diff --git a/SOURCES/0001-cgi-bin-ipp-var.c-Use-guest-user-for-Move-Job-when-n.patch b/SOURCES/0001-cgi-bin-ipp-var.c-Use-guest-user-for-Move-Job-when-n.patch new file mode 100644 index 0000000..d2c0716 --- /dev/null +++ b/SOURCES/0001-cgi-bin-ipp-var.c-Use-guest-user-for-Move-Job-when-n.patch @@ -0,0 +1,16 @@ +diff --git a/cgi-bin/ipp-var.c b/cgi-bin/ipp-var.c +index 92f1501..7edc058 100644 +--- a/cgi-bin/ipp-var.c ++++ b/cgi-bin/ipp-var.c +@@ -275,10 +275,7 @@ cgiMoveJobs(http_t *http, /* I - Connection to server */ + */ + + if ((user = getenv("REMOTE_USER")) == NULL) +- { +- puts("Status: 401\n"); +- exit(0); +- } ++ user = "guest"; + + /* + * See if the user has already selected a new destination... diff --git a/SOURCES/0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch b/SOURCES/0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch new file mode 100644 index 0000000..025361f --- /dev/null +++ b/SOURCES/0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch @@ -0,0 +1,38 @@ +From 08e9b6e1f8497a8159d6bd7cd6dc96ae79a2e704 Mon Sep 17 00:00:00 2001 +From: Bryan Mason +Date: Thu, 15 Jul 2021 16:26:27 -0700 +Subject: [PATCH] scheduler/job.c: use gziptoany for raw files (not just raw + printers) + +--- + scheduler/job.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index d8c2efcc6..b448acda5 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -501,6 +501,7 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */ + int backroot; /* Run backend as root? */ + int pid; /* Process ID of new filter process */ + int banner_page; /* 1 if banner page, 0 otherwise */ ++ int raw_file; /* 1 if file type is vnd.cups-raw */ + int filterfds[2][2] = { { -1, -1 }, { -1, -1 } }; + /* Pipes used between filters */ + int envc; /* Number of environment variables */ +@@ -746,8 +747,11 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */ + * Add decompression/raw filter as needed... + */ + ++ raw_file = !strcmp(job->filetypes[job->current_file]->super, "application") && ++ !strcmp(job->filetypes[job->current_file]->type, "vnd.cups-raw"); ++ + if ((job->compressions[job->current_file] && (!job->printer->remote || job->num_files == 1)) || +- (!job->printer->remote && job->printer->raw && job->num_files > 1)) ++ (!job->printer->remote && (job->printer->raw || raw_file) && job->num_files > 1)) + { + /* + * Add gziptoany filter to the front of the list... +-- +2.31.1 + diff --git a/SOURCES/cups-fstack-strong.patch b/SOURCES/cups-fstack-strong.patch new file mode 100644 index 0000000..0cdbcd5 --- /dev/null +++ b/SOURCES/cups-fstack-strong.patch @@ -0,0 +1,49 @@ +diff --git a/config-scripts/cups-compiler.m4 b/config-scripts/cups-compiler.m4 +index 733b06c..bb770f0 100644 +--- a/config-scripts/cups-compiler.m4 ++++ b/config-scripts/cups-compiler.m4 +@@ -123,21 +123,35 @@ if test -n "$GCC"; then + OPTIM="-fPIC $OPTIM" + fi + +- # The -fstack-protector option is available with some versions of +- # GCC and adds "stack canaries" which detect when the return address +- # has been overwritten, preventing many types of exploit attacks. +- AC_MSG_CHECKING(whether compiler supports -fstack-protector) ++ # The -fstack-protector-strong and -fstack-protector options are available ++ # with some versions of# GCC and adds "stack canaries" which detect ++ # when the return address has been overwritten, preventing many types of exploit attacks. ++ # First check for -fstack-protector-strong, then for -fstack-protector... ++ AC_MSG_CHECKING([whether compiler supports -fstack-protector-strong]) + OLDCFLAGS="$CFLAGS" +- CFLAGS="$CFLAGS -fstack-protector" +- AC_TRY_LINK(,, ++ CFLAGS="$CFLAGS -fstack-protector-strong" ++ AC_TRY_LINK(,,[ + if test "x$LSB_BUILD" = xy; then + # Can't use stack-protector with LSB binaries... + OPTIM="$OPTIM -fno-stack-protector" + else +- OPTIM="$OPTIM -fstack-protector" ++ OPTIM="$OPTIM -fstack-protector-strong" + fi +- AC_MSG_RESULT(yes), +- AC_MSG_RESULT(no)) ++ AC_MSG_RESULT(yes) ++ ], [ ++ AC_MSG_CHECKING([whether compiler supports -fstack-protector]) ++ CFLAGS="$OLDCFLAGS -fstack-protector" ++ AC_LINK_IFELSE([AC_LANG_PROGRAM()], [ ++ AS_IF([test "x$LSB_BUILD" = xy], [ ++ # Can't use stack-protector with LSB binaries... ++ OPTIM="$OPTIM -fno-stack-protector" ++ ], [ ++ OPTIM="$OPTIM -fstack-protector" ++ ]) ++ ], [ ++ AC_MSG_RESULT([no]) ++ ]) ++ ]) + CFLAGS="$OLDCFLAGS" + + if test "x$LSB_BUILD" != xy; then diff --git a/SOURCES/cups-restart-job-hold-until.patch b/SOURCES/cups-restart-job-hold-until.patch new file mode 100644 index 0000000..d235518 --- /dev/null +++ b/SOURCES/cups-restart-job-hold-until.patch @@ -0,0 +1,20 @@ +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index e0dbc4a..5e9a985 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -9891,11 +9891,10 @@ restart_job(cupsd_client_t *con, /* I - Client connection */ + cupsdLogJob(job, CUPSD_LOG_DEBUG, + "Restarted by \"%s\" with job-hold-until=%s.", + username, attr->values[0].string.text); +- cupsdSetJobHoldUntil(job, attr->values[0].string.text, 0); +- +- cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED | CUPSD_EVENT_JOB_STATE, +- NULL, job, "Job restarted by user with job-hold-until=%s", +- attr->values[0].string.text); ++ cupsdSetJobHoldUntil(job, attr->values[0].string.text, 1); ++ cupsdSetJobState(job, IPP_JOB_HELD, CUPSD_JOB_DEFAULT, ++ "Job restarted by user with job-hold-until=%s", ++ attr->values[0].string.text); + } + else + { diff --git a/SPECS/cups.spec b/SPECS/cups.spec index c37d6cc..42a2eed 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -17,7 +17,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 8%{?dist} +Release: 10%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -78,6 +78,14 @@ Patch15: cups-nssuserlookup-target.patch Patch16: cups-cleanfiles.patch # 1949067 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP Patch17: cups-validate-1st.patch +# 2018948 - Unauthenticated users can't move print jobs in Web UI +Patch18: 0001-cgi-bin-ipp-var.c-Use-guest-user-for-Move-Job-when-n.patch +# 1999955 - Printing of banner before PCL file only prints banner +Patch19: 0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch +# 2006713 - Trying to restart and hold a job doesn't work +Patch20: cups-restart-job-hold-until.patch +# 2022365 - Annocheck fails due incorrect flags during compilation/linking +Patch21: cups-fstack-strong.patch ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal @@ -287,6 +295,14 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch16 -p1 -b .cleanfiles # 1949067 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP %patch17 -p1 -b .validate-retry +# 2018948 - Unauthenticated users can't move print jobs in Web UI +%patch18 -p1 -b .move-job +# 1999955 - Printing of banner before PCL file only prints banner +%patch19 -p1 -b .banner-rawfiles +# 2006713 - Trying to restart and hold a job doesn't work +%patch20 -p1 -b .restart-hold-job +# 2022365 - Annocheck fails due incorrect flags during compilation/linking +%patch21 -p1 -b .fstack-strong %if %{lspp} @@ -312,8 +328,10 @@ autoconf -f -I config-scripts export CC=%{__cc} export CXX=%{__cxx} # add Fedora specific flags to DSOFLAGS -export DSOFLAGS="$DSOFLAGS -L../cgi-bin -L../filter -L../ppdc -L../scheduler -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,relro,-z,now -fPIE -pie" -export CFLAGS="$RPM_OPT_FLAGS -fstack-protector-all -DLDAP_DEPRECATED=1" +export DSOFLAGS="$DSOFLAGS $RPM_LD_FLAGS" +export CFLAGS="$CFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1" +export CXXFLAGS="$CXXFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1" +export LDFLAGS="$LDFLAGS $RPM_LD_FLAGS -Wall -fstack-clash-protection -D_FORTIFY_SOURCE=2" # --enable-debug to avoid stripping binaries %configure --with-docdir=%{_datadir}/%{name}/www --enable-debug \ %if %{lspp} @@ -684,6 +702,14 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Fri Nov 12 2021 Zdenek Dohnal - 1:2.3.3op2-10 +- 2022365 - Annocheck fails due incorrect flags during compilation/linking + +* Wed Nov 03 2021 Zdenek Dohnal - 1:2.3.3op2-9 +- 2018948 - Unauthenticated users can't move print jobs in Web UI +- 1999955 - Printing of banner before PCL file only prints banner +- 2006713 - Trying to restart and hold a job doesn't work + * Mon Aug 09 2021 Mohan Boddu - 1:2.3.3op2-8 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688