||||
+ tls_min_version = _HTTP_TLS_1_0,
|
||||
+ tls_max_version = _HTTP_TLS_MAX;
|
||||
|
||||
|
||||
/*
|
||||
@@ -914,7 +916,11 @@ void
|
||||
_httpTLSSetOptions(int options) /* I - Options */
|
||||
{
|
||||
if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
|
||||
- tls_options = options;
|
||||
+ {
|
||||
+ tls_options = options;
|
||||
+ tls_min_version = min_version;
|
||||
+ tls_max_version = max_version;
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -1782,14 +1788,14 @@ http_sspi_find_credentials(
|
||||
#else
|
||||
if (http->mode == _HTTP_MODE_SERVER)
|
||||
{
|
||||
- if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||
+ if (tls_min_version == _HTTP_TLS_SSL3)
|
||||
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
|
||||
else
|
||||
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
|
||||
}
|
||||
else
|
||||
{
|
||||
- if (tls_options & _HTTP_TLS_ALLOW_SSL3)
|
||||
+ if (tls_min_version == _HTTP_TLS_SSL3)
|
||||
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
|
||||
else
|
||||
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
|
||||
diff -up cups-2.2.6/cups/usersys.c.remove-weak-ciphers cups-2.2.6/cups/usersys.c
|
||||
--- cups-2.2.6/cups/usersys.c.remove-weak-ciphers 2018-08-07 11:53:54.945634283 +0200
|
||||
+++ cups-2.2.6/cups/usersys.c 2018-08-07 11:53:54.987633942 +0200
|
||||
@@ -54,7 +54,9 @@
|
||||
typedef struct _cups_client_conf_s /**** client.conf config data ****/
|
||||
{
|
||||
#ifdef HAVE_SSL
|
||||
- int ssl_options; /* SSLOptions values */
|
||||
+ int ssl_options, /* SSLOptions values */
|
||||
+ ssl_min_version,/* Minimum SSL/TLS version */
|
||||
+ ssl_max_version;/* Maximum SSL/TLS version */
|
||||
#endif /* HAVE_SSL */
|
||||
int trust_first, /* Trust on first use? */
|
||||
any_root, /* Allow any (e.g., self-signed) root */
|
||||
@@ -957,7 +959,7 @@ _cupsSetDefaults(void)
|
||||
cg->validate_certs = cc.validate_certs;
|
||||
|
||||
#ifdef HAVE_SSL
|
||||
- _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);
|
||||
+ _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
|
||||
#endif /* HAVE_SSL */
|
||||
}
|
||||
|
||||
@@ -1336,7 +1338,9 @@ cups_set_ssl_options(
|
||||
* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
|
||||
*/
|
||||
|
||||
- int options = _HTTP_TLS_NONE; /* SSL/TLS options */
|
||||
+ int options = _HTTP_TLS_NONE, /* SSL/TLS options */
|
||||
+ min_version = _HTTP_TLS_1_0, /* Minimum SSL/TLS version */
|
||||
+ max_version = _HTTP_TLS_MAX; /* Maximum SSL/TLS version */
|
||||
char temp[256], /* Copy of value */
|
||||
*start, /* Start of option */
|
||||
*end; /* End of option */
|
||||
@@ -1364,20 +1368,38 @@ cups_set_ssl_options(
|
||||
if (!_cups_strcasecmp(start, "AllowRC4"))
|
||||
options |= _HTTP_TLS_ALLOW_RC4;
|
||||
else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
||||
- options |= _HTTP_TLS_ALLOW_SSL3;
|
||||
+ min_version = _HTTP_TLS_SSL3;
|
||||
else if (!_cups_strcasecmp(start, "AllowDH"))
|
||||
options |= _HTTP_TLS_ALLOW_DH;
|
||||
else if (!_cups_strcasecmp(start, "DenyCBC"))
|
||||
options |= _HTTP_TLS_DENY_CBC;
|
||||
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
|
||||
- options |= _HTTP_TLS_DENY_TLS10;
|
||||
+ min_version = _HTTP_TLS_1_1;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
|
||||
+ max_version = _HTTP_TLS_1_0;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
|
||||
+ max_version = _HTTP_TLS_1_1;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
|
||||
+ max_version = _HTTP_TLS_1_2;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
|
||||
+ max_version = _HTTP_TLS_1_3;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.0"))
|
||||
+ min_version = _HTTP_TLS_1_0;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.1"))
|
||||
+ min_version = _HTTP_TLS_1_1;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.2"))
|
||||
+ min_version = _HTTP_TLS_1_2;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.3"))
|
||||
+ min_version = _HTTP_TLS_1_3;
|
||||
else if (!_cups_strcasecmp(start, "None"))
|
||||
options = _HTTP_TLS_NONE;
|
||||
}
|
||||
|
||||
- cc->ssl_options = options;
|
||||
+ cc->ssl_options = options;
|
||||
+ cc->ssl_max_version = max_version;
|
||||
+ cc->ssl_min_version = min_version;
|
||||
|
||||
- DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", (void *)cc, value, options));
|
||||
+ DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
|
||||
}
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
diff -up cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers cups-2.2.6/man/client.conf.man.in
|
||||
--- cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/man/client.conf.man.in 2018-08-07 11:53:54.987633942 +0200
|
||||
@@ -10,7 +10,7 @@
|
||||
.\" which should have been included with this file. If this file is
|
||||
.\" file is missing or damaged, see the license at "http://www.cups.org/".
|
||||
.\"
|
||||
-.TH client.conf 5 "CUPS" "19 October 2017" "Apple Inc."
|
||||
+.TH client.conf 5 "CUPS" "3 November 2017" "Apple Inc."
|
||||
.SH NAME
|
||||
client.conf \- client configuration file for cups
|
||||
.SH DESCRIPTION
|
||||
@@ -56,7 +56,7 @@ Specifies the address and optionally the
|
||||
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
|
||||
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
|
||||
.TP 5
|
||||
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
|
||||
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
|
||||
.TP 5
|
||||
\fBSSLOptions None\fR
|
||||
Sets encryption options (only in /etc/cups/client.conf).
|
||||
@@ -68,6 +68,9 @@ The \fIAllowRC4\fR option enables the 12
|
||||
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
||||
The \fIDenyCBC\fR option disables all CBC cipher suites.
|
||||
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
|
||||
+The \fMinTLS\fR options set the minimum TLS version to support.
|
||||
+The \fMaxTLS\fR options set the maximum TLS version to support.
|
||||
+Not all operating systems support TLS 1.3 at this time.
|
||||
.TP 5
|
||||
\fBTrustOnFirstUse Yes\fR
|
||||
.TP 5
|
||||
diff -up cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers cups-2.2.6/man/cupsd.conf.man.in
|
||||
--- cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers 2018-08-07 11:53:54.981633991 +0200
|
||||
+++ cups-2.2.6/man/cupsd.conf.man.in 2018-08-07 11:53:54.987633942 +0200
|
||||
@@ -432,10 +432,11 @@ The default is "Minimal".
|
||||
Listens on the specified address and port for encrypted connections.
|
||||
.\"#SSLOptions
|
||||
.TP 5
|
||||
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
|
||||
+.TP 5
|
||||
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
|
||||
.TP 5
|
||||
\fBSSLOptions None\fR
|
||||
-Sets encryption options.
|
||||
+Sets encryption options (only in /etc/cups/client.conf).
|
||||
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
|
||||
Security is reduced when \fIAllow\fR options are used.
|
||||
Security is enhanced when \fIDeny\fR options are used.
|
||||
@@ -444,6 +445,9 @@ The \fIAllowRC4\fR option enables the 12
|
||||
The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
|
||||
The \fIDenyCBC\fR option disables all CBC cipher suites.
|
||||
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
|
||||
+The \fMinTLS\fR options set the minimum TLS version to support.
|
||||
+The \fMaxTLS\fR options set the maximum TLS version to support.
|
||||
+Not all operating systems support TLS 1.3 at this time.
|
||||
.\"#SSLPort
|
||||
.TP 5
|
||||
\fBSSLPort \fIport\fR
|
||||
diff -up cups-2.2.6/scheduler/conf.c.remove-weak-ciphers cups-2.2.6/scheduler/conf.c
|
||||
--- cups-2.2.6/scheduler/conf.c.remove-weak-ciphers 2018-08-07 11:53:54.981633991 +0200
|
||||
+++ cups-2.2.6/scheduler/conf.c 2018-08-07 11:53:54.988633934 +0200
|
||||
@@ -630,7 +630,7 @@ cupsdReadConfiguration(void)
|
||||
cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain");
|
||||
# endif /* HAVE_GNUTLS */
|
||||
|
||||
- _httpTLSSetOptions(0);
|
||||
+ _httpTLSSetOptions(_HTTP_TLS_NONE, _HTTP_TLS_1_0, _HTTP_TLS_MAX);
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
language = cupsLangDefault();
|
||||
@@ -3024,7 +3024,9 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
||||
* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [None]
|
||||
*/
|
||||
|
||||
- int options = 0; /* SSL/TLS options */
|
||||
+ int options = _HTTP_TLS_NONE,/* SSL/TLS options */
|
||||
+ min_version = _HTTP_TLS_1_0,
|
||||
+ max_version = _HTTP_TLS_MAX;
|
||||
|
||||
if (value)
|
||||
{
|
||||
@@ -3048,24 +3050,40 @@ read_cupsd_conf(cups_file_t *fp) /* I -
|
||||
* Compare...
|
||||
*/
|
||||
|
||||
- if (!_cups_strcasecmp(start, "AllowRC4"))
|
||||
+ if (!_cups_strcasecmp(start, "AllowRC4"))
|
||||
options |= _HTTP_TLS_ALLOW_RC4;
|
||||
- else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
||||
- options |= _HTTP_TLS_ALLOW_SSL3;
|
||||
+ else if (!_cups_strcasecmp(start, "AllowSSL3"))
|
||||
+ min_version = _HTTP_TLS_SSL3;
|
||||
else if (!_cups_strcasecmp(start, "AllowDH"))
|
||||
options |= _HTTP_TLS_ALLOW_DH;
|
||||
else if (!_cups_strcasecmp(start, "DenyCBC"))
|
||||
options |= _HTTP_TLS_DENY_CBC;
|
||||
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
|
||||
- options |= _HTTP_TLS_DENY_TLS10;
|
||||
- else if (!_cups_strcasecmp(start, "None"))
|
||||
- options = 0;
|
||||
+ min_version = _HTTP_TLS_1_1;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
|
||||
+ max_version = _HTTP_TLS_1_0;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
|
||||
+ max_version = _HTTP_TLS_1_1;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
|
||||
+ max_version = _HTTP_TLS_1_2;
|
||||
+ else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
|
||||
+ max_version = _HTTP_TLS_1_3;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.0"))
|
||||
+ min_version = _HTTP_TLS_1_0;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.1"))
|
||||
+ min_version = _HTTP_TLS_1_1;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.2"))
|
||||
+ min_version = _HTTP_TLS_1_2;
|
||||
+ else if (!_cups_strcasecmp(start, "MinTLS1.3"))
|
||||
+ min_version = _HTTP_TLS_1_3;
|
||||
+ else if (!_cups_strcasecmp(start, "None"))
|
||||
+ options = _HTTP_TLS_NONE;
|
||||
else if (_cups_strcasecmp(start, "NoEmptyFragments"))
|
||||
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
|
||||
}
|
||||
}
|
||||
|
||||
- _httpTLSSetOptions(options);
|
||||
+ _httpTLSSetOptions(options, min_version, max_version);
|
||||
}
|
||||
#endif /* HAVE_SSL */
|
||||
else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")
|
|
@ -0,0 +1,22 @@
|
|||
diff --git a/cgi-bin/var.c b/cgi-bin/var.c
|
||||
index 316b67f05..12f3c8344 100644
|
||||
--- a/cgi-bin/var.c
|
||||
+++ b/cgi-bin/var.c
|
||||
@@ -1186,6 +1186,7 @@ cgi_set_sid(void)
|
||||
const char *remote_addr, /* REMOTE_ADDR */
|
||||
*server_name, /* SERVER_NAME */
|
||||
*server_port; /* SERVER_PORT */
|
||||
+ struct timeval curtime; /* Current time */
|
||||
|
||||
|
||||
if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
|
||||
@@ -1195,7 +1196,8 @@ cgi_set_sid(void)
|
||||
if ((server_port = getenv("SERVER_PORT")) == NULL)
|
||||
server_port = "SERVER_PORT";
|
||||
|
||||
- CUPS_SRAND(time(NULL));
|
||||
+ gettimeofday(&curtime, NULL);
|
||||
+ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
|
||||
snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
|
||||
remote_addr, server_name, server_port,
|
||||
(unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
|
|
@ -0,0 +1,532 @@
|
|||
diff -up cups-2.2.6/cups/cups-private.h.oldcupsservers2 cups-2.2.6/cups/cups-private.h
|
||||
--- cups-2.2.6/cups/cups-private.h.oldcupsservers2 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/cups-private.h 2018-09-06 10:24:15.128367008 +0200
|
||||
@@ -237,13 +237,9 @@ extern void _cupsBufferRelease(char *b)
|
||||
|
||||
extern http_t *_cupsConnect(void);
|
||||
extern char *_cupsCreateDest(const char *name, const char *info, const char *device_id, const char *device_uri, char *uri, size_t urisize);
|
||||
-extern int _cupsGet1284Values(const char *device_id,
|
||||
- cups_option_t **values);
|
||||
-extern const char *_cupsGetDestResource(cups_dest_t *dest, char *resource,
|
||||
- size_t resourcesize);
|
||||
-extern int _cupsGetDests(http_t *http, ipp_op_t op,
|
||||
- const char *name, cups_dest_t **dests,
|
||||
- cups_ptype_t type, cups_ptype_t mask);
|
||||
+extern int _cupsGet1284Values(const char *device_id, cups_option_t **values);
|
||||
+extern const char *_cupsGetDestResource(cups_dest_t *dest, unsigned flags, char *resource, size_t resourcesize);
|
||||
+extern int _cupsGetDests(http_t *http, ipp_op_t op, const char *name, cups_dest_t **dests, cups_ptype_t type, cups_ptype_t mask);
|
||||
extern const char *_cupsGetPassword(const char *prompt);
|
||||
extern void _cupsGlobalLock(void);
|
||||
extern _cups_globals_t *_cupsGlobals(void);
|
||||
@@ -253,13 +249,10 @@ extern const char *_cupsGSSServiceName(v
|
||||
# endif /* HAVE_GSSAPI */
|
||||
extern int _cupsNextDelay(int current, int *previous);
|
||||
extern void _cupsSetDefaults(void);
|
||||
-extern void _cupsSetError(ipp_status_t status, const char *message,
|
||||
- int localize);
|
||||
+extern void _cupsSetError(ipp_status_t status, const char *message, int localize);
|
||||
extern void _cupsSetHTTPError(http_status_t status);
|
||||
# ifdef HAVE_GSSAPI
|
||||
-extern int _cupsSetNegotiateAuthString(http_t *http,
|
||||
- const char *method,
|
||||
- const char *resource);
|
||||
+extern int _cupsSetNegotiateAuthString(http_t *http, const char *method, const char *resource);
|
||||
# endif /* HAVE_GSSAPI */
|
||||
extern char *_cupsUserDefault(char *name, size_t namesize);
|
||||
|
||||
diff -up cups-2.2.6/cups/dest.c.oldcupsservers2 cups-2.2.6/cups/dest.c
|
||||
--- cups-2.2.6/cups/dest.c.oldcupsservers2 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/dest.c 2018-09-06 10:21:28.510749030 +0200
|
||||
@@ -1106,6 +1106,7 @@ cupsGetDest(const char *name, /* I - D
|
||||
const char * /* O - Printer URI */
|
||||
_cupsGetDestResource(
|
||||
cups_dest_t *dest, /* I - Destination */
|
||||
+ unsigned flags, /* I - Destination flags */
|
||||
char *resource, /* I - Resource buffer */
|
||||
size_t resourcesize) /* I - Size of resource buffer */
|
||||
{
|
||||
@@ -1135,52 +1136,64 @@ _cupsGetDestResource(
|
||||
* Grab the printer URI...
|
||||
*/
|
||||
|
||||
- if ((uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options)) == NULL)
|
||||
+ if (!(flags & CUPS_DEST_FLAGS_DEVICE))
|
||||
+ uri = NULL;
|
||||
+ else
|
||||
+ uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
+
|
||||
+ if (uri)
|
||||
+ {
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: printer-uri-supported=\"%s\"", uri));
|
||||
+ }
|
||||
+ else
|
||||
{
|
||||
if ((uri = cupsGetOption("device-uri", dest->num_options, dest->options)) != NULL)
|
||||
{
|
||||
#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
|
||||
if (strstr(uri, "._tcp"))
|
||||
+ {
|
||||
uri = cups_dnssd_resolve(dest, uri, 5000, NULL, NULL, NULL);
|
||||
+
|
||||
+ if (uri)
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: Resolved device-uri=\"%s\"", uri));
|
||||
+ }
|
||||
+ else
|
||||
#endif /* HAVE_DNSSD || HAVE_AVAHI */
|
||||
+
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: device-uri=\"%s\"", uri));
|
||||
}
|
||||
|
||||
- if (uri)
|
||||
+ if (uri && !(flags & CUPS_DEST_FLAGS_DEVICE))
|
||||
{
|
||||
- DEBUG_printf(("1_cupsGetDestResource: Resolved printer-uri-supported=\"%s\"", uri));
|
||||
-
|
||||
uri = _cupsCreateDest(dest->name, cupsGetOption("printer-info", dest->num_options, dest->options), NULL, uri, resource, resourcesize);
|
||||
- }
|
||||
|
||||
- if (uri)
|
||||
- {
|
||||
- DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
|
||||
+ if (uri)
|
||||
+ {
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
|
||||
|
||||
- dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
|
||||
+ dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
|
||||
|
||||
- uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
+ uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
+ }
|
||||
}
|
||||
- else
|
||||
- {
|
||||
- DEBUG_puts("1_cupsGetDestResource: No printer-uri-supported found.");
|
||||
+ }
|
||||
|
||||
- if (resource)
|
||||
- *resource = '\0';
|
||||
+ if (!uri)
|
||||
+ {
|
||||
+ DEBUG_puts("1_cupsGetDestResource: No printer-uri-supported or device-uri found.");
|
||||
|
||||
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(ENOENT), 0);
|
||||
+ if (resource)
|
||||
+ *resource = '\0';
|
||||
|
||||
- return (NULL);
|
||||
- }
|
||||
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(ENOENT), 0);
|
||||
+
|
||||
+ return (NULL);
|
||||
}
|
||||
else
|
||||
{
|
||||
- DEBUG_printf(("1_cupsGetDestResource: printer-uri-supported=\"%s\"", uri));
|
||||
-
|
||||
- if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme),
|
||||
- userpass, sizeof(userpass), hostname, sizeof(hostname),
|
||||
- &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
|
||||
+ if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), hostname, sizeof(hostname), &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
|
||||
{
|
||||
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad printer-uri."), 1);
|
||||
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad URI."), 1);
|
||||
|
||||
return (NULL);
|
||||
}
|
||||
diff -up cups-2.2.6/cups/dest-options.c.oldcupsservers2 cups-2.2.6/cups/dest-options.c
|
||||
--- cups-2.2.6/cups/dest-options.c.oldcupsservers2 2018-09-06 10:21:28.507749055 +0200
|
||||
+++ cups-2.2.6/cups/dest-options.c 2018-09-06 10:21:28.510749030 +0200
|
||||
@@ -572,6 +572,7 @@ cupsCopyDestInfo(
|
||||
cups_dest_t *dest) /* I - Destination */
|
||||
{
|
||||
cups_dinfo_t *dinfo; /* Destination information */
|
||||
+ unsigned dflags; /* Destination flags */
|
||||
ipp_t *request, /* Get-Printer-Attributes request */
|
||||
*response; /* Supported attributes */
|
||||
int tries, /* Number of tries so far */
|
||||
@@ -581,6 +582,7 @@ cupsCopyDestInfo(
|
||||
char resource[1024]; /* Resource path */
|
||||
int version; /* IPP version */
|
||||
ipp_status_t status; /* Status of request */
|
||||
+ _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */
|
||||
static const char * const requested_attrs[] =
|
||||
{ /* Requested attributes */
|
||||
"job-template",
|
||||
@@ -589,14 +591,25 @@ cupsCopyDestInfo(
|
||||
};
|
||||
|
||||
|
||||
- DEBUG_printf(("cupsCopyDestSupported(http=%p, dest=%p(%s))", (void *)http, (void *)dest, dest ? dest->name : ""));
|
||||
+ DEBUG_printf(("cupsCopyDestInfo(http=%p, dest=%p(%s))", (void *)http, (void *)dest, dest ? dest->name : ""));
|
||||
|
||||
/*
|
||||
* Get the default connection as needed...
|
||||
*/
|
||||
|
||||
if (!http)
|
||||
- http = _cupsConnect();
|
||||
+ {
|
||||
+ http = _cupsConnect();
|
||||
+ dflags = CUPS_DEST_FLAGS_NONE;
|
||||
+ }
|
||||
+#ifdef AF_LOCAL
|
||||
+ else if (strcmp(http->hostname, cg->server) || (httpAddrFamily(http->hostaddr) != AF_LOCAL && cg->ipp_port != httpAddrPort(http->hostaddr)))
|
||||
+#else
|
||||
+ else if (strcmp(http->hostname, cg->server) || cg->ipp_port != httpAddrPort(http->hostaddr))
|
||||
+#endif /* AF_LOCAL */
|
||||
+ dflags = CUPS_DEST_FLAGS_DEVICE;
|
||||
+ else
|
||||
+ dflags = CUPS_DEST_FLAGS_NONE;
|
||||
|
||||
/*
|
||||
* Range check input...
|
||||
@@ -609,8 +622,11 @@ cupsCopyDestInfo(
|
||||
* Get the printer URI and resource path...
|
||||
*/
|
||||
|
||||
- if ((uri = _cupsGetDestResource(dest, resource, sizeof(resource))) == NULL)
|
||||
+ if ((uri = _cupsGetDestResource(dest, dflags, resource, sizeof(resource))) == NULL)
|
||||
+ {
|
||||
+ DEBUG_puts("1cupsCopyDestInfo: Unable to get resource.");
|
||||
return (NULL);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Get the supported attributes...
|
||||
@@ -630,28 +646,23 @@ cupsCopyDestInfo(
|
||||
request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
|
||||
|
||||
ippSetVersion(request, version / 10, version % 10);
|
||||
- ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL,
|
||||
- uri);
|
||||
- ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME,
|
||||
- "requesting-user-name", NULL, cupsUser());
|
||||
- ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD,
|
||||
- "requested-attributes",
|
||||
- (int)(sizeof(requested_attrs) / sizeof(requested_attrs[0])),
|
||||
- NULL, requested_attrs);
|
||||
+ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
|
||||
+ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());
|
||||
+ ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(requested_attrs) / sizeof(requested_attrs[0])), NULL, requested_attrs);
|
||||
response = cupsDoRequest(http, request, resource);
|
||||
status = cupsLastError();
|
||||
|
||||
if (status > IPP_STATUS_OK_IGNORED_OR_SUBSTITUTED)
|
||||
{
|
||||
- DEBUG_printf(("cupsCopyDestSupported: Get-Printer-Attributes for '%s' "
|
||||
- "returned %s (%s)", dest->name, ippErrorString(status),
|
||||
- cupsLastErrorString()));
|
||||
+ DEBUG_printf(("1cupsCopyDestInfo: Get-Printer-Attributes for '%s' returned %s (%s)", dest->name, ippErrorString(status), cupsLastErrorString()));
|
||||
|
||||
ippDelete(response);
|
||||
response = NULL;
|
||||
|
||||
- if (status == IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED && version > 11)
|
||||
+ if ((status == IPP_STATUS_ERROR_BAD_REQUEST || status == IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED) && version > 11)
|
||||
+ {
|
||||
version = 11;
|
||||
+ }
|
||||
else if (status == IPP_STATUS_ERROR_BUSY)
|
||||
{
|
||||
sleep((unsigned)delay);
|
||||
@@ -667,7 +678,10 @@ cupsCopyDestInfo(
|
||||
while (!response && tries < 10);
|
||||
|
||||
if (!response)
|
||||
+ {
|
||||
+ DEBUG_puts("1cupsCopyDestInfo: Unable to get printer attributes.");
|
||||
return (NULL);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Allocate a cups_dinfo_t structure and return it...
|
||||
@@ -680,6 +694,8 @@ cupsCopyDestInfo(
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
+ DEBUG_printf(("1cupsCopyDestInfo: version=%d, uri=\"%s\", resource=\"%s\".", version, uri, resource));
|
||||
+
|
||||
dinfo->version = version;
|
||||
dinfo->uri = uri;
|
||||
dinfo->resource = _cupsStrAlloc(resource);
|
||||
diff -up cups-2.2.6/cups/testdest.c.oldcupsservers2 cups-2.2.6/cups/testdest.c
|
||||
--- cups-2.2.6/cups/testdest.c.oldcupsservers2 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/cups/testdest.c 2018-09-06 10:25:48.271585277 +0200
|
||||
@@ -43,9 +43,12 @@ int /* O - Exit status */
|
||||
main(int argc, /* I - Number of command-line arguments */
|
||||
char *argv[]) /* I - Command-line arguments */
|
||||
{
|
||||
+ int i; /* Looping var */
|
||||
http_t *http; /* Connection to destination */
|
||||
cups_dest_t *dest = NULL; /* Destination */
|
||||
cups_dinfo_t *dinfo; /* Destination info */
|
||||
+ unsigned dflags = CUPS_DEST_FLAGS_NONE;
|
||||
+ /* Destination flags */
|
||||
|
||||
|
||||
if (argc < 2)
|
||||
@@ -103,9 +106,17 @@ main(int argc, /* I - Number of comm
|
||||
|
||||
return (0);
|
||||
}
|
||||
- else if (!strncmp(argv[1], "ipp://", 6) || !strncmp(argv[1], "ipps://", 7))
|
||||
- dest = cupsGetDestWithURI(NULL, argv[1]);
|
||||
- else if (!strcmp(argv[1], "default"))
|
||||
+
|
||||
+ i = 1;
|
||||
+ if (!strcmp(argv[i], "--device"))
|
||||
+ {
|
||||
+ dflags = CUPS_DEST_FLAGS_DEVICE;
|
||||
+ i ++;
|
||||
+ }
|
||||
+
|
||||
+ if (!strncmp(argv[i], "ipp://", 6) || !strncmp(argv[i], "ipps://", 7))
|
||||
+ dest = cupsGetDestWithURI(NULL, argv[i]);
|
||||
+ else if (!strcmp(argv[i], "default"))
|
||||
{
|
||||
dest = cupsGetNamedDest(CUPS_HTTP_DEFAULT, NULL, NULL);
|
||||
if (dest && dest->instance)
|
||||
@@ -114,67 +125,70 @@ main(int argc, /* I - Number of comm
|
||||
printf("default is \"%s\".\n", dest->name);
|
||||
}
|
||||
else
|
||||
- dest = cupsGetNamedDest(CUPS_HTTP_DEFAULT, argv[1], NULL);
|
||||
+ dest = cupsGetNamedDest(CUPS_HTTP_DEFAULT, argv[i], NULL);
|
||||
|
||||
if (!dest)
|
||||
{
|
||||
- printf("testdest: Unable to get destination \"%s\": %s\n", argv[1], cupsLastErrorString());
|
||||
+ printf("testdest: Unable to get destination \"%s\": %s\n", argv[i], cupsLastErrorString());
|
||||
return (1);
|
||||
}
|
||||
|
||||
- if ((http = cupsConnectDest(dest, CUPS_DEST_FLAGS_NONE, 30000, NULL, NULL, 0, NULL, NULL)) == NULL)
|
||||
+ i ++;
|
||||
+
|
||||
+ if ((http = cupsConnectDest(dest, dflags, 30000, NULL, NULL, 0, NULL, NULL)) == NULL)
|
||||
{
|
||||
- printf("testdest: Unable to connect to destination \"%s\": %s\n", argv[1], cupsLastErrorString());
|
||||
+ printf("testdest: Unable to connect to destination \"%s\": %s\n", dest->name, cupsLastErrorString());
|
||||
return (1);
|
||||
}
|
||||
|
||||
if ((dinfo = cupsCopyDestInfo(http, dest)) == NULL)
|
||||
{
|
||||
- printf("testdest: Unable to get information for destination \"%s\": %s\n", argv[1], cupsLastErrorString());
|
||||
+ printf("testdest: Unable to get information for destination \"%s\": %s\n", dest->name, cupsLastErrorString());
|
||||
return (1);
|
||||
}
|
||||
|
||||
- if (argc == 2 || (!strcmp(argv[2], "supported") && argc < 6))
|
||||
+ if (i == argc || !strcmp(argv[i], "supported"))
|
||||
{
|
||||
- if (argc > 3)
|
||||
- show_supported(http, dest, dinfo, argv[3], argv[4]);
|
||||
+ i ++;
|
||||
+
|
||||
+ if ((i + 1) < argc)
|
||||
+ show_supported(http, dest, dinfo, argv[i], argv[i + 1]);
|
||||
else if (argc > 2)
|
||||
- show_supported(http, dest, dinfo, argv[3], NULL);
|
||||
+ show_supported(http, dest, dinfo, argv[i], NULL);
|
||||
else
|
||||
show_supported(http, dest, dinfo, NULL, NULL);
|
||||
}
|
||||
- else if (!strcmp(argv[2], "conflicts") && argc > 3)
|
||||
+ else if (!strcmp(argv[i], "conflicts") && (i + 1) < argc)
|
||||
{
|
||||
- int i, /* Looping var */
|
||||
- num_options = 0;/* Number of options */
|
||||
+ int num_options = 0;/* Number of options */
|
||||
cups_option_t *options = NULL;/* Options */
|
||||
|
||||
- for (i = 3; i < argc; i ++)
|
||||
+ for (i ++; i < argc; i ++)
|
||||
num_options = cupsParseOptions(argv[i], num_options, &options);
|
||||
|
||||
show_conflicts(http, dest, dinfo, num_options, options);
|
||||
}
|
||||
- else if (!strcmp(argv[2], "default") && argc == 4)
|
||||
+ else if (!strcmp(argv[i], "default") && (i + 1) < argc)
|
||||
{
|
||||
- show_default(http, dest, dinfo, argv[3]);
|
||||
+ show_default(http, dest, dinfo, argv[i + 1]);
|
||||
}
|
||||
- else if (!strcmp(argv[2], "localize") && argc < 6)
|
||||
+ else if (!strcmp(argv[i], "localize"))
|
||||
{
|
||||
- if (argc > 3)
|
||||
- localize(http, dest, dinfo, argv[3], argv[4]);
|
||||
+ i ++;
|
||||
+ if ((i + 1) < argc)
|
||||
+ localize(http, dest, dinfo, argv[i], argv[i + 1]);
|
||||
else if (argc > 2)
|
||||
- localize(http, dest, dinfo, argv[3], NULL);
|
||||
+ localize(http, dest, dinfo, argv[i], NULL);
|
||||
else
|
||||
localize(http, dest, dinfo, NULL, NULL);
|
||||
}
|
||||
- else if (!strcmp(argv[2], "media"))
|
||||
+ else if (!strcmp(argv[i], "media"))
|
||||
{
|
||||
- int i; /* Looping var */
|
||||
const char *name = NULL; /* Media name, if any */
|
||||
unsigned flags = CUPS_MEDIA_FLAGS_DEFAULT;
|
||||
/* Media selection flags */
|
||||
|
||||
- for (i = 3; i < argc; i ++)
|
||||
+ for (i ++; i < argc; i ++)
|
||||
{
|
||||
if (!strcmp(argv[i], "borderless"))
|
||||
flags = CUPS_MEDIA_FLAGS_BORDERLESS;
|
||||
@@ -192,19 +206,19 @@ main(int argc, /* I - Number of comm
|
||||
|
||||
show_media(http, dest, dinfo, flags, name);
|
||||
}
|
||||
- else if (!strcmp(argv[2], "print") && argc > 3)
|
||||
+ else if (!strcmp(argv[i], "print") && (i + 1) < argc)
|
||||
{
|
||||
- int i, /* Looping var */
|
||||
- num_options = 0;/* Number of options */
|
||||
+ int num_options = 0;/* Number of options */
|
||||
cups_option_t *options = NULL;/* Options */
|
||||
+ const char *filename = argv[i + 1];
|
||||
|
||||
- for (i = 4; i < argc; i ++)
|
||||
+ for (i += 2; i < argc; i ++)
|
||||
num_options = cupsParseOptions(argv[i], num_options, &options);
|
||||
|
||||
- print_file(http, dest, dinfo, argv[3], num_options, options);
|
||||
+ print_file(http, dest, dinfo, filename, num_options, options);
|
||||
}
|
||||
else
|
||||
- usage(argv[2]);
|
||||
+ usage(argv[i]);
|
||||
|
||||
return (0);
|
||||
}
|
||||
@@ -740,9 +754,9 @@ usage(const char *arg) /* I - Argument
|
||||
printf("testdest: Unknown option \"%s\".\n", arg);
|
||||
|
||||
puts("Usage:");
|
||||
- puts(" ./testdest name [operation ...]");
|
||||
- puts(" ./testdest ipp://... [operation ...]");
|
||||
- puts(" ./testdest ipps://... [operation ...]");
|
||||
+ puts(" ./testdest [--device] name [operation ...]");
|
||||
+ puts(" ./testdest [--device] ipp://... [operation ...]");
|
||||
+ puts(" ./testdest [--device] ipps://... [operation ...]");
|
||||
puts(" ./testdest --enum [grayscale] [color] [duplex] [staple] [small]\n"
|
||||
" [medium] [large]");
|
||||
puts("");
|
||||
diff -up cups-2.2.6/test/ippserver.c.oldcupsservers2 cups-2.2.6/test/ippserver.c
|
||||
--- cups-2.2.6/test/ippserver.c.oldcupsservers2 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/test/ippserver.c 2018-09-06 10:21:28.512749014 +0200
|
||||
@@ -461,6 +461,7 @@ static AvahiClient *DNSSDClient = NULL;
|
||||
#endif /* HAVE_DNSSD */
|
||||
|
||||
static int KeepFiles = 0,
|
||||
+ MaxVersion = 20,
|
||||
Verbosity = 0;
|
||||
|
||||
|
||||
@@ -533,6 +534,23 @@ main(int argc, /* I - Number of comm
|
||||
pin = 1;
|
||||
break;
|
||||
|
||||
+ case 'V' : /* -V max-version */
|
||||
+ i ++;
|
||||
+ if (i >= argc)
|
||||
+ usage(1);
|
||||
+
|
||||
+ if (!strcmp(argv[i], "2.2"))
|
||||
+ MaxVersion = 22;
|
||||
+ else if (!strcmp(argv[i], "2.1"))
|
||||
+ MaxVersion = 21;
|
||||
+ else if (!strcmp(argv[i], "2.0"))
|
||||
+ MaxVersion = 20;
|
||||
+ else if (!strcmp(argv[i], "1.1"))
|
||||
+ MaxVersion = 11;
|
||||
+ else
|
||||
+ usage(1);
|
||||
+ break;
|
||||
+
|
||||
case 'a' : /* -a attributes-file */
|
||||
i ++;
|
||||
if (i >= argc)
|
||||
@@ -1324,9 +1342,10 @@ create_printer(const char *servername, /
|
||||
};
|
||||
static const char * const versions[] =/* ipp-versions-supported values */
|
||||
{
|
||||
- "1.0",
|
||||
"1.1",
|
||||
- "2.0"
|
||||
+ "2.0",
|
||||
+ "2.1",
|
||||
+ "2.2"
|
||||
};
|
||||
static const char * const features[] =/* ipp-features-supported values */
|
||||
{
|
||||
@@ -1738,7 +1757,12 @@ create_printer(const char *servername, /
|
||||
|
||||
/* ipp-versions-supported */
|
||||
if (!ippFindAttribute(printer->attrs, "ipp-versions-supported", IPP_TAG_ZERO))
|
||||
- ippAddStrings(printer->attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "ipp-versions-supported", sizeof(versions) / sizeof(versions[0]), NULL, versions);
|
||||
+ {
|
||||
+ int num_versions = MaxVersion == 11 ? 1 : MaxVersion == 20 ? 2 : MaxVersion == 21 ? 3 : 4;
|
||||
+ /* Number of supported versions */
|
||||
+
|
||||
+ ippAddStrings(printer->attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "ipp-versions-supported", num_versions, NULL, versions);
|
||||
+ }
|
||||
|
||||
/* job-account-id-default */
|
||||
if (!ippFindAttribute(printer->attrs, "job-account-id-default", IPP_TAG_ZERO))
|
||||
@@ -5800,15 +5824,24 @@ process_ipp(_ipp_client_t *client) /* I
|
||||
* Return an error, since we only support IPP 1.x and 2.x.
|
||||
*/
|
||||
|
||||
- respond_ipp(client, IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED,
|
||||
- "Bad request version number %d.%d.", major, minor);
|
||||
+ respond_ipp(client, IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED, "Bad request version number %d.%d.", major, minor);
|
||||
+ }
|
||||
+ else if ((major * 10 + minor) > MaxVersion)
|
||||
+ {
|
||||
+ if (httpGetState(client->http) != HTTP_STATE_POST_SEND)
|
||||
+ httpFlush(client->http); /* Flush trailing (junk) data */
|
||||
+
|
||||
+ respond_http(client, HTTP_STATUS_BAD_REQUEST, NULL, NULL, 0);
|
||||
+ return (0);
|
||||
}
|
||||
else if (ippGetRequestId(client->request) <= 0)
|
||||
- respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST, "Bad request-id %d.",
|
||||
- ippGetRequestId(client->request));
|
||||
+ {
|
||||
+ respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST, "Bad request-id %d.", ippGetRequestId(client->request));
|
||||
+ }
|
||||
else if (!ippFirstAttribute(client->request))
|
||||
- respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST,
|
||||
- "No attributes in request.");
|
||||
+ {
|
||||
+ respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST, "No attributes in request.");
|
||||
+ }
|
||||
else
|
||||
{
|
||||
/*
|
||||
@@ -6877,8 +6910,7 @@ usage(int status) /* O - Exit status *
|
||||
{
|
||||
if (!status)
|
||||
{
|
||||
- puts(CUPS_SVERSION " - Copyright 2010-2015 by Apple Inc. All rights "
|
||||
- "reserved.");
|
||||
+ puts(CUPS_SVERSION " - Copyright (c) 2010-2018 by Apple Inc. All rights reserved.");
|
||||
puts("");
|
||||
}
|
||||
|
||||
@@ -6888,6 +6920,7 @@ usage(int status) /* O - Exit status *
|
||||
puts("-2 Supports 2-sided printing (default=1-sided)");
|
||||
puts("-M manufacturer Manufacturer name (default=Test)");
|
||||
puts("-P PIN printing mode");
|
||||
+ puts("-V max-version Set maximum supported IPP version");
|
||||
puts("-a attributes-file Load printer attributes from file");
|
||||
puts("-c command Run command for every print job");
|
||||
printf("-d spool-directory Spool directory "
|
|
@ -0,0 +1,25 @@
|
|||
diff -up cups-2.2.6/cups/usersys.c.defaulttls cups-2.2.6/cups/usersys.c
|
||||
--- cups-2.2.6/cups/usersys.c.defaulttls 2018-09-03 12:10:36.111230611 +0200
|
||||
+++ cups-2.2.6/cups/usersys.c 2018-09-03 12:12:41.307074414 +0200
|
||||
@@ -1166,11 +1166,16 @@ cups_init_client_conf(
|
||||
|
||||
memset(cc, 0, sizeof(_cups_client_conf_t));
|
||||
|
||||
- cc->encryption = (http_encryption_t)-1;
|
||||
- cc->trust_first = -1;
|
||||
- cc->any_root = -1;
|
||||
- cc->expired_certs = -1;
|
||||
- cc->validate_certs = -1;
|
||||
+#ifdef HAVE_SSL
|
||||
+ cc->ssl_options = _HTTP_TLS_NONE;
|
||||
+ cc->ssl_min_version = _HTTP_TLS_1_0;
|
||||
+ cc->ssl_max_version = _HTTP_TLS_MAX;
|
||||
+#endif /* HAVE_SSL */
|
||||
+ cc->encryption = (http_encryption_t)-1;
|
||||
+ cc->trust_first = -1;
|
||||
+ cc->any_root = -1;
|
||||
+ cc->expired_certs = -1;
|
||||
+ cc->validate_certs = -1;
|
||||
|
||||
/*
|
||||
* Load settings from the org.cups.PrintingPrefs plist (which trump
|
|
@ -0,0 +1,481 @@
|
|||
From d47f6aec436e0e9df6554436e391471097686ecc Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Tue, 8 May 2018 15:24:21 -0700
|
||||
Subject: [PATCH] Fix local privilege escalation to root and sandbox bypasses
|
||||
in scheduler (rdar://37836779, rdar://37836995, rdar://37837252,
|
||||
rdar://37837581)
|
||||
|
||||
---
|
||||
man/cups-files.conf.man.in | 10 ++
|
||||
man/cupsd.conf.man.in | 8 --
|
||||
scheduler/conf.c | 201 +++++++++++++++++++++++--------------
|
||||
scheduler/job.c | 12 +++
|
||||
scheduler/process.c | 16 +--
|
||||
scheduler/server.c | 20 +++-
|
||||
test/run-stp-tests.sh | 11 +-
|
||||
7 files changed, 179 insertions(+), 99 deletions(-)
|
||||
|
||||
diff --git a/man/cups-files.conf.man.in b/man/cups-files.conf.man.in
|
||||
index 7b96d687d..baf3cb6af 100644
|
||||
--- a/man/cups-files.conf.man.in
|
||||
+++ b/man/cups-files.conf.man.in
|
||||
@@ -153,6 +153,11 @@ The server name may be included in filenames using the string "%s", for example:
|
||||
|
||||
.fi
|
||||
The default is "/var/log/cups/page_log".
|
||||
+.\"#PassEnv
|
||||
+.TP 5
|
||||
+\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
|
||||
+Passes the specified environment variable(s) to child processes.
|
||||
+Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
|
||||
.\"#RemoteRoot
|
||||
.TP 5
|
||||
\fBRemoteRoot \fIusername\fR
|
||||
@@ -187,6 +192,11 @@ macOS uses its keychain database to store certificates and keys while other plat
|
||||
\fBServerRoot \fIdirectory\fR
|
||||
Specifies the directory containing the server configuration files.
|
||||
The default is "/etc/cups".
|
||||
+.\"#SetEnv
|
||||
+.TP 5
|
||||
+\fBSetEnv \fIvariable value\fR
|
||||
+Set the specified environment variable to be passed to child processes.
|
||||
+Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
|
||||
.\"#StateDir
|
||||
.TP 5
|
||||
\fBStateDir \fIdirectory\fR
|
||||
diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in
|
||||
index 3ffc80e42..36c849398 100644
|
||||
--- a/man/cupsd.conf.man.in
|
||||
+++ b/man/cupsd.conf.man.in
|
||||
@@ -349,10 +349,6 @@ The default is "1048576" (1MB).
|
||||
\fBMultipleOperationTimeout \fIseconds\fR
|
||||
Specifies the maximum amount of time to allow between files in a multiple file print job.
|
||||
The default is "300" (5 minutes).
|
||||
-.\"#PassEnv
|
||||
-.TP 5
|
||||
-\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
|
||||
-Passes the specified environment variable(s) to child processes.
|
||||
.\"#Policy
|
||||
.TP 5
|
||||
\fB<Policy \fIname\fB> \fR... \fB</Policy>\fR
|
||||
@@ -433,10 +429,6 @@ Specifies what information is included in the Server header of HTTP responses.
|
||||
command.
|
||||
"Full" reports "CUPS 2.0.0 (UNAME) IPP/2.0".
|
||||
The default is "Minimal".
|
||||
-.\"#SetEnv
|
||||
-.TP 5
|
||||
-\fBSetEnv \fIvariable value\fR
|
||||
-Set the specified environment variable to be passed to child processes.
|
||||
.\"#SSLListen
|
||||
.TP 5
|
||||
\fBSSLListen \fIipv4-address\fB:\fIport\fR
|
||||
diff --git a/scheduler/conf.c b/scheduler/conf.c
|
||||
index 67a91e7a6..b51c6060c 100644
|
||||
--- a/scheduler/conf.c
|
||||
+++ b/scheduler/conf.c
|
||||
@@ -2929,13 +2929,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
/* Line from file */
|
||||
temp[HTTP_MAX_BUFFER],
|
||||
/* Temporary buffer for value */
|
||||
- *value, /* Pointer to value */
|
||||
- *valueptr; /* Pointer into value */
|
||||
+ *value; /* Pointer to value */
|
||||
int valuelen; /* Length of value */
|
||||
http_addrlist_t *addrlist, /* Address list */
|
||||
*addr; /* Current address */
|
||||
- cups_file_t *incfile; /* Include file */
|
||||
- char incname[1024]; /* Include filename */
|
||||
|
||||
|
||||
/*
|
||||
@@ -2950,28 +2947,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
* Decode the directive...
|
||||
*/
|
||||
|
||||
- if (!_cups_strcasecmp(line, "Include") && value)
|
||||
- {
|
||||
- /*
|
||||
- * Include filename
|
||||
- */
|
||||
-
|
||||
- if (value[0] == '/')
|
||||
- strlcpy(incname, value, sizeof(incname));
|
||||
- else
|
||||
- snprintf(incname, sizeof(incname), "%s/%s", ServerRoot, value);
|
||||
-
|
||||
- if ((incfile = cupsFileOpen(incname, "rb")) == NULL)
|
||||
- cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
- "Unable to include config file \"%s\" - %s",
|
||||
- incname, strerror(errno));
|
||||
- else
|
||||
- {
|
||||
- read_cupsd_conf(incfile);
|
||||
- cupsFileClose(incfile);
|
||||
- }
|
||||
- }
|
||||
- else if (!_cups_strcasecmp(line, "<Location") && value)
|
||||
+ if (!_cups_strcasecmp(line, "<Location") && value)
|
||||
{
|
||||
/*
|
||||
* <Location path>
|
||||
@@ -3367,31 +3343,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown ServerTokens %s on line %d of %s.",
|
||||
value, linenum, ConfigurationFile);
|
||||
}
|
||||
- else if (!_cups_strcasecmp(line, "PassEnv") && value)
|
||||
- {
|
||||
- /*
|
||||
- * PassEnv variable [... variable]
|
||||
- */
|
||||
-
|
||||
- for (; *value;)
|
||||
- {
|
||||
- for (valuelen = 0; value[valuelen]; valuelen ++)
|
||||
- if (_cups_isspace(value[valuelen]) || value[valuelen] == ',')
|
||||
- break;
|
||||
-
|
||||
- if (value[valuelen])
|
||||
- {
|
||||
- value[valuelen] = '\0';
|
||||
- valuelen ++;
|
||||
- }
|
||||
-
|
||||
- cupsdSetEnv(value, NULL);
|
||||
-
|
||||
- for (value += valuelen; *value; value ++)
|
||||
- if (!_cups_isspace(*value) || *value != ',')
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
else if (!_cups_strcasecmp(line, "ServerAlias") && value)
|
||||
{
|
||||
/*
|
||||
@@ -3420,30 +3371,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
break;
|
||||
}
|
||||
}
|
||||
- else if (!_cups_strcasecmp(line, "SetEnv") && value)
|
||||
- {
|
||||
- /*
|
||||
- * SetEnv variable value
|
||||
- */
|
||||
-
|
||||
- for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++);
|
||||
-
|
||||
- if (*valueptr)
|
||||
- {
|
||||
- /*
|
||||
- * Found a value...
|
||||
- */
|
||||
-
|
||||
- while (isspace(*valueptr & 255))
|
||||
- *valueptr++ = '\0';
|
||||
-
|
||||
- cupsdSetEnv(value, valueptr);
|
||||
- }
|
||||
- else
|
||||
- cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
- "Missing value for SetEnv directive on line %d of %s.",
|
||||
- linenum, ConfigurationFile);
|
||||
- }
|
||||
else if (!_cups_strcasecmp(line, "AccessLog") ||
|
||||
!_cups_strcasecmp(line, "CacheDir") ||
|
||||
!_cups_strcasecmp(line, "ConfigFilePerm") ||
|
||||
@@ -3457,6 +3384,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
!_cups_strcasecmp(line, "LogFilePerm") ||
|
||||
!_cups_strcasecmp(line, "LPDConfigFile") ||
|
||||
!_cups_strcasecmp(line, "PageLog") ||
|
||||
+ !_cups_strcasecmp(line, "PassEnv") ||
|
||||
!_cups_strcasecmp(line, "Printcap") ||
|
||||
!_cups_strcasecmp(line, "PrintcapFormat") ||
|
||||
!_cups_strcasecmp(line, "RemoteRoot") ||
|
||||
@@ -3466,6 +3394,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
!_cups_strcasecmp(line, "ServerKey") ||
|
||||
!_cups_strcasecmp(line, "ServerKeychain") ||
|
||||
!_cups_strcasecmp(line, "ServerRoot") ||
|
||||
+ !_cups_strcasecmp(line, "SetEnv") ||
|
||||
!_cups_strcasecmp(line, "SMBConfigFile") ||
|
||||
!_cups_strcasecmp(line, "StateDir") ||
|
||||
!_cups_strcasecmp(line, "SystemGroup") ||
|
||||
@@ -3495,10 +3424,49 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
|
||||
static int /* O - 1 on success, 0 on failure */
|
||||
read_cups_files_conf(cups_file_t *fp) /* I - File to read from */
|
||||
{
|
||||
- int linenum; /* Current line number */
|
||||
+ int i, /* Looping var */
|
||||
+ linenum; /* Current line number */
|
||||
char line[HTTP_MAX_BUFFER], /* Line from file */
|
||||
*value; /* Value from line */
|
||||
struct group *group; /* Group */
|
||||
+ static const char * const prohibited_env[] =
|
||||
+ { /* Prohibited environment variables */
|
||||
+ "APPLE_LANGUAGE",
|
||||
+ "AUTH_DOMAIN",
|
||||
+ "AUTH_INFO_REQUIRED",
|
||||
+ "AUTH_NEGOTIATE",
|
||||
+ "AUTH_PASSWORD",
|
||||
+ "AUTH_UID",
|
||||
+ "AUTH_USERNAME",
|
||||
+ "CHARSET",
|
||||
+ "CLASS",
|
||||
+ "CLASSIFICATION",
|
||||
+ "CONTENT_TYPE",
|
||||
+ "CUPS_CACHEDIR",
|
||||
+ "CUPS_DATADIR",
|
||||
+ "CUPS_DOCROOT",
|
||||
+ "CUPS_FILETYPE",
|
||||
+ "CUPS_FONTPATH",
|
||||
+ "CUPS_MAX_MESSAGE",
|
||||
+ "CUPS_REQUESTROOT",
|
||||
+ "CUPS_SERVERBIN",
|
||||
+ "CUPS_SERVERROOT",
|
||||
+ "CUPS_STATEDIR",
|
||||
+ "DEVICE_URI",
|
||||
+ "FINAL_CONTENT_TYPE",
|
||||
+ "HOME",
|
||||
+ "LANG",
|
||||
+ "PPD",
|
||||
+ "PRINTER",
|
||||
+ "PRINTER_INFO",
|
||||
+ "PRINTER_LOCATION",
|
||||
+ "PRINTER_STATE_REASONS",
|
||||
+ "RIP_CACHE",
|
||||
+ "SERVER_ADMIN",
|
||||
+ "SOFTWARE",
|
||||
+ "TMPDIR",
|
||||
+ "USER"
|
||||
+ };
|
||||
|
||||
|
||||
/*
|
||||
@@ -3536,6 +3504,47 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */
|
||||
}
|
||||
}
|
||||
}
|
||||
+ else if (!_cups_strcasecmp(line, "PassEnv") && value)
|
||||
+ {
|
||||
+ /*
|
||||
+ * PassEnv variable [... variable]
|
||||
+ */
|
||||
+
|
||||
+ int valuelen; /* Length of variable name */
|
||||
+
|
||||
+ for (; *value;)
|
||||
+ {
|
||||
+ for (valuelen = 0; value[valuelen]; valuelen ++)
|
||||
+ if (_cups_isspace(value[valuelen]) || value[valuelen] == ',')
|
||||
+ break;
|
||||
+
|
||||
+ if (value[valuelen])
|
||||
+ {
|
||||
+ value[valuelen] = '\0';
|
||||
+ valuelen ++;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++)
|
||||
+ {
|
||||
+ if (!strcmp(value, prohibited_env[i]))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be passed through on line %d of %s.", value, linenum, CupsFilesFile);
|
||||
+
|
||||
+ if (FatalErrors & CUPSD_FATAL_CONFIG)
|
||||
+ return (0);
|
||||
+ else
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])))
|
||||
+ cupsdSetEnv(value, NULL);
|
||||
+
|
||||
+ for (value += valuelen; *value; value ++)
|
||||
+ if (!_cups_isspace(*value) || *value != ',')
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
|
||||
{
|
||||
/*
|
||||
@@ -3581,6 +3590,46 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
+ else if (!_cups_strcasecmp(line, "SetEnv") && value)
|
||||
+ {
|
||||
+ /*
|
||||
+ * SetEnv variable value
|
||||
+ */
|
||||
+
|
||||
+ char *valueptr; /* Pointer to environment variable value */
|
||||
+
|
||||
+ for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++);
|
||||
+
|
||||
+ if (*valueptr)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Found a value...
|
||||
+ */
|
||||
+
|
||||
+ while (isspace(*valueptr & 255))
|
||||
+ *valueptr++ = '\0';
|
||||
+
|
||||
+ for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++)
|
||||
+ {
|
||||
+ if (!strcmp(value, prohibited_env[i]))
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be set on line %d of %s.", value, linenum, CupsFilesFile);
|
||||
+
|
||||
+ if (FatalErrors & CUPSD_FATAL_CONFIG)
|
||||
+ return (0);
|
||||
+ else
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])))
|
||||
+ cupsdSetEnv(value, valueptr);
|
||||
+ }
|
||||
+ else
|
||||
+ cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
+ "Missing value for SetEnv directive on line %d of %s.",
|
||||
+ linenum, ConfigurationFile);
|
||||
+ }
|
||||
else if (!_cups_strcasecmp(line, "SystemGroup") && value)
|
||||
{
|
||||
/*
|
||||
diff --git a/scheduler/job.c b/scheduler/job.c
|
||||
index 61cda44e2..5ced0b9d1 100644
|
||||
--- a/scheduler/job.c
|
||||
+++ b/scheduler/job.c
|
||||
@@ -4779,6 +4779,18 @@ start_job(cupsd_job_t *job, /* I - Job ID */
|
||||
job->profile = cupsdCreateProfile(job->id, 0);
|
||||
job->bprofile = cupsdCreateProfile(job->id, 1);
|
||||
|
||||
+#ifdef HAVE_SANDBOX_H
|
||||
+ if ((!job->profile || !job->bprofile) && UseSandboxing && Sandboxing != CUPSD_SANDBOXING_OFF)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Failure to create the sandbox profile means something really bad has
|
||||
+ * happened and we need to shutdown immediately.
|
||||
+ */
|
||||
+
|
||||
+ return;
|
||||
+ }
|
||||
+#endif /* HAVE_SANDBOX_H */
|
||||
+
|
||||
/*
|
||||
* Create the status pipes and buffer...
|
||||
*/
|
||||
diff --git a/scheduler/process.c b/scheduler/process.c
|
||||
index b8d49d8f0..3c1c6ba4f 100644
|
||||
--- a/scheduler/process.c
|
||||
+++ b/scheduler/process.c
|
||||
@@ -98,9 +98,13 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
|
||||
|
||||
if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
|
||||
{
|
||||
+ /*
|
||||
+ * This should never happen, and is fatal when sandboxing is enabled.
|
||||
+ */
|
||||
+
|
||||
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d, allow_networking=%d) = NULL", job_id, allow_networking);
|
||||
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
|
||||
- strerror(errno));
|
||||
+ cupsdLogMessage(CUPSD_LOG_EMERG, "Unable to create security profile: %s", strerror(errno));
|
||||
+ kill(getpid(), SIGTERM);
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
@@ -197,10 +201,8 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
|
||||
" #\"^%s/\"" /* TempDir/... */
|
||||
" #\"^%s$\"" /* CacheDir */
|
||||
" #\"^%s/\"" /* CacheDir/... */
|
||||
- " #\"^%s$\"" /* StateDir */
|
||||
- " #\"^%s/\"" /* StateDir/... */
|
||||
"))\n",
|
||||
- temp, temp, cache, cache, state, state);
|
||||
+ temp, temp, cache, cache);
|
||||
/* Read common folders */
|
||||
cupsFilePrintf(fp,
|
||||
"(allow file-read-data file-read-metadata\n"
|
||||
@@ -242,8 +244,10 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
|
||||
" #\"^%s/\"" /* ServerBin/... */
|
||||
" #\"^%s$\"" /* ServerRoot */
|
||||
" #\"^%s/\"" /* ServerRoot/... */
|
||||
+ " #\"^%s$\"" /* StateDir */
|
||||
+ " #\"^%s/\"" /* StateDir/... */
|
||||
"))\n",
|
||||
- request, request, bin, bin, root, root);
|
||||
+ request, request, bin, bin, root, root, state, state);
|
||||
if (Sandboxing == CUPSD_SANDBOXING_RELAXED)
|
||||
{
|
||||
/* Limited write access to /Library/Printers/... */
|
||||
diff --git a/scheduler/server.c b/scheduler/server.c
|
||||
index cecbabe67..a4033791b 100644
|
||||
--- a/scheduler/server.c
|
||||
+++ b/scheduler/server.c
|
||||
@@ -34,16 +34,28 @@ void
|
||||
cupsdStartServer(void)
|
||||
{
|
||||
/*
|
||||
- * Start color management (as needed)...
|
||||
+ * Create the default security profile...
|
||||
*/
|
||||
|
||||
- cupsdStartColor();
|
||||
+ DefaultProfile = cupsdCreateProfile(0, 1);
|
||||
+
|
||||
+#ifdef HAVE_SANDBOX_H
|
||||
+ if (!DefaultProfile && UseSandboxing && Sandboxing != CUPSD_SANDBOXING_OFF)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Failure to create the sandbox profile means something really bad has
|
||||
+ * happened and we need to shutdown immediately.
|
||||
+ */
|
||||
+
|
||||
+ return;
|
||||
+ }
|
||||
+#endif /* HAVE_SANDBOX_H */
|
||||
|
||||
/*
|
||||
- * Create the default security profile...
|
||||
+ * Start color management (as needed)...
|
||||
*/
|
||||
|
||||
- DefaultProfile = cupsdCreateProfile(0, 1);
|
||||
+ cupsdStartColor();
|
||||
|
||||
/*
|
||||
* Startup all the networking stuff...
|
||||
diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh
|
||||
index 7eb269a67..f83bd5d91 100755
|
||||
--- a/test/run-stp-tests.sh
|
||||
+++ b/test/run-stp-tests.sh
|
||||
@@ -489,11 +489,6 @@ StrictConformance Yes
|
||||
Browsing Off
|
||||
Listen localhost:$port
|
||||
Listen $BASE/sock
|
||||
-PassEnv DYLD_LIBRARY_PATH
|
||||
-PassEnv LD_LIBRARY_PATH
|
||||
-PassEnv LD_PRELOAD
|
||||
-PassEnv LOCALEDIR
|
||||
-PassEnv SHLIB_PATH
|
||||
MaxSubscriptions 3
|
||||
MaxLogSize 0
|
||||
AccessLogLevel actions
|
||||
@@ -529,6 +524,12 @@ TempDir $BASE/spool/temp
|
||||
AccessLog $BASE/log/access_log
|
||||
ErrorLog $BASE/log/error_log
|
||||
PageLog $BASE/log/page_log
|
||||
+
|
||||
+PassEnv DYLD_LIBRARY_PATH
|
||||
+PassEnv LD_LIBRARY_PATH
|
||||
+PassEnv LD_PRELOAD
|
||||
+PassEnv LOCALEDIR
|
||||
+PassEnv SHLIB_PATH
|
||||
EOF
|
||||
|
||||
if test $ssltype != 0 -a `uname` = Darwin; then
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -0,0 +1,206 @@
|
|||
diff --git a/backend/ipp.c b/backend/ipp.c
|
||||
index 32eb3aaa4..2a880bd75 100644
|
||||
--- a/backend/ipp.c
|
||||
+++ b/backend/ipp.c
|
||||
@@ -3612,6 +3612,8 @@ update_reasons(ipp_attribute_t *attr, /* I - printer-state-reasons or NULL */
|
||||
}
|
||||
}
|
||||
|
||||
+ cupsArrayDelete(new_reasons);
|
||||
+
|
||||
_cupsMutexUnlock(&report_mutex);
|
||||
|
||||
/*
|
||||
diff --git a/cgi-bin/search.c b/cgi-bin/search.c
|
||||
index 3956afc33..ad1f5ed0e 100644
|
||||
--- a/cgi-bin/search.c
|
||||
+++ b/cgi-bin/search.c
|
||||
@@ -361,4 +362,5 @@ void
|
||||
cgiFreeSearch(void *search) /* I - Search context */
|
||||
{
|
||||
regfree((regex_t *)search);
|
||||
+ free(search);
|
||||
}
|
||||
diff --git a/cups/http-addrlist.c b/cups/http-addrlist.c
|
||||
index 5d510140b..688901a7d 100644
|
||||
--- a/cups/http-addrlist.c
|
||||
+++ b/cups/http-addrlist.c
|
||||
@@ -612,6 +613,7 @@ httpAddrGetList(const char *hostname, /* I - Hostname, IP address, or NULL for p
|
||||
if (!temp)
|
||||
{
|
||||
httpAddrFreeList(first);
|
||||
+ freeaddrinfo(results);
|
||||
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
|
||||
return (NULL);
|
||||
}
|
||||
diff --git a/cups/http.c b/cups/http.c
|
||||
index a9235b087..d9332cc83 100644
|
||||
--- a/cups/http.c
|
||||
+++ b/cups/http.c
|
||||
@@ -3915,7 +3915,7 @@ http_create(
|
||||
if ((http = calloc(sizeof(http_t), 1)) == NULL)
|
||||
{
|
||||
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
|
||||
- httpAddrFreeList(addrlist);
|
||||
+ httpAddrFreeList(myaddrlist);
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
|
||||
index be24cebae..4e8cba7bb 100644
|
||||
--- a/ppdc/ppdc-source.cxx
|
||||
+++ b/ppdc/ppdc-source.cxx
|
||||
@@ -2665,6 +2666,7 @@ ppdcSource::scan_file(ppdcFile *fp, // I - File to read
|
||||
// Add it to the current option...
|
||||
if (!o)
|
||||
{
|
||||
+ c->release();
|
||||
_cupsLangPrintf(stderr,
|
||||
_("ppdc: Choice found on line %d of %s with no "
|
||||
"Option."), fp->line, fp->filename);
|
||||
diff --git a/scheduler/cups-driverd.cxx b/scheduler/cups-driverd.cxx
|
||||
index 657eee0a0..b518a9325 100644
|
||||
--- a/scheduler/cups-driverd.cxx
|
||||
+++ b/scheduler/cups-driverd.cxx
|
||||
@@ -153,7 +153,7 @@ static ppd_info_t *add_ppd(const char *filename, const char *name,
|
||||
size_t size, int model_number, int type,
|
||||
const char *scheme);
|
||||
static int cat_drv(const char *name, int request_id);
|
||||
-static int cat_ppd(const char *name, int request_id);
|
||||
+static void cat_ppd(const char *name, int request_id);
|
||||
static int cat_static(const char *name, int request_id);
|
||||
static int cat_tar(const char *name, int request_id);
|
||||
static int compare_inodes(struct stat *a, struct stat *b);
|
||||
@@ -163,12 +163,12 @@ static int compare_names(const ppd_info_t *p0,
|
||||
const ppd_info_t *p1);
|
||||
static int compare_ppds(const ppd_info_t *p0,
|
||||
const ppd_info_t *p1);
|
||||
-static int dump_ppds_dat(const char *filename);
|
||||
+static void dump_ppds_dat(const char *filename);
|
||||
static void free_array(cups_array_t *a);
|
||||
static cups_file_t *get_file(const char *name, int request_id,
|
||||
const char *subdir, char *buffer,
|
||||
size_t bufsize, char **subfile);
|
||||
-static int list_ppds(int request_id, int limit, const char *opt);
|
||||
+static void list_ppds(int request_id, int limit, const char *opt);
|
||||
static int load_drivers(cups_array_t *include,
|
||||
cups_array_t *exclude);
|
||||
static int load_drv(const char *filename, const char *name,
|
||||
@@ -204,13 +204,13 @@ main(int argc, /* I - Number of command-line args */
|
||||
*/
|
||||
|
||||
if (argc == 3 && !strcmp(argv[1], "cat"))
|
||||
- return (cat_ppd(argv[2], 0));
|
||||
+ cat_ppd(argv[2], 0);
|
||||
else if ((argc == 2 || argc == 3) && !strcmp(argv[1], "dump"))
|
||||
- return (dump_ppds_dat(argv[2]));
|
||||
+ dump_ppds_dat(argv[2]);
|
||||
else if (argc == 4 && !strcmp(argv[1], "get"))
|
||||
- return (cat_ppd(argv[3], atoi(argv[2])));
|
||||
+ cat_ppd(argv[3], atoi(argv[2]));
|
||||
else if (argc == 5 && !strcmp(argv[1], "list"))
|
||||
- return (list_ppds(atoi(argv[2]), atoi(argv[3]), argv[4]));
|
||||
+ list_ppds(atoi(argv[2]), atoi(argv[3]), argv[4]);
|
||||
else
|
||||
{
|
||||
fputs("Usage: cups-driverd cat ppd-name\n", stderr);
|
||||
@@ -428,7 +428,7 @@ cat_drv(const char *name, /* I - PPD name */
|
||||
* 'cat_ppd()' - Copy a PPD file to stdout.
|
||||
*/
|
||||
|
||||
-static int /* O - Exit code */
|
||||
+static void
|
||||
cat_ppd(const char *name, /* I - PPD name */
|
||||
int request_id) /* I - Request ID for response? */
|
||||
{
|
||||
@@ -445,7 +445,7 @@ cat_ppd(const char *name, /* I - PPD name */
|
||||
if (strstr(name, "../"))
|
||||
{
|
||||
fputs("ERROR: Invalid PPD name.\n", stderr);
|
||||
- return (1);
|
||||
+ exit(1);
|
||||
}
|
||||
|
||||
strlcpy(scheme, name, sizeof(scheme));
|
||||
@@ -475,11 +475,11 @@ cat_ppd(const char *name, /* I - PPD name */
|
||||
puts("Content-Type: application/ipp\n");
|
||||
|
||||
if (!scheme[0])
|
||||
- return (cat_static(name, request_id));
|
||||
+ exit(cat_static(name, request_id));
|
||||
else if (!strcmp(scheme, "drv"))
|
||||
- return (cat_drv(name, request_id));
|
||||
+ exit(cat_drv(name, request_id));
|
||||
else if (!strcmp(scheme, "file"))
|
||||
- return (cat_tar(name, request_id));
|
||||
+ exit(cat_tar(name, request_id));
|
||||
else
|
||||
{
|
||||
/*
|
||||
@@ -517,7 +517,7 @@ cat_ppd(const char *name, /* I - PPD name */
|
||||
cupsdSendIPPTrailer();
|
||||
}
|
||||
|
||||
- return (1);
|
||||
+ exit(1);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -547,15 +547,15 @@ cat_ppd(const char *name, /* I - PPD name */
|
||||
|
||||
fprintf(stderr, "ERROR: [cups-driverd] Unable to execute \"%s\" - %s\n",
|
||||
line, strerror(errno));
|
||||
- return (1);
|
||||
+ exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
- * Return with no errors...
|
||||
+ * Exit with no errors...
|
||||
*/
|
||||
|
||||
- return (0);
|
||||
+ exit(0);
|
||||
}
|
||||
|
||||
|
||||
@@ -778,7 +778,7 @@ compare_ppds(const ppd_info_t *p0, /* I - First PPD file */
|
||||
* 'dump_ppds_dat()' - Dump the contents of the ppds.dat file.
|
||||
*/
|
||||
|
||||
-static int /* O - Exit status */
|
||||
+static void
|
||||
dump_ppds_dat(const char *filename) /* I - Filename */
|
||||
{
|
||||
char temp[1024]; /* ppds.dat filename */
|
||||
@@ -810,7 +810,7 @@ dump_ppds_dat(const char *filename) /* I - Filename */
|
||||
ppd->record.make_and_model, ppd->record.device_id,
|
||||
ppd->record.scheme);
|
||||
|
||||
- return (0);
|
||||
+ exit(0);
|
||||
}
|
||||
|
||||
|
||||
@@ -1004,7 +1004,7 @@ get_file(const char *name, /* I - Name */
|
||||
* 'list_ppds()' - List PPD files.
|
||||
*/
|
||||
|
||||
-static int /* O - Exit code */
|
||||
+static void
|
||||
list_ppds(int request_id, /* I - Request ID */
|
||||
int limit, /* I - Limit */
|
||||
const char *opt) /* I - Option argument */
|
||||
@@ -1566,7 +1566,7 @@ list_ppds(int request_id, /* I - Request ID */
|
||||
if (request_id)
|
||||
cupsdSendIPPTrailer();
|
||||
|
||||
- return (0);
|
||||
+ exit(0);
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
diff --git a/backend/socket.c b/backend/socket.c
|
||||
index 675061dd9..68379e95b 100644
|
||||
--- a/backend/socket.c
|
||||
+++ b/backend/socket.c
|
||||
@@ -397,8 +397,10 @@ main(int argc, /* I - Number of command-line arguments (6 or 7) */
|
||||
lseek(print_fd, 0, SEEK_SET);
|
||||
}
|
||||
|
||||
- tbytes = backendRunLoop(print_fd, device_fd, snmp_fd, &(addrlist->addr), 1,
|
||||
- 0, backendNetworkSideCB);
|
||||
+ if ((bytes = backendRunLoop(print_fd, device_fd, snmp_fd, &(addrlist->addr), 1, 0, backendNetworkSideCB)) < 0)
|
||||
+ tbytes = -1;
|
||||
+ else
|
||||
+ tbytes = bytes;
|
||||
|
||||
if (print_fd != 0 && tbytes >= 0)
|
||||
_cupsLangPrintFilter(stderr, "INFO", _("Print file sent."));
|
||||
@@ -406,7 +408,7 @@ main(int argc, /* I - Number of command-line arguments (6 or 7) */
|
||||
|
||||
fputs("STATE: +cups-waiting-for-job-completed\n", stderr);
|
||||
|
||||
- if (waiteof)
|
||||
+ if (waiteof && tbytes >= 0)
|
||||
{
|
||||
/*
|
||||
* Shutdown the socket and wait for the other end to finish...
|
||||
@@ -443,7 +445,7 @@ main(int argc, /* I - Number of command-line arguments (6 or 7) */
|
||||
if (print_fd != 0)
|
||||
close(print_fd);
|
||||
|
||||
- return (CUPS_BACKEND_OK);
|
||||
+ return (tbytes >= 0 ? CUPS_BACKEND_OK : CUPS_BACKEND_FAILED);
|
||||
}
|
||||
|
||||
|
||||
diff --git a/scheduler/main.c b/scheduler/main.c
|
||||
index 4b3914ade..472b9946d 100644
|
||||
--- a/scheduler/main.c
|
||||
+++ b/scheduler/main.c
|
||||
@@ -1472,9 +1472,16 @@ process_children(void)
|
||||
(!job->filters[i] && WIFEXITED(old_status)))
|
||||
{ /* Backend and filter didn't crash */
|
||||
if (job->filters[i])
|
||||
+ {
|
||||
job->status = status; /* Filter failed */
|
||||
+ }
|
||||
else
|
||||
+ {
|
||||
job->status = -status; /* Backend failed */
|
||||
+
|
||||
+ if (job->current_file < job->num_files)
|
||||
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_FORCE, "Canceling multi-file job due to backend failure.");
|
||||
+ }
|
||||
}
|
||||
|
||||
if (job->state_value == IPP_JOB_PROCESSING &&
|
|
@ -0,0 +1,138 @@
|
|||
From 27551f043a74fdba2817ec77519e1226c16ccc1b Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Wed, 31 Jan 2018 20:21:26 -0500
|
||||
Subject: [PATCH] One more fix for _cupsGetDestResource (Issue #5211)
|
||||
|
||||
---
|
||||
cups/dest.c | 81 ++++++++++++++++++++++++++++-------------------------
|
||||
1 file changed, 43 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/cups/dest.c b/cups/dest.c
|
||||
index b90be7b3a..090970c79 100644
|
||||
--- a/cups/dest.c
|
||||
+++ b/cups/dest.c
|
||||
@@ -1094,14 +1094,16 @@ cupsGetDest(const char *name, /* I - Destination name or @code NULL@ for the d
|
||||
* '_cupsGetDestResource()' - Get the resource path and URI for a destination.
|
||||
*/
|
||||
|
||||
-const char * /* O - Printer URI */
|
||||
+const char * /* O - URI */
|
||||
_cupsGetDestResource(
|
||||
cups_dest_t *dest, /* I - Destination */
|
||||
unsigned flags, /* I - Destination flags */
|
||||
char *resource, /* I - Resource buffer */
|
||||
size_t resourcesize) /* I - Size of resource buffer */
|
||||
{
|
||||
- const char *uri; /* Printer URI */
|
||||
+ const char *uri, /* URI */
|
||||
+ *device_uri, /* Device URI */
|
||||
+ *printer_uri; /* Printer URI */
|
||||
char scheme[32], /* URI scheme */
|
||||
userpass[256], /* Username and password (unused) */
|
||||
hostname[256]; /* Hostname */
|
||||
@@ -1124,48 +1126,54 @@ _cupsGetDestResource(
|
||||
}
|
||||
|
||||
/*
|
||||
- * Grab the printer URI...
|
||||
+ * Grab the printer and device URIs...
|
||||
*/
|
||||
|
||||
- if (!(flags & CUPS_DEST_FLAGS_DEVICE))
|
||||
- uri = NULL;
|
||||
- else
|
||||
- uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
+ device_uri = cupsGetOption("device-uri", dest->num_options, dest->options);
|
||||
+ printer_uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
|
||||
- if (uri)
|
||||
- {
|
||||
- DEBUG_printf(("1_cupsGetDestResource: printer-uri-supported=\"%s\"", uri));
|
||||
- }
|
||||
- else
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: device-uri=\"%s\", printer-uri-supported=\"%s\".", device_uri, printer_uri));
|
||||
+
|
||||
+#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
|
||||
+ if (((flags & CUPS_DEST_FLAGS_DEVICE) || !printer_uri) && strstr(device_uri, "._tcp"))
|
||||
{
|
||||
- if ((uri = cupsGetOption("device-uri", dest->num_options, dest->options)) != NULL)
|
||||
+ if ((device_uri = cups_dnssd_resolve(dest, device_uri, 5000, NULL, NULL, NULL)) != NULL)
|
||||
{
|
||||
-#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
|
||||
- if (strstr(uri, "._tcp"))
|
||||
- {
|
||||
- uri = cups_dnssd_resolve(dest, uri, 5000, NULL, NULL, NULL);
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: Resolved device-uri=\"%s\".", device_uri));
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ DEBUG_puts("1_cupsGetDestResource: Unable to resolve device.");
|
||||
|
||||
- if (uri)
|
||||
- DEBUG_printf(("1_cupsGetDestResource: Resolved device-uri=\"%s\"", uri));
|
||||
- }
|
||||
- else
|
||||
-#endif /* HAVE_DNSSD || HAVE_AVAHI */
|
||||
+ if (resource)
|
||||
+ *resource = '\0';
|
||||
+
|
||||
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(ENOENT), 0);
|
||||
|
||||
- DEBUG_printf(("1_cupsGetDestResource: device-uri=\"%s\"", uri));
|
||||
+ return (NULL);
|
||||
}
|
||||
+ }
|
||||
+#endif /* HAVE_DNSSD || HAVE_AVAHI */
|
||||
|
||||
- if (uri && !(flags & CUPS_DEST_FLAGS_DEVICE))
|
||||
- {
|
||||
- uri = _cupsCreateDest(dest->name, cupsGetOption("printer-info", dest->num_options, dest->options), NULL, uri, resource, resourcesize);
|
||||
+ if (flags & CUPS_DEST_FLAGS_DEVICE)
|
||||
+ {
|
||||
+ uri = device_uri;
|
||||
+ }
|
||||
+ else if (printer_uri)
|
||||
+ {
|
||||
+ uri = printer_uri;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ uri = _cupsCreateDest(dest->name, cupsGetOption("printer-info", dest->num_options, dest->options), NULL, device_uri, resource, resourcesize);
|
||||
|
||||
- if (uri)
|
||||
- {
|
||||
- DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
|
||||
+ if (uri)
|
||||
+ {
|
||||
+ DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
|
||||
|
||||
- dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
|
||||
+ dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
|
||||
|
||||
- uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
- }
|
||||
+ uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1180,14 +1188,11 @@ _cupsGetDestResource(
|
||||
|
||||
return (NULL);
|
||||
}
|
||||
- else
|
||||
+ else if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), hostname, sizeof(hostname), &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
|
||||
{
|
||||
- if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), hostname, sizeof(hostname), &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
|
||||
- {
|
||||
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad URI."), 1);
|
||||
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad URI."), 1);
|
||||
|
||||
- return (NULL);
|
||||
- }
|
||||
+ return (NULL);
|
||||
}
|
||||
|
||||
DEBUG_printf(("1_cupsGetDestResource: resource=\"%s\"", resource));
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From 6a3d63e63841e91e75ca2e3e7626f8785da758dc Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michaelrsweet@gmail.com>
|
||||
Date: Thu, 11 Jan 2018 11:32:01 -0500
|
||||
Subject: [PATCH] Printing to old CUPS servers has been fixed (Issue #5211)
|
||||
|
||||
cups/dest-options.c:
|
||||
- Fix IPP version check in cupsCopyDestInfo.
|
||||
---
|
||||
cups/dest-options.c | 4 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/cups/dest-options.c b/cups/dest-options.c
|
||||
index 18abebf06..11a1b10fb 100644
|
||||
--- a/cups/dest-options.c
|
||||
+++ b/cups/dest-options.c
|
||||
@@ -722,6 +722,8 @@ cupsCopyDestInfo(
|
||||
*/
|
||||
|
||||
request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
|
||||
+
|
||||
+ ippSetVersion(request, version / 10, version % 10);
|
||||
ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL,
|
||||
uri);
|
||||
ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME,
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
|
||||
index 649995bb5..2396c9b58 100644
|
||||
--- a/scheduler/ipp.c
|
||||
+++ b/scheduler/ipp.c
|
||||
@@ -4873,6 +4873,8 @@ copy_printer_attrs(
|
||||
* and document-format attributes that may be provided by the client.
|
||||
*/
|
||||
|
||||
+ _cupsRWLockRead(&printer->lock);
|
||||
+
|
||||
curtime = time(NULL);
|
||||
|
||||
if (!ra || cupsArrayFind(ra, "marker-change-time"))
|
||||
@@ -5034,6 +5036,8 @@ copy_printer_attrs(
|
||||
if (printer->ppd_attrs)
|
||||
copy_attrs(con->response, printer->ppd_attrs, ra, IPP_TAG_ZERO, 0, NULL);
|
||||
copy_attrs(con->response, CommonData, ra, IPP_TAG_ZERO, IPP_TAG_COPY, NULL);
|
||||
+
|
||||
+ _cupsRWUnlock(&printer->lock);
|
||||
}
|
||||
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
diff --git a/scheduler/ipp.c b/scheduler/ipp.c
|
||||
index 02dc392..9aa8b80 100644
|
||||
--- a/scheduler/ipp.c
|
||||
+++ b/scheduler/ipp.c
|
||||
@@ -1636,6 +1636,14 @@ add_job(cupsd_client_t *con, /* I - Client connection */
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
+ if (attr && !ippValidateAttribute(attr))
|
||||
+ {
|
||||
+ send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
|
||||
+ if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
+ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
#ifdef WITH_LSPP
|
||||
if (is_lspp_config())
|
||||
{
|
||||
@@ -1736,6 +1744,8 @@ add_job(cupsd_client_t *con, /* I - Client connection */
|
||||
}
|
||||
#endif /* WITH_LSPP */
|
||||
|
||||
+
|
||||
+
|
||||
if ((job = cupsdAddJob(priority, printer->name)) == NULL)
|
||||
{
|
||||
send_ipp_status(con, IPP_INTERNAL_ERROR,
|
|
@ -0,0 +1,111 @@
|
|||
diff -up cups-2.2.6/scheduler/log.c.journal-history cups-2.2.6/scheduler/log.c
|
||||
--- cups-2.2.6/scheduler/log.c.journal-history 2018-06-11 16:39:09.323688006 +0200
|
||||
+++ cups-2.2.6/scheduler/log.c 2018-06-11 17:08:17.393764901 +0200
|
||||
@@ -598,48 +598,17 @@ cupsdLogJob(cupsd_job_t *job, /* I - Jo
|
||||
return (1);
|
||||
|
||||
#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
- if (!strcmp(ErrorLog, "syslog"))
|
||||
- {
|
||||
- cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL;
|
||||
- static const char * const job_states[] =
|
||||
- { /* job-state strings */
|
||||
- "Pending",
|
||||
- "PendingHeld",
|
||||
- "Processing",
|
||||
- "ProcessingStopped",
|
||||
- "Canceled",
|
||||
- "Aborted",
|
||||
- "Completed"
|
||||
- };
|
||||
-
|
||||
- va_start(ap, message);
|
||||
-
|
||||
- do
|
||||
- {
|
||||
- va_copy(ap2, ap);
|
||||
- status = format_log_line(message, ap2);
|
||||
- va_end(ap2);
|
||||
- }
|
||||
- while (status == 0);
|
||||
-
|
||||
- va_end(ap);
|
||||
-
|
||||
- if (job)
|
||||
- sd_journal_send("MESSAGE=%s", log_line,
|
||||
- "PRIORITY=%i", log_levels[level],
|
||||
- PWG_Event"=JobStateChanged",
|
||||
- PWG_ServiceURI"=%s", printer ? printer->uri : "",
|
||||
- PWG_JobID"=%d", job->id,
|
||||
- PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING],
|
||||
- PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0),
|
||||
- NULL);
|
||||
- else
|
||||
- sd_journal_send("MESSAGE=%s", log_line,
|
||||
- "PRIORITY=%i", log_levels[level],
|
||||
- NULL);
|
||||
-
|
||||
- return (1);
|
||||
- }
|
||||
+ cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL;
|
||||
+ static const char * const job_states[] =
|
||||
+ { /* job-state strings */
|
||||
+ "Pending",
|
||||
+ "PendingHeld",
|
||||
+ "Processing",
|
||||
+ "ProcessingStopped",
|
||||
+ "Canceled",
|
||||
+ "Aborted",
|
||||
+ "Completed"
|
||||
+ };
|
||||
#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
|
||||
|
||||
/*
|
||||
@@ -705,7 +674,29 @@ cupsdLogJob(cupsd_job_t *job, /* I - Jo
|
||||
return (1);
|
||||
}
|
||||
else if (level <= LogLevel)
|
||||
+ {
|
||||
+#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
+ if (!strcmp(ErrorLog, "syslog"))
|
||||
+ {
|
||||
+ if (job)
|
||||
+ sd_journal_send("MESSAGE=%s", log_line,
|
||||
+ "PRIORITY=%i", log_levels[level],
|
||||
+ PWG_Event"=JobStateChanged",
|
||||
+ PWG_ServiceURI"=%s", printer ? printer->uri : "",
|
||||
+ PWG_JobID"=%d", job->id,
|
||||
+ PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING],
|
||||
+ PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0),
|
||||
+ NULL);
|
||||
+ else
|
||||
+ sd_journal_send("MESSAGE=%s", log_line,
|
||||
+ "PRIORITY=%i", log_levels[level],
|
||||
+ NULL);
|
||||
+
|
||||
+ return (1);
|
||||
+ }
|
||||
+#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
|
||||
return (cupsdWriteErrorLog(level, log_line));
|
||||
+ }
|
||||
else
|
||||
return (1);
|
||||
}
|
||||
@@ -989,7 +980,7 @@ cupsdLogPage(cupsd_job_t *job, /* I - J
|
||||
*bufptr = '\0';
|
||||
|
||||
#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
- if (!strcmp(ErrorLog, "syslog"))
|
||||
+ if (!strcmp(PageLog, "syslog"))
|
||||
{
|
||||
static const char * const job_states[] =
|
||||
{ /* job-state strings */
|
||||
@@ -1186,7 +1177,7 @@ cupsdLogRequest(cupsd_client_t *con, /*
|
||||
}
|
||||
|
||||
#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
|
||||
- if (!strcmp(ErrorLog, "syslog"))
|
||||
+ if (!strcmp(AccessLog, "syslog"))
|
||||
{
|
||||
sd_journal_print(LOG_INFO, "REQUEST %s - %s \"%s %s HTTP/%d.%d\" %d " CUPS_LLFMT " %s %s", con->http->hostname, con->username[0] != '\0' ? con->username : "-", states[con->operation], _httpEncodeURI(temp, con->uri, sizeof(temp)), con->http->version / 100, con->http->version % 100, code, CUPS_LLCAST con->bytes, con->request ? ippOpString(con->request->request.op.operation_id) : "-", con->response ? ippErrorString(con->response->request.status.status_code) : "-");
|
||||
return (1);
|
|
@ -0,0 +1,141 @@
|
|||
diff -up cups-2.2.7/scheduler/ipp.c.substitute-bad-attrs cups-2.2.7/scheduler/ipp.c
|
||||
--- cups-2.2.7/scheduler/ipp.c.substitute-bad-attrs 2018-04-03 15:55:45.974344993 +0200
|
||||
+++ cups-2.2.7/scheduler/ipp.c 2018-04-03 16:15:06.723859881 +0200
|
||||
@@ -164,6 +164,7 @@ cupsdProcessIPPRequest(
|
||||
ipp_attribute_t *uri = NULL; /* Printer or job URI attribute */
|
||||
ipp_attribute_t *username; /* requesting-user-name attr */
|
||||
int sub_id; /* Subscription ID */
|
||||
+ int valid = 1; /* Valid request? */
|
||||
|
||||
|
||||
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdProcessIPPRequest(%p[%d]): operation_id=%04x(%s)", con, con->number, con->request->request.op.operation_id, ippOpString(con->request->request.op.operation_id));
|
||||
@@ -423,20 +424,55 @@ cupsdProcessIPPRequest(
|
||||
else
|
||||
{
|
||||
/*
|
||||
- * OK, all the checks pass so far; make sure requesting-user-name is
|
||||
- * not "root" from a remote host...
|
||||
+ * OK, all the checks pass so far; validate "requesting-user-name"
|
||||
+ * attribute value...
|
||||
*/
|
||||
|
||||
- if ((username = ippFindAttribute(con->request, "requesting-user-name",
|
||||
- IPP_TAG_NAME)) != NULL)
|
||||
- {
|
||||
- /*
|
||||
- * Check for root user...
|
||||
- */
|
||||
-
|
||||
- if (!strcmp(username->values[0].string.text, "root") &&
|
||||
- _cups_strcasecmp(con->http->hostname, "localhost") &&
|
||||
- strcmp(con->username, "root"))
|
||||
+ if ((username = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_ZERO)) != NULL)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Validate "requesting-user-name"...
|
||||
+ */
|
||||
+
|
||||
+ if (username->group_tag != IPP_TAG_OPERATION && StrictConformance)
|
||||
+ {
|
||||
+ cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute in wrong group.", IPP_STATUS_ERROR_BAD_REQUEST, con->http->hostname);
|
||||
+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("\"requesting-user-name\" attribute in wrong group."));
|
||||
+ valid = 0;
|
||||
+ }
|
||||
+ else if (username->value_tag != IPP_TAG_NAME && username->value_tag != IPP_TAG_NAMELANG)
|
||||
+ {
|
||||
+ cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with wrong syntax.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
|
||||
+ send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
|
||||
+ if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
|
||||
+ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
+ valid = 0;
|
||||
+ }
|
||||
+ else if (!ippValidateAttribute(username))
|
||||
+ {
|
||||
+ cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with bad value.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
|
||||
+
|
||||
+ if (StrictConformance)
|
||||
+ {
|
||||
+ /*
|
||||
+ * Throw an error...
|
||||
+ */
|
||||
+
|
||||
+ send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
|
||||
+ if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
|
||||
+ attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
+ valid = 0;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /*
|
||||
+ * Map bad "requesting-user-name" to 'anonymous'...
|
||||
+ */
|
||||
+
|
||||
+ ippSetString(con->request, &username, 0, "anonymous");
|
||||
+ }
|
||||
+ }
|
||||
+ else if (!strcmp(username->values[0].string.text, "root") && _cups_strcasecmp(con->http->hostname, "localhost") && strcmp(con->username, "root"))
|
||||
{
|
||||
/*
|
||||
* Remote unauthenticated user masquerading as local root...
|
||||
@@ -452,6 +488,8 @@ cupsdProcessIPPRequest(
|
||||
else
|
||||
sub_id = 0;
|
||||
|
||||
+ if (valid)
|
||||
+ {
|
||||
/*
|
||||
* Then try processing the operation...
|
||||
*/
|
||||
@@ -655,6 +693,7 @@ cupsdProcessIPPRequest(
|
||||
ippOpString(
|
||||
con->request->request.op.operation_id));
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1615,27 +1654,34 @@ add_job(cupsd_client_t *con, /* I - Cl
|
||||
_("Bad job-name value: Wrong type or count."));
|
||||
if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
- return (NULL);
|
||||
+
|
||||
+ if (StrictConformance)
|
||||
+ return (NULL);
|
||||
+
|
||||
+ /* Don't use invalid attribute */
|
||||
+ ippDeleteAttribute(con->request, attr);
|
||||
+
|
||||
+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
|
||||
}
|
||||
else if (!ippValidateAttribute(attr))
|
||||
{
|
||||
send_ipp_status(con, IPP_ATTRIBUTES, _("Bad job-name value: %s"),
|
||||
cupsLastErrorString());
|
||||
+
|
||||
if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
- return (NULL);
|
||||
- }
|
||||
|
||||
- attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
|
||||
+ if (StrictConformance)
|
||||
+ return (NULL);
|
||||
|
||||
- if (attr && !ippValidateAttribute(attr))
|
||||
- {
|
||||
- send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
|
||||
- if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
|
||||
- attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
|
||||
- return (NULL);
|
||||
+ /* Don't use invalid attribute */
|
||||
+ ippDeleteAttribute(con->request, attr);
|
||||
+
|
||||
+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
|
||||
}
|
||||
|
||||
+ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
|
||||
+
|
||||
#ifdef WITH_LSPP
|
||||
if (is_lspp_config())
|
||||
{
|
|
@ -1,6 +1,6 @@
|
|||
diff -up cups-2.2.5/scheduler/main.c.systemd-socket cups-2.2.5/scheduler/main.c
|
||||
--- cups-2.2.5/scheduler/main.c.systemd-socket 2017-10-17 18:59:53.732431498 +0200
|
||||
+++ cups-2.2.5/scheduler/main.c 2017-10-17 19:02:13.132275861 +0200
|
||||
diff -up cups-2.2.6/scheduler/main.c.systemd-socket cups-2.2.6/scheduler/main.c
|
||||
--- cups-2.2.6/scheduler/main.c.systemd-socket 2018-09-19 12:38:00.602843492 +0200
|
||||
+++ cups-2.2.6/scheduler/main.c 2018-09-19 12:38:00.629843255 +0200
|
||||
@@ -691,8 +691,16 @@ main(int argc, /* I - Number of comm
|
||||
|
||||
#ifdef HAVE_ONDEMAND
|
||||
|
@ -19,22 +19,21 @@ diff -up cups-2.2.5/scheduler/main.c.systemd-socket cups-2.2.5/scheduler/main.c
|
|||
#endif /* HAVE_ONDEMAND */
|
||||
if (fg)
|
||||
cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started in foreground.");
|
||||
diff -up cups-2.2.5/scheduler/org.cups.cupsd.path.in.systemd-socket cups-2.2.5/scheduler/org.cups.cupsd.path.in
|
||||
--- cups-2.2.5/scheduler/org.cups.cupsd.path.in.systemd-socket 2017-10-13 20:22:26.000000000 +0200
|
||||
+++ cups-2.2.5/scheduler/org.cups.cupsd.path.in 2017-10-17 18:59:53.732431498 +0200
|
||||
@@ -3,7 +3,7 @@ Description=CUPS Scheduler
|
||||
PartOf=org.cups.cupsd.service
|
||||
diff -up cups-2.2.6/scheduler/org.cups.cupsd.path.in.systemd-socket cups-2.2.6/scheduler/org.cups.cupsd.path.in
|
||||
--- cups-2.2.6/scheduler/org.cups.cupsd.path.in.systemd-socket 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/scheduler/org.cups.cupsd.path.in 2018-09-19 12:38:00.630843246 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
[Unit]
|
||||
Description=CUPS Scheduler
|
||||
-PartOf=org.cups.cupsd.service
|
||||
+PartOf=cups.service
|
||||
|
||||
[Path]
|
||||
-PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
|
||||
+PathExistsGlob=@CUPS_REQUESTS@/d*
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
diff -up cups-2.2.5/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.5/scheduler/org.cups.cupsd.service.in
|
||||
--- cups-2.2.5/scheduler/org.cups.cupsd.service.in.systemd-socket 2017-10-13 20:22:26.000000000 +0200
|
||||
+++ cups-2.2.5/scheduler/org.cups.cupsd.service.in 2017-10-17 18:59:53.732431498 +0200
|
||||
@@ -1,10 +1,11 @@
|
||||
PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
|
||||
diff -up cups-2.2.6/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.6/scheduler/org.cups.cupsd.service.in
|
||||
--- cups-2.2.6/scheduler/org.cups.cupsd.service.in.systemd-socket 2018-09-19 12:38:00.630843246 +0200
|
||||
+++ cups-2.2.6/scheduler/org.cups.cupsd.service.in 2018-09-19 12:39:39.550975966 +0200
|
||||
@@ -1,11 +1,13 @@
|
||||
[Unit]
|
||||
Description=CUPS Scheduler
|
||||
Documentation=man:cupsd(8)
|
||||
|
@ -44,6 +43,31 @@ diff -up cups-2.2.5/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.
|
|||
ExecStart=@sbindir@/cupsd -l
|
||||
-Type=simple
|
||||
+Type=notify
|
||||
+Restart=on-failure
|
||||
|
||||
[Install]
|
||||
Also=org.cups.cupsd.socket org.cups.cupsd.path
|
||||
-Also=org.cups.cupsd.socket org.cups.cupsd.path
|
||||
+Also=cups.socket cups.path
|
||||
WantedBy=printer.target
|
||||
diff -up cups-2.2.6/scheduler/org.cups.cupsd.socket.in.systemd-socket cups-2.2.6/scheduler/org.cups.cupsd.socket.in
|
||||
--- cups-2.2.6/scheduler/org.cups.cupsd.socket.in.systemd-socket 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/scheduler/org.cups.cupsd.socket.in 2018-09-19 12:38:00.630843246 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
[Unit]
|
||||
Description=CUPS Scheduler
|
||||
-PartOf=org.cups.cupsd.service
|
||||
+PartOf=cups.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
|
||||
diff -up cups-2.2.6/scheduler/org.cups.cups-lpd.socket.systemd-socket cups-2.2.6/scheduler/org.cups.cups-lpd.socket
|
||||
--- cups-2.2.6/scheduler/org.cups.cups-lpd.socket.systemd-socket 2017-11-01 15:57:53.000000000 +0100
|
||||
+++ cups-2.2.6/scheduler/org.cups.cups-lpd.socket 2018-09-19 12:38:00.630843246 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
[Unit]
|
||||
Description=CUPS LPD Server Socket
|
||||
-PartOf=org.cups.cups-lpd.service
|
||||
+PartOf=cups-lpd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=515
|
||||
|
|
144
cups.spec
144
cups.spec
|
@ -15,7 +15,7 @@ Summary: CUPS printing system
|
|||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.2.6
|
||||
Release: 13%{?dist}
|
||||
Release: 31%{?dist}
|
||||
License: GPLv2
|
||||
Url: http://www.cups.org/
|
||||
Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
|
||||
|
@ -61,14 +61,33 @@ Patch35: cups-ipp-multifile.patch
|
|||
Patch36: cups-web-devices-timeout.patch
|
||||
Patch37: cups-synconclose.patch
|
||||
Patch38: cups-ypbind.patch
|
||||
Patch39: cups-moved-logs.patch
|
||||
Patch40: cups-dbus_crash.patch
|
||||
Patch39: cups-substitute-bad-attrs.patch
|
||||
# 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
|
||||
Patch40: cups-journal-history.patch
|
||||
# 1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all]
|
||||
Patch41: 0001-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
|
||||
# 1613251 - Remove weak SSL/TLS ciphers from CUPS
|
||||
Patch42: 0001-Add-support-for-MinTLS-and-MaxTLS-options-Issue-5119.patch
|
||||
# 1625296 - newer cups clients fails to connect to older cups servers (<1.4)
|
||||
# from upstream issue https://github.com/apple/cups/issues/5211 - 3 patches
|
||||
Patch43: 0001-Printing-to-old-CUPS-servers-has-been-fixed-Issue-52.patch
|
||||
Patch44: 0001-Fix-additional-IPP-1.1-issues-with-cupsCopyDestInfo-.patch
|
||||
Patch45: 0001-One-more-fix-for-_cupsGetDestResource-Issue-5211.patch
|
||||
# 1621949, 1620114, 1619240 - TLS versions and options needs to be initialized all the time
|
||||
# from upstream
|
||||
Patch46: 0001-Fix-default-TLS-versions.patch
|
||||
# coverity scan fixes from upstream
|
||||
Patch47: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
|
||||
Patch48: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
|
||||
Patch49: 0001-The-scheduler-could-crash-while-adding-an-IPP-Everyw.patch
|
||||
Patch50: 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
|
||||
|
||||
Patch100: cups-lspp.patch
|
||||
|
||||
Requires: %{name}-filesystem = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-client%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-ipptool%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
Provides: cupsddk cupsddk-drivers
|
||||
|
||||
|
@ -83,6 +102,8 @@ BuildRequires: systemd
|
|||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: pkgconfig(dbus-1)
|
||||
BuildRequires: automake
|
||||
# needed for decompressing functions for opening gzipped ppds
|
||||
BuildRequires: zlib-devel
|
||||
|
||||
# gcc and gcc-c++ is no longer in buildroot by default
|
||||
# gcc for most of files
|
||||
|
@ -264,10 +285,29 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
|
|||
%patch100 -p1 -b .lspp
|
||||
%endif
|
||||
|
||||
# Move log files into journal (bug #1519331)
|
||||
%patch39 -p1 -b .moved-logs
|
||||
|
||||
%patch40 -p1 -b .dbus_notify
|
||||
# substitute default values for invalid job attributes (upstream #5186 and #5229)
|
||||
%patch39 -p1 -b .substitute-bad-attrs
|
||||
# 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
|
||||
%patch40 -p1 -b .journal-history
|
||||
# 1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all]
|
||||
%patch41 -p1 -b .privilege-escalation
|
||||
# 1613251 - Remove weak SSL/TLS ciphers from CUPS
|
||||
%patch42 -p1 -b .remove-weak-ciphers
|
||||
# 1625296 - newer cups client doesn't communicate with old cups servers < 1.4,
|
||||
# 3 patches from upstream
|
||||
%patch43 -p1 -b .oldcupsservers1
|
||||
%patch44 -p1 -b .oldcupsservers2
|
||||
%patch45 -p1 -b .oldcupsservers3
|
||||
# 1621949, 1620114. 1619240 - TLS versions and options needs to be initiliazed everytime
|
||||
# part of the patch is from upstream, other is reported to upstream https://github.com/apple/cups/pull/5393
|
||||
%patch46 -p1 -b .defaulttls
|
||||
# covscan fixes from upstream
|
||||
%patch47 -p1 -b .covscan
|
||||
%patch48 -p1 -b .multifile-stuck
|
||||
# cupsd can crash when adding ipp everywhere printer
|
||||
%patch49 -p1 -b .ipp-eve-add-crash
|
||||
# 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
|
||||
%patch50 -p1 -b .predictable-cookie
|
||||
|
||||
sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
|
||||
|
||||
|
@ -291,7 +331,7 @@ iconv -f MACINTOSH -t UTF-8 "$f"~ > "$f"
|
|||
rm -f "$f"~
|
||||
|
||||
aclocal -I config-scripts
|
||||
autoconf -I config-scripts
|
||||
autoconf -f -I config-scripts
|
||||
|
||||
%build
|
||||
# add Fedora specific flags to DSOFLAGS
|
||||
|
@ -435,14 +475,24 @@ lognames=( "error_log" "access_log" "page_log" )
|
|||
message="This CUPS log has been moved into journal by default unless changes have been made in /etc/cups/cups-files.conf. Log messages can be got by \"$ journalctl -u cups -e\""
|
||||
for ((i=0;i<${#confignames[@]};i++));
|
||||
do
|
||||
found=`grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
|
||||
found=`%{_bindir}/grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
|
||||
if [ ! -z "$found" ]
|
||||
then
|
||||
if [ ! -f %{_localstatedir}/log/cups/${lognames[i]} ]
|
||||
then
|
||||
%{_bindir}/touch %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
fi
|
||||
lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | grep "$message"`
|
||||
perms=`%{_bindir}/ls -lah %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep -v -e "\-rw-------" -e "root lp"`
|
||||
if [ ! -z "$perms" ]
|
||||
then
|
||||
# we need to set correct permissions and ownership because of possible
|
||||
# security issues
|
||||
# we need to have it here, because previous CUPS releases had the bug.
|
||||
# Checking permissions and ownership here fixes it.
|
||||
%{_bindir}/chown root:lp %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
%{_bindir}/chmod 600 %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
fi
|
||||
lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep "$message"`
|
||||
if [ -z "$lastmessage" ]
|
||||
then
|
||||
%{_bindir}/echo $message >> %{_localstatedir}/log/cups/${lognames[i]} || :
|
||||
|
@ -540,15 +590,18 @@ rm -f %{cups_serverbin}/backend/smb
|
|||
%dir %{_datadir}/%{name}/www/ru
|
||||
%{_datadir}/%{name}/www/images
|
||||
%{_datadir}/%{name}/www/*.css
|
||||
%doc %{_datadir}/%{name}/www/index.html
|
||||
%doc %{_datadir}/%{name}/www/help
|
||||
%doc %{_datadir}/%{name}/www/robots.txt
|
||||
%doc %{_datadir}/%{name}/www/de/index.html
|
||||
%doc %{_datadir}/%{name}/www/es/index.html
|
||||
%doc %{_datadir}/%{name}/www/ja/index.html
|
||||
%doc %{_datadir}/%{name}/www/ru/index.html
|
||||
%doc %{_datadir}/%{name}/www/pt_BR/index.html
|
||||
%doc %{_datadir}/%{name}/www/apple-touch-icon.png
|
||||
# 1658673 - html files cannot be docs, because CUPS web ui will not have
|
||||
# introduction page on Fedora Docker image (because rpms are installed
|
||||
# without docs there because of space reasons)
|
||||
%{_datadir}/%{name}/www/index.html
|
||||
%{_datadir}/%{name}/www/help
|
||||
%{_datadir}/%{name}/www/robots.txt
|
||||
%{_datadir}/%{name}/www/de/index.html
|
||||
%{_datadir}/%{name}/www/es/index.html
|
||||
%{_datadir}/%{name}/www/ja/index.html
|
||||
%{_datadir}/%{name}/www/ru/index.html
|
||||
%{_datadir}/%{name}/www/pt_BR/index.html
|
||||
%{_datadir}/%{name}/www/apple-touch-icon.png
|
||||
%dir %{_datadir}/%{name}/usb
|
||||
%{_datadir}/%{name}/usb/org.cups.usb-quirks
|
||||
%{_unitdir}/%{name}.service
|
||||
|
@ -659,6 +712,59 @@ rm -f %{cups_serverbin}/backend/smb
|
|||
%{_mandir}/man5/ipptoolfile.5.gz
|
||||
|
||||
%changelog
|
||||
* Tue Feb 19 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-31
|
||||
- automake sometimes do not generate correct macros - force it
|
||||
|
||||
* Fri Dec 14 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-30
|
||||
- previous commit - fix for previous releases
|
||||
|
||||
* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-29
|
||||
- logs need to have correct permissions
|
||||
|
||||
* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-28
|
||||
- 1658673 - Main index.html of web interface doesn't get installed when not installing documentation
|
||||
|
||||
* Mon Dec 10 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-27
|
||||
- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
|
||||
|
||||
* Mon Dec 03 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-26
|
||||
- 1654827 - cupsd crash on startup in ippCopyAttribute
|
||||
|
||||
* Fri Nov 09 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-25
|
||||
- 1622432 - Jobs with multiple files don't complete when backend fails
|
||||
- 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal
|
||||
|
||||
* Fri Sep 21 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-24
|
||||
- fixing coverity issues
|
||||
|
||||
* Wed Sep 19 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-23
|
||||
- 1618018 - Make cups systemd unit files more upstream-like
|
||||
|
||||
* Thu Sep 06 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-22
|
||||
- 1621949, 1620114 and 1619240 - TLS versions and options need to be initialized everytime
|
||||
|
||||
* Thu Sep 06 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-20
|
||||
- 1625296 - cups 2.2.6 lpr command fails against old cups 1.3.9 server
|
||||
|
||||
* Fri Aug 31 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-19
|
||||
- remove previous patch for now, it issues several connection problems - #1621949, #1620114 and #1619240
|
||||
|
||||
* Tue Aug 07 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-18
|
||||
- 1613251 - Remove weak SSL/TLS ciphers from CUPS
|
||||
|
||||
* Mon Aug 06 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-17
|
||||
- 1612935 - cups doesn't restart after cupsctl command
|
||||
|
||||
* Mon Jul 23 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-16
|
||||
- 1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all]
|
||||
|
||||
* Tue Jun 12 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-15
|
||||
- 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
|
||||
- 1590123 - cups-driverd doesn't recognize static gzipped ppds
|
||||
|
||||
* Tue Apr 03 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-14
|
||||
- substitute default values for invalid job attributes (upstream #5186 and #5229)
|
||||
|
||||
* Thu Mar 29 2018 Pavel Zhukov <pzhukov@redhat.com> - 1:2.2.6-13
|
||||
- Use dbus fix instead of general attr delete (upstream)
|
||||
|
||||
|
|
Loading…
Reference in New Issue