Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cups for openSUSE:Factory checked in at 2023-09-22 21:47:09

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups (Old)
 and      /work/SRC/openSUSE:Factory/.cups.new.1770 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cups" Fri Sep 22 21:47:09 2023 rev:169 rq:1112570 version:2.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2023-06-23 21:52:09.214470457 +0200 +++ /work/SRC/openSUSE:Factory/.cups.new.1770/cups.changes 2023-09-22 21:47:56.278001388 +0200 @@ -1,0 +2,22 @@ +Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner <jsm...@suse.com> + +- cups-2.4.2-CVE-2023-4504.patch fixes CVE-2023-4504 + "CUPS PostScript Parsing Heap Overflow" + https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h + bsc#1215204 + +------------------------------------------------------------------- +Wed Sep 20 11:55:35 UTC 2023 - Johannes Meixner <jsm...@suse.com> + +- cups-2.4.2-CVE-2023-32360.patch fixes CVE-2023-32360 + "Information leak through Cups-Get-Document operation" + by requiring authentication for CUPS-Get-Document in cupsd.conf + https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 + https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g + bsc#1214254 +- cups-2.4.2-additional_policies.patch is an updated version + of cups-2.0.3-additional_policies.patch that replaces it + to add the 'allowallforanybody' policy to cupsd.conf + after cups-2.4.2-CVE-2023-32360.patch was applied + +------------------------------------------------------------------- Old: ---- cups-2.0.3-additional_policies.patch New: ---- cups-2.4.2-CVE-2023-32360.patch cups-2.4.2-CVE-2023-4504.patch cups-2.4.2-additional_policies.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.aE0rr0/_old 2023-09-22 21:47:58.486081548 +0200 +++ /var/tmp/diff_new_pack.aE0rr0/_new 2023-09-22 21:47:58.490081693 +0200 
@@ -80,9 +80,6 @@ # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream: # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE: Patch100: cups-pam.diff -# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf -# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 -Patch101: cups-2.0.3-additional_policies.patch # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch # reverts the change which was added by Michael Sweet in Jan 2007 # which strips the word "recommended" from NickName in PPDs because @@ -112,6 +109,19 @@ # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25 # https://bugzilla.suse.com/show_bug.cgi?id=1212230 Patch110: cups-2.4.2-CVE-2023-34241.patch +# Patch111 cups-2.4.2-CVE-2023-32360.patch +# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation" +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g +# https://bugzilla.suse.com/show_bug.cgi?id=1214254 +Patch111: cups-2.4.2-CVE-2023-32360.patch +# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf +# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 +Patch112: cups-2.4.2-additional_policies.patch +# Patch113 cups-2.4.2-CVE-2023-4504.patch +# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow" +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h +# https://bugzilla.suse.com/show_bug.cgi?id=1215204 +Patch113: cups-2.4.2-CVE-2023-4504.patch # Build Requirements: BuildRequires: dbus-1-devel BuildRequires: fdupes 
@@ -317,9 +327,6 @@ # Patch100...Patch999 is for private patches from SUSE which are not intended for upstream: # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE: %patch100 -b cups-pam.orig -# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf -# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 -%patch101 -b additional_policies.orig # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch # reverts the change which was added by Michael Sweet in Jan 2007 # which strips the word "recommended" from NickName in PPDs because @@ -349,6 +356,19 @@ # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25 # https://bugzilla.suse.com/show_bug.cgi?id=1212230 %patch110 -b cups-2.4.2-CVE-2023-34241.orig +# Patch111 cups-2.4.2-CVE-2023-32360.patch +# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation" +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g +# https://bugzilla.suse.com/show_bug.cgi?id=1214254 +%patch111 -b cups-2.4.2-CVE-2023-32360.orig +# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf +# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309 +%patch112 -b cups-2.4.2-additional_policies.orig +# Patch113 cups-2.4.2-CVE-2023-4504.patch +# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow" +# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h +# https://bugzilla.suse.com/show_bug.cgi?id=1215204 +%patch113 -b cups-2.4.2-CVE-2023-4504.orig %build # Remove ".SILENT" rule for verbose build output ++++++ cups-2.4.2-CVE-2023-32360.patch ++++++ --- conf/cupsd.conf.in.orig 2022-05-26 08:17:21.000000000 +0200 +++ conf/cupsd.conf.in 2023-09-20 13:39:53.316719260 +0200 
@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@ Order deny,allow </Limit> - <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> + <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job> + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> + + # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents: + <Limit CUPS-Get-Document> + AuthType Default Require user @OWNER @SYSTEM Order deny,allow </Limit> ++++++ cups-2.4.2-CVE-2023-4504.patch ++++++ --- cups/raster-interpret.c.orig 2022-05-26 08:17:21.000000000 +0200 +++ cups/raster-interpret.c 2023-09-20 14:56:44.666363324 +0200 @@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st, /* I - S cur ++; + /* + * Return NULL if we reached NULL terminator, a lone backslash + * is not a valid character in PostScript. + */ + + if (!*cur) + { + *ptr = NULL; + + return (NULL); + } + if (*cur == 'b') *valptr++ = '\b'; else if (*cur == 'f') ++++++ cups-2.0.3-additional_policies.patch -> cups-2.4.2-additional_policies.patch ++++++ --- /work/SRC/openSUSE:Factory/cups/cups-2.0.3-additional_policies.patch 2015-07-16 17:15:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cups.new.1770/cups-2.4.2-additional_policies.patch 2023-09-22 21:47:56.258000662 +0200 
@@ -1,6 +1,6 @@ ---- conf/cupsd.conf.in.orig 2014-04-02 18:52:53.000000000 +0200 -+++ conf/cupsd.conf.in 2015-07-01 14:39:58.000000000 +0200 -@@ -127,3 +127,45 @@ WebInterface @CUPS_WEBIF@ +--- conf/cupsd.conf.in.CVE-2023-32360.patched 2023-09-20 13:39:53.316719260 +0200 ++++ conf/cupsd.conf.in 2023-09-20 13:46:48.474661749 +0200 +@@ -196,3 +196,45 @@ IdleExitTimeout @EXIT_TIMEOUT@ Order deny,allow </Limit> </Policy> @@ -15,7 +15,7 @@ +# print jobs from an internal network to any external destination, see +# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell +# For documentation regarding 'Managing Operation Policies' see -+# http://www.cups.org/documentation.php/doc-1.7/policies.html ++# https://openprinting.github.io/cups/doc/policies.html +<Policy allowallforanybody> + # Allow anybody to access job's private values: + JobPrivateAccess all
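Review bot: the comment on `Patch112: cups-2.4.2-additional_policies.patch` in the cups.spec hunk does not record why the policy patch moved from Patch101 to Patch112: it now has to be applied after Patch111, because the rebased patch is made against the already CVE-2023-32360-patched template (its header reads `--- conf/cupsd.conf.in.CVE-2023-32360.patched`). Suggest extending the comment, e.g. `# must be applied after Patch111 cups-2.4.2-CVE-2023-32360.patch`, and mirroring it at `%patch112 -b cups-2.4.2-additional_policies.orig` in %prep, so a future reordering of the patch list does not break the build.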
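Review bot: the new `<Limit CUPS-Get-Document>` block with `AuthType Default` in the cups-2.4.2-CVE-2023-32360.patch hunk only changes the conf/cupsd.conf.in template, so a cupsd.conf that already exists on a system being upgraded keeps the old combined Limit and remains exposed to the information leak. The changelog or a README note should tell administrators to merge the new block into their existing cupsd.conf (or state how the package handles an existing configuration), otherwise the fix reaches only fresh installations.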
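Review bot: in the cups/raster-interpret.c hunk the NUL check added after `cur ++` stops the escape handling from reading past the end of the string, but it also sets `*ptr = NULL` before `return (NULL)`; the callers of scan_ps should be checked to confirm they treat a NULL `*ptr` as end of input rather than dereferencing it. A regression case with a PostScript string that ends in an unescaped backslash belongs in the raster unit tests so this path stays covered.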
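Review bot: the rename from cups-2.0.3-additional_policies.patch to cups-2.4.2-additional_policies.patch changes only the patch header (line numbers 127 to 196 and the `.CVE-2023-32360.patched` base name) and the documentation URL, now https://openprinting.github.io/cups/doc/policies.html; the policy body itself is unchanged. The `allowallforanybody` policy therefore is not affected by the new CUPS-Get-Document restriction in the default policy, which is consistent with its stated purpose (`JobPrivateAccess all`), but a comment in the policy text saying that the CVE-2023-32360 restriction deliberately does not apply here would make clear to an administrator what enabling this policy exposes.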