diff --git a/SOURCES/0001-Add-with-idle-exit-timeout-configure-option.patch b/SOURCES/0001-Add-with-idle-exit-timeout-configure-option.patch
new file mode 100644
index 0000000..e310ea6
--- /dev/null
+++ b/SOURCES/0001-Add-with-idle-exit-timeout-configure-option.patch
@@ -0,0 +1,33 @@
+diff -up cups-2.3.3op2/conf/cupsd.conf.in.idleexittimeout cups-2.3.3op2/conf/cupsd.conf.in
+--- cups-2.3.3op2/conf/cupsd.conf.in.idleexittimeout 2021-02-01 22:10:25.000000000 +0100
++++ cups-2.3.3op2/conf/cupsd.conf.in 2021-11-29 11:37:02.426407322 +0100
+@@ -28,6 +28,9 @@ DefaultAuthType Basic
+ # Web interface setting...
+ WebInterface @CUPS_WEBIF@
+
++# Timeout after cupsd exits if idle (applied only if cupsd runs on-demand - with -l)
++IdleExitTimeout @EXIT_TIMEOUT@
++
+ # Restrict access to the server...
+
+ Order allow,deny
+diff -up cups-2.3.3op2/config-scripts/cups-defaults.m4.idleexittimeout cups-2.3.3op2/config-scripts/cups-defaults.m4
+--- cups-2.3.3op2/config-scripts/cups-defaults.m4.idleexittimeout 2021-11-29 11:37:02.426407322 +0100
++++ cups-2.3.3op2/config-scripts/cups-defaults.m4 2021-11-29 11:39:16.629262421 +0100
+@@ -461,3 +461,16 @@ esac
+
+ AC_SUBST(CUPS_WEBIF)
+ AC_DEFINE_UNQUOTED(CUPS_DEFAULT_WEBIF, $CUPS_DEFAULT_WEBIF)
++
++dnl Set default value of IdleExitTimeout
++AC_ARG_WITH([idle_exit_timeout], AS_HELP_STRING([--with-idle-exit-timeout], [set the default value for IdleExitTimeout, default=60]), [
++ AS_IF([test "x$withval" = "xno"], [
++ EXIT_TIMEOUT=0
++ ], [
++ EXIT_TIMEOUT=$withval
++ ])
++], [
++ EXIT_TIMEOUT=60
++])
++
++AC_SUBST([EXIT_TIMEOUT])
diff --git a/SOURCES/0001-Add-with-systemd-timeoutstartsec-configure-option.patch b/SOURCES/0001-Add-with-systemd-timeoutstartsec-configure-option.patch
new file mode 100644
index 0000000..222e766
--- /dev/null
+++ b/SOURCES/0001-Add-with-systemd-timeoutstartsec-configure-option.patch
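Review bot: `EXIT_TIMEOUT=$withval` in the cups-defaults.m4 hunk copies the option value into cupsd.conf.in unvalidated, so a bare `--with-idle-exit-timeout` (for which autoconf sets `withval` to `yes`) or any non-numeric value ends up as `IdleExitTimeout yes` in the shipped default configuration. Reject that case at configure time, e.g. `AS_IF([test "x$withval" = "xyes"], [AC_MSG_ERROR([--with-idle-exit-timeout requires a number of seconds])])` ahead of the assignment. The same pattern appears in the `--with-systemd-timeoutstartsec` block of the following patch, where it would emit `TimeoutStartSec=yes` into cups.service. How cupsd and systemd treat such a value is not visible here, so failing the build is the safer default.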
@@ -0,0 +1,33 @@
+diff -up cups-2.3.3op2/config-scripts/cups-defaults.m4.conf-timeoutstartsec cups-2.3.3op2/config-scripts/cups-defaults.m4
+--- cups-2.3.3op2/config-scripts/cups-defaults.m4.conf-timeoutstartsec 2021-11-29 13:50:14.568976028 +0100
++++ cups-2.3.3op2/config-scripts/cups-defaults.m4 2021-11-29 13:51:02.785567762 +0100
+@@ -482,3 +482,18 @@ AC_ARG_WITH([idle_exit_timeout], AS_HELP
+ ])
+
+ AC_SUBST([EXIT_TIMEOUT])
++
++dnl set TimeoutStartSec for cups.service
++dnl - if used as --without-*, it sets TimeoutStartSec to infinity
++AC_ARG_WITH([systemd-timeoutstartsec],
++ AS_HELP_STRING([--with-systemd-timeoutstartsec],
++ [set TimeoutStartSec value in cups.service, default=default value in systemd]), [
++ AS_IF([ test "x$withval" = "xno" ], [
++ TIMEOUTSTARTSEC="TimeoutStartSec=infinity"
++ ], [
++ TIMEOUTSTARTSEC="TimeoutStartSec=$withval"
++ ])
++], [
++ TIMEOUTSTARTSEC=""
++])
++AC_SUBST([TIMEOUTSTARTSEC])
+diff -up cups-2.3.3op2/scheduler/cups.service.in.conf-timeoutstartsec cups-2.3.3op2/scheduler/cups.service.in
+--- cups-2.3.3op2/scheduler/cups.service.in.conf-timeoutstartsec 2021-11-29 13:50:14.551976172 +0100
++++ cups-2.3.3op2/scheduler/cups.service.in 2021-11-29 13:50:14.568976028 +0100
+@@ -8,6 +8,7 @@ Requires=cups.socket
+ ExecStart=@sbindir@/cupsd -l
+ Type=notify
+ Restart=on-failure
++@TIMEOUTSTARTSEC@
+
+ [Install]
+ Also=cups.socket cups.path
diff --git a/SOURCES/cups-deprecate-drivers.patch b/SOURCES/cups-deprecate-drivers.patch
new file mode 100644
index 0000000..afcfa59
--- /dev/null
+++ b/SOURCES/cups-deprecate-drivers.patch
@@ -0,0 +1,177 @@
+diff --git a/cgi-bin/admin.c b/cgi-bin/admin.c
+index 02b9d9d..669cb65 100644
+--- a/cgi-bin/admin.c
++++ b/cgi-bin/admin.c
+@@ -619,6 +619,7 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+ *oldinfo; /* Old printer information */
+ const cgi_file_t *file; /* Uploaded file, if any */
+ const char *var; /* CGI variable */
++ char *ppd_name = NULL; /* Pointer to PPD name */
+ char uri[HTTP_MAX_URI], /* Device or printer URI */
+ *uriptr, /* Pointer into URI */
+ evefile[1024] = ""; /* IPP Everywhere PPD file */
+@@ -1124,12 +1125,12 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+
+ if (!file)
+ {
+- var = cgiGetVariable("PPD_NAME");
+- if (!strcmp(var, "everywhere"))
++ ppd_name = cgiGetVariable("PPD_NAME");
++ if (!strcmp(ppd_name, "everywhere"))
+ get_printer_ppd(cgiGetVariable("DEVICE_URI"), evefile, sizeof(evefile));
+- else if (strcmp(var, "__no_change__"))
++ else if (strcmp(ppd_name, "__no_change__"))
+ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "ppd-name",
+- NULL, var);
++ NULL, ppd_name);
+ }
+
+ ippAddString(request, IPP_TAG_PRINTER, IPP_TAG_TEXT, "printer-location",
+@@ -1219,7 +1220,7 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+
+ cgiCopyTemplateLang("printer-modified.tmpl");
+ }
+- else
++ else if (ppd_name && (strcmp(ppd_name, "everywhere") == 0 || strstr(ppd_name, "driverless")))
+ {
+ /*
+ * Set the printer options...
+@@ -1229,6 +1230,16 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+ do_set_options(http, 0);
+ return;
+ }
++ else
++ {
++ /*
++ * If we don't have an everywhere model, show printer-added
++ * template with warning about drivers going away...
++ */
++
++ cgiStartHTML(title);
++ cgiCopyTemplateLang("printer-added.tmpl");
++ }
+
+ cgiEndHTML();
+ }
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 3bfe4a8..248bdba 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -950,6 +950,8 @@ cupsdLoadAllPrinters(void)
+ *value, /* Pointer to value */
+ *valueptr; /* Pointer into value */
+ cupsd_printer_t *p; /* Current printer */
++ int found_raw = 0; /* Flag whether raw queue is installed */
++ int found_driver = 0; /* Flag whether queue with classic driver is installed */
+
+
+ /*
+@@ -1025,6 +1027,30 @@ cupsdLoadAllPrinters(void)
+
+ cupsdSetPrinterAttrs(p);
+
++ if ((p->device_uri && strncmp(p->device_uri, "ipp:", 4) && strncmp(p->device_uri, "ipps:", 5) && strncmp(p->device_uri, "implicitclass:", 14)) ||
++ !p->make_model ||
++ (p->make_model && strstr(p->make_model, "IPP Everywhere") == NULL && strstr(p->make_model, "driverless") == NULL))
++ {
++ /*
++ * Warn users about printer drivers and raw queues will be deprecated.
++ * It will warn users in the following scenarios:
++ * - the queue doesn't use ipp, ipps or implicitclass backend, which means
++ * it doesn't communicate via IPP and is raw or uses a driver for sure
++ * - the queue doesn't have make_model - it is raw
++ * - the queue uses a correct backend, but the model is not IPP Everywhere/driverless
++ */
++ if (!p->make_model)
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "Queue %s is a raw queue, which is deprecated.", p->name);
++ found_raw = 1;
++ }
++ else
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "Queue %s uses a printer driver, which is deprecated.", p->name);
++ found_driver = 1;
++ }
++ }
++
+ if (strncmp(p->device_uri, "file:", 5) && p->state != IPP_PRINTER_STOPPED)
+ {
+ /*
+@@ -1415,6 +1441,12 @@ cupsdLoadAllPrinters(void)
+ }
+ }
+
++ if (found_raw)
++ cupsdLogMessage(CUPSD_LOG_WARN, "Raw queues are deprecated and will stop working in a future version of CUPS. 
See https://github.com/OpenPrinting/cups/issues/103"); ++ ++ if (found_driver) ++ cupsdLogMessage(CUPSD_LOG_WARN, "Printer drivers are deprecated and will stop working in a future version of CUPS. See https://github.com/OpenPrinting/cups/issues/103"); ++ + cupsFileClose(fp); + } + +diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c +index ca6d386..daf24d5 100644 +--- a/systemv/lpadmin.c ++++ b/systemv/lpadmin.c +@@ -632,7 +632,7 @@ main(int argc, /* I - Number of command-line arguments */ + + num_options = cupsRemoveOption("ppd-name", num_options, &options); + } +- else if (ppd_name || file) ++ else if ((ppd_name && strncmp(ppd_name, "driverless:", 11)) || file) + { + _cupsLangPuts(stderr, _("lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS.")); + } +diff --git a/templates/choose-model.tmpl b/templates/choose-model.tmpl +index e916cf8..9c9b71f 100644 +--- a/templates/choose-model.tmpl ++++ b/templates/choose-model.tmpl +@@ -39,7 +39,7 @@ + + + +diff --git a/templates/printer-added.tmpl b/templates/printer-added.tmpl +index 0ccf6d3..9ebc835 100644 +--- a/templates/printer-added.tmpl ++++ b/templates/printer-added.tmpl +@@ -1,4 +1,15 @@ +-

Add Printer

++

Add Printer {printer_name}

+ +

Printer {printer_name} has been added + successfully. ++ ++

++Note:Printer drivers and raw queues are deprecated and will stop working in a future version of CUPS. ++
++ ++
++ ++ ++ ++ ++
+diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh +index 4498a8c..8776874 100755 +--- a/test/run-stp-tests.sh ++++ b/test/run-stp-tests.sh +@@ -1049,10 +1049,10 @@ fi + + # Warning log messages + count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'` +-if test $count != 8; then +- echo "FAIL: $count warning messages, expected 8." ++if test $count != 10; then ++ echo "FAIL: $count warning messages, expected 10." + $GREP '^W ' $BASE/log/error_log +- echo "

FAIL: $count warning messages, expected 8.

" >>$strfile ++ echo "

FAIL: $count warning messages, expected 10.

" >>$strfile + echo "
" >>$strfile
+ 	$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&/g' -e '1,$s/>$strfile
+ 	echo "    
" >>$strfile diff --git a/SOURCES/cups-fips-restrict-md5.patch b/SOURCES/cups-fips-restrict-md5.patch new file mode 100644 index 0000000..41223fa --- /dev/null +++ b/SOURCES/cups-fips-restrict-md5.patch 
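Review bot: In the `@@ -1124,12 +1125,12 @@` hunk of cgi-bin/admin.c, `ppd_name` goes from `cgiGetVariable("PPD_NAME")` straight into `strcmp()`; if that call can return NULL when the form field is absent (its contract is not shown here), a request without `PPD_NAME` makes the CGI dereference a null pointer, and the new `else if (ppd_name && …)` branch further down already treats NULL as possible. Guard both comparisons, `if (ppd_name && !strcmp(ppd_name, "everywhere"))` and `else if (ppd_name && strcmp(ppd_name, "__no_change__"))`, and declare the variable `const char *ppd_name = NULL;` like the neighbouring `const char *var`, so the assignment does not drop a qualifier. In scheduler/printers.c the added condition tests `p->device_uri` for NULL while the unchanged `strncmp(p->device_uri, "file:", 5)` directly after it does not, and the `p->make_model &&` in the third clause is redundant after `!p->make_model ||`. Both do_am_printer and cupsdLoadAllPrinters extend outside these hunks.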
@@ -0,0 +1,124 @@
+diff --git a/cups/http-support.c b/cups/http-support.c
+index a4bc079..9ee2309 100644
+--- a/cups/http-support.c
++++ b/cups/http-support.c
+@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
+ * Use old RFC 2069 Digest method...
+ */
+
++ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
++ {
++ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
++ return (0);
++ }
++
+ /* H(A1) = H(username:realm:password) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+diff --git a/cups/md5passwd.c b/cups/md5passwd.c
+index 9af5de2..5c9a64e 100644
+--- a/cups/md5passwd.c
++++ b/cups/md5passwd.c
+@@ -19,6 +19,9 @@
+ /*
+ * 'httpMD5()' - Compute the MD5 sum of the username:group:password.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+
+@@ -28,22 +31,13 @@ httpMD5(const char *username, /* I - User name */
+ const char *passwd, /* I - Password string */
+ char md5[33]) /* O - MD5 string */
+ {
+- unsigned char sum[16]; /* Sum data */
+- char line[256]; /* Line to sum */
+-
+-
+- /*
+- * Compute the MD5 sum of the user name, group name, and password.
+- */
++ (void)username;
++ (void)realm;
++ (void)passwd;
+
+- snprintf(line, sizeof(line), "%s:%s:%s", username, realm, passwd);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
++ md5[0] = '\0';
+
+- /*
+- * Return the sum...
+- */
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+ }
+
+
+@@ -52,6 +46,9 @@ httpMD5(const char *username, /* I - User name */
+ * with the server-supplied nonce value, method, and
+ * request-uri.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. 
Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+
+@@ -61,35 +58,22 @@ httpMD5Final(const char *nonce, /* I - Server nonce value */
+ const char *resource, /* I - Resource path */
+ char md5[33]) /* IO - MD5 sum */
+ {
+- unsigned char sum[16]; /* Sum data */
+- char line[1024]; /* Line of data */
+- char a2[33]; /* Hash of method and resource */
+-
++ (void)nonce;
++ (void)method;
++ (void)resource;
+
+- /*
+- * First compute the MD5 sum of the method and resource...
+- */
++ md5[0] = '\0';
+
+- snprintf(line, sizeof(line), "%s:%s", method, resource);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+- cupsHashString(sum, sizeof(sum), a2, sizeof(a2));
+-
+- /*
+- * Then combine A1 (MD5 of username, realm, and password) with the nonce
+- * and A2 (method + resource) values to get the final MD5 sum for the
+- * request...
+- */
+-
+- snprintf(line, sizeof(line), "%s:%s:%s", md5, nonce, a2);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+ }
+
+
+ /*
+ * 'httpMD5String()' - Convert an MD5 sum to a character string.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+
+@@ -98,5 +82,9 @@ httpMD5String(const unsigned char *sum, /* I - MD5 sum data */
+ char md5[33])
+ /* O - MD5 sum in hex */
+ {
+- return ((char *)cupsHashString(sum, 16, md5, 33));
++ (void)sum;
++
++ md5[0] = '\0';
++
++ return (NULL);
+ }
diff --git a/SPECS/cups.spec b/SPECS/cups.spec
index 42a2eed..c704557 100644
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
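Review bot: The stubbed `httpMD5()`, `httpMD5Final()` and `httpMD5String()` in cups/md5passwd.c now `return (NULL);`, but the added doc comments only say each "produces an empty string", while the removed code returned the `md5` buffer via `cupsHashString()`. A legacy caller that uses the return value therefore gets a null pointer the documentation never mentions; add a line to each comment such as `* Always returns NULL and sets "md5" to an empty string.` so callers know to treat both as authentication failure rather than as a digest. In cups/http-support.c the `_CUPS_DIGESTOPTIONS_DENYMD5` check is added only to the RFC 2069 branch shown in the hunk; the rest of `_httpSetDigestAuthString` is outside it, so whether every other MD5 path is already covered cannot be confirmed from this page.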
@@ -17,7 +17,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 10%{?dist} +Release: 11%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -86,6 +86,15 @@ Patch19: 0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch Patch20: cups-restart-job-hold-until.patch # 2022365 - Annocheck fails due incorrect flags during compilation/linking Patch21: cups-fstack-strong.patch +# 2019842 - Add more warning messages about drivers going deprecated +Patch22: cups-deprecate-drivers.patch +# 2018955 - RFE: Implement IdleExitTimeout configuration during build +Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch +# 2018951 - RFE: Implement TimeoutStartSec configuration during build +Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch +# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5 +Patch25: cups-fips-restrict-md5.patch + ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal @@ -303,6 +312,14 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch20 -p1 -b .restart-hold-job # 2022365 - Annocheck fails due incorrect flags during compilation/linking %patch21 -p1 -b .fstack-strong +# 2019842 - Add more warning messages about drivers going deprecated +%patch22 -p1 -b .deprecate-warnings +# 2018955 - RFE: Implement IdleExitTimeout configuration during build +%patch23 -p1 -b .idleexittimeout +# 2018951 - RFE: Implement TimeoutStartSec configuration during build +%patch24 -p1 -b .conf-timeoutstartsec +# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5 +%patch25 -p1 -b .restrict-md5 %if %{lspp} 
@@ -352,6 +369,10 @@ export LDFLAGS="$LDFLAGS $RPM_LD_FLAGS -Wall -fstack-clash-protection -D_FORTIFY --enable-page-logging \ --with-rundir=%{_rundir}/cups \ --enable-sync-on-close \ +%if 0%{?rhel} + --without-idle-exit-timeout \ + --without-systemd-timeoutstartsec \ +%endif localedir=%{_datadir}/locale # If we got this far, all prerequisite libraries must be here. @@ -402,6 +423,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf touch %{buildroot}%{_sysconfdir}/cups/lpoptions +# deny MD5 digest authentication by default in client.conf +cat > %{buildroot}%{_sysconfdir}/cups/client.conf < /dev/null || echo 'DigestOptions DenyMD5' \ +>> %{_sysconfdir}/cups/client.conf + # Because of moving logs to journal, we need to create placeholder files # at /var/log/cups for users, whose are going to install CUPS on new OS # machine with info message @@ -702,6 +744,18 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Mon Dec 06 2021 Zdenek Dohnal - 1:2.3.3op2-11 +- 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5 + +* Wed Dec 01 2021 Zdenek Dohnal - 1:2.3.3op2-11 +- 2018951 - RFE: Implement TimeoutStartSec configuration during build + +* Mon Nov 29 2021 Zdenek Dohnal - 1:2.3.3op2-11 +- 2018955 - RFE: Implement IdleExitTimeout configuration during build + +* Fri Nov 12 2021 Zdenek Dohnal - 1:2.3.3op2-11 +- 2019842 - Add more warning messages about drivers going deprecated + * Fri Nov 12 2021 Zdenek Dohnal - 1:2.3.3op2-10 - 2022365 - Annocheck fails due incorrect flags during compilation/linking