[oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7

All of lore.kernel.org
 help / color / mirror / Atom feed

* [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
@ 2023-11-12  1:36 Markus Volk
  2023-11-12 19:21 ` Alexandre Belloni
  0 siblings, 1 reply; 4+ messages in thread
From: Markus Volk @ 2023-11-12  1:36 UTC (permalink / raw)
  To: openembedded-core

Changes in CUPS v2.4.7 (2023-09-20)
-----------------------------------

- CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript
  in PPD files
- Added OpenSSL support for cupsHashData (Issue #762)
- Fixed delays in lpd backend (Issue #741)
- Fixed extensive logging in scheduler (Issue #604)
- Fixed hanging of `lpstat` on IBM AIX (Issue #773)
- Fixed hanging of `lpstat` on Solaris (Issue #156)
- Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
- Fixed purging job files via `cancel -x` (Issue #742)
- Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
- Fixed a bug in the PPD command interpretation code (Issue #768)

Signed-off-by: Markus Volk <f_l_k@t-online.de>
---
 meta/recipes-extended/cups/cups.inc           |  1 -
 .../cups/cups/CVE-2023-4504.patch             | 42 -------------------
 .../cups/{cups_2.4.6.bb => cups_2.4.7.bb}     |  2 +-
 3 files changed, 1 insertion(+), 44 deletions(-)
 delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
 rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} (51%)

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index fa32c38549..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,7 +15,6 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
            file://0004-cups-fix-multilib-install-file-conflicts.patch \
            file://volatiles.99_cups \
            file://cups-volatiles.conf \
-           file://CVE-2023-4504.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
deleted file mode 100644
index e52e43a209..0000000000
--- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-CVE: CVE-2023-4504
-Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 ]
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
-
-From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Wed, 20 Sep 2023 14:45:17 +0200
-Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
-
-We didn't check for end of buffer if it looks there is an escaped
-character - check for NULL terminator there and if found, return NULL
-as return value and in `ptr`, because a lone backslash is not
-a valid PostScript character.
----
- cups/raster-interpret.c | 14 +++++++++++++-
- 1 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
-index 6fcf731b5..b8655c8c6 100644
---- a/cups/raster-interpret.c
-+++ b/cups/raster-interpret.c
-@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
- 
- 	    cur ++;
- 
--            if (*cur == 'b')
-+	   /*
-+	    * Return NULL if we reached NULL terminator, a lone backslash
-+	    * is not a valid character in PostScript.
-+	    */
-+
-+	    if (!*cur)
-+	    {
-+	      *ptr = NULL;
-+
-+	      return (NULL);
-+	    }
-+
-+	    if (*cur == 'b')
- 	      *valptr++ = '\b';
- 	    else if (*cur == 'f')
- 	      *valptr++ = '\f';
diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb b/meta/recipes-extended/cups/cups_2.4.7.bb
similarity index 51%
rename from meta/recipes-extended/cups/cups_2.4.6.bb
rename to meta/recipes-extended/cups/cups_2.4.7.bb
index 58029fdbd4..f4b0282e4c 100644
--- a/meta/recipes-extended/cups/cups_2.4.6.bb
+++ b/meta/recipes-extended/cups/cups_2.4.7.bb
@@ -2,4 +2,4 @@ require cups.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
-SRC_URI[sha256sum] = "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
+SRC_URI[sha256sum] = "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
-- 
2.42.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
  2023-11-12  1:36 [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7 Markus Volk
@ 2023-11-12 19:21 ` Alexandre Belloni
  2023-11-12 20:59   ` Markus Volk
       [not found]   ` <1796FBC977914057.28092@lists.openembedded.org>
  0 siblings, 2 replies; 4+ messages in thread
From: Alexandre Belloni @ 2023-11-12 19:21 UTC (permalink / raw)
  To: Markus Volk; +Cc: openembedded-core

Hello,

This fails:

reproducible:
https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors

lib32:
https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio


musl:
https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio


no-x11:
https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio

On 12/11/2023 02:36:17+0100, Markus Volk wrote:
> Changes in CUPS v2.4.7 (2023-09-20)
> -----------------------------------
> 
> - CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript
>   in PPD files
> - Added OpenSSL support for cupsHashData (Issue #762)
> - Fixed delays in lpd backend (Issue #741)
> - Fixed extensive logging in scheduler (Issue #604)
> - Fixed hanging of `lpstat` on IBM AIX (Issue #773)
> - Fixed hanging of `lpstat` on Solaris (Issue #156)
> - Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
> - Fixed purging job files via `cancel -x` (Issue #742)
> - Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
> - Fixed a bug in the PPD command interpretation code (Issue #768)
> 
> Signed-off-by: Markus Volk <f_l_k@t-online.de>
> ---
>  meta/recipes-extended/cups/cups.inc           |  1 -
>  .../cups/cups/CVE-2023-4504.patch             | 42 -------------------
>  .../cups/{cups_2.4.6.bb => cups_2.4.7.bb}     |  2 +-
>  3 files changed, 1 insertion(+), 44 deletions(-)
>  delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>  rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} (51%)
> 
> diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
> index fa32c38549..36feaddcf8 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -15,7 +15,6 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
>             file://0004-cups-fix-multilib-install-file-conflicts.patch \
>             file://volatiles.99_cups \
>             file://cups-volatiles.conf \
> -           file://CVE-2023-4504.patch \
>             "
>  
>  GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
> diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
> deleted file mode 100644
> index e52e43a209..0000000000
> --- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -CVE: CVE-2023-4504
> -Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 ]
> -Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> -
> -From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
> -From: Zdenek Dohnal <zdohnal@redhat.com>
> -Date: Wed, 20 Sep 2023 14:45:17 +0200
> -Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
> -
> -We didn't check for end of buffer if it looks there is an escaped
> -character - check for NULL terminator there and if found, return NULL
> -as return value and in `ptr`, because a lone backslash is not
> -a valid PostScript character.
> ----
> - cups/raster-interpret.c | 14 +++++++++++++-
> - 1 files changed, 13 insertions(+), 1 deletion(-)
> -
> -diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
> -index 6fcf731b5..b8655c8c6 100644
> ---- a/cups/raster-interpret.c
> -+++ b/cups/raster-interpret.c
> -@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
> - 
> - 	    cur ++;
> - 
> --            if (*cur == 'b')
> -+	   /*
> -+	    * Return NULL if we reached NULL terminator, a lone backslash
> -+	    * is not a valid character in PostScript.
> -+	    */
> -+
> -+	    if (!*cur)
> -+	    {
> -+	      *ptr = NULL;
> -+
> -+	      return (NULL);
> -+	    }
> -+
> -+	    if (*cur == 'b')
> - 	      *valptr++ = '\b';
> - 	    else if (*cur == 'f')
> - 	      *valptr++ = '\f';
> diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb b/meta/recipes-extended/cups/cups_2.4.7.bb
> similarity index 51%
> rename from meta/recipes-extended/cups/cups_2.4.6.bb
> rename to meta/recipes-extended/cups/cups_2.4.7.bb
> index 58029fdbd4..f4b0282e4c 100644
> --- a/meta/recipes-extended/cups/cups_2.4.6.bb
> +++ b/meta/recipes-extended/cups/cups_2.4.7.bb
> @@ -2,4 +2,4 @@ require cups.inc
>  
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
>  
> -SRC_URI[sha256sum] = "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
> +SRC_URI[sha256sum] = "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
> -- 
> 2.42.0
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#190442): https://lists.openembedded.org/g/openembedded-core/message/190442
> Mute This Topic: https://lists.openembedded.org/mt/102536625/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
  2023-11-12 19:21 ` Alexandre Belloni
@ 2023-11-12 20:59   ` Markus Volk
       [not found]   ` <1796FBC977914057.28092@lists.openembedded.org>
  1 sibling, 0 replies; 4+ messages in thread
From: Markus Volk @ 2023-11-12 20:59 UTC (permalink / raw)
  To: Alexandre Belloni; +Cc: Markus Volk, openembedded-core

[-- Attachment #1: Type: text/plain, Size: 7223 bytes --]

Hi,

| hash.c:16:12: fatal error: gnutls/crypto.h: No such file or directory
|    16 | #  include <gnutls/crypto.h>

it fails because there is no tls implementation activated by default. I 
do my builds with gnutls enabled and removing the bbappend that 
contains the packageconfig makes this problem reproducible for me. My 
question is, is it a reasonable standard to build without encryption? 
As I understand it, the correct solution would be to add tls support by 
default  (adding --with-tls=openssl also fixes the issue). Maybe we 
could do something like this?
PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"

Which tls implementation should be used by default? I know oe-core 
prefers openssl, but there have been known issues with it recently:
<https://github.com/void-linux/void-packages/pull/41193>

On Sun, Nov 12 2023 at 08:21:35 PM +01:00:00, Alexandre Belloni 
<alexandre.belloni@bootlin.com> wrote:
> Hello,
> 
> This fails:
> 
> reproducible:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors>
> 
> lib32:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio>
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio>
> 
> 
> musl:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio>
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio>
> 
> 
> no-x11:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio>
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio>
> 
> On 12/11/2023 02:36:17+0100, Markus Volk wrote:
>>  Changes in CUPS v2.4.7 (2023-09-20)
>>  -----------------------------------
>> 
>>  - CVE-2023-4504 - Fixed Heap-based buffer overflow when reading 
>> Postscript
>>    in PPD files
>>  - Added OpenSSL support for cupsHashData (Issue #762)
>>  - Fixed delays in lpd backend (Issue #741)
>>  - Fixed extensive logging in scheduler (Issue #604)
>>  - Fixed hanging of `lpstat` on IBM AIX (Issue #773)
>>  - Fixed hanging of `lpstat` on Solaris (Issue #156)
>>  - Fixed printing to stderr if we can't open cups-files.conf (Issue 
>> #777)
>>  - Fixed purging job files via `cancel -x` (Issue #742)
>>  - Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
>>  - Fixed a bug in the PPD command interpretation code (Issue #768)
>> 
>>  Signed-off-by: Markus Volk <f_l_k@t-online.de 
>> <mailto:f_l_k@t-online.de>>
>>  ---
>>   meta/recipes-extended/cups/cups.inc           |  1 -
>>   .../cups/cups/CVE-2023-4504.patch             | 42 
>> -------------------
>>   .../cups/{cups_2.4.6.bb => cups_2.4.7.bb}     |  2 +-
>>   3 files changed, 1 insertion(+), 44 deletions(-)
>>   delete mode 100644 
>> meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>   rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} 
>> (51%)
>> 
>>  diff --git a/meta/recipes-extended/cups/cups.inc 
>> b/meta/recipes-extended/cups/cups.inc
>>  index fa32c38549..36feaddcf8 100644
>>  --- a/meta/recipes-extended/cups/cups.inc
>>  +++ b/meta/recipes-extended/cups/cups.inc
>>  @@ -15,7 +15,6 @@ SRC_URI = 
>> "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
>>              
>> file://0004-cups-fix-multilib-install-file-conflicts.patch 
>> <file://0004-cups-fix-multilib-install-file-conflicts.patch/> \
>>              file://volatiles.99_cups <file://volatiles.99_cups/> \
>>              file://cups-volatiles.conf 
>> <file://cups-volatiles.conf/> \
>>  -           file://CVE-2023-4504.patch 
>> <file://cve-2023-4504.patch/> \
>>              "
>> 
>>   GITHUB_BASE_URI = "<https://github.com/OpenPrinting/cups/releases>"
>>  diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch 
>> b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>  deleted file mode 100644
>>  index e52e43a209..0000000000
>>  --- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>  +++ /dev/null
>>  @@ -1,42 +0,0 @@
>>  -CVE: CVE-2023-4504
>>  -Upstream-Status: Backport 
>> [<https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31> 
>> ]
>>  -Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com 
>> <mailto:chee.yang.lee@intel.com>>
>>  -
>>  -From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 
>> 2001
>>  -From: Zdenek Dohnal <zdohnal@redhat.com 
>> <mailto:zdohnal@redhat.com>>
>>  -Date: Wed, 20 Sep 2023 14:45:17 +0200
>>  -Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
>>  -
>>  -We didn't check for end of buffer if it looks there is an escaped
>>  -character - check for NULL terminator there and if found, return 
>> NULL
>>  -as return value and in `ptr`, because a lone backslash is not
>>  -a valid PostScript character.
>>  ----
>>  - cups/raster-interpret.c | 14 +++++++++++++-
>>  - 1 files changed, 13 insertions(+), 1 deletion(-)
>>  -
>>  -diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
>>  -index 6fcf731b5..b8655c8c6 100644
>>  ---- a/cups/raster-interpret.c
>>  -+++ b/cups/raster-interpret.c
>>  -@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - 
>> Stack */
>>  -
>>  - 	    cur ++;
>>  -
>>  --            if (*cur == 'b')
>>  -+	   /*
>>  -+	    * Return NULL if we reached NULL terminator, a lone backslash
>>  -+	    * is not a valid character in PostScript.
>>  -+	    */
>>  -+
>>  -+	    if (!*cur)
>>  -+	    {
>>  -+	      *ptr = NULL;
>>  -+
>>  -+	      return (NULL);
>>  -+	    }
>>  -+
>>  -+	    if (*cur == 'b')
>>  - 	      *valptr++ = '\b';
>>  - 	    else if (*cur == 'f')
>>  - 	      *valptr++ = '\f';
>>  diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb 
>> b/meta/recipes-extended/cups/cups_2.4.7.bb
>>  similarity index 51%
>>  rename from meta/recipes-extended/cups/cups_2.4.6.bb
>>  rename to meta/recipes-extended/cups/cups_2.4.7.bb
>>  index 58029fdbd4..f4b0282e4c 100644
>>  --- a/meta/recipes-extended/cups/cups_2.4.6.bb
>>  +++ b/meta/recipes-extended/cups/cups_2.4.7.bb
>>  @@ -2,4 +2,4 @@ require cups.inc
>> 
>>   LIC_FILES_CHKSUM = 
>> "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" 
>> <file://license;md5=3b83ef96387f14655fc854ddc3c6bd57/>
>> 
>>  -SRC_URI[sha256sum] = 
>> "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
>>  +SRC_URI[sha256sum] = 
>> "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
>>  --
>>  2.42.0
>> 
> 
>> 
>>  -=-=-=-=-=-=-=-=-=-=-=-
>>  Links: You receive all messages sent to this group.
>>  View/Reply Online (#190442): 
>> <https://lists.openembedded.org/g/openembedded-core/message/190442>
>>  Mute This Topic: 
>> <https://lists.openembedded.org/mt/102536625/3617179>
>>  Group Owner: openembedded-core+owner@lists.openembedded.org 
>> <mailto:openembedded-core+owner@lists.openembedded.org>
>>  Unsubscribe: 
>> <https://lists.openembedded.org/g/openembedded-core/unsub> 
>> [alexandre.belloni@bootlin.com 
>> <mailto:alexandre.belloni@bootlin.com>]
>>  -=-=-=-=-=-=-=-=-=-=-=-
>> 
> 
> 
> --
> Alexandre Belloni, co-owner and COO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com <https://bootlin.com/>


[-- Attachment #2: Type: text/html, Size: 9571 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

[parent not found: <1796FBC977914057.28092@lists.openembedded.org>]

* Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
       [not found]   ` <1796FBC977914057.28092@lists.openembedded.org>
@ 2023-11-12 21:28     ` Markus Volk
  0 siblings, 0 replies; 4+ messages in thread
From: Markus Volk @ 2023-11-12 21:28 UTC (permalink / raw)
  To: Markus Volk; +Cc: Alexandre Belloni, openembedded-core

[-- Attachment #1: Type: text/plain, Size: 7086 bytes --]

I've sent a v2 that would fix the issue by adding openssl tls support 
by default. tls can be switched to gnutls by using PACKAGECONFIG

On Sun, Nov 12 2023 at 09:59:39 PM +01:00:00, Markus Volk 
<f_l_k@t-online.de> wrote:
> Hi,
> 
> | hash.c:16:12: fatal error: gnutls/crypto.h: No such file or 
> directory
> |    16 | #  include <gnutls/crypto.h>
> 
> it fails because there is no tls implementation activated by default. 
> I do my builds with gnutls enabled and removing the bbappend that 
> contains the packageconfig makes this problem reproducible for me. My 
> question is, is it a reasonable standard to build without encryption? 
> As I understand it, the correct solution would be to add tls support 
> by default  (adding --with-tls=openssl also fixes the issue). Maybe 
> we could do something like this?
> PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"
> 
> Which tls implementation should be used by default? I know oe-core 
> prefers openssl, but there have been known issues with it recently:
> <https://github.com/void-linux/void-packages/pull/41193>
> 
> On Sun, Nov 12 2023 at 08:21:35 PM +01:00:00, Alexandre Belloni 
> <alexandre.belloni@bootlin.com> wrote:
>> Hello,
>> 
>> This fails:
>> 
>> reproducible:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors>
>> 
>> lib32:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio>
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio>
>> 
>> 
>> musl:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio>
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio>
>> 
>> 
>> no-x11:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio>
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio>
>> 
>> On 12/11/2023 02:36:17+0100, Markus Volk wrote:
>>>  Changes in CUPS v2.4.7 (2023-09-20)
>>>  -----------------------------------
>>> 
>>>  - CVE-2023-4504 - Fixed Heap-based buffer overflow when reading 
>>> Postscript
>>>    in PPD files
>>>  - Added OpenSSL support for cupsHashData (Issue #762)
>>>  - Fixed delays in lpd backend (Issue #741)
>>>  - Fixed extensive logging in scheduler (Issue #604)
>>>  - Fixed hanging of `lpstat` on IBM AIX (Issue #773)
>>>  - Fixed hanging of `lpstat` on Solaris (Issue #156)
>>>  - Fixed printing to stderr if we can't open cups-files.conf (Issue 
>>> #777)
>>>  - Fixed purging job files via `cancel -x` (Issue #742)
>>>  - Fixed RFC 1179 port reserving behavior in LPD backend (Issue 
>>> #743)
>>>  - Fixed a bug in the PPD command interpretation code (Issue #768)
>>> 
>>>  Signed-off-by: Markus Volk <f_l_k@t-online.de 
>>> <mailto:f_l_k@t-online.de>>
>>>  ---
>>>   meta/recipes-extended/cups/cups.inc           |  1 -
>>>   .../cups/cups/CVE-2023-4504.patch             | 42 
>>> -------------------
>>>   .../cups/{cups_2.4.6.bb => cups_2.4.7.bb}     |  2 +-
>>>   3 files changed, 1 insertion(+), 44 deletions(-)
>>>   delete mode 100644 
>>> meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>>   rename meta/recipes-extended/cups/{cups_2.4.6.bb => 
>>> cups_2.4.7.bb} (51%)
>>> 
>>>  diff --git a/meta/recipes-extended/cups/cups.inc 
>>> b/meta/recipes-extended/cups/cups.inc
>>>  index fa32c38549..36feaddcf8 100644
>>>  --- a/meta/recipes-extended/cups/cups.inc
>>>  +++ b/meta/recipes-extended/cups/cups.inc
>>>  @@ -15,7 +15,6 @@ SRC_URI = 
>>> "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
>>>              
>>> file://0004-cups-fix-multilib-install-file-conflicts.patch 
>>> <file://0004-cups-fix-multilib-install-file-conflicts.patch/> \
>>>              file://volatiles.99_cups <file://volatiles.99_cups/> \
>>>              file://cups-volatiles.conf 
>>> <file://cups-volatiles.conf/> \
>>>  -           file://CVE-2023-4504.patch 
>>> <file://cve-2023-4504.patch/> \
>>>              "
>>> 
>>>   GITHUB_BASE_URI = 
>>> "<https://github.com/OpenPrinting/cups/releases>"
>>>  diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch 
>>> b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>>  deleted file mode 100644
>>>  index e52e43a209..0000000000
>>>  --- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>>  +++ /dev/null
>>>  @@ -1,42 +0,0 @@
>>>  -CVE: CVE-2023-4504
>>>  -Upstream-Status: Backport 
>>> [<https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31> 
>>> ]
>>>  -Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com 
>>> <mailto:chee.yang.lee@intel.com>>
>>>  -
>>>  -From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 
>>> 2001
>>>  -From: Zdenek Dohnal <zdohnal@redhat.com 
>>> <mailto:zdohnal@redhat.com>>
>>>  -Date: Wed, 20 Sep 2023 14:45:17 +0200
>>>  -Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
>>>  -
>>>  -We didn't check for end of buffer if it looks there is an escaped
>>>  -character - check for NULL terminator there and if found, return 
>>> NULL
>>>  -as return value and in `ptr`, because a lone backslash is not
>>>  -a valid PostScript character.
>>>  ----
>>>  - cups/raster-interpret.c | 14 +++++++++++++-
>>>  - 1 files changed, 13 insertions(+), 1 deletion(-)
>>>  -
>>>  -diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
>>>  -index 6fcf731b5..b8655c8c6 100644
>>>  ---- a/cups/raster-interpret.c
>>>  -+++ b/cups/raster-interpret.c
>>>  -@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - 
>>> Stack */
>>>  -
>>>  - 	    cur ++;
>>>  -
>>>  --            if (*cur == 'b')
>>>  -+	   /*
>>>  -+	    * Return NULL if we reached NULL terminator, a lone 
>>> backslash
>>>  -+	    * is not a valid character in PostScript.
>>>  -+	    */
>>>  -+
>>>  -+	    if (!*cur)
>>>  -+	    {
>>>  -+	      *ptr = NULL;
>>>  -+
>>>  -+	      return (NULL);
>>>  -+	    }
>>>  -+
>>>  -+	    if (*cur == 'b')
>>>  - 	      *valptr++ = '\b';
>>>  - 	    else if (*cur == 'f')
>>>  - 	      *valptr++ = '\f';
>>>  diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb 
>>> b/meta/recipes-extended/cups/cups_2.4.7.bb
>>>  similarity index 51%
>>>  rename from meta/recipes-extended/cups/cups_2.4.6.bb
>>>  rename to meta/recipes-extended/cups/cups_2.4.7.bb
>>>  index 58029fdbd4..f4b0282e4c 100644
>>>  --- a/meta/recipes-extended/cups/cups_2.4.6.bb
>>>  +++ b/meta/recipes-extended/cups/cups_2.4.7.bb
>>>  @@ -2,4 +2,4 @@ require cups.inc
>>> 
>>>   LIC_FILES_CHKSUM = 
>>> "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" 
>>> <file://license;md5=3b83ef96387f14655fc854ddc3c6bd57/>
>>> 
>>>  -SRC_URI[sha256sum] = 
>>> "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
>>>  +SRC_URI[sha256sum] = 
>>> "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
>>>  --
>>>  2.42.0
>>> 
>> 
>>> 
>>> 
>>> 
>> 
>> 
>> --
>> Alexandre Belloni, co-owner and COO, Bootlin
>> Embedded Linux and Kernel engineering
>> https://bootlin.com <https://bootlin.com/>


[-- Attachment #2: Type: text/html, Size: 9163 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-11-12 21:28 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-12  1:36 [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7 Markus Volk
2023-11-12 19:21 ` Alexandre Belloni
2023-11-12 20:59   ` Markus Volk
     [not found]   ` <1796FBC977914057.28092@lists.openembedded.org>
2023-11-12 21:28     ` Markus Volk

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.