From: Markus Volk <f_l_k@t-online.de>
To: Markus Volk <f_l_k@t-online.de>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7
Date: Sun, 12 Nov 2023 22:28:29 +0100
Message-ID: <HZ414S.HW8NR3EMT6LP@t-online.de>
In-Reply-To: <1796FBC977914057.28092@lists.openembedded.org>
I've sent a v2 that would fix the issue by adding openssl TLS support
by default. TLS can be switched to gnutls by using PACKAGECONFIG.
On Sun, Nov 12 2023 at 09:59:39 PM +01:00:00, Markus Volk
<f_l_k@t-online.de> wrote:
> Hi,
>
> | hash.c:16:12: fatal error: gnutls/crypto.h: No such file or directory
> | 16 | # include <gnutls/crypto.h>
>
> It fails because there is no TLS implementation activated by default.
> I do my builds with gnutls enabled, and removing the bbappend that
> contains the PACKAGECONFIG makes this problem reproducible for me. My
> question is, is it a reasonable standard to build without encryption?
> As I understand it, the correct solution would be to add TLS support
> by default (adding --with-tls=openssl also fixes the issue). Maybe
> we could do something like this?
> PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"
>
> Which TLS implementation should be used by default? I know oe-core
> prefers openssl, but there have been known issues with it recently:
> <https://github.com/void-linux/void-packages/pull/41193>
>
> On Sun, Nov 12 2023 at 08:21:35 PM +01:00:00, Alexandre Belloni
> <alexandre.belloni@bootlin.com> wrote:
>> Hello,
>>
>> This fails:
>>
>> reproducible:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors>
>>
>> lib32:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio>
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio>
>>
>>
>> musl:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio>
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio>
>>
>>
>> no-x11:
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio>
>> <https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio>
>>
>> On 12/11/2023 02:36:17+0100, Markus Volk wrote:
>>> Changes in CUPS v2.4.7 (2023-09-20)
>>> -----------------------------------
>>>
>>> - CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript in PPD files
>>> - Added OpenSSL support for cupsHashData (Issue #762)
>>> - Fixed delays in lpd backend (Issue #741)
>>> - Fixed extensive logging in scheduler (Issue #604)
>>> - Fixed hanging of `lpstat` on IBM AIX (Issue #773)
>>> - Fixed hanging of `lpstat` on Solaris (Issue #156)
>>> - Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
>>> - Fixed purging job files via `cancel -x` (Issue #742)
>>> - Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
>>> - Fixed a bug in the PPD command interpretation code (Issue #768)
>>>
>>> Signed-off-by: Markus Volk <f_l_k@t-online.de>
>>> ---
>>> meta/recipes-extended/cups/cups.inc | 1 -
>>> .../cups/cups/CVE-2023-4504.patch | 42 -------------------
>>> .../cups/{cups_2.4.6.bb => cups_2.4.7.bb} | 2 +-
>>> 3 files changed, 1 insertion(+), 44 deletions(-)
>>> delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>> rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} (51%)
>>>
>>> diff --git a/meta/recipes-extended/cups/cups.inc
>>> b/meta/recipes-extended/cups/cups.inc
>>> index fa32c38549..36feaddcf8 100644
>>> --- a/meta/recipes-extended/cups/cups.inc
>>> +++ b/meta/recipes-extended/cups/cups.inc
>>> @@ -15,7 +15,6 @@ SRC_URI =
>>> "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
>>>
>>> file://0004-cups-fix-multilib-install-file-conflicts.patch
>>> <file://0004-cups-fix-multilib-install-file-conflicts.patch/> \
>>> file://volatiles.99_cups <file://volatiles.99_cups/> \
>>> file://cups-volatiles.conf
>>> <file://cups-volatiles.conf/> \
>>> - file://CVE-2023-4504.patch
>>> <file://cve-2023-4504.patch/> \
>>> "
>>>
>>> GITHUB_BASE_URI =
>>> "<https://github.com/OpenPrinting/cups/releases>"
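Review bot: the commit message never says why `file://CVE-2023-4504.patch` leaves SRC_URI; it only pastes the upstream changelog. Add a line such as "CVE-2023-4504.patch dropped, fixed upstream in 2.4.7" so that the removal of a security backport is justified in the log itself and does not have to be inferred from the first changelog entry.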
>>> diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>> b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>> deleted file mode 100644
>>> index e52e43a209..0000000000
>>> --- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
>>> +++ /dev/null
>>> @@ -1,42 +0,0 @@
>>> -CVE: CVE-2023-4504
>>> -Upstream-Status: Backport
>>> [<https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31>
>>> ]
>>> -Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com
>>> <mailto:chee.yang.lee@intel.com>>
>>> -
>>> -From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00
>>> 2001
>>> -From: Zdenek Dohnal <zdohnal@redhat.com
>>> <mailto:zdohnal@redhat.com>>
>>> -Date: Wed, 20 Sep 2023 14:45:17 +0200
>>> -Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
>>> -
>>> -We didn't check for end of buffer if it looks there is an escaped
>>> -character - check for NULL terminator there and if found, return
>>> NULL
>>> -as return value and in `ptr`, because a lone backslash is not
>>> -a valid PostScript character.
>>> ----
>>> - cups/raster-interpret.c | 14 +++++++++++++-
>>> - 1 files changed, 13 insertions(+), 1 deletion(-)
>>> -
>>> -diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
>>> -index 6fcf731b5..b8655c8c6 100644
>>> ---- a/cups/raster-interpret.c
>>> -+++ b/cups/raster-interpret.c
>>> -@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I -
>>> Stack */
>>> -
>>> - cur ++;
>>> -
>>> -- if (*cur == 'b')
>>> -+ /*
>>> -+ * Return NULL if we reached NULL terminator, a lone
>>> backslash
>>> -+ * is not a valid character in PostScript.
>>> -+ */
>>> -+
>>> -+ if (!*cur)
>>> -+ {
>>> -+ *ptr = NULL;
>>> -+
>>> -+ return (NULL);
>>> -+ }
>>> -+
>>> -+ if (*cur == 'b')
>>> - *valptr++ = '\b';
>>> - else if (*cur == 'f')
>>> - *valptr++ = '\f';
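Review bot: deleting this file also deletes the recipe's `CVE: CVE-2023-4504` tag, so from here on the fix is evidenced only by the version number. Before dropping it, confirm that `scan_ps()` in cups/raster-interpret.c of the 2.4.7 tarball contains the `if (!*cur)` check that sets `*ptr = NULL` and returns NULL. The backported commit is dated 20 Sep 2023, the same day as the 2.4.7 release in the changelog, which is consistent with it being included, but the source should be checked rather than assumed.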
>>> diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb
>>> b/meta/recipes-extended/cups/cups_2.4.7.bb
>>> similarity index 51%
>>> rename from meta/recipes-extended/cups/cups_2.4.6.bb
>>> rename to meta/recipes-extended/cups/cups_2.4.7.bb
>>> index 58029fdbd4..f4b0282e4c 100644
>>> --- a/meta/recipes-extended/cups/cups_2.4.6.bb
>>> +++ b/meta/recipes-extended/cups/cups_2.4.7.bb
>>> @@ -2,4 +2,4 @@ require cups.inc
>>>
>>> LIC_FILES_CHKSUM =
>>> "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
>>> <file://license;md5=3b83ef96387f14655fc854ddc3c6bd57/>
>>>
>>> -SRC_URI[sha256sum] =
>>> "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
>>> +SRC_URI[sha256sum] =
>>> "dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
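Review bot: nothing in this patch selects a TLS backend; the rename hunk changes only `SRC_URI[sha256sum]`, while the 2.4.7 changelog lists "Added OpenSSL support for cupsHashData (Issue #762)" and the failure reported in this thread is hash.c not finding gnutls/crypto.h. The upgrade should set a default `--with-tls=` in the same patch (the PACKAGECONFIG form proposed earlier in this thread would do it) and be build-tested without any bbappend that enables gnutls. The unchanged LIC_FILES_CHKSUM is fine as long as LICENSE in the 2.4.7 tarball still has that md5.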
>>> --
>>> 2.42.0
>>>
>> --
>> Alexandre Belloni, co-owner and COO, Bootlin
>> Embedded Linux and Kernel engineering
>> https://bootlin.com