diff --git a/SOURCES/cups-start-service.patch b/SOURCES/cups-start-service.patch
new file mode 100644
index 0000000..26952cf
--- /dev/null
+++ b/SOURCES/cups-start-service.patch
@@ -0,0 +1,9 @@
+diff -up cups-1.6.3/data/cups.service.in.start-service cups-1.6.3/data/cups.service.in
+--- cups-1.6.3/data/cups.service.in.start-service 2015-07-21 16:14:18.837479112 +0100
++++ cups-1.6.3/data/cups.service.in 2015-07-21 16:14:42.965396925 +0100
+@@ -8,4 +8,4 @@ PrivateTmp=true
+
+ [Install]
+ Also=cups.socket cups.path
+-WantedBy=printer.target
++WantedBy=multi-user.target printer.target
diff --git a/SOURCES/cups-str4476.patch b/SOURCES/cups-str4476.patch
new file mode 100644
index 0000000..25b76f8
--- /dev/null
+++ b/SOURCES/cups-str4476.patch
@@ -0,0 +1,504 @@ +diff -up cups-1.6.3/cups/http.c.str4476 cups-1.6.3/cups/http.c +--- cups-1.6.3/cups/http.c.str4476 2013-06-07 02:12:52.000000000 +0100 ++++ cups-1.6.3/cups/http.c 2015-06-23 14:05:39.872805417 +0100 +@@ -175,6 +175,8 @@ static int http_write_ssl(http_t *http, + * Local globals... + */ + ++static int tls_options = 0; /* Options for TLS connections */ ++ + static const char * const http_fields[] = + { + "Accept-Language", +@@ -3722,7 +3724,10 @@ http_send(http_t *http, /* I - Con + if (http->encryption == HTTP_ENCRYPT_REQUIRED && !http->tls) + { + httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade"); +- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.0,SSL/2.0,SSL/3.0"); ++ if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0"); ++ else ++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0"); + } + #endif /* HAVE_SSL */ + +@@ -3959,6 +3964,10 @@ http_setup_ssl(http_t *http) /* I - Con + context = SSL_CTX_new(SSLv23_client_method()); + + SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */ ++ if (!(tls_options & _HTTP_TLS_ALLOW_SSL3)) ++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */ ++ if (!(tls_options & _HTTP_TLS_ALLOW_RC4)) ++ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4"); + + bio = BIO_new(_httpBIOMethods()); + BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http); +@@ -4018,7 +4027,16 @@ http_setup_ssl(http_t *http) /* I - Con + gnutls_certificate_allocate_credentials(credentials); + + gnutls_init(&http->tls, GNUTLS_CLIENT); +- gnutls_set_default_priority(http->tls); ++ if (!tls_options) ++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL); ++ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && ++ (tls_options & _HTTP_TLS_ALLOW_RC4)) ++ gnutls_priority_set_direct(http->tls, "NORMAL", NULL); ++ else if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL); ++ else ++ 
gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL); ++ + gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, + strlen(hostname)); + gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials); +@@ -4433,7 +4451,10 @@ http_upgrade(http_t *http) /* I - Conne + + httpClearFields(http); + httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade"); +- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0"); ++ if (tls_options & _HTTP_TLS_ALLOW_SSL3) ++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0"); ++ else ++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0"); + + if ((ret = httpOptions(http, "*")) == 0) + { +@@ -4764,6 +4785,16 @@ http_write_ssl(http_t *http, /* I - + } + #endif /* HAVE_SSL */ + ++/* ++ * '_httpTLSSetOptions()' - Set TLS/SSL options. ++ */ ++ ++void ++_httpTLSSetOptions(int options) ++{ ++ tls_options = options; ++} ++ + + /* + * End of "$Id: http.c 7850 2008-08-20 00:07:25Z mike $". +diff -up cups-1.6.3/cups/http-private.h.str4476 cups-1.6.3/cups/http-private.h +--- cups-1.6.3/cups/http-private.h.str4476 2015-06-23 14:04:45.244230171 +0100 ++++ cups-1.6.3/cups/http-private.h 2015-06-23 14:05:39.873805409 +0100 +@@ -140,6 +140,10 @@ extern "C" { + #define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */ + #define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */ + ++/* care - these should be the same values as the CUPSD_SSL_* equivalents */ ++#define _HTTP_TLS_ALLOW_RC4 2 ++#define _HTTP_TLS_ALLOW_SSL3 4 ++ + + /* + * Types and functions for SSL support... +@@ -377,6 +381,8 @@ extern const char *_httpResolveURI(const + extern int _httpUpdate(http_t *http, http_status_t *status); + extern int _httpWait(http_t *http, int msec, int usessl); + ++extern void _httpTLSSetOptions(int options); ++ + + /* + * C++ magic... 
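Review bot: The new `_HTTP_TLS_ALLOW_RC4` and `_HTTP_TLS_ALLOW_SSL3` defines in http-private.h are tied to the scheduler's `CUPSD_SSL_ALLOW_RC4` / `CUPSD_SSL_ALLOW_SSL3` only by the comment "these should be the same values", while scheduler/conf.c passes `SSLOptions & ~CUPSD_SSL_NOEMPTY` straight into `_httpTLSSetOptions()`. If either header is renumbered later, the scheduler's outgoing connections would silently enable the wrong legacy protocol or cipher. A preprocessor guard in scheduler/conf.c, where both sets of macros are presumably in scope, would turn that into a build failure: `#if CUPSD_SSL_ALLOW_RC4 != _HTTP_TLS_ALLOW_RC4 || CUPSD_SSL_ALLOW_SSL3 != _HTTP_TLS_ALLOW_SSL3` followed by `#error`. The two defines also lack the trailing description comments that the neighbouring `_HTTP_RESOLVE_*` lines carry, e.g. `/* Allow RC4 cipher suites */` and `/* Allow SSL 3.0 */`.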
+diff -up cups-1.6.3/cups/usersys.c.str4476 cups-1.6.3/cups/usersys.c +--- cups-1.6.3/cups/usersys.c.str4476 2015-06-23 14:04:45.268229986 +0100 ++++ cups-1.6.3/cups/usersys.c 2015-06-23 14:05:39.873805409 +0100 +@@ -72,7 +72,8 @@ static void cups_read_client_conf(cups_f + #endif /* HAVE_GSSAPI */ + const char *cups_anyroot, + const char *cups_expiredroot, +- const char *cups_expiredcerts); ++ const char *cups_expiredcerts, ++ int ssl_options); + + + /* +@@ -257,6 +258,9 @@ cupsSetEncryption(http_encryption_t e) / + _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */ + + ++ if (cg->encryption == (http_encryption_t)-1) ++ _cupsSetDefaults(); ++ + cg->encryption = e; + + if (cg->http) +@@ -823,7 +827,36 @@ _cupsSetDefaults(void) + if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] || + !cg->user[0] || !cg->ipp_port) + { ++ /* ++ * Look for CUPS_SERVERROOT/client.conf... ++ */ ++ ++ snprintf(filename, sizeof(filename), "%s/client.conf", ++ cg->cups_serverroot); ++ fp = cupsFileOpen(filename, "r"); ++ ++ /* ++ * Read the configuration file and apply any environment variables; both ++ * functions handle NULL cups_file_t pointers... ++ */ ++ ++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, ++#ifdef HAVE_GSSAPI ++ cups_gssservicename, ++#endif /* HAVE_GSSAPI */ ++ cups_anyroot, cups_expiredroot, ++ cups_expiredcerts, 1); ++ ++ /* ++ * Then user defaults, if it is safe to do so... ++ */ ++ ++#ifdef HAVE_GETEUID ++ if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && ++ (home = getenv("HOME")) != NULL) ++#else + if ((home = getenv("HOME")) != NULL) ++#endif + { + /* + * Look for ~/.cups/client.conf... +@@ -831,33 +864,20 @@ _cupsSetDefaults(void) + + snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home); + fp = cupsFileOpen(filename, "r"); +- } +- else +- fp = NULL; + +- if (!fp) +- { + /* +- * Look for CUPS_SERVERROOT/client.conf... 
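Review bot: The handle opened for CUPS_SERVERROOT/client.conf in the `@@ -823,7 +827,36 @@` hunk of `_cupsSetDefaults()` is never closed. The new first `cups_read_client_conf(..., 1)` call is not followed by `cupsFileClose(fp)`, and `fp` is then either overwritten by the `~/.cups/client.conf` open or abandoned when the HOME branch is skipped. The only `cupsFileClose(fp)` on the new side sits inside the HOME block of the following hunk, whose trailing context shows just the closing braces. Each pass through this path therefore appears to leak one file descriptor in every process that links libcups; add `cupsFileClose(fp);` directly after the first `cups_read_client_conf()` call.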
++ * Read the configuration file and apply any environment variables; both ++ * functions handle NULL cups_file_t pointers... + */ + +- snprintf(filename, sizeof(filename), "%s/client.conf", +- cg->cups_serverroot); +- fp = cupsFileOpen(filename, "r"); +- } +- +- /* +- * Read the configuration file and apply any environment variables; both +- * functions handle NULL cups_file_t pointers... +- */ +- +- cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, ++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, + #ifdef HAVE_GSSAPI +- cups_gssservicename, ++ cups_gssservicename, + #endif /* HAVE_GSSAPI */ +- cups_anyroot, cups_expiredroot, +- cups_expiredcerts); +- cupsFileClose(fp); ++ cups_anyroot, cups_expiredroot, ++ cups_expiredcerts, 0); ++ cupsFileClose(fp); ++ } + } + } + +@@ -879,7 +899,8 @@ cups_read_client_conf( + #endif /* HAVE_GSSAPI */ + const char *cups_anyroot, /* I - CUPS_ANYROOT env var */ + const char *cups_expiredroot, /* I - CUPS_EXPIREDROOT env var */ +- const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */ ++ const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */ ++ int ssl_options) /* I - Allow setting of SSLOptions? */ + { + int linenum; /* Current line number */ + char line[1024], /* Line from file */ +@@ -952,6 +973,43 @@ cups_read_client_conf( + cups_gssservicename = gss_service_name; + } + #endif /* HAVE_GSSAPI */ ++ else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value) ++ { ++ /* ++ * SSLOptions [AllowRC4] [AllowSSL3] [None] ++ */ ++ ++ int options = 0; /* SSL/TLS options */ ++ char *start, /* Start of option */ ++ *end; /* End of option */ ++ ++ for (start = value; *start; start = end) ++ { ++ /* ++ * Find end of keyword... ++ */ ++ ++ end = start; ++ while (*end && !_cups_isspace(*end)) ++ end++; ++ ++ if (*end) ++ *end++ = '\0'; ++ ++ /* ++ * Compare... 
++ */ ++ ++ if (!_cups_strcasecmp(start, "AllowRC4")) ++ options |= _HTTP_TLS_ALLOW_RC4; ++ else if (!_cups_strcasecmp(start, "AllowSSL3")) ++ options |= _HTTP_TLS_ALLOW_SSL3; ++ else if (!_cups_strcasecmp(start, "None")) ++ options = 0; ++ } ++ ++ _httpTLSSetOptions(options); ++ } + } + + /* +diff -up cups-1.6.3/doc/help/ref-client-conf.html.str4476 cups-1.6.3/doc/help/ref-client-conf.html +--- cups-1.6.3/doc/help/ref-client-conf.html.str4476 2013-06-25 15:38:12.000000000 +0100 ++++ cups-1.6.3/doc/help/ref-client-conf.html 2015-06-23 14:05:39.873805409 +0100 +@@ -76,6 +76,26 @@ present, only the last one is used. This + + + ++

SSLOptions

++ ++

Examples

++ ++
++SSLOptions None
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
++
++ ++

Description

++ ++

Sets encryption options (only in /etc/cups/client.conf). By ++default, CUPS only supports encryption using TLS v1.0 or higher using ++known secure cipher suites. The AllowRC4 option enables the ++128-bit RC4 cipher suites, which are required for some older clients ++that do not implement newer ones. The AllowSSL3 option enables ++SSL v3.0, which is required for some older clients that do not support ++TLS v1.0.

++ +

CUPS 1.6/OS X 10.8User

+ +

Examples

+diff -up cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 cups-1.6.3/doc/help/ref-cupsd-conf.html.in +--- cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 2013-05-10 17:52:10.000000000 +0100 ++++ cups-1.6.3/doc/help/ref-cupsd-conf.html.in 2015-06-23 14:05:39.873805409 +0100 +@@ -2011,23 +2011,23 @@ SetEnv MY_ENV_VAR foo + variable that should be passed to child processes.

+ + +-

SSLListen

++

SSLOptions

+ +

Examples

+ +
+-SSLListen 127.0.0.1:443
+-SSLListen 192.0.2.1:443
++SSLOptions 127.0.0.1:443
++SSLOptions 192.0.2.1:443
+ 
+ +

Description

+ +-

The SSLListen directive specifies a network ++

The SSLOptions directive specifies a network + address and port to listen for secure connections. Multiple +-SSLListen directives can be provided to listen on ++SSLOptions directives can be provided to listen on + multiple addresses.

+ +-

The SSLListen directive is similar to the The SSLOptions directive is similar to the SSLPort directive but allows you + to restrict access to specific interfaces or networks.

+ +@@ -2039,15 +2039,22 @@ to restrict access to specific interface +
+ SSLOptions None
+ SSLOptions NoEmptyFragments
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
+ 
+ +

Description

+ +

The SSLOptions directive specifies additional SSL/TLS +-protocol options to use for encrypted connected. Currently only two +-options are supported - None (the default) for the most +-secure mode and NoEmptyFragments to allow CUPS to work with +-Microsoft Windows with the FIPS conformance mode enabled.

++protocol options to use for encrypted connected. By default, CUPS only ++supports encryption using TLS v1.0 or higher using known secure cipher ++suites. The NoEmptyFragments option allows CUPS to work ++with Microsoft Windows with the FIPS conformance mode ++enabled. The AllowRC4 option enables the 128-bit RC4 ++cipher suites, which are required for some older clients that do not ++implement newer ones. The AllowSSL3 option enables SSL ++v3.0, which is required for some older clients that do not support TLS ++v1.0.

+ + +

SSLPort

+diff -up cups-1.6.3/man/client.conf.man.in.str4476 cups-1.6.3/man/client.conf.man.in +--- cups-1.6.3/man/client.conf.man.in.str4476 2013-06-25 15:38:12.000000000 +0100 ++++ cups-1.6.3/man/client.conf.man.in 2015-06-23 14:05:39.874805401 +0100 +@@ -53,6 +53,15 @@ Specifies the address and optionally the + server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or + later.\fR + .TP 5 ++SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR] ++.br ++Sets SSL/TLS protocol options for encrypted connections. By default, ++CUPS only supports encryption using TLS v1.0 or higher using known ++secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit ++RC4 cipher suites, which are required for some older clients that do ++not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0, ++which is required for some older clients that do not support TLS v1.0. ++.TP 5 + User name + .br + Specifies the default user name to use for requests. +diff -up cups-1.6.3/man/cupsd.conf.man.in.str4476 cups-1.6.3/man/cupsd.conf.man.in +--- cups-1.6.3/man/cupsd.conf.man.in.str4476 2015-06-23 14:04:45.278229909 +0100 ++++ cups-1.6.3/man/cupsd.conf.man.in 2015-06-23 14:05:39.874805401 +0100 +@@ -480,9 +480,16 @@ Listens on the specified address and por + .TP 5 + SSLOptions None + .TP 5 +-SSLOptions NoEmptyFragments ++SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR] + .br +-Sets SSL/TLS protocol options for encrypted connections. ++Sets SSL/TLS protocol options for encrypted connections. By default, ++CUPS only supports encryption using TLS v1.0 or higher using known ++secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to ++work with Microsoft Windows with the FIPS conformance mode ++enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher ++suites, which are required for some older clients that do not ++implement newer ones. 
The \fIAllowSSL3\fR option enables SSL v3.0, ++which is required for some older clients that do not support TLS v1.0. + .TP 5 + SSLPort + .br +diff -up cups-1.6.3/scheduler/conf.c.str4476 cups-1.6.3/scheduler/conf.c +--- cups-1.6.3/scheduler/conf.c.str4476 2015-06-23 14:04:45.298229754 +0100 ++++ cups-1.6.3/scheduler/conf.c 2015-06-23 14:05:39.874805401 +0100 +@@ -3361,17 +3361,54 @@ read_cupsd_conf(cups_file_t *fp) /* I - + else if (!_cups_strcasecmp(line, "SSLOptions")) + { + /* ++ * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None] ++ */ ++ ++ int options = 0; /* SSL/TLS options */ ++ ++ /* + * SSLOptions options + */ + +- if (!value || !_cups_strcasecmp(value, "none")) +- SSLOptions = CUPSD_SSL_NONE; +- else if (!_cups_strcasecmp(value, "noemptyfragments")) +- SSLOptions = CUPSD_SSL_NOEMPTY; +- else +- cupsdLogMessage(CUPSD_LOG_ERROR, +- "Unknown value \"%s\" for SSLOptions directive on " +- "line %d.", value, linenum); ++ if (value) ++ { ++ char *start, /* Start of option */ ++ *end; /* End of option */ ++ ++ for (start = value; *start; start = end) ++ { ++ /* ++ * Find end of keyword... ++ */ ++ ++ end = start; ++ while (*end && !_cups_isspace(*end)) ++ end++; ++ ++ if (*end) ++ *end++ = '\0'; ++ ++ /* ++ * Compare... 
++ */ ++ ++ if (!_cups_strcasecmp(start, "NoEmptyFragments")) ++ options |= CUPSD_SSL_NOEMPTY; ++ else if (!_cups_strcasecmp(start, "AllowRC4")) ++ options |= CUPSD_SSL_ALLOW_RC4; ++ else if (!_cups_strcasecmp(start, "AllowSSL3")) ++ options |= CUPSD_SSL_ALLOW_SSL3; ++ else if (!_cups_strcasecmp(start, "None")) ++ options = 0; ++ else ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "Unknown value \"%s\" for SSLOptions directive on " ++ "line %d.", start, linenum); ++ } ++ } ++ ++ SSLOptions = options; ++ _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY); + } + #endif /* HAVE_SSL */ + else if (!_cups_strcasecmp(line, "AccessLog") || +diff -up cups-1.6.3/scheduler/conf.h.str4476 cups-1.6.3/scheduler/conf.h +--- cups-1.6.3/scheduler/conf.h.str4476 2015-06-23 14:04:45.298229754 +0100 ++++ cups-1.6.3/scheduler/conf.h 2015-06-23 14:05:39.874805401 +0100 +@@ -78,6 +78,8 @@ typedef enum + + #define CUPSD_SSL_NONE 0 /* No special options */ + #define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */ ++#define CUPSD_SSL_ALLOW_RC4 2 /* Allow RC4 cipher suites */ ++#define CUPSD_SSL_ALLOW_SSL3 4 /* Allow SSL 3.0 */ + + + /* +diff -up cups-1.6.3/scheduler/tls-gnutls.c.str4476 cups-1.6.3/scheduler/tls-gnutls.c +--- cups-1.6.3/scheduler/tls-gnutls.c.str4476 2013-06-07 02:12:52.000000000 +0100 ++++ cups-1.6.3/scheduler/tls-gnutls.c 2015-06-23 14:05:39.874805401 +0100 +@@ -114,7 +114,15 @@ cupsdStartTLS(cupsd_client_t *con) /* I + ServerKey, GNUTLS_X509_FMT_PEM); + + gnutls_init(&con->http.tls, GNUTLS_SERVER); +- gnutls_set_default_priority(con->http.tls); ++ if (!SSLOptions) ++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL); ++ else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) && ++ (SSLOptions & CUPSD_SSL_ALLOW_RC4)) ++ gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL); ++ else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3) ++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL); ++ else ++ 
gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL); + + gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials); + gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con)); +diff -up cups-1.6.3/scheduler/tls-openssl.c.str4476 cups-1.6.3/scheduler/tls-openssl.c +--- cups-1.6.3/scheduler/tls-openssl.c.str4476 2013-06-07 02:12:52.000000000 +0100 ++++ cups-1.6.3/scheduler/tls-openssl.c 2015-06-23 14:05:39.875805393 +0100 +@@ -107,6 +107,10 @@ cupsdStartTLS(cupsd_client_t *con) /* I + SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */ + if (SSLOptions & CUPSD_SSL_NOEMPTY) + SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); ++ if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3)) ++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */ ++ if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4)) ++ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4"); + SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM); + SSL_CTX_use_certificate_chain_file(context, ServerCertificate); + diff --git a/SOURCES/cups-str4591.patch b/SOURCES/cups-str4591.patch new file mode 100644 index 0000000..69bd762 --- /dev/null +++ b/SOURCES/cups-str4591.patch 
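Review bot: In scheduler/tls-gnutls.c the new branch chain tests the whole `SSLOptions` word, which can also carry `CUPSD_SSL_NOEMPTY` (value 1). With `SSLOptions NoEmptyFragments` alone, `!SSLOptions` is false and neither ALLOW bit is set, so control reaches the final `else` and applies `"NORMAL:-VERS-SSL3.0"`. That string does not subtract ARCFOUR-128, so RC4 stays enabled wherever the linked GnuTLS includes it in NORMAL, even though AllowRC4 was never configured. Testing only the two relevant bits closes the gap: `if (!(SSLOptions & (CUPSD_SSL_ALLOW_RC4 | CUPSD_SSL_ALLOW_SSL3)))`. The parallel chain in cups/http.c is not reached with that bit from cupsd.conf, because conf.c masks out `CUPSD_SSL_NOEMPTY` before calling `_httpTLSSetOptions()`; `cupsdStartTLS()` continues outside this hunk.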
@@ -0,0 +1,56 @@
+diff -up cups-1.6.3/scheduler/conf.c.str4591 cups-1.6.3/scheduler/conf.c
+--- cups-1.6.3/scheduler/conf.c.str4591 2015-06-23 14:05:39.874805401 +0100
++++ cups-1.6.3/scheduler/conf.c 2015-06-23 14:10:38.364395201 +0100
+@@ -1245,6 +1245,19 @@ cupsdReadConfiguration(void)
+
+ cupsdUpdateEnv();
+
++ /*
++ * Validate the default error policy...
++ */
++
++ if (strcmp(ErrorPolicy, "retry-current-job") &&
++ strcmp(ErrorPolicy, "abort-job") &&
++ strcmp(ErrorPolicy, "retry-job") &&
++ strcmp(ErrorPolicy, "stop-printer"))
++ {
++ cupsdLogMessage(CUPSD_LOG_ALERT, "Invalid ErrorPolicy \"%s\", resetting to \"stop-printer\".", ErrorPolicy);
++ cupsdSetString(&ErrorPolicy, "stop-printer");
++ }
++
+ /*
+ * Update default paper size setting as needed...
+ */
+diff -up cups-1.6.3/scheduler/printers.c.str4591 cups-1.6.3/scheduler/printers.c
+--- cups-1.6.3/scheduler/printers.c.str4591 2015-06-23 14:04:45.301229731 +0100
++++ cups-1.6.3/scheduler/printers.c 2015-06-23 14:10:52.717276314 +0100
+@@ -3,7 +3,7 @@
+ *
+ * Printer routines for the CUPS scheduler.
+ *
+- * Copyright 2007-2012 by Apple Inc.
++ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -1303,10 +1303,17 @@ cupsdLoadAllPrinters(void)
+ else if (!_cups_strcasecmp(line, "ErrorPolicy"))
+ {
+ if (value)
+- cupsdSetString(&p->error_policy, value);
++ {
++ if (strcmp(value, "retry-current-job") &&
++ strcmp(value, "abort-job") &&
++ strcmp(value, "retry-job") &&
++ strcmp(value, "stop-printer"))
++ cupsdLogMessage(CUPSD_LOG_ALERT, "Invalid ErrorPolicy \"%s\" on line %d or printers.conf.", ErrorPolicy, linenum);
++ else
++ cupsdSetString(&p->error_policy, value);
++ }
+ else
+- cupsdLogMessage(CUPSD_LOG_ERROR,
+- "Syntax error on line %d of printers.conf.", linenum);
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Syntax error on line %d of printers.conf.", linenum);
+ }
+ else if (!_cups_strcasecmp(line, "Attribute") && value)
+ {
diff --git a/SOURCES/cups-str4646.patch b/SOURCES/cups-str4646.patch
new file mode 100644
index 0000000..b0f15c3
--- /dev/null
+++ b/SOURCES/cups-str4646.patch
@@ -0,0 +1,13 @@
+diff -up cups-1.6.3/scheduler/job.c.str4646 cups-1.6.3/scheduler/job.c
+--- cups-1.6.3/scheduler/job.c.str4646 2015-06-29 10:03:10.922536717 +0100
++++ cups-1.6.3/scheduler/job.c 2015-06-29 10:03:16.930638827 +0100
+@@ -456,7 +456,9 @@ cupsdCheckJobs(void)
+ * Start the job...
+ */
+
++ cupsArraySave(ActiveJobs);
+ start_job(job, printer);
++ cupsArrayRestore(ActiveJobs);
+ }
+ }
+ }
diff --git a/SOURCES/cups-str4648.patch b/SOURCES/cups-str4648.patch
new file mode 100644
index 0000000..0072bae
--- /dev/null
+++ b/SOURCES/cups-str4648.patch
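Review bot: The new alert in the `cupsdLoadAllPrinters()` hunk of printers.c logs the global `ErrorPolicy` instead of the rejected `value`, so the message names the server-wide default rather than the bad per-printer setting an administrator needs to find. The text also reads "or printers.conf" where "of" is meant. Suggested line: `cupsdLogMessage(CUPSD_LOG_ALERT, "Invalid ErrorPolicy \"%s\" on line %d of printers.conf.", value, linenum);`. When the value is rejected, `p->error_policy` keeps whatever it held before; whether that is already a valid default is decided outside this hunk and is worth confirming.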
@@ -0,0 +1,61 @@
+diff -up cups-1.6.3/scheduler/ipp.c.str4648 cups-1.6.3/scheduler/ipp.c
+--- cups-1.6.3/scheduler/ipp.c.str4648 2015-07-08 10:24:31.389942557 +0100
++++ cups-1.6.3/scheduler/ipp.c 2015-07-08 10:24:51.042104284 +0100
+@@ -3392,6 +3392,8 @@ cancel_all_jobs(cupsd_client_t *con, /*
+ }
+
+ con->response->request.status.status_code = IPP_OK;
++
++ cupsdCheckJobs();
+ }
+
+
+diff -up cups-1.6.3/scheduler/job.c.str4648 cups-1.6.3/scheduler/job.c
+--- cups-1.6.3/scheduler/job.c.str4648 2015-07-08 10:24:31.399942636 +0100
++++ cups-1.6.3/scheduler/job.c 2015-07-08 10:24:51.043104293 +0100
+@@ -267,8 +267,6 @@ cupsdCancelJobs(const char *dest, /* I -
+ "Job canceled by user.");
+ }
+ }
+-
+- cupsdCheckJobs();
+ }
+
+
+@@ -3488,13 +3486,6 @@ finalize_job(cupsd_job_t *job, /* I - J
+
+ job->printer->job = NULL;
+ job->printer = NULL;
+-
+- /*
+- * Try printing another job...
+- */
+-
+- if (printer_state != IPP_PRINTER_STOPPED)
+- cupsdCheckJobs();
+ }
+
+
+@@ -4744,6 +4735,8 @@ update_job(cupsd_job_t *job) /* I - Job
+ *ptr; /* Pointer update... */
+ int loglevel, /* Log level for message */
+ event = 0; /* Events? */
++ cupsd_printer_t *printer = job->printer;
++ /* Printer */
+ static const char * const levels[] = /* Log levels */
+ {
+ "NONE",
+@@ -5063,10 +5056,11 @@ update_job(cupsd_job_t *job) /* I - Job
+ finalize_job(job, 1);
+
+ /*
+- * Check for new jobs...
++ * Try printing another job...
+ */
+
+- cupsdCheckJobs();
++ if (printer->state != IPP_PRINTER_STOPPED)
++ cupsdCheckJobs();
+ }
+ }
+
diff --git a/SPECS/cups.spec b/SPECS/cups.spec
index bb0a912..d346be9 100644
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 1.6.3
-Release: 17%{?dist}.1
+Release: 22%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Url: http://www.cups.org/
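Review bot: In the last job.c hunk, `update_job()` dereferences `printer->state` after `finalize_job(job, 1)` through a pointer saved at function entry, whereas the code removed from `finalize_job()` tested a `printer_state` variable rather than the printer object itself. Nothing in these hunks shows that the printer outlives `finalize_job()` or that `job->printer` is non-NULL when `update_job()` starts; both functions extend beyond the hunks. If either assumption can fail, capture the state before the call instead of the pointer, or at least guard the test with `if (printer && printer->state != IPP_PRINTER_STOPPED)`. If the assumptions do hold, say so on the declaration, e.g. `/* Printer; stays valid across finalize_job() */`.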
@@ -85,6 +85,11 @@ Patch54: cups-str4475.patch Patch55: cups-failover-backend.patch Patch56: cups-str4609.patch Patch57: cups-str4551.patch +Patch58: cups-str4476.patch +Patch59: cups-str4591.patch +Patch60: cups-str4646.patch +Patch61: cups-str4648.patch +Patch62: cups-start-service.patch Patch100: cups-lspp.patch @@ -330,10 +335,20 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch55 -p1 -b .failover-backend # Improper Update of Reference Count -- CVE-2015-1158 # Cross-Site Scripting -- CVE-2015-1159 -# (bug #1229984) +# (bug #1229985) %patch56 -p1 -b .str4609 -# cupsRasterReadPixels buffer overflow -- CVE-2014-9679 (bug #1229984). +# cupsRasterReadPixels buffer overflow -- CVE-2014-9679 (bug #1229985). %patch57 -p1 -b .str4551 +# Don't use SSLv3 by default (bug #1161172, STR #4476). +%patch58 -p1 -b .str4476 +# Validate ErrorPolicy in configuration (bug #1196218, STR #4591). +%patch59 -p1 -b .str4591 +# Fix slow resume of jobs after restart (bug #1233006, STR #4646). +%patch60 -p1 -b .str4646 +# Don't start jobs while cancelling others (bug #1233002, STR #4648). +%patch61 -p1 -b .str4648 +# Start cups.service in multi-user target by default (bug #1236184). +%patch62 -p1 -b .start-service %if %lspp # LSPP support. 
@@ -479,14 +494,14 @@ for keyword in AccessLog CacheDir ConfigFilePerm \ RemoteRoot RequestRoot ServerBin ServerCertificate \ ServerKey ServerRoot SMBConfigFile StateDir \ SystemGroup SystemGroupAuthKey TempDir User; do - if ! [ -f "$IN" ] || ! /bin/grep -iq ^$keyword "$IN"; then continue; fi + if ! [ -f "$IN" ] || ! /bin/grep -wiq ^$keyword "$IN"; then continue; fi copy=yes - if /bin/grep -iq ^$keyword "$OUT"; then - if [ "`/bin/grep -i ^$keyword "$IN"`" == \ - "`/bin/grep -i ^$keyword "$OUT"`" ]; then + if /bin/grep -wiq ^$keyword "$OUT"; then + if [ "`/bin/grep -wi ^$keyword "$IN"`" == \ + "`/bin/grep -wi ^$keyword "$OUT"`" ]; then copy=no else - /bin/sed -i -e "s,^$keyword,#$keyword,i" "$OUT" || : + /bin/sed -i -e "s,^$keyword\b,#$keyword,i" "$OUT" || : fi fi if [ "$copy" == "yes" ]; then @@ -498,11 +513,17 @@ EOF ) || : fi - (/bin/grep -i ^$keyword "$IN" >> "$OUT") || : + (/bin/grep -wi ^$keyword "$IN" >> "$OUT") || : copiedany=yes fi - /bin/sed -i -e "s,^$keyword,#$keyword,i" "$IN" || : + /bin/sed -i -e "s,^$keyword\b,#$keyword,i" "$IN" || : +done + +# Comment out mistaken move of AccessLogLevel to +# cups-files.conf (bug #1235035). +for keyword in AccessLogLevel PageLogFormat; do + /bin/sed -i -e "s,^$keyword\b,#$keyword,i" "$OUT" || : done exit 0 
@@ -738,8 +759,24 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog -* Wed Jun 10 2015 Jiri Popelka - 1:1.6.3-17.1 -- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229984). +* Tue Jul 21 2015 Tim Waugh - 1:1.6.3-22 +- Start cups.service in multi-user target by default (bug #1236184), + not just cups.socket. + +* Wed Jul 8 2015 Tim Waugh - 1:1.6.3-21 +- Use upstream patch for STR #4648 (bug #1233002). + +* Tue Jun 30 2015 Tim Waugh - 1:1.6.3-20 +- Don't start jobs while cancelling others (bug #1233002, STR #4648). +- Fix slow resume of jobs after restart (bug #1233006, STR #4646). +- Fixes for post-install scriptlet (bug #1235035). + +* Tue Jun 23 2015 Tim Waugh - 1:1.6.3-19 +- Validate ErrorPolicy in configuration (bug #1196218, STR #4591). +- Don't use SSLv3 by default (bug #1161172, STR #4476). + +* Wed Jun 10 2015 Jiri Popelka - 1:1.6.3-18 +- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229985). * Tue Oct 21 2014 Tim Waugh - 1:1.6.3-17 - Support for failover without load-balancing (bug #1115219).