diff --git a/SOURCES/cups-CVE-2018-4180.patch b/SOURCES/cups-CVE-2018-4180.patch
new file mode 100644
index 0000000..43090b7
--- /dev/null
+++ b/SOURCES/cups-CVE-2018-4180.patch
@@ -0,0 +1,406 @@
+diff --git a/man/cups-files.conf.man.in b/man/cups-files.conf.man.in
+index e34d7c4..1d0f51d 100644
+--- a/man/cups-files.conf.man.in
++++ b/man/cups-files.conf.man.in
+@@ -85,6 +85,11 @@ PageLog filename
+ PageLog syslog
+ .br
+ Specifies the page log filename.
++.\"#PassEnv
++.TP 5
++\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
++Passes the specified environment variable(s) to child processes.
++Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+ .TP 5
+ Printcap
+ .TP 5
+@@ -121,6 +126,11 @@ Specifies the encryption key to use.
+ ServerRoot directory
+ .br
+ Specifies the directory where the server configuration files can be found.
++.\"#SetEnv
++.TP 5
++\fBSetEnv \fIvariable value\fR
++Set the specified environment variable to be passed to child processes.
++Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+ .TP 5
+ SyncOnClose Yes
+ .TP 5
+diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in
+index 1a4f40a..583070e 100644
+--- a/man/cupsd.conf.man.in
++++ b/man/cupsd.conf.man.in
+@@ -380,10 +380,6 @@ PageLogFormat format string
+ .br
+ Specifies the format of page log lines.
+ .TP 5
+-PassEnv variable [... variable]
+-.br
+-Passes the specified environment variable(s) to child processes.
+-.TP 5
+ <Policy name> ... </Policy>
+ .br
+ Specifies access control for the named policy.
+@@ -470,10 +466,6 @@ ServerTokens ProductOnly
+ Specifies what information is included in the Server header of HTTP
+ responses.
+ .TP 5
+-SetEnv variable value
+-.br
+-Set the specified environment variable to be passed to child processes.
+-.TP 5
+ SSLListen
+ .br
+ Listens on the specified address and port for encrypted connections.
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index f8732d4..ac1d024 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -2935,13 +2935,10 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 					/* Line from file */
+ 			temp[HTTP_MAX_BUFFER],
+ 					/* Temporary buffer for value */
+-			*value,		/* Pointer to value */
+-			*valueptr;	/* Pointer into value */
++			*value;		/* Pointer to value */
+   int			valuelen;	/* Length of value */
+   http_addrlist_t	*addrlist,	/* Address list */
+ 			*addr;		/* Current address */
+-  cups_file_t		*incfile;	/* Include file */
+-  char			incname[1024];	/* Include filename */
+ 
+ 
+  /*
+@@ -2956,28 +2953,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+     * Decode the directive...
+     */
+ 
+-    if (!_cups_strcasecmp(line, "Include") && value)
+-    {
+-     /*
+-      * Include filename
+-      */
+-
+-      if (value[0] == '/')
+-        strlcpy(incname, value, sizeof(incname));
+-      else
+-        snprintf(incname, sizeof(incname), "%s/%s", ServerRoot, value);
+-
+-      if ((incfile = cupsFileOpen(incname, "rb")) == NULL)
+-        cupsdLogMessage(CUPSD_LOG_ERROR,
+-	                "Unable to include config file \"%s\" - %s",
+-	                incname, strerror(errno));
+-      else
+-      {
+-        read_cupsd_conf(incfile);
+-	cupsFileClose(incfile);
+-      }
+-    }
+-    else if (!_cups_strcasecmp(line, "<Location") && value)
++    if (!_cups_strcasecmp(line, "<Location") && value)
+     {
+      /*
+       * <Location path>
+@@ -3302,31 +3278,6 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 	cupsdLogMessage(CUPSD_LOG_WARN, "Unknown ServerTokens %s on line %d.",
+                         value, linenum);
+     }
+-    else if (!_cups_strcasecmp(line, "PassEnv") && value)
+-    {
+-     /*
+-      * PassEnv variable [... variable]
+-      */
+-
+-      for (; *value;)
+-      {
+-        for (valuelen = 0; value[valuelen]; valuelen ++)
+-	  if (_cups_isspace(value[valuelen]) || value[valuelen] == ',')
+-	    break;
+-
+-        if (value[valuelen])
+-        {
+-	  value[valuelen] = '\0';
+-	  valuelen ++;
+-	}
+-
+-        cupsdSetEnv(value, NULL);
+-
+-        for (value += valuelen; *value; value ++)
+-	  if (!_cups_isspace(*value) || *value != ',')
+-	    break;
+-      }
+-    }
+     else if (!_cups_strcasecmp(line, "ServerAlias") && value)
+     {
+      /*
+@@ -3355,30 +3306,6 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 	    break;
+       }
+     }
+-    else if (!_cups_strcasecmp(line, "SetEnv") && value)
+-    {
+-     /*
+-      * SetEnv variable value
+-      */
+-
+-      for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++);
+-
+-      if (*valueptr)
+-      {
+-       /*
+-        * Found a value...
+-	*/
+-
+-        while (isspace(*valueptr & 255))
+-	  *valueptr++ = '\0';
+-
+-        cupsdSetEnv(value, valueptr);
+-      }
+-      else
+-        cupsdLogMessage(CUPSD_LOG_ERROR,
+-	                "Missing value for SetEnv directive on line %d.",
+-	                linenum);
+-    }
+ #ifdef HAVE_SSL
+     else if (!_cups_strcasecmp(line, "SSLOptions"))
+     {
+@@ -3448,6 +3375,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+              !_cups_strcasecmp(line, "LogFilePerm") ||
+              !_cups_strcasecmp(line, "LPDConfigFile") ||
+              !_cups_strcasecmp(line, "PageLog") ||
++             !_cups_strcasecmp(line, "PassEnv") ||
+              !_cups_strcasecmp(line, "Printcap") ||
+              !_cups_strcasecmp(line, "PrintcapFormat") ||
+              !_cups_strcasecmp(line, "RemoteRoot") ||
+@@ -3456,6 +3384,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+              !_cups_strcasecmp(line, "ServerCertificate") ||
+              !_cups_strcasecmp(line, "ServerKey") ||
+              !_cups_strcasecmp(line, "ServerRoot") ||
++             !_cups_strcasecmp(line, "SetEnv") ||
+              !_cups_strcasecmp(line, "SMBConfigFile") ||
+              !_cups_strcasecmp(line, "StateDir") ||
+              !_cups_strcasecmp(line, "SystemGroup") ||
+@@ -3485,11 +3414,51 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ static int				/* O - 1 on success, 0 on failure */
+ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
+ {
+-  int		linenum;		/* Current line number */
++  int		i,			/* Looping var */
++		linenum;		/* Current line number */
+   char		line[HTTP_MAX_BUFFER],	/* Line from file */
+ 		*value;			/* Value from line */
+   struct group	*group;			/* Group */
+ 
++  static const char * const prohibited_env[] =
++  {					/* Prohibited environment variables */
++    "APPLE_LANGUAGE",
++    "AUTH_DOMAIN",
++    "AUTH_INFO_REQUIRED",
++    "AUTH_NEGOTIATE",
++    "AUTH_PASSWORD",
++    "AUTH_UID",
++    "AUTH_USERNAME",
++    "CHARSET",
++    "CLASS",
++    "CLASSIFICATION",
++    "CONTENT_TYPE",
++    "CUPS_CACHEDIR",
++    "CUPS_DATADIR",
++    "CUPS_DOCROOT",
++    "CUPS_FILETYPE",
++    "CUPS_FONTPATH",
++    "CUPS_MAX_MESSAGE",
++    "CUPS_REQUESTROOT",
++    "CUPS_SERVERBIN",
++    "CUPS_SERVERROOT",
++    "CUPS_STATEDIR",
++    "DEVICE_URI",
++    "FINAL_CONTENT_TYPE",
++    "HOME",
++    "LANG",
++    "PPD",
++    "PRINTER",
++    "PRINTER_INFO",
++    "PRINTER_LOCATION",
++    "PRINTER_STATE_REASONS",
++    "RIP_CACHE",
++    "SERVER_ADMIN",
++    "SOFTWARE",
++    "TMPDIR",
++    "USER"
++  };
++
+ 
+  /*
+   * Loop through each line in the file...
+@@ -3526,6 +3495,87 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
+ 	}
+       }
+     }
++    else if (!_cups_strcasecmp(line, "PassEnv") && value)
++    {
++     /*
++      * PassEnv variable [... variable]
++      */
++
++      int valuelen;			/* Length of variable name */
++
++      for (; *value;)
++      {
++        for (valuelen = 0; value[valuelen]; valuelen ++)
++	        if (_cups_isspace(value[valuelen]) || value[valuelen] == ',')
++	          break;
++
++        if (value[valuelen])
++        {
++	        value[valuelen] = '\0';
++	        valuelen ++;
++	      }
++
++        for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++)
++        {
++          if (!strcmp(value, prohibited_env[i]))
++          {
++	          cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be passed through on line %d of %s.", value, linenum, CupsFilesFile);
++
++            if (FatalErrors & CUPSD_FATAL_CONFIG)
++              return (0);
++            else
++              break;
++          }
++	      }
++
++        if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])))
++          cupsdSetEnv(value, NULL);
++
++        for (value += valuelen; *value; value ++)
++	        if (!_cups_isspace(*value) || *value != ',')
++	          break;
++      }
++    }
++    else if (!_cups_strcasecmp(line, "SetEnv") && value)
++    {
++      /*
++      * SetEnv variable value
++      */
++
++      char *valueptr;			/* Pointer to environment variable value */
++
++      for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++);
++
++      if (*valueptr)
++      {
++       /*
++        * Found a value...
++	      */
++
++        while (isspace(*valueptr & 255))
++	        *valueptr++ = '\0';
++
++        for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++)
++        {
++          if (!strcmp(value, prohibited_env[i]))
++          {
++	          cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be set  on line %d of %s.", value, linenum, CupsFilesFile);
++
++            if (FatalErrors & CUPSD_FATAL_CONFIG)
++              return (0);
++            else
++              break;
++          }
++	      }
++
++        if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])))
++	        cupsdSetEnv(value, valueptr);
++      }
++      else
++        cupsdLogMessage(CUPSD_LOG_ERROR,
++	                "Missing value for SetEnv directive on line %d of %s.",
++	                linenum, ConfigurationFile);
++    }
+     else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
+     {
+      /*
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 48cc35d..0e1bca3 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4761,6 +4761,18 @@ start_job(cupsd_job_t     *job,		/* I - Job ID */
+   job->status  = 0;
+   job->profile = cupsdCreateProfile(job->id);
+ 
++  #ifdef HAVE_SANDBOX_H
++    if (!job->profile)
++    {
++    /*
++      * Failure to create the sandbox profile means something really bad has
++      * happened and we need to shutdown immediately.
++      */
++
++      return;
++    }
++  #endif /* HAVE_SANDBOX_H */
++
+  /*
+   * Create the status pipes and buffer...
+   */
+diff --git a/scheduler/process.c b/scheduler/process.c
+index 1782064..b460838 100644
+--- a/scheduler/process.c
++++ b/scheduler/process.c
+@@ -94,10 +94,14 @@ cupsdCreateProfile(int job_id)		/* I - Job ID or 0 for none */
+ 
+   if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
+   {
++    /*
++    * This should never happen, and is fatal when sandboxing is enabled.
++    */
++
+     cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = NULL",
+                     job_id);
+-    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
+-                    strerror(errno));
++    cupsdLogMessage(CUPSD_LOG_EMERG, "Unable to create security profile: %s", strerror(errno));
++    kill(getpid(), SIGTERM);
+     return (NULL);
+   }
+ 
+diff --git a/scheduler/server.c b/scheduler/server.c
+index a5a31c5..7a34891 100644
+--- a/scheduler/server.c
++++ b/scheduler/server.c
+@@ -44,17 +44,29 @@ static int		started = 0;	/* Did we start the server already? */
+ void
+ cupsdStartServer(void)
+ {
+- /*
+-  * Start color management (as needed)...
++  /*
++  * Create the default security profile...
+   */
+ 
+-  cupsdStartColor();
++  DefaultProfile = cupsdCreateProfile(0);
++
++  #ifdef HAVE_SANDBOX_H
++    if (!DefaultProfile)
++    {
++    /*
++      * Failure to create the sandbox profile means something really bad has
++      * happened and we need to shutdown immediately.
++      */
++
++      return;
++    }
++  #endif /* HAVE_SANDBOX_H */
+ 
+  /*
+-  * Create the default security profile...
++  * Start color management (as needed)...
+   */
+ 
+-  DefaultProfile = cupsdCreateProfile(0);
++  cupsdStartColor();
+ 
+  /*
+   * Startup all the networking stuff...
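Review bot: In the new PassEnv branch of read_cups_files_conf (scheduler/conf.c), the separator-skipping test `if (!_cups_isspace(*value) || *value != ',')` is true for every character, so the loop skips nothing and each extra space or comma produces an empty name that passes the prohibited_env check and is handed to cupsdSetEnv. It was carried over unchanged from the removed cupsd.conf code and should read `if (!_cups_isspace(*value) && *value != ',')`. In the SetEnv branch the "Missing value" message still reports `ConfigurationFile` although the directive is now parsed from cups-files.conf, so it should pass `CupsFilesFile` like the two prohibited-variable messages. In scheduler/process.c the added `kill(getpid(), SIGTERM);` has no visible `HAVE_SANDBOX_H` guard, while its comment says the failure is fatal when sandboxing is enabled. cupsdCreateProfile starts and ends outside the hunk, so confirm the guard exists there.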
diff --git a/SOURCES/cups-CVE-2018-4700.patch b/SOURCES/cups-CVE-2018-4700.patch
new file mode 100644
index 0000000..8f9cce7
--- /dev/null
+++ b/SOURCES/cups-CVE-2018-4700.patch
@@ -0,0 +1,22 @@
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 8b8c026..67175e9 100644
+--- a/cgi-bin/var.c
++++ b/cgi-bin/var.c
+@@ -1221,6 +1221,7 @@ cgi_set_sid(void)
+   const char		*remote_addr,	/* REMOTE_ADDR */
+ 			*server_name,	/* SERVER_NAME */
+ 			*server_port;	/* SERVER_PORT */
++  struct timeval	curtime;	/* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1230,7 +1231,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
++  gettimeofday(&curtime, NULL);
++  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+ 	   (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
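Review bot: The new seed `curtime.tv_sec + curtime.tv_usec` in cgi_set_sid is still derived only from the wall clock, so the session ID's unpredictability is bounded by the clock's microsecond resolution, and the plain sum lets different (seconds, microseconds) pairs yield the same seed. Since the spec comment for this patch ties the value to CSRF protection, the eight random bytes would be better read from the operating system's random source such as `/dev/urandom` than from a time-seeded generator; what CUPS_SRAND and CUPS_RAND expand to is not visible here. The hunk also shows no include of `<sys/time.h>` for `gettimeofday`, and cgi_set_sid begins and ends outside the hunk.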
diff --git a/SOURCES/cups-unlink-filename.patch b/SOURCES/cups-unlink-filename.patch
new file mode 100644
index 0000000..f245bcc
--- /dev/null
+++ b/SOURCES/cups-unlink-filename.patch
@@ -0,0 +1,17 @@
+diff -Napur cups-1.6.3-sf02319920.old/scheduler/client.c cups-1.6.3-sf02319920.new/scheduler/client.c
+--- cups-1.6.3-sf02319920.old/scheduler/client.c	2019-03-08 12:25:45.194149311 -0800
++++ cups-1.6.3-sf02319920.new/scheduler/client.c	2019-03-08 12:28:28.658849320 -0800
+@@ -647,7 +647,12 @@ cupsdCloseClient(cupsd_client_t *con)	/*
+     httpClearCookie(HTTP(con));
+     httpClearFields(HTTP(con));
+ 
+-    cupsdClearString(&con->filename);
++    if (con->filename)
++    {
++      unlink(con->filename);
++      cupsdClearString(&con->filename);
++    }
++    
+     cupsdClearString(&con->command);
+     cupsdClearString(&con->options);
+     cupsdClearString(&con->query_string);
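Review bot: The added `unlink(con->filename);` in cupsdCloseClient deletes whatever path the field holds and ignores the result. The hunk does not show where con->filename is assigned, so confirm that every assignment names a scheduler-created request file, because any other path stored there would now be removed on close. A failed unlink should be reported unless the file is already gone, e.g. `if (unlink(con->filename) && errno != ENOENT) cupsdLogMessage(CUPSD_LOG_DEBUG, "Unable to remove \"%s\": %s", con->filename, strerror(errno));`. The blank line added after the closing brace carries trailing whitespace, and the function continues outside the hunk.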
diff --git a/SPECS/cups.spec b/SPECS/cups.spec
index d6ebbec..17b9c82 100644
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 1.6.3
-Release: 40%{?dist}
+Release: 43%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Url: http://www.cups.org/
@@ -103,6 +103,9 @@ Patch72: cups-1.6.3-page-count.patch
 Patch73: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
 Patch74: 0001-The-scheduler-now-uses-the-getgrouplist-function-whe.patch
 Patch75: cups-dont-send-http-options-field.patch
+Patch76: cups-CVE-2018-4180.patch
+Patch77: cups-CVE-2018-4700.patch
+Patch78: cups-unlink-filename.patch
 
 Patch100: cups-lspp.patch
 
@@ -394,6 +397,16 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch74 -p1 -b .getgrouplist
 # 1700637 - Stop advertising the HTTP methods that are supported
 %patch75 -p1 -b .dont-send-http-options-field
+# 1608764 - CVE-2018-4180 cups
+# 1607291 - CVE-2018-4181 cups
+# backported patch for multiple security issues
+# prevent passing malicious changes of for example printing backend
+# through configuration
+%patch76 -p1 -b .harden-env-var-parsing
+# 1651575 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection
+%patch77 -p1 -b .session-cookie-fix
+# 1687571 - cupsd doesn't clean up temp files if client connection is terminated abnormally
+%patch78 -p1 -b .unlink-tmp-file
 
 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
 
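Review bot: The comment above `%patch76` does not say that the patch changes which directives cupsd.conf accepts. As shown in cups-CVE-2018-4180.patch, it removes the `Include` branch from read_cupsd_conf and moves PassEnv/SetEnv parsing into read_cups_files_conf, so existing cupsd.conf files that use these directives will presumably behave differently after the update. I would add a line such as `# note: Include is no longer read from cupsd.conf; PassEnv/SetEnv are read from cups-files.conf only` and repeat it in the 1.6.3-41 changelog entry so administrators can find the cause. Whether the package migrates such lines on upgrade is not visible in these hunks.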
@@ -787,6 +800,16 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 
 %changelog
+* Thu Aug 08 2019 Tomas Korbar <tkorbar@redhat.com> - 1:1.6.3-43
+- 1687571 - cupsd doesn't clean tmp files if client conn is terminated abnormally
+
+* Wed Jul 31 2019 Tomas Korbar <tkorbar@redhat.com> - 1:1.6.3-42
+- 1651575 - CVE-2018-4700 cups
+
+* Wed Jul 31 2019 Tomas Korbar <tkorbar@redhat.com> - 1:1.6.3-41
+- 1608764 - CVE-2018-4180 cups
+- 1607291 - CVE-2018-4181 cups
+
 * Wed Apr 17 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:1.6.3-40
 - 1700637 - Stop advertising the HTTP methods that are supported