guix_mirror_bot pushed a commit to branch mesa-updates
in repository guix.
commit 55f26e5fa21692b90d5c599676b69bbfd32f1c71
Author: Sergey Trofimov <[email protected]>
AuthorDate: Tue Jul 1 16:28:47 2025 +0200
gnu: cups: Don't enforce root ownership on supplementary files.
Printers managed by CUPS might require supplementary files to function,
such as color profiles or filters. CUPS checks permissions on such files
to prevent the execution of unsafe code. One of the conditions — that the
files are owned by root — must be short-circuited on Guix, because this
condition cannot be met on a system with an unprivileged daemon (where
store files are owned by `guix-daemon`).
* gnu/packages/patches/cups-relax-root-ownership-check.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/cups.scm (cups)[source]: Include it.
Change-Id: I77f67f996d057a34bd018ab97cda54577060b0c3
Signed-off-by: John Kehayias <[email protected]>
---
gnu/local.mk | 1 +
gnu/packages/cups.scm | 3 +-
.../patches/cups-relax-root-ownership-check.patch | 34 ++++++++++++++++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 229ae3a97b..ced14ff203 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1146,6 +1146,7 @@ dist_patch_DATA =
\
%D%/packages/patches/csvkit-set-locale-for-tests.patch
\
%D%/packages/patches/ctranslate2-local-build.patch \
%D%/packages/patches/cube-nocheck.patch \
+ %D%/packages/patches/cups-relax-root-ownership-check.patch \
%D%/packages/patches/cura-engine-gcc-14.patch \
%D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index b45cc3c6e5..90d57384ed 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -332,7 +332,8 @@ filters for the PDF-centric printing workflow introduced by
OpenPrinting.")
;; Avoid NAME confusion: these are the complete CUPS sources.
(file-name (git-file-name "cups" version))
(sha256
- (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))))
+ (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))
+ (patches (search-patches "cups-relax-root-ownership-check.patch"))))
(build-system gnu-build-system)
(arguments
(list #:configure-flags
diff --git a/gnu/packages/patches/cups-relax-root-ownership-check.patch
b/gnu/packages/patches/cups-relax-root-ownership-check.patch
new file mode 100644
index 0000000000..f24461153d
--- /dev/null
+++ b/gnu/packages/patches/cups-relax-root-ownership-check.patch
@@ -0,0 +1,34 @@
+From 943e44dafa192b54fadcbb24f5f87d62a22c9f84 Mon Sep 17 00:00:00 2001
+From: Sergey Trofimov <[email protected]>
+Date: Wed, 17 Sep 2025 12:09:34 +0200
+Subject: [PATCH] Exempt files in /gnu/store from root ownership check.
+
+---
+ cups/file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cups/file.c b/cups/file.c
+index 95054f3c8..9822619d4 100644
+--- a/cups/file.c
++++ b/cups/file.c
+@@ -159,7 +159,8 @@ _cupsFileCheck(
+ * 4. Must not be writable by others
+ */
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ int in_gnu_store = !strncmp(filename, "/gnu/store/", 11);
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by
root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by
group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+@@ -198,7 +199,7 @@ _cupsFileCheck(
+ goto finishup;
+ }
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by
root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+--
+2.51.0
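Review bot: The store exemption at the first changed `if` of the embedded patch (and the identical one in its second hunk) is decided by a string prefix on the unresolved `filename`, so a name that merely begins with `/gnu/store/` but resolves elsewhere — via `..` components or a symlink pointing out of the store — is exempted from the root-ownership check together with the genuinely immutable store files. Comparing the canonicalised path keeps the exemption to what the commit message intends, e.g. `char resolved[PATH_MAX];` followed by `int in_gnu_store = realpath(filename, resolved) != NULL && !strncmp(resolved, "/gnu/store/", 11);` (assuming `<stdlib.h>` and `<limits.h>` are already available in cups/file.c — not visible from here). The hard-coded `11` duplicates the literal's length and would be clearer as `sizeof("/gnu/store/") - 1` or a named constant. A one-line comment above the declaration, `/* Guix: store paths are read-only and may be owned by the unprivileged daemon user, so root ownership is not required. */`, would record why the relaxation is considered safe. `_cupsFileCheck` starts and ends outside the hunk, so whether `in_gnu_store` is declared after earlier statements (C99 mixed declarations) cannot be confirmed here.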