[PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7

Message ID	20231112212327.82530-1-f_l_k@t-online.de
State	New
Headers	show Return-Path: <f_l_k@t-online.de> ip: 194.25.134.18, mailfrom: f_l_k@t-online.de) From: Markus Volk <f_l_k@t-online.de> To: openembedded-core@lists.openembedded.org Subject: [oe-core][PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7 Date: Sun, 12 Nov 2023 22:23:27 +0100 Message-ID: <20231112212327.82530-1-f_l_k@t-online.de> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7 \| expand [PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7

Message ID

20231112212327.82530-1-f_l_k@t-online.de

State

New

Headers

From: Markus Volk <f_l_k@t-online.de>
To: openembedded-core@lists.openembedded.org
Subject: [oe-core][PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7
Date: Sun, 12 Nov 2023 22:23:27 +0100
Message-ID: <20231112212327.82530-1-f_l_k@t-online.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7 | expand

Commit Message

Markus Volk Nov. 12, 2023, 9:23 p.m. UTC

- enable tls by default to fix:
| hash.c:16:12: fatal error: gnutls/crypto.h: No such file or directory
|    16 | #  include <gnutls/crypto.h>

Changes in CUPS v2.4.7 (2023-09-20)
-----------------------------------

- CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript
  in PPD files
- Added OpenSSL support for cupsHashData (Issue #762)
- Fixed delays in lpd backend (Issue #741)
- Fixed extensive logging in scheduler (Issue #604)
- Fixed hanging of `lpstat` on IBM AIX (Issue #773)
- Fixed hanging of `lpstat` on Solaris (Issue #156)
- Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
- Fixed purging job files via `cancel -x` (Issue #742)
- Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
- Fixed a bug in the PPD command interpretation code (Issue #768)

Signed-off-by: Markus Volk <f_l_k@t-online.de>
---
 meta/recipes-extended/cups/cups.inc           |  5 +--
 .../cups/cups/CVE-2023-4504.patch             | 42 -------------------
 .../cups/{cups_2.4.6.bb => cups_2.4.7.bb}     |  2 +-
 3 files changed, 3 insertions(+), 46 deletions(-)
 delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
 rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} (51%)

Comments

Ross Burton Nov. 13, 2023, 4:04 p.m. UTC | #1

On 12 Nov 2023, at 21:23, Markus Volk via lists.openembedded.org <f_l_k=t-online.de@lists.openembedded.org> wrote:
> -DEPENDS = "libpng jpeg dbus zlib libusb1"
> +DEPENDS = "libpng jpeg dbus zlib libusb1 ${@bb.utils.contains('PACKAGECONFIG', 'gnutls', 'gnutls', 'openssl', d)}"

That’s horrible, there’s a perfectly good way of specifying DEPENDS in PACKAGECONFIGs.

> -PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=no,gnutls"
> +PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl"

I suggest using the lesser-known PACKAGECONFIG flags, specifically “options that conflict”:

https://docs.yoctoproject.org/ref-manual/variables.html#term-PACKAGECONFIG

OE doesn’t - currently - have any preference either way.  I raised this a while ago but obviously anyone who cares enough to have a strong opinion doesn’t agree with anyone else…

CUPS has two supported TLS backends, and it looks for openssl before gnutls.  So I suggest adding a packageconfig for each of those, defaulting to openssl, and make them mutually exclusive.

Ross

Markus Volk Nov. 13, 2023, 8:21 p.m. UTC | #2

On Mon, Nov 13 2023 at 04:04:46 PM +00:00:00, Ross Burton 
<Ross.Burton@arm.com> wrote:
> That’s horrible, there’s a perfectly good way of specifying 
> DEPENDS in PACKAGECONFIGs.

The reason I did it this way is because bb.utils.contains cannot be 
used in PACKAGECONFIGs depends field.

I know this conflict option and also have considered it, but I took the 
boolean either/or approach so that users don't have to use 
PACKAGECONFIG:remove to get rid of the openssl entry in order to  use 
gnutls.

I'll send an update with the requested change

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index fa32c38549..6be0e7c74a 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -6,7 +6,7 @@  document types."
 HOMEPAGE = "https://www.cups.org/"
 SECTION = "console/utils"
 LICENSE = "Apache-2.0"
-DEPENDS = "libpng jpeg dbus zlib libusb1"
+DEPENDS = "libpng jpeg dbus zlib libusb1 ${@bb.utils.contains('PACKAGECONFIG', 'gnutls', 'gnutls', 'openssl', d)}"
 
 SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
            file://0001-use-echo-only-in-init.patch \
@@ -15,7 +15,6 @@  SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
            file://0004-cups-fix-multilib-install-file-conflicts.patch \
            file://volatiles.99_cups \
            file://cups-volatiles.conf \
-           file://CVE-2023-4504.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
@@ -41,7 +40,7 @@  PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi',
                    ${@bb.utils.filter('DISTRO_FEATURES', 'pam systemd', d)}"
 PACKAGECONFIG[avahi] = "--with-dnssd=avahi,--with-dnssd=no,avahi"
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"
-PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=no,gnutls"
+PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl"
 PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"
 PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd"
 PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
deleted file mode 100644
index e52e43a209..0000000000
--- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
+++ /dev/null
@@ -1,42 +0,0 @@ 
-CVE: CVE-2023-4504
-Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 ]
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
-
-From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Wed, 20 Sep 2023 14:45:17 +0200
-Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
-
-We didn't check for end of buffer if it looks there is an escaped
-character - check for NULL terminator there and if found, return NULL
-as return value and in `ptr`, because a lone backslash is not
-a valid PostScript character.
----
- cups/raster-interpret.c | 14 +++++++++++++-
- 1 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
-index 6fcf731b5..b8655c8c6 100644
---- a/cups/raster-interpret.c
-+++ b/cups/raster-interpret.c
-@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
- 
- 	    cur ++;
- 
--            if (*cur == 'b')
-+	   /*
-+	    * Return NULL if we reached NULL terminator, a lone backslash
-+	    * is not a valid character in PostScript.
-+	    */
-+
-+	    if (!*cur)
-+	    {
-+	      *ptr = NULL;
-+
-+	      return (NULL);
-+	    }
-+
-+	    if (*cur == 'b')
- 	      *valptr++ = '\b';
- 	    else if (*cur == 'f')
- 	      *valptr++ = '\f';
diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb b/meta/recipes-extended/cups/cups_2.4.7.bb
similarity index 51%
rename from meta/recipes-extended/cups/cups_2.4.6.bb
rename to meta/recipes-extended/cups/cups_2.4.7.bb
index 58029fdbd4..f4b0282e4c 100644
--- a/meta/recipes-extended/cups/cups_2.4.6.bb
+++ b/meta/recipes-extended/cups/cups_2.4.7.bb
@@ -2,4 +2,4 @@  require cups.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
-SRC_URI[sha256sum] = "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
+SRC_URI[sha256sum] = "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"

[PATCHv2] cups: Upgrade 2.4.6 -> 2.4.7

Commit Message

Comments

Patch