commit 1eb7ac987911a8dc8284753842977eb92787eb0d
Author: Sergey Trofimov <[email protected]>
AuthorDate: Tue Jul 1 16:28:47 2025 +0200
gnu: cups: Don't enforce root ownership on supplementary files.
Printers managed by CUPS might require supplementary files to function,
such as color profiles or filters. CUPS checks permissions on such files
to prevent the execution of unsafe code. One of the conditions — that the
files are owned by root — must be short-circuited on Guix, because this
condition cannot be met on a system with an unprivileged daemon (where
store files are owned by `guix-daemon`).
* gnu/packages/patches/cups-relax-root-ownership-check.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/cups.scm (cups)[source]: Include it.
Change-Id: I77f67f996d057a34bd018ab97cda54577060b0c3
Signed-off-by: John Kehayias <[email protected]>
---
gnu/local.mk | 1 +
gnu/packages/cups.scm | 3 +-
.../patches/cups-relax-root-ownership-check.patch | 34 ++++++++++++++++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 8a795f3395..d6685038c1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1136,6 +1136,7 @@ dist_patch_DATA =
\
%D%/packages/patches/csvkit-set-locale-for-tests.patch
\
%D%/packages/patches/ctranslate2-local-build.patch \
%D%/packages/patches/cube-nocheck.patch \
+ %D%/packages/patches/cups-relax-root-ownership-check.patch \
%D%/packages/patches/cura-engine-gcc-14.patch \
%D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 7f9cedd2f2..5bed058031 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -332,7 +332,8 @@ filters for the PDF-centric printing workflow introduced by
OpenPrinting.")
;; Avoid NAME confusion: these are the complete CUPS sources.
(file-name (git-file-name "cups" version))
(sha256
- (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))))
+ (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))
+ (patches (search-patches "cups-relax-root-ownership-check.patch"))))
(build-system gnu-build-system)
(arguments
(list #:configure-flags
diff --git a/gnu/packages/patches/cups-relax-root-ownership-check.patch
b/gnu/packages/patches/cups-relax-root-ownership-check.patch
new file mode 100644
index 0000000000..f24461153d
--- /dev/null
+++ b/gnu/packages/patches/cups-relax-root-ownership-check.patch
@@ -0,0 +1,34 @@
+From 943e44dafa192b54fadcbb24f5f87d62a22c9f84 Mon Sep 17 00:00:00 2001
+From: Sergey Trofimov <[email protected]>
+Date: Wed, 17 Sep 2025 12:09:34 +0200
+Subject: [PATCH] Exempt files in /gnu/store from root ownership check.
+
+---
+ cups/file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cups/file.c b/cups/file.c
+index 95054f3c8..9822619d4 100644
+--- a/cups/file.c
++++ b/cups/file.c
+@@ -159,7 +159,8 @@ _cupsFileCheck(
+ * 4. Must not be writable by others
+ */
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ int in_gnu_store = !strncmp(filename, "/gnu/store/", 11);
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by
root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by
group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+@@ -198,7 +199,7 @@ _cupsFileCheck(
+ goto finishup;
+ }
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by
root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+--
+2.51.0
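Review bot: The exemption introduced on the `int in_gnu_store = ...` line is a plain prefix test on the path string, so any filename that merely begins with `/gnu/store/` skips condition 1, including names whose later components resolve outside the store; whether `fileinfo` was obtained with `stat` or `lstat` is not visible in the hunk, so the safety of this relies on callers passing canonical paths, which should either be enforced (canonicalise with `realpath` before the comparison) or stated in a comment. The length is also hard-coded; `int in_gnu_store = !strncmp(filename, "/gnu/store/", sizeof("/gnu/store/") - 1);` keeps it tied to the literal, and a non-default store directory would silently re-enable the root check since the prefix is fixed. The second hunk (`@@ -198,7 +199,7 @@`) reuses `in_gnu_store`, which requires both `if` statements to be in the same block scope as the new declaration; `_cupsFileCheck` continues outside both hunks, so that cannot be confirmed here. The patch description between the `Subject:` line and the `---` separator is empty; it should carry the rationale from the commit message, noting that conditions 2–4 (group-writable, setuid, other-writable) still apply unchanged to store files.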