From ece398cccc66af939f1df96fbee005744d52528b Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 10:06:50 +0800 Subject: [PATCH 1/8] Format debian/patches --- debian/changelog | 6 ++++++ ...1-fix-Refactor-part-of-server-settings-code.patch | 10 +++------- debian/patches/0002-CVE-2023-4504.patch | 8 ++------ debian/patches/0003-CVE-2023-32360.patch | 6 +----- .../0004-check-colormodel-also-for-CMYK.patch | 6 +----- .../0005-feat-enable-lpd-to-encode-title.patch | 8 ++------ debian/patches/0006-fixed-CVE-2024-47175.patch | 8 ++------ debian/patches/0007-Feat-add-audit-log-to-CUPS.patch | 12 ++++-------- ...tible-with-printer-driver-which-runs-on-V20.patch | 8 ++------ 9 files changed, 23 insertions(+), 49 deletions(-) diff --git a/debian/changelog b/debian/changelog index 6460a33..34e31f1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cups (2.4.2-5deepin4) UNRELEASED; urgency=medium + + * Format debian/patches. + + -- Tianyu Chen Fri, 12 Sep 2025 10:06:24 +0800 + cups (2.4.2-5deepin3) unstable; urgency=medium * Fix bug diff --git a/debian/patches/0001-fix-Refactor-part-of-server-settings-code.patch b/debian/patches/0001-fix-Refactor-part-of-server-settings-code.patch index c0929e7..5b58e15 100644 --- a/debian/patches/0001-fix-Refactor-part-of-server-settings-code.patch +++ b/debian/patches/0001-fix-Refactor-part-of-server-settings-code.patch @@ -1,5 +1,4 @@ -From fd2567c66b7f38e1d9f2608d5de91f6a9ddd962a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=88=98=E8=8E=89?= +From: =?utf-8?b?5YiY6I6J?= Date: Mon, 20 Jun 2022 16:39:30 +0800 Subject: [PATCH] fix: Refactor part of server settings code @@ -17,11 +16,11 @@ share_printers remote_any remote_admin Listen Browsering Location-/ L Change-Id: Id3347d31c1885397b5908a79c1a18e02300784a4 --- - cups/adminutil.c | 193 ++++++++++++++--------------------------------- + cups/adminutil.c | 193 ++++++++++++++++--------------------------------------- 1 file changed, 57 insertions(+), 136 deletions(-) diff --git a/cups/adminutil.c b/cups/adminutil.c -index d66918cb7..ccb669a5d 100644 +index d66918c..ccb669a 100644 --- a/cups/adminutil.c +++ b/cups/adminutil.c @@ -1,7 +1,7 @@ @@ -421,6 +420,3 @@ index d66918cb7..ccb669a5d 100644 /* * Save the new values... --- -2.20.1 - diff --git a/debian/patches/0002-CVE-2023-4504.patch b/debian/patches/0002-CVE-2023-4504.patch index d4649bd..b72b40c 100644 --- a/debian/patches/0002-CVE-2023-4504.patch +++ b/debian/patches/0002-CVE-2023-4504.patch @@ -1,4 +1,3 @@ -From 61ecf34f141cf792814717d7a102f512920c734c Mon Sep 17 00:00:00 2001 From: Thorsten Alteholz Date: Wed, 20 Sep 2023 04:55:44 +0200 Subject: [PATCH] CVE-2023-4504 @@ -9,10 +8,10 @@ Change-Id: I6bd8eef98676057722d9b35e58045642b491431d 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c -index 8727ad576..473d73367 100644 +index fbe52f3..89ef158 100644 --- a/cups/raster-interpret.c +++ b/cups/raster-interpret.c -@@ -1115,7 +1115,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ cur ++; @@ -33,6 +32,3 @@ index 8727ad576..473d73367 100644 *valptr++ = '\b'; else if (*cur == 'f') *valptr++ = '\f'; --- -2.20.1 - diff --git a/debian/patches/0003-CVE-2023-32360.patch b/debian/patches/0003-CVE-2023-32360.patch index d415468..eaaab97 100644 --- a/debian/patches/0003-CVE-2023-32360.patch +++ b/debian/patches/0003-CVE-2023-32360.patch @@ -1,4 +1,3 @@ -From 0f28d2acb84ff87ebb2b770946e64a6b7d3feac1 Mon Sep 17 00:00:00 2001 From: Thorsten Alteholz Date: Wed, 20 Sep 2023 04:56:47 +0200 Subject: [PATCH] CVE-2023-32360 @@ -9,7 +8,7 @@ Change-Id: Ifd31ea60022da94db1f83b2ab33245377fd69094 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in -index b25884907..a07536f3e 100644 +index b258849..a07536f 100644 --- a/conf/cupsd.conf.in +++ b/conf/cupsd.conf.in @@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ @@ -27,6 +26,3 @@ index b25884907..a07536f3e 100644 Require user @OWNER @SYSTEM Order deny,allow --- -2.20.1 - diff --git a/debian/patches/0004-check-colormodel-also-for-CMYK.patch b/debian/patches/0004-check-colormodel-also-for-CMYK.patch index 15e37ef..56992f4 100644 --- a/debian/patches/0004-check-colormodel-also-for-CMYK.patch +++ b/debian/patches/0004-check-colormodel-also-for-CMYK.patch @@ -1,4 +1,3 @@ -From 15105e805ea7a8e50041f3026b9c9c924f3e86ee Mon Sep 17 00:00:00 2001 From: Thorsten Alteholz Date: Sat, 2 Dec 2023 00:00:38 +0100 Subject: [PATCH] check colormodel also for CMYK @@ -9,7 +8,7 @@ Change-Id: I83d593f217415c00fd32e4cbaf8c821796373090 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scheduler/printers.c b/scheduler/printers.c -index 4efa613f3..2fbdaad5b 100644 +index 4efa613..2fbdaad 100644 --- a/scheduler/printers.c +++ b/scheduler/printers.c @@ -4509,7 +4509,7 @@ load_ppd(cupsd_printer_t *p) /* I - Printer */ @@ -21,6 +20,3 @@ index 4efa613f3..2fbdaad5b 100644 p->num_options = cupsAddOption("print-color-mode", "monochrome", p->num_options, &p->options); } } --- -2.20.1 - diff --git a/debian/patches/0005-feat-enable-lpd-to-encode-title.patch b/debian/patches/0005-feat-enable-lpd-to-encode-title.patch index 5cd64bd..8ac78d1 100644 --- a/debian/patches/0005-feat-enable-lpd-to-encode-title.patch +++ b/debian/patches/0005-feat-enable-lpd-to-encode-title.patch @@ -1,4 +1,3 @@ -From 5e5615eec66839b24306e0f4b117b726cef8ae8c Mon Sep 17 00:00:00 2001 From: LIU Li Date: Thu, 6 Jun 2024 10:40:03 +0800 Subject: [PATCH] feat: enable lpd to encode title @@ -6,11 +5,11 @@ Subject: [PATCH] feat: enable lpd to encode title Signed-off-by: LIU Li Change-Id: I93edcea9103926db3cc8ea1e865bd5ee514f6d78 --- - backend/lpd.c | 202 +++++++++++++++++++++++++++++++++++++++++++++++++- + backend/lpd.c | 202 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 200 insertions(+), 2 deletions(-) diff --git a/backend/lpd.c b/backend/lpd.c -index c4aab8b98..7bb4269ac 100644 +index c4aab8b..7bb4269 100644 --- a/backend/lpd.c +++ b/backend/lpd.c @@ -32,6 +32,7 @@ @@ -267,6 +266,3 @@ index c4aab8b98..7bb4269ac 100644 /* * 'lpd_command()' - Send an LPR command sequence and wait for a reply. --- -2.20.1 - diff --git a/debian/patches/0006-fixed-CVE-2024-47175.patch b/debian/patches/0006-fixed-CVE-2024-47175.patch index 48a488a..d422711 100644 --- a/debian/patches/0006-fixed-CVE-2024-47175.patch +++ b/debian/patches/0006-fixed-CVE-2024-47175.patch @@ -1,4 +1,3 @@ -From 3cc9627beec09bd6516de8ec287e7c74fec3a694 Mon Sep 17 00:00:00 2001 From: angie_j_dou Date: Sat, 28 Sep 2024 12:12:46 +0800 Subject: [PATCH] fixed: CVE-2024-47175 @@ -8,11 +7,11 @@ Subject: [PATCH] fixed: CVE-2024-47175 Logs: Change-Id: Ieb8ab6bebd369aecb1ab9788dcd480ddaab62997 --- - cups/ppd-cache.c | 153 +++++++++++++++++++++++++++++++++++++---------- + cups/ppd-cache.c | 153 ++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 123 insertions(+), 30 deletions(-) diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c -index 886181319..05babe983 100644 +index 8861813..05babe9 100644 --- a/cups/ppd-cache.c +++ b/cups/ppd-cache.c @@ -42,6 +42,7 @@ static void pwg_ppdize_resolution(ipp_attribute_t *attr, int element, int *xres, @@ -289,6 +288,3 @@ index 886181319..05babe983 100644 + } + cupsFilePuts(fp, ": \"\"\n"); +} --- -2.20.1 - diff --git a/debian/patches/0007-Feat-add-audit-log-to-CUPS.patch b/debian/patches/0007-Feat-add-audit-log-to-CUPS.patch index acb2c79..31b56f4 100644 --- a/debian/patches/0007-Feat-add-audit-log-to-CUPS.patch +++ b/debian/patches/0007-Feat-add-audit-log-to-CUPS.patch @@ -1,9 +1,8 @@ -From c224a7dff8fb6d03d34fb1bf8085dd6fffaf293a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=88=98=E8=8E=89?= +From: =?utf-8?b?5YiY6I6J?= Date: Tue, 12 Jul 2022 15:14:53 +0800 Subject: [PATCH] Feat: add audit log to CUPS MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 +Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit log to /var/log/cups/os_audit.log @@ -11,11 +10,11 @@ log to /var/log/cups/os_audit.log Signed-off-by: 刘莉 Change-Id: I9e3ee7176b158a381db9274f11aeb34ab5bc62b9 --- - scheduler/subscriptions.c | 160 +++++++++++++++++++++++++++++++++++++- + scheduler/subscriptions.c | 160 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 156 insertions(+), 4 deletions(-) diff --git a/scheduler/subscriptions.c b/scheduler/subscriptions.c -index 2dbb28f85..0bcdfe457 100644 +index 2dbb28f..0bcdfe4 100644 --- a/scheduler/subscriptions.c +++ b/scheduler/subscriptions.c @@ -39,8 +39,157 @@ static void cupsd_send_notification(cupsd_subscription_t *sub, @@ -204,6 +203,3 @@ index 2dbb28f85..0bcdfe457 100644 ippAddString(temp->attrs, IPP_TAG_EVENT_NOTIFICATION, IPP_TAG_TEXT, "notify-text", NULL, ftext); --- -2.20.1 - diff --git a/debian/patches/0017-Compatible-with-printer-driver-which-runs-on-V20.patch b/debian/patches/0017-Compatible-with-printer-driver-which-runs-on-V20.patch index 3c620c3..dc16a1a 100644 --- a/debian/patches/0017-Compatible-with-printer-driver-which-runs-on-V20.patch +++ b/debian/patches/0017-Compatible-with-printer-driver-which-runs-on-V20.patch @@ -1,4 +1,3 @@ -From 6fb8a6f40e09b068780ac7ecdf0b68886015096e Mon Sep 17 00:00:00 2001 From: reddevillg Date: Wed, 4 Dec 2024 15:28:30 +0800 Subject: [PATCH] Compatible with printer driver which runs on V20 @@ -7,11 +6,11 @@ If deepin-compatible-ctl exist, use it to run external process. Change-Id: Ifa668bb6dae6f6ff311dd2ec43a68737b8885516 --- - scheduler/process.c | 47 ++++++++++++++++++++++++++++++++------------- + scheduler/process.c | 47 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 13 deletions(-) diff --git a/scheduler/process.c b/scheduler/process.c -index 1492e767d..b2158d4e4 100644 +index 1492e76..b2158d4 100644 --- a/scheduler/process.c +++ b/scheduler/process.c @@ -478,7 +478,10 @@ cupsdStartProcess( @@ -87,6 +86,3 @@ index 1492e767d..b2158d4e4 100644 } if (LogLevel == CUPSD_LOG_DEBUG2) --- -2.20.1 - From 1e9a5044440da31b2b594bab87c70e3164eac98f Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 14:49:59 +0800 Subject: [PATCH 2/8] Set Author to Zdenek Dohnal in debian/patches/0013-CVE-2023-32324.patch --- debian/patches/0013-CVE-2023-32324.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/patches/0013-CVE-2023-32324.patch b/debian/patches/0013-CVE-2023-32324.patch index c21f1a2..2bc6e4c 100644 --- a/debian/patches/0013-CVE-2023-32324.patch +++ b/debian/patches/0013-CVE-2023-32324.patch @@ -1,6 +1,6 @@ -From: Thorsten Alteholz -Date: Wed, 31 May 2023 23:08:29 +0200 -Subject: CVE-2023-32324 +From: Zdenek Dohnal +Date: Thu, 1 Jun 2023 12:04:00 +0200 +Subject: cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324) --- cups/string.c | 3 +++ From 3d9e414100cf9d5794f54d9c316d47264721e54d Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 15:38:03 +0800 Subject: [PATCH 3/8] 0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch --- ...h-bug-tls-pointer-wasn-t-cleared-aft.patch | 22 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 23 insertions(+) create mode 100644 debian/patches/0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch diff --git a/debian/patches/0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch b/debian/patches/0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch new file mode 100644 index 0000000..f521cf3 --- /dev/null +++ b/debian/patches/0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch @@ -0,0 +1,22 @@ +From: Michael R Sweet +Date: Tue, 7 Jun 2022 13:45:29 -0400 +Subject: Fix OpenSSL crash bug - "tls" pointer wasn't cleared after freeing + it (Issue #409) + +--- + cups/tls-openssl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c +index c3e5774..6db9f8a 100644 +--- a/cups/tls-openssl.c ++++ b/cups/tls-openssl.c +@@ -1152,6 +1152,8 @@ _httpTLSStop(http_t *http) // I - Connection to server + SSL_shutdown(http->tls); + SSL_CTX_free(context); + SSL_free(http->tls); ++ ++ http->tls = NULL; + } + + diff --git a/debian/patches/series b/debian/patches/series index a519b58..f4ac6ad 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -20,3 +20,4 @@ 0006-fixed-CVE-2024-47175.patch 0007-Feat-add-audit-log-to-CUPS.patch 0017-Compatible-with-printer-driver-which-runs-on-V20.patch +0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch From 7a9b54dc15ca0ca52e7c793cddd65b74175404c8 Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 15:35:31 +0800 Subject: [PATCH 4/8] CVE-2024-35235 --- ...socket-handling-fixes-CVE-2024-35235.patch | 96 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 97 insertions(+) create mode 100644 debian/patches/0024-Fix-domain-socket-handling-fixes-CVE-2024-35235.patch diff --git a/debian/patches/0024-Fix-domain-socket-handling-fixes-CVE-2024-35235.patch b/debian/patches/0024-Fix-domain-socket-handling-fixes-CVE-2024-35235.patch new file mode 100644 index 0000000..f033582 --- /dev/null +++ b/debian/patches/0024-Fix-domain-socket-handling-fixes-CVE-2024-35235.patch @@ -0,0 +1,96 @@ +From: Zdenek Dohnal +Date: Tue, 11 Jun 2024 16:19:11 +0200 +Subject: Fix domain socket handling (fixes CVE-2024-35235) + +- Check status of unlink and bind system calls. +- Don't allow extra domain sockets when running from launchd/systemd. +- Validate length of domain socket path (< sizeof(sun_path)) + +Fixes CVE-2024-35235, written by Mike Sweet +--- + cups/http-addr.c | 36 +++++++++++++++++++----------------- + scheduler/conf.c | 20 ++++++++++++++++++++ + 2 files changed, 39 insertions(+), 17 deletions(-) + +diff --git a/cups/http-addr.c b/cups/http-addr.c +index 114a644..3d3b6b9 100644 +--- a/cups/http-addr.c ++++ b/cups/http-addr.c +@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ + * Remove any existing domain socket file... + */ + +- unlink(addr->un.sun_path); +- +- /* +- * Save the current umask and set it to 0 so that all users can access +- * the domain socket... +- */ +- +- mask = umask(0); ++ if ((status = unlink(addr->un.sun_path)) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); + +- /* +- * Bind the domain socket... +- */ ++ if (errno == ENOENT) ++ status = 0; ++ } + +- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); ++ if (!status) ++ { ++ // Save the current umask and set it to 0 so that all users can access ++ // the domain socket... ++ mask = umask(0); + +- /* +- * Restore the umask and fix permissions... +- */ ++ // Bind the domain socket... ++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ } + +- umask(mask); +- chmod(addr->un.sun_path, 0140777); ++ // Restore the umask... ++ umask(mask); ++ } + } + else + #endif /* AF_LOCAL */ +diff --git a/scheduler/conf.c b/scheduler/conf.c +index cb49078..fc0cec7 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -3076,6 +3076,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + cupsd_listener_t *lis; /* New listeners array */ + + ++ /* ++ * If we are launched on-demand, do not use domain sockets from the config ++ * file. Also check that the domain socket path is not too long... ++ */ ++ ++#ifdef HAVE_ONDEMAND ++ if (*value == '/' && OnDemand) ++ { ++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); ++ continue; ++ } ++#endif // HAVE_ONDEMAND ++ ++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) ++ { ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); ++ continue; ++ } ++ + /* + * Get the address list... + */ diff --git a/debian/patches/series b/debian/patches/series index f4ac6ad..62ec780 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -21,3 +21,4 @@ 0007-Feat-add-audit-log-to-CUPS.patch 0017-Compatible-with-printer-driver-which-runs-on-V20.patch 0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch +0024-Fix-domain-socket-handling-fixes-CVE-2024-35235.patch From 7a799ee663274b65a1adfd6ce2fefc6ac38b249f Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 16:01:06 +0800 Subject: [PATCH 5/8] regression of fix for CVE-2024-35235 --- ...y-if-there-are-no-listen-sockets-aft.patch | 51 +++++++++ ...Fix-builds-without-on-demand-support.patch | 24 +++++ ...isteners-message-for-service_checkin.patch | 23 ++++ ...cupsd-activated-on-demand-via-socket.patch | 102 ++++++++++++++++++ debian/patches/series | 4 + 5 files changed, 204 insertions(+) create mode 100644 debian/patches/0025-Don-t-abort-early-if-there-are-no-listen-sockets-aft.patch create mode 100644 debian/patches/0026-Fix-builds-without-on-demand-support.patch create mode 100644 debian/patches/0027-Update-no-listeners-message-for-service_checkin.patch create mode 100644 debian/patches/0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch diff --git a/debian/patches/0025-Don-t-abort-early-if-there-are-no-listen-sockets-aft.patch b/debian/patches/0025-Don-t-abort-early-if-there-are-no-listen-sockets-aft.patch new file mode 100644 index 0000000..21b03ff --- /dev/null +++ b/debian/patches/0025-Don-t-abort-early-if-there-are-no-listen-sockets-aft.patch @@ -0,0 +1,51 @@ +From: Michael R Sweet +Date: Fri, 14 Jun 2024 15:10:21 -0400 +Subject: Don't abort early if there are no listen sockets after loading + cupsd.conf (Issue #985) + +--- + scheduler/conf.c | 2 +- + scheduler/main.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/scheduler/conf.c b/scheduler/conf.c +index fc0cec7..9fc988e 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -1052,7 +1052,7 @@ cupsdReadConfiguration(void) + * as an error and exit! + */ + +- if (cupsArrayCount(Listeners) == 0) ++ if (cupsArrayCount(Listeners) == 0 && !OnDemand) + { + /* + * No listeners! +diff --git a/scheduler/main.c b/scheduler/main.c +index 0380faa..ef3c7e0 100644 +--- a/scheduler/main.c ++++ b/scheduler/main.c +@@ -2037,6 +2037,23 @@ service_checkin(void) + service_add_listener(fd, 0); + } + #endif /* HAVE_LAUNCHD */ ++ ++ if (cupsArrayCount(Listeners) == 0) ++ { ++ /* ++ * No listeners! ++ */ ++ ++ cupsdLogMessage(CUPSD_LOG_EMERG, ++ "No valid Listen or Port lines were found in the " ++ "configuration file."); ++ ++ /* ++ * Commit suicide... ++ */ ++ ++ cupsdEndProcess(getpid(), 0); ++ } + } + + diff --git a/debian/patches/0026-Fix-builds-without-on-demand-support.patch b/debian/patches/0026-Fix-builds-without-on-demand-support.patch new file mode 100644 index 0000000..bd3f479 --- /dev/null +++ b/debian/patches/0026-Fix-builds-without-on-demand-support.patch @@ -0,0 +1,24 @@ +From: Michael R Sweet +Date: Fri, 14 Jun 2024 15:16:02 -0400 +Subject: Fix builds without on-demand support. + +--- + scheduler/conf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 9fc988e..adeef50 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -1052,7 +1052,11 @@ cupsdReadConfiguration(void) + * as an error and exit! + */ + ++#ifdef HAVE_ONDEMAND + if (cupsArrayCount(Listeners) == 0 && !OnDemand) ++#else ++ if (cupsArrayCount(Listeners) == 0) ++#endif // HAVE_ONDEMAND + { + /* + * No listeners! diff --git a/debian/patches/0027-Update-no-listeners-message-for-service_checkin.patch b/debian/patches/0027-Update-no-listeners-message-for-service_checkin.patch new file mode 100644 index 0000000..23a4fc8 --- /dev/null +++ b/debian/patches/0027-Update-no-listeners-message-for-service_checkin.patch @@ -0,0 +1,23 @@ +From: Michael R Sweet +Date: Mon, 17 Jun 2024 09:18:08 -0400 +Subject: Update "no listeners" message for service_checkin. + +--- + scheduler/main.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/scheduler/main.c b/scheduler/main.c +index ef3c7e0..f0d9409 100644 +--- a/scheduler/main.c ++++ b/scheduler/main.c +@@ -2044,9 +2044,7 @@ service_checkin(void) + * No listeners! + */ + +- cupsdLogMessage(CUPSD_LOG_EMERG, +- "No valid Listen or Port lines were found in the " +- "configuration file."); ++ cupsdLogMessage(CUPSD_LOG_EMERG, "service_checkin: No listener sockets present."); + + /* + * Commit suicide... diff --git a/debian/patches/0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch b/debian/patches/0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch new file mode 100644 index 0000000..79f3964 --- /dev/null +++ b/debian/patches/0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch @@ -0,0 +1,102 @@ +From: Zdenek Dohnal +Date: Tue, 18 Jun 2024 10:38:48 +0200 +Subject: scheduler: Fix cupsd activated on-demand via socket + +If only the expected cups.sock is set as listener in cupsd.conf, the +array Listeners was NULL. To prevent copying the code, do the array +allocation earlier and have only one check for Listeners, in +service_checkin() which is run every time cupsd starts. + +Fixes #985 +--- + scheduler/conf.c | 49 ++++++++++++------------------------------------- + scheduler/main.c | 2 +- + 2 files changed, 13 insertions(+), 38 deletions(-) + +diff --git a/scheduler/conf.c b/scheduler/conf.c +index adeef50..8914904 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -558,6 +558,18 @@ cupsdReadConfiguration(void) + + cupsdDeleteAllListeners(); + ++ /* ++ * Allocate array Listeners ++ */ ++ ++ Listeners = cupsArrayNew(NULL, NULL); ++ ++ if (!Listeners) ++ { ++ fprintf(stderr, "Unable to allocate memory for array Listeners."); ++ return (0); ++ } ++ + old_remote_port = RemotePort; + RemotePort = 0; + +@@ -1047,32 +1059,6 @@ cupsdReadConfiguration(void) + } + } + +- /* +- * Check that we have at least one listen/port line; if not, report this +- * as an error and exit! +- */ +- +-#ifdef HAVE_ONDEMAND +- if (cupsArrayCount(Listeners) == 0 && !OnDemand) +-#else +- if (cupsArrayCount(Listeners) == 0) +-#endif // HAVE_ONDEMAND +- { +- /* +- * No listeners! +- */ +- +- cupsdLogMessage(CUPSD_LOG_EMERG, +- "No valid Listen or Port lines were found in the " +- "configuration file."); +- +- /* +- * Commit suicide... +- */ +- +- cupsdEndProcess(getpid(), 0); +- } +- + /* + * Set the default locale using the language and charset... + */ +@@ -3148,17 +3134,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + * Allocate another listener... + */ + +- if (!Listeners) +- Listeners = cupsArrayNew(NULL, NULL); +- +- if (!Listeners) +- { +- cupsdLogMessage(CUPSD_LOG_ERROR, +- "Unable to allocate %s at line %d - %s.", +- line, linenum, strerror(errno)); +- break; +- } +- + if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL) + { + cupsdLogMessage(CUPSD_LOG_ERROR, +diff --git a/scheduler/main.c b/scheduler/main.c +index f0d9409..63bee60 100644 +--- a/scheduler/main.c ++++ b/scheduler/main.c +@@ -2044,7 +2044,7 @@ service_checkin(void) + * No listeners! + */ + +- cupsdLogMessage(CUPSD_LOG_EMERG, "service_checkin: No listener sockets present."); ++ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present."); + + /* + * Commit suicide... diff --git a/debian/patches/series b/debian/patches/series index 62ec780..5955f47 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -22,3 +22,7 @@ 0017-Compatible-with-printer-driver-which-runs-on-V20.patch 0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch 0024-Fix-domain-socket-handling-fixes-CVE-2024-35235.patch +0025-Don-t-abort-early-if-there-are-no-listen-sockets-aft.patch +0026-Fix-builds-without-on-demand-support.patch +0027-Update-no-listeners-message-for-service_checkin.patch +0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch From c7934fde2f427b8cd3b05339df3716f06a1c558c Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 16:01:56 +0800 Subject: [PATCH 6/8] CVE-2025-58060 --- .../0029-Eliminate-trivial-switch-s.patch | 366 ++++++++++++++++++ ...uthentication-using-alternate-method.patch | 55 +++ debian/patches/series | 2 + 3 files changed, 423 insertions(+) create mode 100644 debian/patches/0029-Eliminate-trivial-switch-s.patch create mode 100644 debian/patches/0030-cupsd-Block-authentication-using-alternate-method.patch diff --git a/debian/patches/0029-Eliminate-trivial-switch-s.patch b/debian/patches/0029-Eliminate-trivial-switch-s.patch new file mode 100644 index 0000000..e27f6ad --- /dev/null +++ b/debian/patches/0029-Eliminate-trivial-switch-s.patch @@ -0,0 +1,366 @@ +From: Michael R Sweet +Date: Sat, 21 Jan 2023 17:14:29 -0500 +Subject: Eliminate trivial switch's. + +--- + cups/file.c | 19 ++--- + scheduler/auth.c | 216 ++++++++++++++++++++++++-------------------------- + tools/ippeveprinter.c | 22 +++-- + 3 files changed, 123 insertions(+), 134 deletions(-) + +diff --git a/cups/file.c b/cups/file.c +index 48969e6..ce54ff9 100644 +--- a/cups/file.c ++++ b/cups/file.c +@@ -6,7 +6,7 @@ + * our own file functions allows us to provide transparent support of + * different line endings, gzip'd print files, PPD files, etc. + * +- * Copyright © 2021-2022 by OpenPrinting. ++ * Copyright © 2021-2023 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. + * +@@ -124,17 +124,14 @@ _cupsFileCheck( + + result = _CUPS_FILE_CHECK_OK; + +- switch (filetype) ++ if (filetype == _CUPS_FILE_CHECK_DIRECTORY) + { +- case _CUPS_FILE_CHECK_DIRECTORY : +- if (!S_ISDIR(fileinfo.st_mode)) +- result = _CUPS_FILE_CHECK_WRONG_TYPE; +- break; +- +- default : +- if (!S_ISREG(fileinfo.st_mode)) +- result = _CUPS_FILE_CHECK_WRONG_TYPE; +- break; ++ if (!S_ISDIR(fileinfo.st_mode)) ++ result = _CUPS_FILE_CHECK_WRONG_TYPE; ++ } ++ else if (!S_ISREG(fileinfo.st_mode)) ++ { ++ result = _CUPS_FILE_CHECK_WRONG_TYPE; + } + + if (result) +diff --git a/scheduler/auth.c b/scheduler/auth.c +index aa773f9..7f6c3f6 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -1,7 +1,7 @@ + /* + * Authorization routines for the CUPS scheduler. + * +- * Copyright © 2021-2022 by OpenPrinting. ++ * Copyright © 2021-2023 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. + * +@@ -558,166 +558,160 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + * Validate the username and password... + */ + +- switch (type) ++ if (type == CUPSD_AUTH_BASIC) + { +- default : +- case CUPSD_AUTH_BASIC : +- { + #if HAVE_LIBPAM +- /* +- * Only use PAM to do authentication. This supports MD5 +- * passwords, among other things... +- */ ++ /* ++ * Only use PAM to do authentication. This supports MD5 ++ * passwords, among other things... ++ */ + +- pam_handle_t *pamh; /* PAM authentication handle */ +- int pamerr; /* PAM error code */ +- struct pam_conv pamdata;/* PAM conversation data */ +- cupsd_authdata_t data; /* Authentication data */ ++ pam_handle_t *pamh; /* PAM authentication handle */ ++ int pamerr; /* PAM error code */ ++ struct pam_conv pamdata; /* PAM conversation data */ ++ cupsd_authdata_t data; /* Authentication data */ + + +- strlcpy(data.username, username, sizeof(data.username)); +- strlcpy(data.password, password, sizeof(data.password)); ++ strlcpy(data.username, username, sizeof(data.username)); ++ strlcpy(data.password, password, sizeof(data.password)); + + # ifdef __sun +- pamdata.conv = (int (*)(int, struct pam_message **, +- struct pam_response **, +- void *))pam_func; ++ pamdata.conv = (int (*)(int, struct pam_message **, ++ struct pam_response **, ++ void *))pam_func; + # else +- pamdata.conv = pam_func; ++ pamdata.conv = pam_func; + # endif /* __sun */ +- pamdata.appdata_ptr = &data; ++ pamdata.appdata_ptr = &data; + +- pamerr = pam_start("cups", username, &pamdata, &pamh); +- if (pamerr != PAM_SUCCESS) +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +- return; +- } ++ pamerr = pam_start("cups", username, &pamdata, &pamh); ++ if (pamerr != PAM_SUCCESS) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); ++ return; ++ } + + # ifdef HAVE_PAM_SET_ITEM + # ifdef PAM_RHOST +- pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname); +- if (pamerr != PAM_SUCCESS) +- cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); ++ pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname); ++ if (pamerr != PAM_SUCCESS) ++ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); + # endif /* PAM_RHOST */ + + # ifdef PAM_TTY +- pamerr = pam_set_item(pamh, PAM_TTY, "cups"); +- if (pamerr != PAM_SUCCESS) +- cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); ++ pamerr = pam_set_item(pamh, PAM_TTY, "cups"); ++ if (pamerr != PAM_SUCCESS) ++ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); + # endif /* PAM_TTY */ + # endif /* HAVE_PAM_SET_ITEM */ + +- pamerr = pam_authenticate(pamh, PAM_SILENT); +- if (pamerr != PAM_SUCCESS) +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +- pam_end(pamh, 0); +- return; +- } ++ pamerr = pam_authenticate(pamh, PAM_SILENT); ++ if (pamerr != PAM_SUCCESS) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); ++ pam_end(pamh, 0); ++ return; ++ } + + # ifdef HAVE_PAM_SETCRED +- pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); +- if (pamerr != PAM_SUCCESS) +- cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); ++ pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); ++ if (pamerr != PAM_SUCCESS) ++ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); + # endif /* HAVE_PAM_SETCRED */ + +- pamerr = pam_acct_mgmt(pamh, PAM_SILENT); +- if (pamerr != PAM_SUCCESS) +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +- pam_end(pamh, 0); +- return; +- } ++ pamerr = pam_acct_mgmt(pamh, PAM_SILENT); ++ if (pamerr != PAM_SUCCESS) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); ++ pam_end(pamh, 0); ++ return; ++ } + +- pam_end(pamh, PAM_SUCCESS); ++ pam_end(pamh, PAM_SUCCESS); + + #else +- /* +- * Use normal UNIX password file-based authentication... +- */ ++ /* ++ * Use normal UNIX password file-based authentication... ++ */ + +- char *pass; /* Encrypted password */ +- struct passwd *pw; /* User password data */ ++ char *pass; /* Encrypted password */ ++ struct passwd *pw; /* User password data */ + # ifdef HAVE_SHADOW_H +- struct spwd *spw; /* Shadow password data */ ++ struct spwd *spw; /* Shadow password data */ + # endif /* HAVE_SHADOW_H */ + + +- pw = getpwnam(username); /* Get the current password */ +- endpwent(); /* Close the password file */ ++ pw = getpwnam(username); /* Get the current password */ ++ endpwent(); /* Close the password file */ + +- if (!pw) +- { +- /* +- * No such user... +- */ ++ if (!pw) ++ { ++ /* ++ * No such user... ++ */ + +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username); +- return; +- } ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username); ++ return; ++ } + + # ifdef HAVE_SHADOW_H +- spw = getspnam(username); +- endspent(); ++ spw = getspnam(username); ++ endspent(); + +- if (!spw && !strcmp(pw->pw_passwd, "x")) +- { +- /* +- * Don't allow blank passwords! +- */ ++ if (!spw && !strcmp(pw->pw_passwd, "x")) ++ { ++ /* ++ * Don't allow blank passwords! ++ */ + +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username); +- return; +- } ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username); ++ return; ++ } + +- if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0]) ++ if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0]) + # else +- if (!pw->pw_passwd[0]) ++ if (!pw->pw_passwd[0]) + # endif /* HAVE_SHADOW_H */ +- { +- /* +- * Don't allow blank passwords! +- */ ++ { ++ /* ++ * Don't allow blank passwords! ++ */ + +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username); +- return; +- } ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username); ++ return; ++ } + +- /* +- * OK, the password isn't blank, so compare with what came from the +- * client... +- */ ++ /* ++ * OK, the password isn't blank, so compare with what came from the ++ * client... ++ */ + +- pass = crypt(password, pw->pw_passwd); ++ pass = crypt(password, pw->pw_passwd); + +- if (!pass || strcmp(pw->pw_passwd, pass)) +- { ++ if (!pass || strcmp(pw->pw_passwd, pass)) ++ { + # ifdef HAVE_SHADOW_H +- if (spw) +- { +- pass = crypt(password, spw->sp_pwdp); ++ if (spw) ++ { ++ pass = crypt(password, spw->sp_pwdp); + +- if (pass == NULL || strcmp(spw->sp_pwdp, pass)) +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); +- return; +- } +- } +- else ++ if (pass == NULL || strcmp(spw->sp_pwdp, pass)) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); ++ return; ++ } ++ } ++ else + # endif /* HAVE_SHADOW_H */ +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); +- return; +- } +- } ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); ++ return; ++ } ++ } + #endif /* HAVE_LIBPAM */ +- } +- +- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username); +- break; + } + ++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username); + con->type = type; + } + #ifdef HAVE_GSSAPI +diff --git a/tools/ippeveprinter.c b/tools/ippeveprinter.c +index f819a6a..66d765b 100644 +--- a/tools/ippeveprinter.c ++++ b/tools/ippeveprinter.c +@@ -2269,19 +2269,17 @@ dnssd_client_cb( + if (!c) + return; + +- switch (state) ++ if (state == AVAHI_CLIENT_FAILURE) + { +- default : +- fprintf(stderr, "Ignored Avahi state %d.\n", state); +- break; +- +- case AVAHI_CLIENT_FAILURE: +- if (avahi_client_errno(c) == AVAHI_ERR_DISCONNECTED) +- { +- fputs("Avahi server crashed, exiting.\n", stderr); +- exit(1); +- } +- break; ++ if (avahi_client_errno(c) == AVAHI_ERR_DISCONNECTED) ++ { ++ fputs("Avahi server crashed, exiting.\n", stderr); ++ exit(1); ++ } ++ } ++ else ++ { ++ fprintf(stderr, "Ignored Avahi state %d.\n", state); + } + } + #endif /* HAVE_MDNSRESPONDER */ diff --git a/debian/patches/0030-cupsd-Block-authentication-using-alternate-method.patch b/debian/patches/0030-cupsd-Block-authentication-using-alternate-method.patch new file mode 100644 index 0000000..97da49c --- /dev/null +++ b/debian/patches/0030-cupsd-Block-authentication-using-alternate-method.patch @@ -0,0 +1,55 @@ +From: Zdenek Dohnal +Date: Thu, 11 Sep 2025 14:44:59 +0200 +Subject: cupsd: Block authentication using alternate method + +Fixes: CVE-2025-58060 +--- + scheduler/auth.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 7f6c3f6..6fe5e0c 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + int userlen; /* Username:password length */ + + ++ /* ++ * Only allow Basic if enabled... ++ */ ++ ++ if (type != CUPSD_AUTH_BASIC) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled."); ++ return; ++ } ++ + authorization += 5; + while (isspace(*authorization & 255)) + authorization ++; +@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + * Validate the username and password... + */ + +- if (type == CUPSD_AUTH_BASIC) + { + #if HAVE_LIBPAM + /* +@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + /* Output token for username */ + gss_name_t client_name; /* Client name */ + ++ /* ++ * Only allow Kerberos if enabled... ++ */ ++ ++ if (type != CUPSD_AUTH_NEGOTIATE) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled."); ++ return; ++ } ++ + # ifdef __APPLE__ + /* + * If the weak-linked GSSAPI/Kerberos library is not present, don't try diff --git a/debian/patches/series b/debian/patches/series index 5955f47..362aebf 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -26,3 +26,5 @@ 0026-Fix-builds-without-on-demand-support.patch 0027-Update-no-listeners-message-for-service_checkin.patch 0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch +0029-Eliminate-trivial-switch-s.patch +0030-cupsd-Block-authentication-using-alternate-method.patch From 49a36d4952d60f8771f46c7f07d1db62d9214371 Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Fri, 12 Sep 2025 16:02:32 +0800 Subject: [PATCH 7/8] CVE-2025-58364 --- ...ling-of-extension-tag-in-ipp_read_io.patch | 46 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 47 insertions(+) create mode 100644 debian/patches/0031-libcups-Fix-handling-of-extension-tag-in-ipp_read_io.patch diff --git a/debian/patches/0031-libcups-Fix-handling-of-extension-tag-in-ipp_read_io.patch b/debian/patches/0031-libcups-Fix-handling-of-extension-tag-in-ipp_read_io.patch new file mode 100644 index 0000000..b593592 --- /dev/null +++ b/debian/patches/0031-libcups-Fix-handling-of-extension-tag-in-ipp_read_io.patch @@ -0,0 +1,46 @@ +From: Zdenek Dohnal +Date: Fri, 12 Sep 2025 15:25:24 +0800 +Subject: libcups: Fix handling of extension tag in `ipp_read_io()` + +Fixes: CVE-2025-58364 +--- + cups/ipp.c | 26 -------------------------- + 1 file changed, 26 deletions(-) + +diff --git a/cups/ipp.c b/cups/ipp.c +index 42cf2fc..960e3a5 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2949,32 +2949,6 @@ ippReadIO(void *src, /* I - Data source */ + */ + + tag = (ipp_tag_t)buffer[0]; +- if (tag == IPP_TAG_EXTENSION) +- { +- /* +- * Read 32-bit "extension" tag... +- */ +- +- if ((*cb)(src, buffer, 4) < 4) +- { +- DEBUG_puts("1ippReadIO: Callback returned EOF/error"); +- goto rollback; +- } +- +- tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) | +- buffer[2]) << 8) | buffer[3]); +- +- if (tag & IPP_TAG_CUPS_CONST) +- { +- /* +- * Fail if the high bit is set in the tag... +- */ +- +- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1); +- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag)); +- goto rollback; +- } +- } + + if (tag == IPP_TAG_END) + { diff --git a/debian/patches/series b/debian/patches/series index 362aebf..ea3ccb4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -28,3 +28,4 @@ 0028-scheduler-Fix-cupsd-activated-on-demand-via-socket.patch 0029-Eliminate-trivial-switch-s.patch 0030-cupsd-Block-authentication-using-alternate-method.patch +0031-libcups-Fix-handling-of-extension-tag-in-ipp_read_io.patch From f80e65dadee8e5e04a494b36adc525f78ce4c8cd Mon Sep 17 00:00:00 2001 From: Tianyu Chen Date: Mon, 15 Sep 2025 10:31:10 +0800 Subject: [PATCH 8/8] Release to unstable --- debian/changelog | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 34e31f1..db2d0c4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,14 @@ -cups (2.4.2-5deepin4) UNRELEASED; urgency=medium +cups (2.4.2-5deepin4) unstable; urgency=medium * Format debian/patches. - - -- Tianyu Chen Fri, 12 Sep 2025 10:06:24 +0800 + * Set Author to Zdenek Dohnal in debian/patches/0013-CVE-2023-32324.patch + * 0023-Fix-OpenSSL-crash-bug-tls-pointer-wasn-t-cleared-aft.patch + * CVE-2024-35235 + * regression of fix for CVE-2024-35235 + * CVE-2025-58060 + * CVE-2025-58364 + + -- Tianyu Chen Mon, 15 Sep 2025 10:30:43 +0800 cups (2.4.2-5deepin3) unstable; urgency=medium