[gentoo-commits] repo/gentoo:master commit in: net-print/libcupsfilters/, net-print/libcupsfilters/files/

[Sam James]

commit:     429f7f1f7ec1dd9e83c4b556e829f95f9e8c50f4
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 26 22:12:07 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Sep 26 22:12:07 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=429f7f1f

net-print/libcupsfilters: add 2.1_beta1

Similar rationale to 7eba3af91f1fd96ebb7491890479e7aef6c649ac in terms
of why a beta.

Bug: https://bugs.gentoo.org/940312
Bug: https://bugs.gentoo.org/940311
Bug: https://bugs.gentoo.org/940313
Bug: https://bugs.gentoo.org/940314
Bug: https://bugs.gentoo.org/940315
Bug: https://bugs.gentoo.org/940316
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-print/libcupsfilters/Manifest                  |  1 +
 .../libcupsfilters-2.1_beta1-CVE-2024-47076.patch  | 31 +++++++++
 .../libcupsfilters/libcupsfilters-2.1_beta1.ebuild | 75 ++++++++++++++++++++++
 3 files changed, 107 insertions(+)

diff --git a/net-print/libcupsfilters/Manifest 
b/net-print/libcupsfilters/Manifest
index 9145aecf6f6d..0ebcb3991370 100644
--- a/net-print/libcupsfilters/Manifest
+++ b/net-print/libcupsfilters/Manifest
@@ -1 +1,2 @@
 DIST libcupsfilters-2.0.0.tar.xz 1279856 BLAKE2B 
ce9d839bb700017c303c1301c7a97fd02e3657a908e685377be49557d995574a7fc5a31d4fcbda5eeb9ba2d3cd07858224540dbf0bc9fa078cfd25a58ee15a41
 SHA512 
279bff6dcfa76312b10dae97480914345defd90eab79c4716d4553870f73e0f9db404786fd7e2948a86ae5aedb10dca0c2984ccb4222acbd4e835cd572030d6a
+DIST libcupsfilters-2.1b1.tar.xz 1443976 BLAKE2B 
043174e47c6c5de5393cfb4d6f41e3839646932cff42cf677319b2ea22fe8408fbf1d1edfb3b99c1d2c36916a92993069a40ed5f75552d47d88300e283b6aa84
 SHA512 
5b0cd2472f54188dda13b091f82b257ba926e12065c225ddbde9cab97597baa6d855f09d7352b7d7ee4af8416fc9c3ddb3c75e0c6a0a201b366d047abe47ecef

diff --git 
a/net-print/libcupsfilters/files/libcupsfilters-2.1_beta1-CVE-2024-47076.patch 
b/net-print/libcupsfilters/files/libcupsfilters-2.1_beta1-CVE-2024-47076.patch
new file mode 100644
index 000000000000..016d086ea2b1
--- /dev/null
+++ 
b/net-print/libcupsfilters/files/libcupsfilters-2.1_beta1-CVE-2024-47076.patch
@@ -0,0 +1,31 @@
+https://bugs.gentoo.org/940313
+https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018
+
+From 95576ec3d20c109332d14672a807353cdc551018 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdoh...@redhat.com>
+Date: Thu, 26 Sep 2024 23:09:29 +0200
+Subject: [PATCH] cfGetPrinterAttributes5(): Validate response attributes
+ before return
+
+The destination can be corrupted or forged, so validate the response
+to strenghten security measures.
+
+Fixes CVE-2024-47076
+--- a/cupsfilters/ipp.c
++++ b/cupsfilters/ipp.c
+@@ -404,6 +404,14 @@ cfGetPrinterAttributes5(http_t *http_printer,
+           ippDelete(response2);
+         }
+       }
++
++      // Check if the response is valid
++      if (!ippValidateAttributes(response))
++      {
++        ippDelete(response);
++        response = NULL;
++      }
++
+       if (have_http == 0) httpClose(http_printer);
+       if (uri) free(uri);
+       return (response);
+

diff --git a/net-print/libcupsfilters/libcupsfilters-2.1_beta1.ebuild 
b/net-print/libcupsfilters/libcupsfilters-2.1_beta1.ebuild
new file mode 100644
index 000000000000..6fc8a01f0022
--- /dev/null
+++ b/net-print/libcupsfilters/libcupsfilters-2.1_beta1.ebuild
@@ -0,0 +1,75 @@
+# Copyright 2023-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit libtool
+
+DESCRIPTION="library for developing printing features, split out of 
cups-filters"
+HOMEPAGE="https://github.com/OpenPrinting/libcupsfilters";
+SRC_URI="https://github.com/OpenPrinting/libcupsfilters/releases/download/${PV/_beta/b}/${P/_beta/b}.tar.xz";
+S="${WORKDIR}"/${P/_beta/b}
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="dbus exif jpeg pdf +poppler +postscript png test tiff"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+       >=app-text/qpdf-8.3.0:=
+       media-libs/fontconfig
+       media-libs/lcms:2
+       >=net-print/cups-2
+       !<net-print/cups-filters-2.0.0
+
+       exif? ( media-libs/libexif )
+       dbus? ( sys-apps/dbus )
+       jpeg? ( media-libs/libjpeg-turbo:= )
+       pdf? ( app-text/mupdf )
+       postscript? ( app-text/ghostscript-gpl[cups] )
+       poppler? ( >=app-text/poppler-0.32:=[cxx] )
+       png? ( media-libs/libpng:= )
+       tiff? ( media-libs/tiff:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       >=sys-devel/gettext-0.18.3
+       virtual/pkgconfig
+       test? ( media-fonts/dejavu )
+"
+
+PATCHES=(
+       "${FILESDIR}"/${P}-CVE-2024-47076.patch
+)
+
+src_prepare() {
+       default
+
+       # respect --as-needed
+       elibtoolize
+}
+
+src_configure() {
+       local myeconfargs=(
+               --enable-imagefilters
+               --localstatedir="${EPREFIX}"/var
+               --with-cups-rundir="${EPREFIX}"/run/cups
+
+               $(use_enable exif)
+               $(use_enable dbus)
+               $(use_enable poppler)
+               $(use_enable postscript ghostscript)
+               $(use_enable pdf mutool)
+               $(use_with jpeg)
+               $(use_with png)
+               $(use_with tiff)
+       )
+
+       econf "${myeconfargs[@]}"
+}
+
+src_install() {
+       default
+       find "${ED}" -name '*.la' -delete || die
+}