--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package cups; it polishes the fix for one security bug
(STR#4223, CVE-2012-5519, #692791, privilege escalation) and one
important bug (#697970, usb quirk).
Here's the changelog:
cups (1.5.3-2.16) unstable; urgency=low
.
* Backport upstream documentation fix for STR#4223 "lpadmin to root
privilege escalation"
* Correct usb-backend quirk for Epson Stylus Photo 750, thanks to
Denis Prost (Closes: #697970)
debdiff is attached, thanks in advance, cheers!
OdyX
unblock cups/1.5.3-2.16
diff -Nru cups-1.5.3/debian/changelog cups-1.5.3/debian/changelog
--- cups-1.5.3/debian/changelog 2013-02-27 12:59:38.000000000 +0100
+++ cups-1.5.3/debian/changelog 2013-03-11 18:32:38.000000000 +0100
@@ -1,3 +1,12 @@
+cups (1.5.3-2.16) unstable; urgency=low
+
+ * Backport upstream documentation fix for STR#4223 "lpadmin to root
+ privilege escalation"
+ * Correct usb-backend quirk for Epson Stylus Photo 750, thanks to
+ Denis Prost (Closes: #697970)
+
+ -- Didier Raboud <o...@debian.org> Mon, 11 Mar 2013 10:18:37 +0100
+
cups (1.5.3-2.15) unstable; urgency=low
[ Till Kamppeter ]
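Review bot: The first bullet of the new 1.5.3-2.16 entry names STR#4223 but not CVE-2012-5519 or #692791, both of which the unblock request cites for the same bug; adding the CVE id to that bullet would let the entry be matched to the security issue by identifier. The second bullet says the Epson quirk was corrected without saying how. The patch further down adds USBLP_QUIRK_NO_REATTACH to the 0x04b8/0x0001 entry, and naming that flag in the bullet would make the entry self-explanatory.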
diff -Nru cups-1.5.3/debian/patches/split-configuration-files-STR4223.patch cups-1.5.3/debian/patches/split-configuration-files-STR4223.patch
--- cups-1.5.3/debian/patches/split-configuration-files-STR4223.patch 2013-01-20 17:20:11.000000000 +0100
+++ cups-1.5.3/debian/patches/split-configuration-files-STR4223.patch 2013-03-11 18:32:38.000000000 +0100
@@ -230,7 +230,7 @@
man/cupsd.conf.man
--- /dev/null
+++ b/doc/help/ref-cups-files-conf.html.in
-@@ -0,0 +1,531 @@
+@@ -0,0 +1,513 @@
+<HTML>
+<!-- SECTION: References -->
+<HEAD>
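Review bot: No hunk against split-configuration-files-STR4223.patch touches its header (the first one shown starts at line 230), so the patch file does not record that its documentation part was refreshed from upstream, whereas the usb-backend patch in this same debdiff bumps its Last-Update field. If this patch carries the same header fields, updating Last-Update and noting the upstream source of the documentation change would keep its provenance traceable. The embedded count change from 531 to 513 lines is consistent with the 18 DefaultAuthType lines dropped in the next hunk.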
@@ -307,24 +307,6 @@
+for data files.</P>
+
+
-+<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.2/OS X 10.5</SPAN><A NAME="DefaultAuthType">DefaultAuthType</A></H2>
-+
-+<H3>Examples</H3>
-+
-+<PRE CLASS="command">
-+DefaultAuthType Basic
-+DefaultAuthType BasicDigest
-+DefaultAuthType Digest
-+DefaultAuthType Negotiate
-+</PRE>
-+
-+<H3>Description</H3>
-+
-+<P>The <CODE>DefaultAuthType</CODE> directive specifies the type
-+of authentication to use for IPP operations that require a
-+username. The default is <CODE>Basic</CODE>.</P>
-+
-+
+<H2 CLASS="title"><A NAME="DocumentRoot">DocumentRoot</A></H2>
+
+<H3>Examples</H3>
@@ -764,7 +746,44 @@
+</HTML>
--- a/doc/help/ref-cupsd-conf.html.in
+++ b/doc/help/ref-cupsd-conf.html.in
-@@ -191,82 +191,6 @@
+@@ -43,36 +43,6 @@
+ automatically handles restarting the scheduler.</P>
+
+
+-<H2 CLASS="title"><A NAME="AccessLog">AccessLog</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-AccessLog /var/log/cups/access_log
+-AccessLog /var/log/cups/access_log-%s
+-AccessLog syslog
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>AccessLog</CODE> directive sets the name of the
+-access log file. If the filename is not absolute then it is
+-assumed to be relative to the <A
+-HREF="#ServerRoot"><CODE>ServerRoot</CODE></A> directory. The
+-access log file is stored in "common log format" and can be used
+-by any web access reporting tool to generate a report on CUPS
+-server activity.</P>
+-
+-<P>The server name can be included in the filename by using
+-<CODE>%s</CODE> in the name.</P>
+-
+-<P>The special name "syslog" can be used to send the access
+-information to the system log instead of a plain file.</P>
+-
+-<P>The default access log file is
+-<VAR>@CUPS_LOGDIR@/access_log</VAR>.</P>
+-
+-
+ <H2 CLASS="title"><A NAME="AccessLogLevel">AccessLogLevel</A></H2>
+
+ <H3>Examples</H3>
+@@ -191,82 +161,6 @@
HREF="#Limit"><CODE>Limit</CODE></A> section.</P>
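Review bot: Removing the AccessLog section from ref-cupsd-conf.html.in also removes its A NAME="AccessLog" anchor, so any HREF="#AccessLog" left elsewhere in that file would now point nowhere. Later hunks retarget "#ServerRoot" in the Include section and "#ErrorLog" in the LogLevel section to ref-cups-files-conf.html. The same check is worth running for every anchor this patch removes (AccessLog, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice, FontPath, Group, LogFilePerm, PageLog), since those two retargets are the only ones visible in this debdiff.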
@@ -847,7 +866,317 @@
<H2 CLASS="title"><A NAME="AuthType">AuthType</A></H2>
<H3>Examples</H3>
-@@ -2544,65 +2468,6 @@
+@@ -898,40 +792,6 @@
+ <P>The default is to not allow classification overrides.</P>
+
+
+-<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.15</SPAN><A NAME="ConfigFilePerm">ConfigFilePerm</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-ConfigFilePerm 0644
+-ConfigFilePerm 0640
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>ConfigFilePerm</CODE> directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.</P>
+-
+-<BLOCKQUOTE><B>Note:</B>
+-
+-<P>The permissions for the <VAR>printers.conf</VAR> file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.</P>
+-
+-</BLOCKQUOTE>
+-
+-
+-<H2 CLASS="title"><A NAME="DataDir">DataDir</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-DataDir /usr/share/cups
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>DataDir</CODE> directive sets the directory to use
+-for data files.</P>
+-
+-
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.2/Mac OS X 10.5</SPAN><A NAME="DefaultAuthType">DefaultAuthType</A></H2>
+
+ <H3>Examples</H3>
+@@ -1113,32 +973,6 @@
+ milliseconds.</P>
+
+
+-<H2 CLASS="title"><A NAME="DocumentRoot">DocumentRoot</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-DocumentRoot /usr/share/doc/cups
+-DocumentRoot /foo/bar/doc/cups
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>DocumentRoot</CODE> directive specifies the location
+-of web content for the HTTP server in CUPS. If an absolute path
+-is not specified then it is assumed to be relative to the <A
+-HREF="#ServerRoot"><CODE>ServerRoot</CODE></A> directory. The
+-default directory is <VAR>@CUPS_DOCROOT@</VAR>.</P>
+-
+-<P>Documents are first looked up in a sub-directory for the
+-primary language requested by the client (e.g.
+-<VAR>@CUPS_DOCROOT@/fr/...</VAR>) and then directly under
+-the <CODE>DocumentRoot</CODE> directory (e.g.
+-<VAR>@CUPS_DOCROOT@/...</VAR>), so it is possible to
+-localize the web content by providing subdirectories for each
+-language needed.</P>
+-
+-
+ <H2 CLASS="title"><A NAME="Encryption">Encryption</A></H2>
+
+ <H3>Examples</H3>
+@@ -1161,31 +995,6 @@
+ <CODE>IfRequested</CODE> for all locations.</P>
+
+
+-<H2 CLASS="title"><A NAME="ErrorLog">ErrorLog</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-ErrorLog /var/log/cups/error_log
+-ErrorLog /var/log/cups/error_log-%s
+-ErrorLog syslog
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>ErrorLog</CODE> directive sets the name of the error
+-log file. If the filename is not absolute then it is assumed to
+-be relative to the <A
+-HREF="#ServerRoot"><CODE>ServerRoot</CODE></A> directory. The
+-default error log file is <VAR>@CUPS_LOGDIR@/error_log</VAR>.</P>
+-
+-<P>The server name can be included in the filename by using
+-<CODE>%s</CODE> in the name.</P>
+-
+-<P>The special name "syslog" can be used to send the error
+-information to the system log instead of a plain file.</P>
+-
+-
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.3/Mac OS X 10.5</SPAN><A NAME="ErrorPolicy">ErrorPolicy</A></H2>
+
+ <H3>Examples</H3>
+@@ -1225,90 +1034,6 @@
+
+
+
+-<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.4/Mac OS X 10.6</SPAN><A NAME="FatalErrors">FatalErrors</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-FatalErrors none
+-FatalErrors all
+-FatalErrors browse
+-FatalErrors config
+-FatalErrors listen
+-FatalErrors log
+-FatalErrors permissions
+-FatalErrors all -permissions
+-FatalErrors config permissions log
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>FatalErrors</CODE> directive determines whether certain kinds of
+-errors are fatal. The following kinds of errors are currently recognized:</P>
+-
+-<UL>
+-
+- <LI><CODE>none</CODE> - No errors are fatal</LI>
+-
+- <LI><CODE>all</CODE> - All of the errors below are fatal</LI>
+-
+- <LI><CODE>browse</CODE> - Browsing initialization errors are fatal,
+- for example failed binding to the CUPS browse port or failed connections
+- to LDAP servers</LI>
+-
+- <LI><CODE>config</CODE> - Configuration file syntax errors are
+- fatal</LI>
+-
+- <LI><CODE>listen</CODE> - Listen or Port errors are fatal, except for
+- IPv6 failures on the loopback or "any" addresses</LI>
+-
+- <LI><CODE>log</CODE> - Log file creation or write errors are fatal</LI>
+-
+- <LI><CODE>permissions</CODE> - Bad startup file permissions are
+- fatal, for example shared SSL certificate and key files with world-
+- read permissions</LI>
+-
+-</UL>
+-
+-<P>Multiple errors can be listed, and the form "-kind" can be used with
+-<CODE>all</CODE> to remove specific kinds of errors. The default setting is
+-<CODE>@CUPS_FATAL_ERRORS@</CODE>.</P>
+-
+-
+-<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.18</SPAN><A NAME="FileDevice">FileDevice</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-FileDevice Yes
+-FileDevice No
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>FileDevice</CODE> directive determines whether the
+-scheduler allows new printers to be added using device URIs of
+-the form <CODE>file:/filename</CODE>. File devices are most often
+-used to test new printer drivers and do not support raw file
+-printing.</P>
+-
+-<P>The default setting is <CODE>No</CODE>.</P>
+-
+-<BLOCKQUOTE><B>Note:</B>
+-
+-<P>File devices are managed by the scheduler. Since the
+-scheduler normally runs as the root user, file devices
+-can be used to overwrite system files and potentially
+-gain unauthorized access to the system. If you must
+-create printers using file devices, we recommend that
+-you set the <CODE>FileDevice</CODE> directive to
+-<CODE>Yes</CODE> for only as long as you need to add the
+-printers to the system, and then reset the directive to
+-<CODE>No</CODE>.</P>
+-
+-</BLOCKQUOTE>
+-
+-
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.3</SPAN><A NAME="FilterLimit">FilterLimit</A></H2>
+
+ <H3>Examples</H3>
+@@ -1353,39 +1078,6 @@
+ is 0.</P>
+
+
+-<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.3</SPAN><A NAME="FontPath">FontPath</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-FontPath /foo/bar/fonts
+-FontPath /usr/share/cups/fonts:/foo/bar/fonts
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>FontPath</CODE> directive specifies the font path to
+-use when searching for fonts. The default font path is
+-<CODE>/usr/share/cups/fonts</CODE>.</P>
+-
+-
+-<H2 CLASS="title"><A NAME="Group">Group</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-Group lp
+-Group nobody
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>Group</CODE> directive specifies the UNIX group that
+-filter and CGI programs run as. The default group is
+-system-specific but is usually <CODE>lp</CODE> or
+-<CODE>nobody</CODE>.</P>
+-
+-
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.10</SPAN><A NAME="HideImplicitMembers">HideImplicitMembers</A></H2>
+
+ <H3>Examples</H3>
+@@ -1484,7 +1176,7 @@
+ <P>The <CODE>Include</CODE> directive includes the named file in
+ the <CODE>cupsd.conf</CODE> file. If no leading path is provided,
+ the file is assumed to be relative to the <A
+-HREF="#ServerRoot"><CODE>ServerRoot</CODE></A> directory.</P>
++HREF="ref-cups-files-conf.html#ServerRoot"><CODE>ServerRoot</CODE></A> directory.</P>
+
+
+ <H2 CLASS="title"><SPAN CLASS="info">CUPS 1.5</SPAN><A NAME="JobPrivateAccess">JobPrivateAccess</A></H2>
+@@ -2030,22 +1722,6 @@
+ disables debugging history entirely and is not recommended.</P>
+
+
+-<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.15</SPAN><A NAME="LogFilePerm">LogFilePerm</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-LogFilePerm 0644
+-LogFilePerm 0600
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>LogFilePerm</CODE> directive specifies the
+-permissions to use when writing log files. The default
+-is @CUPS_LOG_FILE_PERM@.</P>
+-
+-
+ <H2 CLASS="title"><A NAME="LogLevel">LogLevel</A></H2>
+
+ <H3>Examples</H3>
+@@ -2066,7 +1742,7 @@
+ <H3>Description</H3>
+
+ <P>The <CODE>LogLevel</CODE> directive specifies the level of
+-logging for the <A HREF="#ErrorLog"><CODE>ErrorLog</CODE></A>
++logging for the <A HREF="ref-cups-files-conf.html#ErrorLog"><CODE>ErrorLog</CODE></A>
+ file. The following values are recognized (each level logs
+ everything under the preceding levels):</P>
+
+@@ -2350,31 +2026,6 @@
+ HREF="#Limit"><CODE>Limit</CODE></A> section.</P>
+
+
+-<H2 CLASS="title"><A NAME="PageLog">PageLog</A></H2>
+-
+-<H3>Examples</H3>
+-
+-<PRE CLASS="command">
+-PageLog /var/log/cups/page_log
+-PageLog /var/log/cups/page_log-%s
+-PageLog syslog
+-</PRE>
+-
+-<H3>Description</H3>
+-
+-<P>The <CODE>PageLog</CODE> directive sets the name of the page
+-log file. If the filename is not absolute then it is assumed to
+-be relative to the <A
+-HREF="#ServerRoot"><CODE>ServerRoot</CODE></A> directory. The
+-default page log file is <VAR>@CUPS_LOGDIR@/page_log</VAR>.</P>
+-
+-<P>The server name can be included in the filename by using
+-<CODE>%s</CODE> in the name.</P>
+-
+-<P>The special name "syslog" can be used to send the page
+-information to the system log instead of a plain file.</P>
+-
+-
+ <H2 CLASS="title"><A NAME="PageLogFormat">PageLogFormat</A></H2>
+
+ <H3>Examples</H3>
+@@ -2544,65 +2195,6 @@
files as soon as each job is completed, canceled, or aborted.</P>
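Review bot: The FileDevice and ConfigFilePerm sections removed from ref-cupsd-conf.html.in in this hunk each carry a security note (file devices letting a scheduler that runs as root overwrite system files; printers.conf always being masked to the scheduler user), and this debdiff shows only their removal. Confirm that both BLOCKQUOTE notes are present unchanged in ref-cups-files-conf.html.in, so that moving the directives does not drop the warnings from the installed documentation.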
@@ -913,7 +1242,7 @@
<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.21</SPAN><A NAME="ReloadTimeout">ReloadTimeout</A></H2>
<H3>Examples</H3>
-@@ -2619,42 +2484,6 @@
+@@ -2619,42 +2211,6 @@
before doing a restart. The default is 30 seconds.</P>
@@ -956,7 +1285,7 @@
<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.7</SPAN><A NAME="Require">Require</A></H2>
<H3>Examples</H3>
-@@ -2806,64 +2635,6 @@
+@@ -2806,64 +2362,6 @@
</BLOCKQUOTE>
@@ -1021,7 +1350,7 @@
<H2 CLASS="title"><A NAME="ServerName">ServerName</A></H2>
<H3>Examples</H3>
-@@ -2880,23 +2651,6 @@
+@@ -2880,23 +2378,6 @@
hostname.</P>
@@ -1045,7 +1374,7 @@
<H2 CLASS="title"><SPAN CLASS="info">CUPS 1.1.21</SPAN><A NAME="ServerTokens">ServerTokens</A></H2>
<H3>Examples</H3>
-@@ -3075,53 +2829,6 @@
+@@ -3075,53 +2556,6 @@
HREF="#Policy"><CODE>Policy</CODE></A> section.</P>
@@ -1099,7 +1428,7 @@
<H2 CLASS="title"><A NAME="Timeout">Timeout</A></H2>
<H3>Examples</H3>
-@@ -3138,53 +2845,6 @@
+@@ -3138,53 +2572,6 @@
default timeout is 300 seconds.</P>
diff -Nru cups-1.5.3/debian/patches/usb-backend-epson-stylus-photo-750.patch cups-1.5.3/debian/patches/usb-backend-epson-stylus-photo-750.patch
--- cups-1.5.3/debian/patches/usb-backend-epson-stylus-photo-750.patch 2013-02-24 16:32:09.000000000 +0100
+++ cups-1.5.3/debian/patches/usb-backend-epson-stylus-photo-750.patch 2013-03-11 18:32:38.000000000 +0100
@@ -1,15 +1,16 @@
Description: USB backend quirk rule for Epson Stylus Photo 750 (and maybe others)
Author: Didier Raboud <o...@debian.org>
Bugs-Debian: http://bugs.debian.org/697970
-Last-Update: 2013-02-14
+Last-Update: 2013-03-11
--- a/backend/usb-libusb.c
+++ b/backend/usb-libusb.c
-@@ -167,6 +167,8 @@
+@@ -167,6 +167,9 @@
https://bugs.launchpad.net/bugs/872483 */
{ 0x06bc, 0x01c7, USBLP_QUIRK_NO_REATTACH }, /* Oki Data Corp. B410d,
https://bugs.launchpad.net/bugs/872483 */
-+ { 0x04b8, 0x0001, USBLP_QUIRK_BIDIR }, /* Seiko Epson Corp. Stylus Color 740 / Photo 750,
++ { 0x04b8, 0x0001, USBLP_QUIRK_BIDIR |
++ USBLP_QUIRK_NO_REATTACH }, /* Seiko Epson Corp. Stylus Color 740 / Photo 750,
+ http://bugs.debian.org/697970 */
{ 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt
Printer M129C */
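Review bot: Adding USBLP_QUIRK_NO_REATTACH to the { 0x04b8, 0x0001 } entry changes behaviour for every device reporting that ID pair, and the entry's own comment lists both the Stylus Color 740 and the Photo 750, while the patch Description speaks of the Photo 750 "and maybe others" without saying which were tested. A line in the Description stating why the flag is needed and on which model it was verified would help. The Last-Update bump and the inner hunk count (167,6 to 167,9 for three added lines) are otherwise consistent.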
--- End Message ---