* [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
@ 2023-11-12 1:36 Markus Volk
2023-11-12 19:21 ` Alexandre Belloni
0 siblings, 1 reply; 4+ messages in thread
From: Markus Volk @ 2023-11-12 1:36 UTC (permalink / raw)
To: openembedded-core
Changes in CUPS v2.4.7 (2023-09-20)
-----------------------------------
- CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript
in PPD files
- Added OpenSSL support for cupsHashData (Issue #762)
- Fixed delays in lpd backend (Issue #741)
- Fixed extensive logging in scheduler (Issue #604)
- Fixed hanging of `lpstat` on IBM AIX (Issue #773)
- Fixed hanging of `lpstat` on Solaris (Issue #156)
- Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
- Fixed purging job files via `cancel -x` (Issue #742)
- Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
- Fixed a bug in the PPD command interpretation code (Issue #768)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
---
meta/recipes-extended/cups/cups.inc | 1 -
.../cups/cups/CVE-2023-4504.patch | 42 -------------------
.../cups/{cups_2.4.6.bb => cups_2.4.7.bb} | 2 +-
3 files changed, 1 insertion(+), 44 deletions(-)
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} (51%)
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index fa32c38549..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,7 +15,6 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://0004-cups-fix-multilib-install-file-conflicts.patch \
file://volatiles.99_cups \
file://cups-volatiles.conf \
- file://CVE-2023-4504.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
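Review bot: dropping file://CVE-2023-4504.patch from SRC_URI is only correct because the 2.4.7 changelog quoted in the commit message lists CVE-2023-4504 as fixed upstream; say that explicitly in the commit message (for example "Drop CVE-2023-4504.patch, fix included in 2.4.7") so a reader of the recipe history can see the fix was deliberately folded into the version bump rather than silently lost.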
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
deleted file mode 100644
index e52e43a209..0000000000
--- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-CVE: CVE-2023-4504
-Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 ]
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
-
-From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Wed, 20 Sep 2023 14:45:17 +0200
-Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
-
-We didn't check for end of buffer if it looks there is an escaped
-character - check for NULL terminator there and if found, return NULL
-as return value and in `ptr`, because a lone backslash is not
-a valid PostScript character.
----
- cups/raster-interpret.c | 14 +++++++++++++-
- 1 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
-index 6fcf731b5..b8655c8c6 100644
---- a/cups/raster-interpret.c
-+++ b/cups/raster-interpret.c
-@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
-
- cur ++;
-
-- if (*cur == 'b')
-+ /*
-+ * Return NULL if we reached NULL terminator, a lone backslash
-+ * is not a valid character in PostScript.
-+ */
-+
-+ if (!*cur)
-+ {
-+ *ptr = NULL;
-+
-+ return (NULL);
-+ }
-+
-+ if (*cur == 'b')
- *valptr++ = '\b';
- else if (*cur == 'f')
- *valptr++ = '\f';
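Review bot: before deleting this backport, verify that the upstream commit named in its Upstream-Status line (2431caddb7e6a87f04ac90b5c6366ad268b6ff31) is actually contained in the v2.4.7 release rather than relying on the changelog entry alone; the deleted header is the only place the recipe recorded the CVE id, so after this change the claim that 2.4.7 is not affected rests entirely on the version number being correct.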
diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb b/meta/recipes-extended/cups/cups_2.4.7.bb
similarity index 51%
rename from meta/recipes-extended/cups/cups_2.4.6.bb
rename to meta/recipes-extended/cups/cups_2.4.7.bb
index 58029fdbd4..f4b0282e4c 100644
--- a/meta/recipes-extended/cups/cups_2.4.6.bb
+++ b/meta/recipes-extended/cups/cups_2.4.7.bb
@@ -2,4 +2,4 @@ require cups.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRC_URI[sha256sum] = "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
+SRC_URI[sha256sum] = "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
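Review bot: the bump changes only the checksum, but the changelog says cupsHashData gained OpenSSL support, and the autobuilder logs reported later in this thread show the default configuration (no TLS backend in PACKAGECONFIG) failing with "hash.c:16:12: fatal error: gnutls/crypto.h: No such file or directory". Build-test with the default PACKAGECONFIG before resending and select a default TLS backend in the same patch (the v2 mentioned later in the thread does so with openssl); also note in the commit message that the new sha256sum was taken from the GitHub release tarball referenced by SRC_URI so the checksum change is reviewable.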
--
2.42.0
* Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
2023-11-12 1:36 [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7 Markus Volk
@ 2023-11-12 19:21 ` Alexandre Belloni
2023-11-12 20:59 ` Markus Volk
[not found] ` <1796FBC977914057.28092@lists.openembedded.org>
0 siblings, 2 replies; 4+ messages in thread
From: Alexandre Belloni @ 2023-11-12 19:21 UTC (permalink / raw)
To: Markus Volk; +Cc: openembedded-core
Hello,
This fails:
reproducible:
https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors
lib32:
https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio
musl:
https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio
no-x11:
https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio
On 12/11/2023 02:36:17+0100, Markus Volk wrote:
> Changes in CUPS v2.4.7 (2023-09-20)
> -----------------------------------
>
> - CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript
> in PPD files
> - Added OpenSSL support for cupsHashData (Issue #762)
> - Fixed delays in lpd backend (Issue #741)
> - Fixed extensive logging in scheduler (Issue #604)
> - Fixed hanging of `lpstat` on IBM AIX (Issue #773)
> - Fixed hanging of `lpstat` on Solaris (Issue #156)
> - Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
> - Fixed purging job files via `cancel -x` (Issue #742)
> - Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
> - Fixed a bug in the PPD command interpretation code (Issue #768)
>
> Signed-off-by: Markus Volk <f_l_k@t-online.de>
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
2023-11-12 19:21 ` Alexandre Belloni
@ 2023-11-12 20:59 ` Markus Volk
[not found] ` <1796FBC977914057.28092@lists.openembedded.org>
1 sibling, 0 replies; 4+ messages in thread
From: Markus Volk @ 2023-11-12 20:59 UTC (permalink / raw)
To: Alexandre Belloni; +Cc: Markus Volk, openembedded-core
Hi,
| hash.c:16:12: fatal error: gnutls/crypto.h: No such file or directory
| 16 | # include <gnutls/crypto.h>
It fails because there is no tls implementation activated by default. I
do my builds with gnutls enabled and removing the bbappend that
contains the packageconfig makes this problem reproducible for me. My
question is, is it a reasonable standard to build without encryption?
As I understand it, the correct solution would be to add tls support by
default (adding --with-tls=openssl also fixes the issue). Maybe we
could do something like this?
PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"
Which tls implementation should be used by default? I know oe-core
prefers openssl, but there have been known issues with it recently:
<https://github.com/void-linux/void-packages/pull/41193>
On Sun, Nov 12 2023 at 08:21:35 PM +01:00:00, Alexandre Belloni
<alexandre.belloni@bootlin.com> wrote:
> Hello,
>
> This fails:
>
> reproducible:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors>
>
> lib32:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio>
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio>
>
>
> musl:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio>
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio>
>
>
> no-x11:
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio>
> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio>
>
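To make the choice discussed in this message concrete, here is an added example (not the submitted recipe and not the v2) of how the two ways of defaulting the TLS backend could be expressed in a BitBake recipe: the PACKAGECONFIG line proposed above as written, and an alternative with two explicit options plus a guard against enabling both backends, which is my own suggestion.

```bitbake
# Added example; hypothetical fragment for meta/recipes-extended/cups/cups.inc,
# not the recipe as submitted. A real recipe would use option A or option B,
# not both (the later PACKAGECONFIG[gnutls] assignment would simply win).

# Weak default: no TLS backend in PACKAGECONFIG, so configure runs without
# --with-tls. cupsd then offers no encrypted IPP and, as the autobuilder logs
# in this thread show, 2.4.7 no longer even builds (hash.c needs a crypto lib).
# PACKAGECONFIG ??= ""          # neither 'gnutls' nor 'openssl' selected

# Option A, the single-option form proposed in the message above: when
# 'gnutls' is not selected, the *disable* field passes --with-tls=openssl,
# so OpenSSL is the fallback and gnutls is used only when chosen.
# Caveat: the disable field cannot declare a build dependency, so OpenSSL
# would additionally have to be listed unconditionally in DEPENDS.
PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"

# Option B (hypothetical): two explicit options, OpenSSL on by default, each
# carrying its own build dependency, plus an anonymous-python guard so a
# bbappend cannot end up passing --with-tls twice or dropping TLS entirely.
PACKAGECONFIG ??= "openssl"
PACKAGECONFIG[openssl] = "--with-tls=openssl,,openssl"
PACKAGECONFIG[gnutls]  = "--with-tls=gnutls,,gnutls"

python __anonymous () {
    pc = (d.getVar("PACKAGECONFIG") or "").split()
    if "openssl" in pc and "gnutls" in pc:
        bb.fatal("cups: PACKAGECONFIG must select only one of openssl/gnutls")
    if "openssl" not in pc and "gnutls" not in pc:
        # With 2.4.7 this configuration fails to compile; flag it early
        # rather than letting do_compile report a missing header.
        bb.fatal("cups: select a TLS backend (openssl or gnutls) in PACKAGECONFIG")
}
```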
* Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
[not found] ` <1796FBC977914057.28092@lists.openembedded.org>
@ 2023-11-12 21:28 ` Markus Volk
0 siblings, 0 replies; 4+ messages in thread
From: Markus Volk @ 2023-11-12 21:28 UTC (permalink / raw)
To: Markus Volk; +Cc: Alexandre Belloni, openembedded-core
I've sent a v2 that would fix the issue by adding openssl tls support
by default. TLS can be switched to gnutls by using PACKAGECONFIG.
On Sun, Nov 12 2023 at 09:59:39 PM +01:00:00, Markus Volk
<f_l_k@t-online.de> wrote:
> Hi,
>
> | hash.c:16:12: fatal error: gnutls/crypto.h: No such file or
> directory
> | 16 | # include <gnutls/crypto.h>
>
> it fails because there is no tls implementation activated by default.
> I do my builds with gnutls enabled and removing the bbappend that
> contains the packageconfig makes this problem reproducible for me. My
> question is, is it a reasonable standard to build without encryption?
> As I understand it, the correct solution would be to add tls support
> by default (adding --with-tls=openssl also fixes the issue). Maybe
> we could do something like this?
> PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"
>
> Which tls implementation should be used by default? I know oe-core
> prefers openssl, but there have been known issues with it recently:
> <https://github.com/void-linux/void-packages/pull/41193>
>