Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cups for openSUSE:Factory checked in 
at 2023-09-22 21:47:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups (Old)
 and      /work/SRC/openSUSE:Factory/.cups.new.1770 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cups"

Fri Sep 22 21:47:09 2023 rev:169 rq:1112570 version:2.4.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/cups/cups.changes        2023-06-23 
21:52:09.214470457 +0200
+++ /work/SRC/openSUSE:Factory/.cups.new.1770/cups.changes      2023-09-22 
21:47:56.278001388 +0200
@@ -1,0 +2,22 @@
+Wed Sep 20 13:01:03 UTC 2023 - Johannes Meixner <jsm...@suse.com>
+
+- cups-2.4.2-CVE-2023-4504.patch fixes CVE-2023-4504
+  "CUPS PostScript Parsing Heap Overflow"
+  https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+  bsc#1215204
+
+-------------------------------------------------------------------
+Wed Sep 20 11:55:35 UTC 2023 - Johannes Meixner <jsm...@suse.com>
+
+- cups-2.4.2-CVE-2023-32360.patch fixes CVE-2023-32360
+  "Information leak through Cups-Get-Document operation"
+  by requiring authentication for CUPS-Get-Document in cupsd.conf
+  
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
+  https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+  bsc#1214254
+- cups-2.4.2-additional_policies.patch is an updated version
+  of cups-2.0.3-additional_policies.patch that replaces it
+  to add the 'allowallforanybody' policy to cupsd.conf
+  after cups-2.4.2-CVE-2023-32360.patch was applied
+
+-------------------------------------------------------------------

Old:
----
  cups-2.0.3-additional_policies.patch

New:
----
  cups-2.4.2-CVE-2023-32360.patch
  cups-2.4.2-CVE-2023-4504.patch
  cups-2.4.2-additional_policies.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cups.spec ++++++
--- /var/tmp/diff_new_pack.aE0rr0/_old  2023-09-22 21:47:58.486081548 +0200
+++ /var/tmp/diff_new_pack.aE0rr0/_new  2023-09-22 21:47:58.490081693 +0200
@@ -80,9 +80,6 @@
 # Patch100...Patch999 is for private patches from SUSE which are not intended 
for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 Patch100:       cups-pam.diff
-# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' 
policy to cupsd.conf
-# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-Patch101:       cups-2.0.3-additional_policies.patch
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
@@ -112,6 +109,19 @@
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 Patch110:       cups-2.4.2-CVE-2023-34241.patch
+# Patch111 cups-2.4.2-CVE-2023-32360.patch
+# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+# https://bugzilla.suse.com/show_bug.cgi?id=1214254
+Patch111:       cups-2.4.2-CVE-2023-32360.patch
+# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' 
policy to cupsd.conf
+# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
+Patch112:       cups-2.4.2-additional_policies.patch
+# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+Patch113:       cups-2.4.2-CVE-2023-4504.patch
 # Build Requirements:
 BuildRequires:  dbus-1-devel
 BuildRequires:  fdupes
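Review bot: the Patch112 comment should state that cups-2.4.2-additional_policies.patch is a rebase onto the cupsd.conf.in produced by Patch111 and therefore has to stay after it; the numbering enforces that order today, but nothing in the comment warns the next person who reorders or drops Patch111. A line such as `# Patch112 must be applied after Patch111 (rebased on top of cups-2.4.2-CVE-2023-32360.patch)` next to the existing FATE/bugzilla references would make the dependency explicit.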
@@ -317,9 +327,6 @@
 # Patch100...Patch999 is for private patches from SUSE which are not intended 
for upstream:
 # Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
 %patch100 -b cups-pam.orig
-# Patch101 cups-2.0.3-additional_policies.patch adds the 'allowallforanybody' 
policy to cupsd.conf
-# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
-%patch101 -b additional_policies.orig
 # Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
 # reverts the change which was added by Michael Sweet in Jan 2007
 # which strips the word "recommended" from NickName in PPDs because
@@ -349,6 +356,19 @@
 # https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
 # https://bugzilla.suse.com/show_bug.cgi?id=1212230
 %patch110 -b cups-2.4.2-CVE-2023-34241.orig
+# Patch111 cups-2.4.2-CVE-2023-32360.patch
+# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
+# https://bugzilla.suse.com/show_bug.cgi?id=1214254
+%patch111 -b cups-2.4.2-CVE-2023-32360.orig
+# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' 
policy to cupsd.conf
+# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
+%patch112 -b cups-2.4.2-additional_policies.orig
+# Patch113 cups-2.4.2-CVE-2023-4504.patch
+# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
+# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
+# https://bugzilla.suse.com/show_bug.cgi?id=1215204
+%patch113 -b cups-2.4.2-CVE-2023-4504.orig
 
 %build
 # Remove ".SILENT" rule for verbose build output




++++++ cups-2.4.2-CVE-2023-32360.patch ++++++
--- conf/cupsd.conf.in.orig     2022-05-26 08:17:21.000000000 +0200
+++ conf/cupsd.conf.in  2023-09-20 13:39:53.316719260 +0200
@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
     Order deny,allow
   </Limit>
 
-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs 
Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job 
CUPS-Get-Document>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs 
Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Require authentication for CUPS-Get-Document otherwise unauthenticated 
users could access print job documents:
+  <Limit CUPS-Get-Document>
+    AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
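Review bot: the new `<Limit CUPS-Get-Document>` block with `AuthType Default` lands only in the template conf/cupsd.conf.in, so a host whose /etc/cups/cupsd.conf predates this update keeps the old combined Limit in which, as the added comment says, unauthenticated users could access print job documents. A sentence in cups.changes telling administrators to check their cupsd.conf for a separate CUPS-Get-Document Limit, and to add this block if it is missing, would close that gap. Splitting the operation out of the shared Limit is otherwise the right shape: the other operations keep `Require user @OWNER @SYSTEM` and `Order deny,allow` unchanged.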

++++++ cups-2.4.2-CVE-2023-4504.patch ++++++
--- cups/raster-interpret.c.orig        2022-05-26 08:17:21.000000000 +0200
+++ cups/raster-interpret.c     2023-09-20 14:56:44.666363324 +0200
@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st,            /* I  - S
 
            cur ++;
 
+          /*
+           * Return NULL if we reached NULL terminator, a lone backslash
+           * is not a valid character in PostScript.
+           */
+
+           if (!*cur)
+           {
+             *ptr = NULL;
+
+             return (NULL);
+           }
+
             if (*cur == 'b')
              *valptr++ = '\b';
            else if (*cur == 'f')
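Review bot: the check is placed correctly, after `cur ++` and before any branch dereferences `*cur`, so a string ending in a lone backslash now fails the scan instead of reading past the end of the buffer. Two small points: the comment should say NUL terminator rather than NULL terminator (NULL is the pointer being returned), and the hunk ends at `else if (*cur == 'f')`, so the remaining escape branches are not shown; any branch below that consumes more than one byte after the backslash needs its own terminator check, which should be confirmed before merging.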

++++++ cups-2.0.3-additional_policies.patch -> 
cups-2.4.2-additional_policies.patch ++++++
--- /work/SRC/openSUSE:Factory/cups/cups-2.0.3-additional_policies.patch        
2015-07-16 17:15:21.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.cups.new.1770/cups-2.4.2-additional_policies.patch  
    2023-09-22 21:47:56.258000662 +0200
@@ -1,6 +1,6 @@
---- conf/cupsd.conf.in.orig    2014-04-02 18:52:53.000000000 +0200
-+++ conf/cupsd.conf.in 2015-07-01 14:39:58.000000000 +0200
-@@ -127,3 +127,45 @@ WebInterface @CUPS_WEBIF@
+--- conf/cupsd.conf.in.CVE-2023-32360.patched  2023-09-20 13:39:53.316719260 
+0200
++++ conf/cupsd.conf.in 2023-09-20 13:46:48.474661749 +0200
+@@ -196,3 +196,45 @@ IdleExitTimeout @EXIT_TIMEOUT@
      Order deny,allow
    </Limit>
  </Policy>
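Review bot: the rebased patch header names `conf/cupsd.conf.in.CVE-2023-32360.patched` on the `---` side and `conf/cupsd.conf.in` on the `+++` side; the former is a name from the maintainer's working copy that does not exist in the build tree, so the patch applies only because patch picks the name that exists on disk. Regenerate it against `conf/cupsd.conf.in.orig`, as cups-2.4.2-CVE-2023-32360.patch and cups-2.4.2-CVE-2023-4504.patch do, and keep the shifted hunk offset (`@@ -196,3 +196,45 @@` after the Patch111 insertion), which is the real content of the rebase.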
@@ -15,7 +15,7 @@
 +# print jobs from an internal network to any external destination, see
 +# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
 +# For documentation regarding 'Managing Operation Policies' see
-+# http://www.cups.org/documentation.php/doc-1.7/policies.html
++# https://openprinting.github.io/cups/doc/policies.html
 +<Policy allowallforanybody>
 +  # Allow anybody to access job's private values:
 +  JobPrivateAccess all
