Patch for CVE-2025-61915 by mistake causes fatal error on unknown
directives in configuration files.
The default configuration already contains an unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf
Backport fix for this from 2.4.x branch which reverts this behavior.
(From OE-Core rev: 6faf1266813efa21503511834cbb12f0d63c82fe)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Typo prevents cupsd from starting correctly, with the following error:
Unable to read "/etc/cups/cupsd.conf" due to errors.
Using `/usr/sbin/cupsd -t` to check the configuration:
Unknown authorization type Defaul on line 77 of /etc/cups/cupsd.conf.
Unknown Policy Limit directive AuthType on line 77 of /etc/cups/cupsd.conf.
(From OE-Core rev: eab100205bc5cdffc5ccc7752e1ee5abd9ebb58a)
Signed-off-by: Jonathan GUILLOT <jonathan@joggee.fr>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: dc5c06da7a793e85276ce8ce9de1c06decb6e133)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
OpenPrinting CUPS is an open source printing system. In versions 2.4.2
and prior, a heap buffer overflow vulnerability would allow a remote
attacker to launch a denial of service (DoS) attack. A buffer overflow
vulnerability in the function `format_log_line` could allow remote
attackers to cause a DoS on the affected system. Exploitation of the
vulnerability can be triggered when the configuration file `cupsd.conf`
sets the value of `loglevel` to `DEBUG`. No known patches or
workarounds exist at time of publication.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-32324
https://security-tracker.debian.org/tracker/CVE-2023-32324
Upstream Patch:
https://github.com/OpenPrinting/cups/commit/fd8bc2d32589
(From OE-Core rev: cf741646f41835024c7e53234cfd527ff3f8542b)
Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
cups includes a web server. Users can surf to port 631 (default) of a
machine running cups to (potentially, based on configuration, default off)
view jobs, add printers, and perform other forms of administration.
The location of the various resources that are used by the built-in web server
(e.g. index.html) are installed under ${datadir}/doc/cups. By default these
artifacts would be included in the ${PN}-doc package. The comments in this
recipe, however, would suggest an attempt was made to have them added to
${PN}; albeit unsuccessfully.
These resources add roughly 1.8M to an image.
Since cups does include a configuration option to disable the web interface
(--enable-webif), add a PACKAGECONFIG (default off) to allow the user to
decide whether or not they would like the web interface configured and its
pieces added to the image. Enabling this PACKAGECONFIG both enables the
web interface to be configured and built into cups, and also adds (by way
of a recommendation) the web interface package to the image. Considering
that the previous intention was not working, defaulting this option to off
preserves the existing behaviour. Previously in order to have the web
interface data included in an image, a user would have needed to explicitly
add the ${PN}-doc package to their image.
(From OE-Core rev: 18194378508beda1ca1fee84e10351b5bf0d86a5)
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2c9bd267ec532cd86a4a1be1d4e499e2aae89aba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The cups' PACKAGECONFIG is populated based on DISTRO_FEATURES, but a user
is free to enable or disable PACKAGECONFIGs at will. In theory it is
possible that pam is enabled globally in DISTRO_FEATURES but disabled in
cups' PACKAGECONFIG. Checking the PACKAGECONFIG to determine whether or not
pam is enabled would be a safer check rather than relying on DISTRO_FEATURES.
(From OE-Core rev: 7b23927a72a1f8b91802f5b2ca10f2cea239bd47)
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit a053dd177ddc99ced11e68914079be0ffe261262)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The cups documentation is clear that the correct way to install into an
alternate root directory is to use the BUILDROOT variable. From INSTALL.md:
Use the `BUILDROOT` variable to install to an alternate root directory:
make BUILDROOT=/some/other/root/directory install
DESTDIR works, but we should use the mechanism the project specifically
created for this purpose.
(From OE-Core rev: a42066657c002679adcb471f329f09c8996e1b64)
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit f8fc70674e0ea5df46969a06da62f8ed135cae4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is fixed in 2.4.2, which we have, but the complex CPE in that CVE
isn't parsed by cve-check correctly so it thinks that we're vulnerable.
(From OE-Core rev: 8eb224d3160e8483c2bc6ffa207a2b6fc8644c6f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b40dd920f8b40eabe78db363249257818c63c074)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
- Fixed certificate strings comparison for Local authorization (CVE-2022-26691)
- The cupsFileOpen function no longer opens files for append in read-write
mode (Issue #291)
- The cupsd daemon removed processing temporary queue (Issue #364)
- Fixed delay in IPP backend if GNUTLS is used and endpoint doesn't confirm
closing the connection (Issue #365)
- Fixed conditional jump based on uninitialized value in cups/ppd.c (Issue #329)
- Fixed CSS related issues in CUPS Web UI (Issue #344)
- Fixed copyright in CUPS Web UI trailer template (Issue #346)
- mDNS hostname in device uri is not resolved when installing a permanent
IPP Everywhere queue (Issues #340, #343)
- The lpstat command now reports when the scheduler is not running
(Issue #352)
- Updated the man pages concerning the -h option (Issue #357)
- Re-added LibreSSL/OpenSSL support (Issue #362)
- Updated the Solaris smf service file (Issue #368)
- Fixed a regression in lpoptions option support (Issue #370)
- The scheduler now regenerates the PPD cache information after changing the
"cupsd.conf" file (Issue #371)
- Updated the scheduler to set "auth-info-required" to "username,password" if a
backend reports it needs authentication info but doesn't set a method for
authentication (Issue #373)
- Updated the configure script to look for the OpenSSL library the old way if
pkg-config is not available (Issue #375)
- Fixed the prototype for the httpWriteResponse function (Issue #380)
- Brought back minimal AIX support (Issue #389)
- cupsGetResponse did not always set the last error.
- Fixed a number of old references to the Apple CUPS web page.
- Restored the default/generic printer icon file for the web interface.
- Removed old stylesheet classes that are no longer used by the web
interface.
(From OE-Core rev: af7048c4b7daabc237b1b8f2982d67cb1fd88b4c)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6f4131e73553f47709e19871c23a411275ab3857)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The configure checks /etc/dbus-1 and sets DBUSDIR if it is null:
if test -d /etc/dbus-1 -a "x$DBUSDIR" = x; then
DBUSDIR="/etc/dbus-1"
fi
So that the build result would be different w/o /etc/dbus-1:
/etc/dbus-1/system.d/cups.conf (Only exists when DBUSDIR is set)
Add --with-dbusdir to EXTRA_OECONF to fix the issue
(From OE-Core rev: 0e4b2464138601c4c20882c001ef11eef5100395)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
one too many 's': dnsssd -> dnssd
(From OE-Core rev: 88da9b61b469654805fd51869790b1fd6d34c5a3)
Signed-off-by: S. Lockwood-Childs <sjl@vctlabs.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Mark no-hardcode-lib patch as upstreamable.
(From OE-Core rev: 2d0475f9575a6679b4a9d5400220584597b84887)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The packageconfig needs to be --disable-systemd as documented in
configure file for cups. With the current value "--without-systemd" the
SYSTEM_DIR variable ends up being set to "no"
It is caused by the --without-* section in configure file resulting in
eval with_$ac_useropt=no ;;
$ac_useropt is "systemd" causing the variable $with_systemd to be set
to "no", because of below test
if test ${with_systemd+y}
then :
withval=$with_systemd; SYSTEMD_DIR="$withval"
else $as_nop
SYSTEMD_DIR=""
fi
cups configure tests if SYSTEMD_DIR is empty to decide if the init
scripts need to be installed. A value of "no" results in no init
scripts being installed.
With --disable-systemd it works as expected - installing the init files.
Though cups should properly improve their configure script.
(From OE-Core rev: 967fdd2ba12f22d8e46600ff085833993a32cfeb)
Signed-off-by: Claus Stovgaard <clst@ambu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
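Added example, not code from CUPS or OE-Core: a simplified shell model of the configure logic quoted in the commit message above, showing why `--without-systemd` leaves `SYSTEMD_DIR` set to "no" while `--disable-systemd` leaves it empty. The function names `resolve_systemd_dir` and `installs_init_scripts` are hypothetical, and the path `/lib/systemd/system` is a constructed sample value.

```shell
# Simplified model of the option handling quoted in the commit message.
# resolve_systemd_dir is a hypothetical helper, not part of CUPS' configure.
resolve_systemd_dir() {
    unset with_systemd enable_systemd
    for arg in "$@"; do
        case "$arg" in
            --with-systemd=*)  with_systemd=${arg#--with-systemd=} ;;
            --with-systemd)    with_systemd=yes ;;
            --without-systemd) with_systemd=no ;;    # eval with_$ac_useropt=no
            --disable-systemd) enable_systemd=no ;;  # with_systemd stays unset
        esac
    done
    # Same test as in the commit message: it checks whether the variable
    # is set at all, not what value it holds.
    if test ${with_systemd+y}; then
        SYSTEMD_DIR="$with_systemd"
    else
        SYSTEMD_DIR=""
    fi
    printf '%s' "$SYSTEMD_DIR"
}

# Per the commit message, init scripts are installed only when
# SYSTEMD_DIR is empty.
installs_init_scripts() {
    test -z "$(resolve_systemd_dir "$@")"
}

# Compare the option spellings side by side (the empty entry means no option).
for opt in "" --disable-systemd --without-systemd \
           --with-systemd=/lib/systemd/system; do
    if installs_init_scripts $opt; then result=yes; else result=no; fi
    printf '%-38s SYSTEMD_DIR="%s" init scripts: %s\n' \
        "${opt:-(no option)}" "$(resolve_systemd_dir $opt)" "$result"
done
```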
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Apple are no longer maintaining CUPS, and future development is now
happening under the OpenPrinting project:
https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentations/cups-plenary-may-2021.pdf
Also stop disabling the manpage installation as manpages are useful, and
remove some patch chunks that are not required.
The CVE-2020-10001 patch is dropped as this is incorporated into 2.3.3op2.
(From OE-Core rev: 53bd9a96a003a7103b8475f9c1ad7ef999e34f87)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE relates to bad ownership of /var/log/cups, which we don't have.
(From OE-Core rev: 0792312f3637ec160d2ef90781a8cb1f75b84940)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
configure inspects the host's /etc/group for these configuration
options, fix this to the correct values by using configure options.
(From OE-Core rev: f16f9c727569414cd52862dcba18d8e423f4e961)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It only applies to MacOS.
(From OE-Core rev: cad1162f41c4c060744b98109514f761aa64d34a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE was against a cups plugin which is obsolete and we don't include.
(From OE-Core rev: 5f7cb9f6ec4b14f992d265b8c67a9f5589f9b842)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is an Ubuntu specific issue:
The CUPS AppArmor profile incorrectly confined the dnssd backend
due to use of hard links. A local attacker could possibly use this
issue to escape confinement. This flaw affects versions prior to
2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS
(From OE-Core rev: 22e89983a8f83a369d83bc67e4f3492bc50db648)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
/var/run has been deprecated by systemd, so use /run instead,
as suggested by systemd.
(From OE-Core rev: 6c3f56020da7a26c2daea73e39c2f324f1f597db)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
this template service needs to be triggered by org.cups.cups-lpd.socket,
which will assign an instance id for org.cups.cups-lpd@.service,
like org.cups.cups-lpd@0.service. Adding this in SYSTEMD_SERVICE will
cause the post scriptlet to fail as:
Failed to start org.cups.cups-lpd@.service: Unit name org.cups.cups-lpd@.service is missing the instance name.
See system logs and 'systemctl status org.cups.cups-lpd@.service' for details.
(From OE-Core rev: 4bb87c8b28b58a469c01f4a051361aa099cdfe1a)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add volatiles files to create /var/log/cups directory rather than create
it directly when do_install.
(From OE-Core rev: 315689f58536dec4042ef9880c227a69e71e749d)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cups-config encodes the library dir in the script.
(From OE-Core rev: 0e19b25fbf1d760c06dd6a2cb8e291c7482330c4)
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix crossscripts to report the correct "serverbin" value.
While the packaged "cups-config --serverbin" reported
"/usr/libexec/cups" the crossscripts version reported
"/usr/lib/cups", causing packaging issues when building for example
cups-filters.
Also fix FILES_${PN} to use ${libexecdir}; previously it was working
just because "${libexecdir}/*" was part of the default values in
bitbake.conf.
(From OE-Core rev: 2ce6ef29b9bb4f16ed9d78e166d455b7a6d968bf)
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Redefine CUPS_SERVERBIN to "$libexecdir/cups" for cups, which solves a file
conflict when multilib is enabled.
| Error: Transaction check error:
| file /lib/systemd/system/org.cups.cups-lpd@.service conflicts between
attempted installs of cups-2.2.11-r0.core2_64 and lib32-cups-2.2.11-r0.core2_32
(From OE-Core rev: 274bed042b9c2b50a8bdd11b42f1a62405fb5b11)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CUPS 2.2.11 is a bug fix release that addresses issues in the scheduler,
IPP Everywhere support, CUPS library, and USB printer support.
(From OE-Core rev: 2904ffdffc829ee7a0f0228babe392535fb5e544)
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When pam PACKAGECONFIG is enabled a cups "pam.d" configuration file is
installed. The default configuration file uses a non-existing "pam_unknown.so",
but a different existing module can be selected by passing the
--with-pam-module parameter. Use the unix pam module when pam is enabled.
(From OE-Core rev: a7fb921e16e2eb4fa5a799b556d23d79801720b0)
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The following patch is rebased.
0001-don-t-try-to-run-generated-binaries.patch
(From OE-Core rev: ee57d79aec06e9b160cf2713636cda650ba68d5a)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A comment line of conf file cups-files.conf refers to var @CUPS_SERVERBIN@,
which is ${libdir} related, and so it causes a multilib install file conflict.
Remove @CUPS_SERVERBIN@ from the comment line to avoid the conflict.
(From OE-Core rev: ac4df3f83fccfa7dd75d6a913b7ab75e49a7b986)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is no need to depend on the compatibility library libusb-compat, as CUPS
links directly to libusb1.
(From OE-Core rev: feead64ac6df31d9b9499b232631aeb0edad3af0)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>