commit bd15159fbeb423459b3d909ed157e4133ee40f7c Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:36:23 2019 -0400 Package init diff --git a/0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch b/0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch new file mode 100644 index 00000000..ec224c3f --- /dev/null +++ b/0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch @@ -0,0 +1,206 @@ +diff --git a/backend/ipp.c b/backend/ipp.c +index 32eb3aaa4..2a880bd75 100644 +--- a/backend/ipp.c ++++ b/backend/ipp.c +@@ -3612,6 +3612,8 @@ update_reasons(ipp_attribute_t *attr, /* I - printer-state-reasons or NULL */ + } + } + ++ cupsArrayDelete(new_reasons); ++ + _cupsMutexUnlock(&report_mutex); + + /* +diff --git a/cgi-bin/search.c b/cgi-bin/search.c +index 3956afc33..ad1f5ed0e 100644 +--- a/cgi-bin/search.c ++++ b/cgi-bin/search.c +@@ -361,4 +362,5 @@ void + cgiFreeSearch(void *search) /* I - Search context */ + { + regfree((regex_t *)search); ++ free(search); + } +diff --git a/cups/http-addrlist.c b/cups/http-addrlist.c +index 5d510140b..688901a7d 100644 +--- a/cups/http-addrlist.c ++++ b/cups/http-addrlist.c +@@ -612,6 +613,7 @@ httpAddrGetList(const char *hostname, /* I - Hostname, IP address, or NULL for p + if (!temp) + { + httpAddrFreeList(first); ++ freeaddrinfo(results); + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0); + return (NULL); + } +diff --git a/cups/http.c b/cups/http.c +index a9235b087..d9332cc83 100644 +--- a/cups/http.c ++++ b/cups/http.c +@@ -3915,7 +3915,7 @@ http_create( + if ((http = calloc(sizeof(http_t), 1)) == NULL) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0); +- httpAddrFreeList(addrlist); ++ httpAddrFreeList(myaddrlist); + return (NULL); + } + +diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx +index be24cebae..4e8cba7bb 100644 +--- a/ppdc/ppdc-source.cxx ++++ b/ppdc/ppdc-source.cxx +@@ -2665,6 +2666,7 @@ ppdcSource::scan_file(ppdcFile *fp, // I - File to read + // Add it to the current option... + if (!o) + { ++ c->release(); + _cupsLangPrintf(stderr, + _("ppdc: Choice found on line %d of %s with no " + "Option."), fp->line, fp->filename); +diff --git a/scheduler/cups-driverd.cxx b/scheduler/cups-driverd.cxx +index 657eee0a0..b518a9325 100644 +--- a/scheduler/cups-driverd.cxx ++++ b/scheduler/cups-driverd.cxx +@@ -153,7 +153,7 @@ static ppd_info_t *add_ppd(const char *filename, const char *name, + size_t size, int model_number, int type, + const char *scheme); + static int cat_drv(const char *name, int request_id); +-static int cat_ppd(const char *name, int request_id); ++static void cat_ppd(const char *name, int request_id); + static int cat_static(const char *name, int request_id); + static int cat_tar(const char *name, int request_id); + static int compare_inodes(struct stat *a, struct stat *b); +@@ -163,12 +163,12 @@ static int compare_names(const ppd_info_t *p0, + const ppd_info_t *p1); + static int compare_ppds(const ppd_info_t *p0, + const ppd_info_t *p1); +-static int dump_ppds_dat(const char *filename); ++static void dump_ppds_dat(const char *filename); + static void free_array(cups_array_t *a); + static cups_file_t *get_file(const char *name, int request_id, + const char *subdir, char *buffer, + size_t bufsize, char **subfile); +-static int list_ppds(int request_id, int limit, const char *opt); ++static void list_ppds(int request_id, int limit, const char *opt); + static int load_drivers(cups_array_t *include, + cups_array_t *exclude); + static int load_drv(const char *filename, const char *name, +@@ -204,13 +204,13 @@ main(int argc, /* I - Number of command-line args */ + */ + + if (argc == 3 && !strcmp(argv[1], "cat")) +- return (cat_ppd(argv[2], 0)); ++ cat_ppd(argv[2], 0); + else if ((argc == 2 || argc == 3) && !strcmp(argv[1], "dump")) +- return (dump_ppds_dat(argv[2])); ++ dump_ppds_dat(argv[2]); + else if (argc == 4 && !strcmp(argv[1], "get")) +- return (cat_ppd(argv[3], atoi(argv[2]))); ++ cat_ppd(argv[3], atoi(argv[2])); + else if (argc == 5 && !strcmp(argv[1], "list")) +- return (list_ppds(atoi(argv[2]), atoi(argv[3]), argv[4])); ++ list_ppds(atoi(argv[2]), atoi(argv[3]), argv[4]); + else + { + fputs("Usage: cups-driverd cat ppd-name\n", stderr); +@@ -428,7 +428,7 @@ cat_drv(const char *name, /* I - PPD name */ + * 'cat_ppd()' - Copy a PPD file to stdout. + */ + +-static int /* O - Exit code */ ++static void + cat_ppd(const char *name, /* I - PPD name */ + int request_id) /* I - Request ID for response? */ + { +@@ -445,7 +445,7 @@ cat_ppd(const char *name, /* I - PPD name */ + if (strstr(name, "../")) + { + fputs("ERROR: Invalid PPD name.\n", stderr); +- return (1); ++ exit(1); + } + + strlcpy(scheme, name, sizeof(scheme)); +@@ -475,11 +475,11 @@ cat_ppd(const char *name, /* I - PPD name */ + puts("Content-Type: application/ipp\n"); + + if (!scheme[0]) +- return (cat_static(name, request_id)); ++ exit(cat_static(name, request_id)); + else if (!strcmp(scheme, "drv")) +- return (cat_drv(name, request_id)); ++ exit(cat_drv(name, request_id)); + else if (!strcmp(scheme, "file")) +- return (cat_tar(name, request_id)); ++ exit(cat_tar(name, request_id)); + else + { + /* +@@ -517,7 +517,7 @@ cat_ppd(const char *name, /* I - PPD name */ + cupsdSendIPPTrailer(); + } + +- return (1); ++ exit(1); + } + + /* +@@ -547,15 +547,15 @@ cat_ppd(const char *name, /* I - PPD name */ + + fprintf(stderr, "ERROR: [cups-driverd] Unable to execute \"%s\" - %s\n", + line, strerror(errno)); +- return (1); ++ exit(1); + } + } + + /* +- * Return with no errors... ++ * Exit with no errors... + */ + +- return (0); ++ exit(0); + } + + +@@ -778,7 +778,7 @@ compare_ppds(const ppd_info_t *p0, /* I - First PPD file */ + * 'dump_ppds_dat()' - Dump the contents of the ppds.dat file. + */ + +-static int /* O - Exit status */ ++static void + dump_ppds_dat(const char *filename) /* I - Filename */ + { + char temp[1024]; /* ppds.dat filename */ +@@ -810,7 +810,7 @@ dump_ppds_dat(const char *filename) /* I - Filename */ + ppd->record.make_and_model, ppd->record.device_id, + ppd->record.scheme); + +- return (0); ++ exit(0); + } + + +@@ -1004,7 +1004,7 @@ get_file(const char *name, /* I - Name */ + * 'list_ppds()' - List PPD files. + */ + +-static int /* O - Exit code */ ++static void + list_ppds(int request_id, /* I - Request ID */ + int limit, /* I - Limit */ + const char *opt) /* I - Option argument */ +@@ -1566,7 +1566,7 @@ list_ppds(int request_id, /* I - Request ID */ + if (request_id) + cupsdSendIPPTrailer(); + +- return (0); ++ exit(0); + } + + +-- +2.17.1 + diff --git a/CVE-2018-4300.patch b/CVE-2018-4300.patch new file mode 100644 index 00000000..20ff3229 --- /dev/null +++ b/CVE-2018-4300.patch @@ -0,0 +1,20 @@ +--- a/cgi-bin/var.c 2013-06-07 09:12:52.000000000 +0800 ++++ b/cgi-bin/var.c 2019-04-20 18:23:17.835000000 +0800 +@@ -1222,6 +1222,7 @@ cgi_set_sid(void) + *server_name, /* SERVER_NAME */ + *server_port; /* SERVER_PORT */ + ++ struct timeval curtime; /* Current time */ + + if ((remote_addr = getenv("REMOTE_ADDR")) == NULL) + remote_addr = "REMOTE_ADDR"; +@@ -1230,7 +1231,8 @@ cgi_set_sid(void) + if ((server_port = getenv("SERVER_PORT")) == NULL) + server_port = "SERVER_PORT"; + +- CUPS_SRAND(time(NULL)); ++ gettimeofday(&curtime, NULL); ++ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec); + snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X", + remote_addr, server_name, server_port, + (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255, diff --git a/CVE-2019-8675-CVE-2019-8696.patch b/CVE-2019-8675-CVE-2019-8696.patch new file mode 100644 index 00000000..08d1ebce --- /dev/null +++ b/CVE-2019-8675-CVE-2019-8696.patch @@ -0,0 +1,187 @@ +From f24e6cf6a39300ad0c3726a41a4aab51ad54c109 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Thu, 15 Aug 2019 14:08:31 -0400 +Subject: [PATCH] Fix multiple security/disclosure issues: + +- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251) +- Fixed IPP buffer overflow (rdar://50035411) +- Fixed memory disclosure issue in the scheduler (rdar://51373853) +- Fixed DoS issues in the scheduler (rdar://51373929) +--- + CHANGES.md | 6 +++++- + cups/http.c | 9 +++++++-- + cups/ipp.c | 9 ++------- + cups/snmp.c | 20 +++++++++++++++++++- + scheduler/client.c | 23 ++++++++++++----------- + 5 files changed, 45 insertions(+), 22 deletions(-) + +diff --git a/cups/http.c b/cups/http.c +index 5c14ef68e..3fadb5acb 100644 +--- a/cups/http.c ++++ b/cups/http.c +@@ -1905,7 +1905,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */ + ...) /* I - Additional args as needed */ + { + ssize_t bytes; /* Number of bytes to write */ +- char buf[16384]; /* Buffer for formatted string */ ++ char buf[65536]; /* Buffer for formatted string */ + va_list ap; /* Variable argument pointer */ + + +@@ -1917,7 +1917,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */ + + DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf)); + +- if (http->data_encoding == HTTP_ENCODING_FIELDS) ++ if (bytes > (ssize_t)(sizeof(buf) - 1)) ++ { ++ http->error = ENOMEM; ++ return (-1); ++ } ++ else if (http->data_encoding == HTTP_ENCODING_FIELDS) + return ((int)httpWrite2(http, buf, (size_t)bytes)); + else + { +diff --git a/cups/ipp.c b/cups/ipp.c +index eaa8c78ca..b0762fdcb 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -4553,9 +4553,7 @@ ippSetValueTag( + break; + + case IPP_TAG_NAME : +- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI && +- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE && +- temp_tag != IPP_TAG_MIMETYPE) ++ if (temp_tag != IPP_TAG_KEYWORD) + return (0); + + (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST)); +@@ -4563,10 +4561,7 @@ ippSetValueTag( + + case IPP_TAG_NAMELANG : + case IPP_TAG_TEXTLANG : +- if (value_tag == IPP_TAG_NAMELANG && +- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD && +- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME && +- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE)) ++ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD)) + return (0); + + if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT) +diff --git a/cups/snmp.c b/cups/snmp.c +index 8437528dd..fc9396177 100644 +--- a/cups/snmp.c ++++ b/cups/snmp.c +@@ -1233,6 +1233,9 @@ asn1_get_integer( + int value; /* Integer value */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + if (length > sizeof(int)) + { + (*buffer) += length; +@@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */ + unsigned length; /* Length */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + length = **buffer; + (*buffer) ++; + +@@ -1301,6 +1307,9 @@ asn1_get_oid( + int number; /* OID number */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + valend = *buffer + length; + oidptr = oid; + oidend = oid + oidsize - 1; +@@ -1349,9 +1358,12 @@ asn1_get_packed( + int value; /* Value */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + value = 0; + +- while ((**buffer & 128) && *buffer < bufend) ++ while (*buffer < bufend && (**buffer & 128)) + { + value = (value << 7) | (**buffer & 127); + (*buffer) ++; +@@ -1379,6 +1391,9 @@ asn1_get_string( + char *string, /* I - String buffer */ + size_t strsize) /* I - String buffer size */ + { ++ if (*buffer >= bufend) ++ return (NULL); ++ + if (length > (unsigned)(bufend - *buffer)) + length = (unsigned)(bufend - *buffer); + +@@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */ + int type; /* Type */ + + ++ if (*buffer >= bufend) ++ return (0); ++ + type = **buffer; + (*buffer) ++; + +diff --git a/scheduler/client.c b/scheduler/client.c +index a21b909a8..680508047 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -568,6 +568,17 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ + + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cupsdReadClient: error=%d, used=%d, state=%s, data_encoding=HTTP_ENCODING_%s, data_remaining=" CUPS_LLFMT ", request=%p(%s), file=%d", httpError(con->http), (int)httpGetReady(con->http), httpStateString(httpGetState(con->http)), httpIsChunked(con->http) ? "CHUNKED" : "LENGTH", CUPS_LLCAST httpGetRemaining(con->http), con->request, con->request ? ippStateString(ippGetState(con->request)) : "", con->file); + ++ if (httpError(con->http) == EPIPE && !httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1) ++ { ++ /* ++ * Connection closed... ++ */ ++ ++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF."); ++ cupsdCloseClient(con); ++ return; ++ } ++ + if (httpGetState(con->http) == HTTP_STATE_GET_SEND || + httpGetState(con->http) == HTTP_STATE_POST_SEND || + httpGetState(con->http) == HTTP_STATE_STATUS) +@@ -577,17 +588,6 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ + * connection and we need to shut it down... + */ + +- if (!httpGetReady(con->http) && recv(httpGetFd(con->http), buf, 1, MSG_PEEK) < 1) +- { +- /* +- * Connection closed... +- */ +- +- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on EOF."); +- cupsdCloseClient(con); +- return; +- } +- + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Closing on unexpected HTTP read state %s.", httpStateString(httpGetState(con->http))); + cupsdCloseClient(con); + return; +@@ -2209,6 +2209,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */ + strlcpy(location, httpGetField(con->http, HTTP_FIELD_LOCATION), sizeof(location)); + + httpClearFields(con->http); ++ httpClearCookie(con->http); + + httpSetField(con->http, HTTP_FIELD_LOCATION, location); + diff --git a/cups-2.2.8-source.tar.gz b/cups-2.2.8-source.tar.gz new file mode 100644 index 00000000..cb0b749e Binary files /dev/null and b/cups-2.2.8-source.tar.gz differ diff --git a/cups-accesslog-null.patch b/cups-accesslog-null.patch new file mode 100644 index 00000000..fdb7d613 --- /dev/null +++ b/cups-accesslog-null.patch @@ -0,0 +1,13 @@ +diff --git a/scheduler/log.c b/scheduler/log.c +index 74790dc35..b6226201f 100644 +--- a/scheduler/log.c ++++ b/scheduler/log.c +@@ -1046,7 +1047,7 @@ cupsdLogRequest(cupsd_client_t *con, /* I - Request to log */ + * Filter requests as needed... + */ + +- if (AccessLogLevel == CUPSD_ACCESSLOG_NONE) ++ if (AccessLogLevel == CUPSD_ACCESSLOG_NONE || !AccessLog) + return (1); + else if (AccessLogLevel < CUPSD_ACCESSLOG_ALL) + { diff --git a/cups-banners.patch b/cups-banners.patch new file mode 100644 index 00000000..aa19282a --- /dev/null +++ b/cups-banners.patch @@ -0,0 +1,12 @@ +diff -up cups-1.5b1/scheduler/banners.c.banners cups-1.5b1/scheduler/banners.c +--- cups-1.5b1/scheduler/banners.c.banners 2011-05-20 05:49:49.000000000 +0200 ++++ cups-1.5b1/scheduler/banners.c 2011-05-23 17:35:30.000000000 +0200 +@@ -110,6 +110,8 @@ cupsdLoadBanners(const char *d) /* I - + if ((ext = strrchr(dent->filename, '.')) != NULL) + if (!strcmp(ext, ".bck") || + !strcmp(ext, ".bak") || ++ !strcmp(ext, ".rpmnew") || ++ !strcmp(ext, ".rpmsave") || + !strcmp(ext, ".sav")) + continue; + diff --git a/cups-direct-usb.patch b/cups-direct-usb.patch new file mode 100644 index 00000000..4e25ce7d --- /dev/null +++ b/cups-direct-usb.patch @@ -0,0 +1,27 @@ +diff -up cups-1.5b1/backend/usb-unix.c.direct-usb cups-1.5b1/backend/usb-unix.c +--- cups-1.5b1/backend/usb-unix.c.direct-usb 2011-05-20 05:49:49.000000000 +0200 ++++ cups-1.5b1/backend/usb-unix.c 2011-05-23 17:52:14.000000000 +0200 +@@ -102,6 +102,9 @@ print_device(const char *uri, /* I - De + _cups_strncasecmp(hostname, "Minolta", 7); + #endif /* __FreeBSD__ || __NetBSD__ || __OpenBSD__ || __DragonFly__ */ + ++ if (use_bc && !strncmp(uri, "usb:/dev/", 9)) ++ use_bc = 0; ++ + if ((device_fd = open_device(uri, &use_bc)) == -1) + { + if (getenv("CLASS") != NULL) +@@ -331,12 +334,7 @@ open_device(const char *uri, /* I - Dev + if (!strncmp(uri, "usb:/dev/", 9)) + #ifdef __linux + { +- /* +- * Do not allow direct devices anymore... +- */ +- +- errno = ENODEV; +- return (-1); ++ return (open(uri + 4, O_RDWR | O_EXCL)); + } + else if (!strncmp(uri, "usb://", 6)) + { diff --git a/cups-driverd-timeout.patch b/cups-driverd-timeout.patch new file mode 100644 index 00000000..b7240a34 --- /dev/null +++ b/cups-driverd-timeout.patch @@ -0,0 +1,21 @@ +diff -up cups-1.7b1/scheduler/ipp.c.driverd-timeout cups-1.7b1/scheduler/ipp.c +--- cups-1.7b1/scheduler/ipp.c.driverd-timeout 2013-04-19 12:24:43.003841810 +0200 ++++ cups-1.7b1/scheduler/ipp.c 2013-04-19 12:24:43.204839107 +0200 +@@ -4556,7 +4556,7 @@ copy_model(cupsd_client_t *con, /* I - + close(temppipe[1]); + + /* +- * Wait up to 30 seconds for the PPD file to be copied... ++ * Wait up to 70 seconds for the PPD file to be copied... + */ + + total = 0; +@@ -4576,7 +4576,7 @@ copy_model(cupsd_client_t *con, /* I - + FD_SET(temppipe[0], &input); + FD_SET(CGIPipes[0], &input); + +- timeout.tv_sec = 30; ++ timeout.tv_sec = 70; + timeout.tv_usec = 0; + + if ((i = select(maxfd, &input, NULL, NULL, &timeout)) < 0) diff --git a/cups-dymo-deviceid.patch b/cups-dymo-deviceid.patch new file mode 100644 index 00000000..cc2995d7 --- /dev/null +++ b/cups-dymo-deviceid.patch @@ -0,0 +1,11 @@ +diff -up cups-1.6.2/ppdc/sample.drv.dymo-deviceid cups-1.6.2/ppdc/sample.drv +--- cups-1.6.2/ppdc/sample.drv.dymo-deviceid 2013-06-18 16:57:02.110662953 +0100 ++++ cups-1.6.2/ppdc/sample.drv 2013-06-18 16:58:56.513989117 +0100 +@@ -125,6 +125,7 @@ Version "1.5" + { + Manufacturer "Dymo" + ModelName "Label Printer" ++ Attribute "1284DeviceID" "" "MFG:DYMO;MDL:LabelWriter 400;" + Attribute NickName "" "Dymo Label Printer" + PCFileName "dymo.ppd" + DriverType label diff --git a/cups-eggcups.patch b/cups-eggcups.patch new file mode 100644 index 00000000..b1eb2184 --- /dev/null +++ b/cups-eggcups.patch @@ -0,0 +1,130 @@ +diff -up cups-2.2.5/backend/ipp.c.eggcups cups-2.2.5/backend/ipp.c +--- cups-2.2.5/backend/ipp.c.eggcups 2017-10-13 20:22:26.000000000 +0200 ++++ cups-2.2.5/backend/ipp.c 2017-10-17 18:56:42.409024451 +0200 +@@ -149,6 +149,70 @@ static char tmpfilename[1024] = ""; + static char mandatory_attrs[1024] = ""; + /* cupsMandatory value */ + ++#if HAVE_DBUS ++#include ++ ++static DBusConnection *dbus_connection = NULL; ++ ++static int ++init_dbus (void) ++{ ++ DBusConnection *connection; ++ DBusError error; ++ ++ if (dbus_connection && ++ !dbus_connection_get_is_connected (dbus_connection)) { ++ dbus_connection_unref (dbus_connection); ++ dbus_connection = NULL; ++ } ++ ++ dbus_error_init (&error); ++ connection = dbus_bus_get (getuid () ? DBUS_BUS_SESSION : DBUS_BUS_SYSTEM, &error); ++ if (connection == NULL) { ++ dbus_error_free (&error); ++ return -1; ++ } ++ ++ dbus_connection = connection; ++ return 0; ++} ++ ++int ++dbus_broadcast_queued_remote (const char *printer_uri, ++ ipp_status_t status, ++ unsigned int local_job_id, ++ unsigned int remote_job_id, ++ const char *username, ++ const char *printer_name) ++{ ++ DBusMessage *message; ++ DBusMessageIter iter; ++ const char *errstr; ++ ++ if (!dbus_connection || !dbus_connection_get_is_connected (dbus_connection)) { ++ if (init_dbus () || !dbus_connection) ++ return -1; ++ } ++ ++ errstr = ippErrorString (status); ++ message = dbus_message_new_signal ("/com/redhat/PrinterSpooler", ++ "com.redhat.PrinterSpooler", ++ "JobQueuedRemote"); ++ dbus_message_iter_init_append (message, &iter); ++ dbus_message_iter_append_basic (&iter, DBUS_TYPE_STRING, &printer_uri); ++ dbus_message_iter_append_basic (&iter, DBUS_TYPE_STRING, &errstr); ++ dbus_message_iter_append_basic (&iter, DBUS_TYPE_UINT32, &local_job_id); ++ dbus_message_iter_append_basic (&iter, DBUS_TYPE_UINT32, &remote_job_id); ++ dbus_message_iter_append_basic (&iter, DBUS_TYPE_STRING, &username); ++ dbus_message_iter_append_basic (&iter, DBUS_TYPE_STRING, &printer_name); ++ ++ dbus_connection_send (dbus_connection, message, NULL); ++ dbus_connection_flush (dbus_connection); ++ dbus_message_unref (message); ++ ++ return 0; ++} ++#endif /* HAVE_DBUS */ + + /* + * Local functions... +@@ -1743,6 +1807,15 @@ main(int argc, /* I - Number of comm + fprintf(stderr, "DEBUG: Print job accepted - job ID %d.\n", job_id); + } + ++#if HAVE_DBUS ++ dbus_broadcast_queued_remote (argv[0], ++ ipp_status, ++ atoi (argv[1]), ++ job_id, ++ argv[2], ++ getenv ("PRINTER")); ++#endif /* HAVE_DBUS */ ++ + ippDelete(response); + + if (job_canceled) +diff -up cups-2.2.5/backend/Makefile.eggcups cups-2.2.5/backend/Makefile +--- cups-2.2.5/backend/Makefile.eggcups 2017-10-17 18:56:42.409024451 +0200 ++++ cups-2.2.5/backend/Makefile 2017-10-17 18:59:11.696781116 +0200 +@@ -262,7 +262,7 @@ dnssd: dnssd.o ../cups/$(LIBCUPS) libbac + + ipp: ipp.o ../cups/$(LIBCUPS) libbackend.a + echo Linking $@... +- $(LD_CC) $(LDFLAGS) -o ipp ipp.o libbackend.a $(LIBS) ++ $(LD_CC) $(LDFLAGS) -o ipp ipp.o libbackend.a $(LIBS) $(SERVERLIBS) + $(RM) http + $(LN) ipp http + +diff -up cups-2.2.5/scheduler/subscriptions.c.eggcups cups-2.2.5/scheduler/subscriptions.c +--- cups-2.2.5/scheduler/subscriptions.c.eggcups 2017-10-13 20:22:26.000000000 +0200 ++++ cups-2.2.5/scheduler/subscriptions.c 2017-10-17 18:56:42.409024451 +0200 +@@ -1291,13 +1291,13 @@ cupsd_send_dbus(cupsd_eventmask_t event, + what = "PrinterAdded"; + else if (event & CUPSD_EVENT_PRINTER_DELETED) + what = "PrinterRemoved"; +- else if (event & CUPSD_EVENT_PRINTER_CHANGED) +- what = "QueueChanged"; + else if (event & CUPSD_EVENT_JOB_CREATED) + what = "JobQueuedLocal"; + else if ((event & CUPSD_EVENT_JOB_STATE) && job && + job->state_value == IPP_JOB_PROCESSING) + what = "JobStartedLocal"; ++ else if (event & (CUPSD_EVENT_PRINTER_CHANGED|CUPSD_EVENT_JOB_STATE_CHANGED|CUPSD_EVENT_PRINTER_STATE_CHANGED)) ++ what = "QueueChanged"; + else + return; + +@@ -1333,7 +1333,7 @@ cupsd_send_dbus(cupsd_eventmask_t event, + dbus_message_append_iter_init(message, &iter); + if (dest) + dbus_message_iter_append_string(&iter, dest->name); +- if (job) ++ if (job && strcmp (what, "QueueChanged") != 0) + { + dbus_message_iter_append_uint32(&iter, job->id); + dbus_message_iter_append_string(&iter, job->username); diff --git a/cups-epson-A6-crash.patch b/cups-epson-A6-crash.patch new file mode 100644 index 00000000..e8813b1c --- /dev/null +++ b/cups-epson-A6-crash.patch @@ -0,0 +1,13 @@ +diff --git a/filter/rastertoepson.c b/filter/rastertoepson.c +index 73e8d0600..4522e6b48 100644 +--- a/filter/rastertoepson.c ++++ b/filter/rastertoepson.c +@@ -301,7 +302,7 @@ StartPage( + + if (DotBytes) + { +- if ((LineBuffers[0] = calloc((size_t)DotBytes, header->cupsWidth * (size_t)(Shingling + 1))) == NULL) ++ if ((LineBuffers[0] = calloc((size_t)DotBytes, (header->cupsWidth + 7) * (size_t)(Shingling + 1))) == NULL) + { + fputs("ERROR: Unable to allocate memory\n", stderr); + exit(1); diff --git a/cups-filter-debug.patch b/cups-filter-debug.patch new file mode 100644 index 00000000..96c82dab --- /dev/null +++ b/cups-filter-debug.patch @@ -0,0 +1,32 @@ +diff -up cups-1.6b1/scheduler/job.c.filter-debug cups-1.6b1/scheduler/job.c +--- cups-1.6b1/scheduler/job.c.filter-debug 2012-05-25 16:06:01.000000000 +0200 ++++ cups-1.6b1/scheduler/job.c 2012-05-25 16:07:46.309259511 +0200 +@@ -625,10 +625,28 @@ cupsdContinueJob(cupsd_job_t *job) /* I + + if (!filters) + { ++ mime_filter_t *current; ++ + cupsdLogJob(job, CUPSD_LOG_ERROR, + "Unable to convert file %d to printable format.", + job->current_file); + ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Required: %s/%s -> %s/%s", ++ job->filetypes[job->current_file]->super, ++ job->filetypes[job->current_file]->type, ++ job->printer->filetype->super, ++ job->printer->filetype->type); ++ ++ for (current = (mime_filter_t *)cupsArrayFirst(MimeDatabase->srcs); ++ current; ++ current = (mime_filter_t *)cupsArrayNext(MimeDatabase->srcs)) ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Available: %s/%s -> %s/%s (%s)", ++ current->src->super, current->src->type, ++ current->dst->super, current->dst->type, ++ current->filter); ++ + abort_message = "Aborting job because it cannot be printed."; + abort_state = IPP_JOB_ABORTED; + diff --git a/cups-freebind.patch b/cups-freebind.patch new file mode 100644 index 00000000..6d9ba430 --- /dev/null +++ b/cups-freebind.patch @@ -0,0 +1,15 @@ +diff -up cups-2.0.2/cups/http-addr.c.freebind cups-2.0.2/cups/http-addr.c +--- cups-2.0.2/cups/http-addr.c.freebind 2015-02-10 14:46:33.000000000 +0100 ++++ cups-2.0.2/cups/http-addr.c 2015-02-10 14:50:35.074759141 +0100 +@@ -186,6 +186,10 @@ httpAddrListen(http_addr_t *addr, /* I - + val = 1; + setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, CUPS_SOCAST &val, sizeof(val)); + ++#ifdef __linux ++ setsockopt(fd, IPPROTO_IP, IP_FREEBIND, CUPS_SOCAST &val, sizeof(val)); ++#endif /* __linux */ ++ + #ifdef IPV6_V6ONLY + if (addr->addr.sa_family == AF_INET6) + setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, CUPS_SOCAST &val, sizeof(val)); +diff -up cups-2.0.2/scheduler/listen.c.freebind cups-2.0.2/scheduler/listen.c diff --git a/cups-hp-deviceid-oid.patch b/cups-hp-deviceid-oid.patch new file mode 100644 index 00000000..da5136a8 --- /dev/null +++ b/cups-hp-deviceid-oid.patch @@ -0,0 +1,21 @@ +diff -up cups-1.5b1/backend/snmp.c.hp-deviceid-oid cups-1.5b1/backend/snmp.c +--- cups-1.5b1/backend/snmp.c.hp-deviceid-oid 2011-05-20 05:49:49.000000000 +0200 ++++ cups-1.5b1/backend/snmp.c 2011-05-24 17:24:48.000000000 +0200 +@@ -187,6 +187,7 @@ static const int UriOID[] = { CUPS_OID_p + static const int LexmarkProductOID[] = { 1,3,6,1,4,1,641,2,1,2,1,2,1,-1 }; + static const int LexmarkProductOID2[] = { 1,3,6,1,4,1,674,10898,100,2,1,2,1,2,1,-1 }; + static const int LexmarkDeviceIdOID[] = { 1,3,6,1,4,1,641,2,1,2,1,3,1,-1 }; ++static const int HPDeviceIdOID[] = { 1,3,6,1,4,1,11,2,3,9,1,1,7,0,-1 }; + static const int XeroxProductOID[] = { 1,3,6,1,4,1,128,2,1,3,1,2,0,-1 }; + static cups_array_t *DeviceURIs = NULL; + static int HostNameLookups = 0; +@@ -1006,6 +1007,9 @@ read_snmp_response(int fd) /* I - SNMP + _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1, + packet.community, CUPS_ASN1_GET_REQUEST, + DEVICE_PRODUCT, XeroxProductOID); ++ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1, ++ packet.community, CUPS_ASN1_GET_REQUEST, ++ DEVICE_ID, HPDeviceIdOID); + break; + + case DEVICE_DESCRIPTION : diff --git a/cups-ipp-multifile.patch b/cups-ipp-multifile.patch new file mode 100644 index 00000000..beac7fad --- /dev/null +++ b/cups-ipp-multifile.patch @@ -0,0 +1,15 @@ +diff -up cups-1.7.0/backend/ipp.c.ipp-multifile cups-1.7.0/backend/ipp.c +--- cups-1.7.0/backend/ipp.c.ipp-multifile 2013-10-24 15:52:00.745814354 +0100 ++++ cups-1.7.0/backend/ipp.c 2013-10-24 15:53:46.463266724 +0100 +@@ -1758,7 +1758,10 @@ main(int argc, /* I - Number of comm + ippAddBoolean(request, IPP_TAG_OPERATION, "last-document", + (i + 1) >= num_files); + +- if (document_format) ++ if (num_files > 1) ++ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_MIMETYPE, ++ "document-format", NULL, "application/octet-stream"); ++ else if (document_format) + ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_MIMETYPE, + "document-format", NULL, document_format); + diff --git a/cups-ippeve-webui.patch b/cups-ippeve-webui.patch new file mode 100644 index 00000000..049d6b97 --- /dev/null +++ b/cups-ippeve-webui.patch @@ -0,0 +1,124 @@ +diff --git a/backend/dnssd.c b/backend/dnssd.c +index 34781d5ce..7074f4294 100644 +--- a/backend/dnssd.c ++++ b/backend/dnssd.c +@@ -1252,6 +1252,13 @@ query_callback( + strlcat(make_and_model, " ", sizeof(make_and_model)); + strlcat(make_and_model, model, sizeof(make_and_model)); + ++ if (!_cups_strncasecmp(make_and_model, "EPSON EPSON ", 12)) ++ _cups_strcpy(make_and_model, make_and_model + 6); ++ else if (!_cups_strncasecmp(make_and_model, "HP HP ", 6)) ++ _cups_strcpy(make_and_model, make_and_model + 3); ++ else if (!_cups_strncasecmp(make_and_model, "Lexmark International Lexmark ", 30)) ++ _cups_strcpy(make_and_model, make_and_model + 22); ++ + device->make_and_model = strdup(make_and_model); + } + else +diff --git a/cgi-bin/admin.c b/cgi-bin/admin.c +index f788083fb..a3b5057b0 100644 +--- a/cgi-bin/admin.c ++++ b/cgi-bin/admin.c +@@ -928,6 +929,8 @@ do_am_printer(http_t *http, /* I - HTTP connection */ + else if (!file && + (!cgiGetVariable("PPD_NAME") || cgiGetVariable("SELECT_MAKE"))) + { ++ int ipp_everywhere = !strncmp(var, "ipp://", 6) || !strncmp(var, "ipps://", 7) || (!strncmp(var, "dnssd://", 8) && (strstr(var, "_ipp._tcp") || strstr(var, "_ipps._tcp"))); ++ + if (modify && !cgiGetVariable("SELECT_MAKE")) + { + /* +@@ -1076,6 +1079,8 @@ do_am_printer(http_t *http, /* I - HTTP connection */ + if (!modify) + cgiSetVariable("CURRENT_MAKE_AND_MODEL", + cgiGetArray("PPD_MAKE_AND_MODEL", 0)); ++ if (ipp_everywhere) ++ cgiSetVariable("SHOW_IPP_EVERYWHERE", "1"); + cgiCopyTemplateLang("choose-model.tmpl"); + cgiEndHTML(); + } +diff --git a/templates/choose-model.tmpl b/templates/choose-model.tmpl +index ee9338cc5..d72534236 100644 +--- a/templates/choose-model.tmpl ++++ b/templates/choose-model.tmpl +@@ -39,6 +39,7 @@ + + + +diff --git a/templates/de/choose-model.tmpl b/templates/de/choose-model.tmpl +index cb9b6f3bc..a08a8e3e0 100644 +--- a/templates/de/choose-model.tmpl ++++ b/templates/de/choose-model.tmpl +@@ -39,6 +39,7 @@ Drucker {?printer_is_shared=?nicht:{?printer_is_shared=0?nicht:}} im Netzwerk fr + + + +diff --git a/templates/es/choose-model.tmpl b/templates/es/choose-model.tmpl +index 8a5a4ba90..74f0a9bb9 100644 +--- a/templates/es/choose-model.tmpl ++++ b/templates/es/choose-model.tmpl +@@ -39,6 +39,7 @@ + + + +diff --git a/templates/fr/choose-model.tmpl b/templates/fr/choose-model.tmpl +index 1e154f18a..3038b3fe3 100644 +--- a/templates/fr/choose-model.tmpl ++++ b/templates/fr/choose-model.tmpl +@@ -39,6 +39,7 @@ + + + +diff --git a/templates/ja/choose-model.tmpl b/templates/ja/choose-model.tmpl +index daf1375fd..b3c286b11 100644 +--- a/templates/ja/choose-model.tmpl ++++ b/templates/ja/choose-model.tmpl +@@ -39,6 +39,7 @@ + + + +diff --git a/templates/pt_BR/choose-model.tmpl b/templates/pt_BR/choose-model.tmpl +index 55d8bd8d5..a5939ee9c 100644 +--- a/templates/pt_BR/choose-model.tmpl ++++ b/templates/pt_BR/choose-model.tmpl +@@ -39,6 +39,7 @@ + + + +diff --git a/templates/ru/choose-model.tmpl b/templates/ru/choose-model.tmpl +index 2f0d6d9ba..86507814d 100644 +--- a/templates/ru/choose-model.tmpl ++++ b/templates/ru/choose-model.tmpl +@@ -39,6 +39,7 @@ + + + diff --git a/cups-ippvalidateattr-regression.patch b/cups-ippvalidateattr-regression.patch new file mode 100644 index 00000000..8185bf88 --- /dev/null +++ b/cups-ippvalidateattr-regression.patch @@ -0,0 +1,63 @@ +diff --git a/cups/ipp.c b/cups/ipp.c +index 95d53cc44..325de02b9 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -5033,16 +5033,19 @@ ippValidateAttribute( + break; + } + +- if (*ptr < ' ' || *ptr == 0x7f) +- { +- ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad text value \"%s\" - bad control character (PWG 5100.14 section 8.3)."), attr->name, attr->values[i].string.text); +- return (0); +- } +- else if (*ptr) +- { +- ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad text value \"%s\" - bad UTF-8 sequence (RFC 8011 section 5.1.2)."), attr->name, attr->values[i].string.text); +- return (0); +- } ++ if (*ptr) ++ { ++ if (*ptr < ' ' || *ptr == 0x7f) ++ { ++ ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad text value \"%s\" - bad control character (PWG 5100.14 section 8.3)."), attr->name, attr->values[i].string.text); ++ return (0); ++ } ++ else ++ { ++ ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad text value \"%s\" - bad UTF-8 sequence (RFC 8011 section 5.1.2)."), attr->name, attr->values[i].string.text); ++ return (0); ++ } ++ } + + if ((ptr - attr->values[i].string.text) > (IPP_MAX_TEXT - 1)) + { +@@ -5091,16 +5094,19 @@ ippValidateAttribute( + break; + } + +- if (*ptr < ' ' || *ptr == 0x7f) +- { +- ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad name value \"%s\" - bad control character (PWG 5100.14 section 8.1)."), attr->name, attr->values[i].string.text); +- return (0); +- } +- else if (*ptr) ++ if (*ptr) + { +- ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad name value \"%s\" - bad UTF-8 sequence (RFC 8011 section 5.1.3)."), attr->name, attr->values[i].string.text); +- return (0); +- } ++ if (*ptr < ' ' || *ptr == 0x7f) ++ { ++ ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad name value \"%s\" - bad control character (PWG 5100.14 section 8.1)."), attr->name, attr->values[i].string.text); ++ return (0); ++ } ++ else ++ { ++ ipp_set_error(IPP_STATUS_ERROR_BAD_REQUEST, _("\"%s\": Bad name value \"%s\" - bad UTF-8 sequence (RFC 8011 section 5.1.3)."), attr->name, attr->values[i].string.text); ++ return (0); ++ } ++ } + + if ((ptr - attr->values[i].string.text) > (IPP_MAX_NAME - 1)) + { diff --git a/cups-journal-history.patch b/cups-journal-history.patch new file mode 100644 index 00000000..07717e86 --- /dev/null +++ b/cups-journal-history.patch @@ -0,0 +1,109 @@ +diff --git a/scheduler/log.c b/scheduler/log.c +index b6226201f..cdb5437dc 100644 +--- a/scheduler/log.c ++++ b/scheduler/log.c +@@ -565,56 +565,15 @@ cupsdLogJob(cupsd_job_t *job, /* I - Job */ + if (level > LogLevel && LogDebugHistory <= 0) + return (1); + +-#ifdef HAVE_SYSTEMD_SD_JOURNAL_H +- if (!strcmp(ErrorLog, "syslog")) +- { +- cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL; +- static const char * const job_states[] = +- { /* job-state strings */ +- "Pending", +- "PendingHeld", +- "Processing", +- "ProcessingStopped", +- "Canceled", +- "Aborted", +- "Completed" +- }; +- +- va_start(ap, message); +- +- do +- { +- va_copy(ap2, ap); +- status = format_log_line(message, ap2); +- va_end(ap2); +- } +- while (status == 0); +- +- va_end(ap); +- +- if (job) +- sd_journal_send("MESSAGE=%s", log_line, +- "PRIORITY=%i", log_levels[level], +- PWG_Event"=JobStateChanged", +- PWG_ServiceURI"=%s", printer ? printer->uri : "", +- PWG_JobID"=%d", job->id, +- PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING], +- PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0), +- NULL); +- else +- sd_journal_send("MESSAGE=%s", log_line, +- "PRIORITY=%i", log_levels[level], +- NULL); +- +- return (1); +- } +-#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */ +- + /* + * Format and write the log message... + */ + ++#ifdef HAVE_SYSTEMD_SD_JOURNAL_H ++ if (job && strcmp(ErrorLog, "syslog")) ++#else + if (job) ++#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */ + snprintf(jobmsg, sizeof(jobmsg), "[Job %d] %s", job->id, message); + else + strlcpy(jobmsg, message, sizeof(jobmsg)); +@@ -673,7 +632,43 @@ cupsdLogJob(cupsd_job_t *job, /* I - Job */ + return (1); + } + else if (level <= LogLevel) ++ { ++#ifdef HAVE_SYSTEMD_SD_JOURNAL_H ++ if (!strcmp(ErrorLog, "syslog")) ++ { ++ cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL; ++ static const char * const job_states[] = ++ { /* job-state strings */ ++ "Pending", ++ "PendingHeld", ++ "Processing", ++ "ProcessingStopped", ++ "Canceled", ++ "Aborted", ++ "Completed" ++ }; ++ ++ if (job) ++ sd_journal_send("MESSAGE=%s", log_line, ++ "PRIORITY=%i", log_levels[level], ++ PWG_Event"=JobStateChanged", ++ PWG_ServiceURI"=%s", printer ? printer->uri : "", ++ PWG_JobID"=%d", job->id, ++ PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING], ++ PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0), ++ NULL); ++ else ++ sd_journal_send("MESSAGE=%s", log_line, ++ "PRIORITY=%i", log_levels[level], ++ NULL); ++ ++ return (1); ++ } ++ else ++#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */ ++ + return (cupsdWriteErrorLog(level, log_line)); ++ } + else + return (1); + } diff --git a/cups-logrotate.patch b/cups-logrotate.patch new file mode 100644 index 00000000..6b8eb8ce --- /dev/null +++ b/cups-logrotate.patch @@ -0,0 +1,63 @@ +diff -up cups-2.1b1/scheduler/log.c.logrotate cups-2.1b1/scheduler/log.c +--- cups-2.1b1/scheduler/log.c.logrotate 2015-06-04 20:00:31.000000000 +0200 ++++ cups-2.1b1/scheduler/log.c 2015-06-29 13:25:09.623350218 +0200 +@@ -26,6 +26,9 @@ + # include + #endif /* HAVE_ASL_H */ + #include ++#include ++#include ++#include + + + /* +@@ -135,12 +138,10 @@ cupsdCheckLogFile(cups_file_t **lf, /* I + } + + /* +- * Format the filename as needed... ++ * Format the filename... + */ + +- if (!*lf || +- (strncmp(logname, "/dev/", 5) && cupsFileTell(*lf) > MaxLogSize && +- MaxLogSize > 0)) ++ if (strncmp(logname, "/dev/", 5)) + { + /* + * Handle format strings... +@@ -254,6 +255,34 @@ cupsdCheckLogFile(cups_file_t **lf, /* I + /* + * Change ownership and permissions of non-device logs... + */ ++ ++ fchown(cupsFileNumber(*lf), RunUser, Group); ++ fchmod(cupsFileNumber(*lf), LogFilePerm); ++ } ++ } ++ ++ /* ++ * Has someone else (i.e. logrotate) already rotated the log for us? ++ */ ++ else if (strncmp(filename, "/dev/", 5)) ++ { ++ struct stat st; ++ if (stat(filename, &st) || st.st_size == 0) ++ { ++ /* File is either missing or has zero size. */ ++ ++ cupsFileClose(*lf); ++ if ((*lf = cupsFileOpen(filename, "a")) == NULL) ++ { ++ syslog(LOG_ERR, "Unable to open log file \"%s\" - %s", filename, ++ strerror(errno)); ++ ++ return (0); ++ } ++ ++ /* ++ * Change ownership and permissions of non-device logs... ++ */ + + fchown(cupsFileNumber(*lf), RunUser, Group); + fchmod(cupsFileNumber(*lf), LogFilePerm); diff --git a/cups-lpr-help.patch b/cups-lpr-help.patch new file mode 100644 index 00000000..f025698f --- /dev/null +++ b/cups-lpr-help.patch @@ -0,0 +1,48 @@ +diff -up cups-2.2b2/berkeley/lpr.c.lpr-help cups-2.2b2/berkeley/lpr.c +--- cups-2.2b2/berkeley/lpr.c.lpr-help 2016-06-24 17:43:35.000000000 +0200 ++++ cups-2.2b2/berkeley/lpr.c 2016-06-27 15:11:30.646348752 +0200 +@@ -18,6 +18,31 @@ + #include + + ++static void ++usage (const char *name) ++{ ++ _cupsLangPrintf(stdout, ++"Usage: %s [OPTION] [ file(s) ]\n" ++"Print files.\n\n" ++" -E force encryption\n" ++" -H server[:port] specify alternate server\n" ++" -C title, -J title, -T title\n" ++" set the job name\n\n" ++" -P destination/instance print to named printer\n" ++" -U username specify alternate username\n" ++" -# num-copies set number of copies\n" ++" -h disable banner printing\n" ++" -l print without filtering\n" ++" -m send email on completion\n" ++" -o option[=value] set a job option\n" ++" -p format text file with header\n" ++" -q hold job for printing\n" ++" -r delete files after printing\n" ++"\nWith no file given, read standard input.\n" ++, name); ++} ++ ++ + /* + * 'main()' - Parse options and send files for printing. + */ +@@ -281,6 +306,12 @@ main(int argc, /* I - Number of comm + break; + + default : ++ if (!strcmp (argv[i], "--help")) ++ { ++ usage (argv[0]); ++ return (0); ++ } ++ + _cupsLangPrintf(stderr, _("%s: Error - unknown option \"%c\"."), argv[0], *opt); + return (1); + } diff --git a/cups-lspp.patch b/cups-lspp.patch new file mode 100644 index 00000000..667cda19 --- /dev/null +++ b/cups-lspp.patch @@ -0,0 +1,1997 @@ +diff -up cups-2.2.8/config.h.in.lspp cups-2.2.8/config.h.in +--- cups-2.2.8/config.h.in.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/config.h.in 2018-06-08 17:34:38.682653959 +0200 +@@ -730,4 +730,11 @@ static __inline int _cups_abs(int i) { r + # endif /* __GNUC__ || __STDC_VERSION__ */ + #endif /* !HAVE_ABS && !abs */ + ++/* ++ * Are we trying to meet LSPP requirements? ++ */ ++ ++#undef WITH_LSPP ++ ++ + #endif /* !_CUPS_CONFIG_H_ */ +diff -up cups-2.2.8/config-scripts/cups-lspp.m4.lspp cups-2.2.8/config-scripts/cups-lspp.m4 +--- cups-2.2.8/config-scripts/cups-lspp.m4.lspp 2018-06-08 17:34:38.682653959 +0200 ++++ cups-2.2.8/config-scripts/cups-lspp.m4 2018-06-08 17:34:38.682653959 +0200 +@@ -0,0 +1,36 @@ ++dnl ++dnl LSPP code for the Common UNIX Printing System (CUPS). ++dnl ++dnl Copyright 2005-2006 by Hewlett-Packard Development Company, L.P. ++dnl ++dnl This program is free software; you can redistribute it and/or modify ++dnl it under the terms of the GNU General Public License as published by ++dnl the Free Software Foundation; version 2. ++dnl ++dnl This program is distributed in the hope that it will be useful, but ++dnl WITHOUT ANY WARRANTY; without even the implied warranty of ++dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++dnl General Public License for more details. ++dnl ++dnl You should have received a copy of the GNU General Public License ++dnl along with this program; if not, write to the Free Software Foundation, ++dnl Inc., 51 Franklin Street, Fifth Floor Boston, MA 02110-1301 USA ++dnl ++ ++dnl Are we trying to meet LSPP requirements ++AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no]) ++ ++if test x"$enable_lspp" != xno; then ++ case "$uname" in ++ Linux) ++ AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)]) ++ AC_CHECK_HEADER(libaudit.h) ++ AC_CHECK_LIB(selinux,getpeercon, [LIBSELINUX="-lselinux" AC_SUBST(LIBSELINUX)]) ++ AC_CHECK_HEADER(selinux/selinux.h) ++ AC_DEFINE(WITH_LSPP) ++ ;; ++ *) ++ # All others ++ ;; ++ esac ++fi +diff -up cups-2.2.8/configure.ac.lspp cups-2.2.8/configure.ac +--- cups-2.2.8/configure.ac.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/configure.ac 2018-06-08 17:34:38.682653959 +0200 +@@ -38,6 +38,8 @@ sinclude(config-scripts/cups-startup.m4) + sinclude(config-scripts/cups-defaults.m4) + sinclude(config-scripts/cups-scripting.m4) + ++sinclude(config-scripts/cups-lspp.m4) ++ + INSTALL_LANGUAGES="" + UNINSTALL_LANGUAGES="" + LANGFILES="" +diff -up cups-2.2.8/filter/common.c.lspp cups-2.2.8/filter/common.c +--- cups-2.2.8/filter/common.c.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/filter/common.c 2018-06-08 17:34:38.682653959 +0200 +@@ -17,6 +17,12 @@ + * Include necessary headers... + */ + ++#include "config.h" ++#ifdef WITH_LSPP ++#define _GNU_SOURCE ++#include ++#endif /* WITH_LSPP */ ++ + #include "common.h" + #include + +@@ -299,6 +305,18 @@ WriteLabelProlog(const char *label, /* I + { + const char *classification; /* CLASSIFICATION environment variable */ + const char *ptr; /* Temporary string pointer */ ++#ifdef WITH_LSPP ++ int i, /* counter */ ++ n, /* counter */ ++ lines, /* number of lines needed */ ++ line_len, /* index into tmp_label */ ++ label_len, /* length of the label in characters */ ++ label_index, /* index into the label */ ++ longest, /* length of the longest line */ ++ longest_line, /* index to the longest line */ ++ max_width; /* maximum width in characters */ ++ char **wrapped_label; /* label with line breaks */ ++#endif /* WITH_LSPP */ + + + /* +@@ -321,6 +339,124 @@ WriteLabelProlog(const char *label, /* I + return; + } + ++#ifdef WITH_LSPP ++ if (strncmp(classification, "LSPP:", 5) == 0 && label == NULL) ++ { ++ /* ++ * Based on the 12pt fixed width font below determine the max_width ++ */ ++ max_width = width / 8; ++ longest_line = 0; ++ longest = 0; ++ classification += 5; // Skip the "LSPP:" ++ label_len = strlen(classification); ++ ++ if (label_len > max_width) ++ { ++ lines = 1 + (int)(label_len / max_width); ++ line_len = (int)(label_len / lines); ++ wrapped_label = malloc(sizeof(*wrapped_label) * lines); ++ label_index = i = n = 0; ++ while (classification[label_index]) ++ { ++ if ((label_index + line_len) > label_len) ++ break; ++ switch (classification[label_index + line_len + i]) ++ { ++ case ':': ++ case ',': ++ case '-': ++ i++; ++ wrapped_label[n++] = strndup(&classification[label_index], (line_len + i)); ++ label_index += line_len + i; ++ i = 0; ++ break; ++ default: ++ i++; ++ break; ++ } ++ if ((i + line_len) == max_width) ++ { ++ wrapped_label[n++] = strndup(&(classification[label_index]), (line_len + i)); ++ label_index = label_index + line_len + i; ++ i = 0; ++ } ++ } ++ wrapped_label[n] = strndup(&classification[label_index], label_len - label_index); ++ } ++ else ++ { ++ lines = 1; ++ wrapped_label = malloc(sizeof(*wrapped_label)); ++ wrapped_label[0] = (char*)classification; ++ } ++ ++ for (n = 0; n < lines; n++ ) ++ { ++ printf("userdict/ESPp%c(", ('a' + n)); ++ for (ptr = wrapped_label[n], i = 0; *ptr; ptr ++, i++) ++ if (*ptr < 32 || *ptr > 126) ++ printf("\\%03o", *ptr); ++ else ++ { ++ if (*ptr == '(' || *ptr == ')' || *ptr == '\\') ++ putchar('\\'); ++ ++ printf("%c", *ptr); ++ } ++ if (i > longest) ++ { ++ longest = i; ++ longest_line = n; ++ } ++ printf(")put\n"); ++ } ++ ++ /* ++ * For LSPP use a fixed width font so that line wrapping can be calculated ++ */ ++ ++ puts("userdict/ESPlf /Nimbus-Mono findfont 12 scalefont put"); ++ ++ /* ++ * Finally, the procedure to write the labels on the page... ++ */ ++ ++ printf("userdict/ESPwl{\n" ++ " ESPlf setfont\n"); ++ printf(" ESPp%c stringwidth pop dup 12 add exch -0.5 mul %.0f add\n ", ++ 'a' + longest_line, width * 0.5f); ++ for (n = 1; n < lines; n++) ++ printf(" dup"); ++ printf("\n 1 setgray\n"); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", ++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", ++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); ++ printf(" 0 setgray\n"); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", ++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", ++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); ++ for (n = 0; n < lines; n ++) ++ { ++ printf(" dup %.0f moveto ESPp%c show\n", ++ bottom + 6.0 + ((lines - (n+1)) * 16.0), 'a' + n); ++ printf(" %.0f moveto ESPp%c show\n", top + 2.0 - ((n + 1) * 16.0), 'a' + n); ++ } ++ printf(" pop\n" ++ "}bind put\n"); ++ ++ /* ++ * Do some clean up at the end of the LSPP special case ++ */ ++ free(wrapped_label); ++ ++ } ++ else ++ { ++#endif /* !WITH_LSPP */ ++ + /* + * Set the classification + page label string... + */ +@@ -401,7 +537,10 @@ WriteLabelProlog(const char *label, /* I + printf(" %.0f moveto ESPpl show\n", top - 14.0); + puts("pop"); + puts("}bind put"); ++ } ++#ifdef WITH_LSPP + } ++#endif /* WITH_LSPP */ + + + /* +diff -up cups-2.2.8/filter/pstops.c.lspp cups-2.2.8/filter/pstops.c +--- cups-2.2.8/filter/pstops.c.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/filter/pstops.c 2018-06-08 17:34:38.683653951 +0200 +@@ -3176,6 +3176,18 @@ write_label_prolog(pstops_doc_t *doc, /* + { + const char *classification; /* CLASSIFICATION environment variable */ + const char *ptr; /* Temporary string pointer */ ++#ifdef WITH_LSPP ++ int i, /* counter */ ++ n, /* counter */ ++ lines, /* number of lines needed */ ++ line_len, /* index into tmp_label */ ++ label_len, /* length of the label in characters */ ++ label_index, /* index into the label */ ++ longest, /* length of the longest line */ ++ longest_line, /* index to the longest line */ ++ max_width; /* maximum width in characters */ ++ char **wrapped_label; /* label with line breaks */ ++#endif /* WITH_LSPP */ + + + /* +@@ -3198,6 +3210,124 @@ write_label_prolog(pstops_doc_t *doc, /* + return; + } + ++#ifdef WITH_LSPP ++ if (strncmp(classification, "LSPP:", 5) == 0 && label == NULL) ++ { ++ /* ++ * Based on the 12pt fixed width font below determine the max_width ++ */ ++ max_width = width / 8; ++ longest_line = 0; ++ longest = 0; ++ classification += 5; // Skip the "LSPP:" ++ label_len = strlen(classification); ++ ++ if (label_len > max_width) ++ { ++ lines = 1 + (int)(label_len / max_width); ++ line_len = (int)(label_len / lines); ++ wrapped_label = malloc(sizeof(*wrapped_label) * lines); ++ label_index = i = n = 0; ++ while (classification[label_index]) ++ { ++ if ((label_index + line_len) > label_len) ++ break; ++ switch (classification[label_index + line_len + i]) ++ { ++ case ':': ++ case ',': ++ case '-': ++ i++; ++ wrapped_label[n++] = strndup(&classification[label_index], (line_len + i)); ++ label_index += line_len + i; ++ i = 0; ++ break; ++ default: ++ i++; ++ break; ++ } ++ if ((i + line_len) == max_width) ++ { ++ wrapped_label[n++] = strndup(&(classification[label_index]), (line_len + i)); ++ label_index = label_index + line_len + i; ++ i = 0; ++ } ++ } ++ wrapped_label[n] = strndup(&classification[label_index], label_len - label_index); ++ } ++ else ++ { ++ lines = 1; ++ wrapped_label = malloc(sizeof(*wrapped_label)); ++ wrapped_label[0] = (char*)classification; ++ } ++ ++ for (n = 0; n < lines; n++ ) ++ { ++ printf("userdict/ESPp%c(", ('a' + n)); ++ for (ptr = wrapped_label[n], i = 0; *ptr; ptr ++, i++) ++ if (*ptr < 32 || *ptr > 126) ++ printf("\\%03o", *ptr); ++ else ++ { ++ if (*ptr == '(' || *ptr == ')' || *ptr == '\\') ++ putchar('\\'); ++ ++ printf("%c", *ptr); ++ } ++ if (i > longest) ++ { ++ longest = i; ++ longest_line = n; ++ } ++ printf(")put\n"); ++ } ++ ++ /* ++ * For LSPP use a fixed width font so that line wrapping can be calculated ++ */ ++ ++ puts("userdict/ESPlf /Nimbus-Mono findfont 12 scalefont put"); ++ ++ /* ++ * Finally, the procedure to write the labels on the page... ++ */ ++ ++ printf("userdict/ESPwl{\n" ++ " ESPlf setfont\n"); ++ printf(" ESPp%c stringwidth pop dup 12 add exch -0.5 mul %.0f add\n ", ++ 'a' + longest_line, width * 0.5f); ++ for (n = 1; n < lines; n++) ++ printf(" dup"); ++ printf("\n 1 setgray\n"); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", ++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", ++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); ++ printf(" 0 setgray\n"); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", ++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); ++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", ++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); ++ for (n = 0; n < lines; n ++) ++ { ++ printf(" dup %.0f moveto ESPp%c show\n", ++ bottom + 6.0 + ((lines - (n+1)) * 16.0), 'a' + n); ++ printf(" %.0f moveto ESPp%c show\n", top + 2.0 - ((n + 1) * 16.0), 'a' + n); ++ } ++ printf(" pop\n" ++ "}bind put\n"); ++ ++ /* ++ * Do some clean up at the end of the LSPP special case ++ */ ++ free(wrapped_label); ++ ++ } ++ else ++ { ++#endif /* !WITH_LSPP */ ++ + /* + * Set the classification + page label string... + */ +@@ -3276,7 +3406,10 @@ write_label_prolog(pstops_doc_t *doc, /* + doc_printf(doc, " %.0f moveto ESPpl show\n", top - 14.0); + doc_puts(doc, "pop\n"); + doc_puts(doc, "}bind put\n"); ++ } ++#ifdef WITH_LSPP + } ++#endif /* WITH_LSPP */ + + + /* +diff -up cups-2.2.8/Makedefs.in.lspp cups-2.2.8/Makedefs.in +--- cups-2.2.8/Makedefs.in.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/Makedefs.in 2018-06-08 17:34:38.683653951 +0200 +@@ -161,7 +161,7 @@ LDFLAGS = -L../cgi-bin -L../cups -L../f + @LDFLAGS@ @RELROFLAGS@ @PIEFLAGS@ $(OPTIM) + LINKCUPS = @LINKCUPS@ $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ) + LINKCUPSIMAGE = @LINKCUPSIMAGE@ +-LIBS = $(LINKCUPS) $(COMMONLIBS) ++LIBS = $(LINKCUPS) $(COMMONLIBS) @LIBAUDIT@ @LIBSELINUX@ + ONDEMANDFLAGS = @ONDEMANDFLAGS@ + ONDEMANDLIBS = @ONDEMANDLIBS@ + OPTIM = @OPTIM@ +diff -up cups-2.2.8/scheduler/client.c.lspp cups-2.2.8/scheduler/client.c +--- cups-2.2.8/scheduler/client.c.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/client.c 2018-06-08 17:34:38.729653586 +0200 +@@ -22,12 +22,20 @@ + #define _HTTP_NO_PRIVATE + #include "cupsd.h" + ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif /* !defined(_GNU_SOURCE) */ + #ifdef __APPLE__ + # include + #endif /* __APPLE__ */ + #ifdef HAVE_TCPD_H + # include + #endif /* HAVE_TCPD_H */ ++#ifdef WITH_LSPP ++# include ++# include ++# include ++#endif /* WITH_LSPP */ + + + /* +@@ -268,6 +276,59 @@ cupsdAcceptClient(cupsd_listener_t *lis) + } + #endif /* HAVE_TCPD_H */ + ++#ifdef WITH_LSPP ++ if (is_lspp_config()) ++ { ++ struct ucred cr; ++ unsigned int cl=sizeof(cr); ++ ++ if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0) ++ { ++ /* ++ * client_pid_to_auid() can be racey ++ * In this case the pid is based on a socket connected to the client ++ */ ++ if ((con->auid = client_pid_to_auid(cr.pid)) == -1) ++ { ++ httpClose(con->http); ++ cupsdLogClient(con, CUPSD_LOG_ERROR, ++ "Unable to determine client auid for client pid=%d", ++ cr.pid); ++ free(con); ++ return; ++ } ++ cupsdLogClient(con, CUPSD_LOG_INFO, ++ "peer's pid=%d, uid=%d, gid=%d, auid=%d", ++ cr.pid, cr.uid, cr.gid, con->auid); ++ } ++ else ++ { ++ httpClose(con->http); ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "getsockopt() failed"); ++ free(con); ++ return; ++ } ++ ++ /* ++ * get the context of the peer connection ++ */ ++ if (getpeercon(httpGetFd(con->http), &con->scon)) ++ { ++ httpClose(con->http); ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "getpeercon() failed"); ++ free(con); ++ return; ++ } ++ ++ cupsdLogClient(con, CUPSD_LOG_INFO, "client context=%s", con->scon); ++ } ++ else ++ { ++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "skipping getpeercon()"); ++ cupsdSetString(&con->scon, UNKNOWN_SL); ++ } ++#endif /* WITH_LSPP */ ++ + #ifdef AF_LOCAL + if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { +@@ -562,6 +623,13 @@ cupsdReadClient(cupsd_client_t *con) /* + mime_type_t *type; /* MIME type of file */ + cupsd_printer_t *p; /* Printer */ + static unsigned request_id = 0; /* Request ID for temp files */ ++#ifdef WITH_LSPP ++ security_context_t spoolcon; /* context of the job file */ ++ context_t clicon; /* contex_t container for con->scon */ ++ context_t tmpcon; /* temp context to swap the level */ ++ char *clirange; /* SELinux sensitivity range */ ++ char *cliclearance; /* SELinux low end clearance */ ++#endif /* WITH_LSPP */ + + + status = HTTP_STATUS_CONTINUE; +@@ -1938,6 +2006,73 @@ cupsdReadClient(cupsd_client_t *con) /* + fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC); + } + ++#ifdef WITH_LSPP ++ if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) ++ { ++ if (getfilecon(con->filename, &spoolcon) == -1) ++ { ++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE); ++ cupsdCloseClient(con); ++ return; ++ } ++ clicon = context_new(con->scon); ++ tmpcon = context_new(spoolcon); ++ freecon(spoolcon); ++ if (!clicon || !tmpcon) ++ { ++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE); ++ if (clicon) ++ context_free(clicon); ++ if (tmpcon) ++ context_free(tmpcon); ++ cupsdCloseClient(con); ++ return; ++ } ++ clirange = (char *) context_range_get(clicon); ++ if (clirange) ++ { ++ clirange = strdup(clirange); ++ if ((cliclearance = strtok(clirange, "-")) != NULL) ++ { ++ if (context_range_set(tmpcon, cliclearance) == -1) ++ { ++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE); ++ free(clirange); ++ context_free(tmpcon); ++ context_free(clicon); ++ cupsdCloseClient(con); ++ return; ++ } ++ } ++ else ++ { ++ if (context_range_set(tmpcon, (context_range_get(clicon))) == -1) ++ { ++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE); ++ free(clirange); ++ context_free(tmpcon); ++ context_free(clicon); ++ cupsdCloseClient(con); ++ return; ++ } ++ } ++ free(clirange); ++ } ++ if (setfilecon(con->filename, context_str(tmpcon)) == -1) ++ { ++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE); ++ context_free(tmpcon); ++ context_free(clicon); ++ cupsdCloseClient(con); ++ return; ++ } ++ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "%s set to %s", ++ con->filename, context_str(tmpcon)); ++ context_free(tmpcon); ++ context_free(clicon); ++ } ++#endif /* WITH_LSPP */ ++ + if (httpGetState(con->http) != HTTP_STATE_POST_SEND) + { + if (!httpWait(con->http, 0)) +@@ -3485,6 +3620,49 @@ is_path_absolute(const char *path) /* I + return (1); + } + ++#ifdef WITH_LSPP ++/* ++ * 'client_pid_to_auid()' - Using the client's pid, read /proc and determine the loginuid. ++ */ ++ ++uid_t client_pid_to_auid(pid_t clipid) ++{ ++ uid_t uid; ++ int len, in; ++ char buf[16] = {0}; ++ char fname[32] = {0}; ++ ++ ++ /* ++ * Hopefully this pid is still the one we are interested in. ++ */ ++ snprintf(fname, 32, "/proc/%d/loginuid", clipid); ++ in = open(fname, O_NOFOLLOW|O_RDONLY); ++ ++ if (in < 0) ++ return (uid_t) -1; ++ ++ errno = 0; ++ ++ do { ++ len = read(in, buf, sizeof(buf)); ++ } while (len < 0 && errno == EINTR); ++ ++ close(in); ++ ++ if (len < 0 || len >= sizeof(buf)) ++ return (uid_t) -1; ++ ++ errno = 0; ++ buf[len] = 0; ++ uid = strtol(buf, 0, 10); ++ ++ if (errno != 0) ++ return (uid_t) -1; ++ else ++ return uid; ++} ++#endif /* WITH_LSPP */ + + /* + * 'pipe_command()' - Pipe the output of a command to the remote client. +diff -up cups-2.2.8/scheduler/client.h.lspp cups-2.2.8/scheduler/client.h +--- cups-2.2.8/scheduler/client.h.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/client.h 2018-06-08 17:34:38.729653586 +0200 +@@ -16,6 +16,13 @@ + #endif /* HAVE_AUTHORIZATION_H */ + + ++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ ++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ ++ ++#ifdef WITH_LSPP ++#include ++#endif /* WITH_LSPP */ ++ + /* + * HTTP client structure... + */ +@@ -66,6 +73,10 @@ struct cupsd_client_s + #ifdef HAVE_AUTHORIZATION_H + AuthorizationRef authref; /* Authorization ref */ + #endif /* HAVE_AUTHORIZATION_H */ ++#ifdef WITH_LSPP ++ security_context_t scon; /* Security context of connection */ ++ uid_t auid; /* Audit loginuid of the client */ ++#endif /* WITH_LSPP */ + }; + + #define HTTP(con) ((con)->http) +@@ -139,6 +150,9 @@ extern void cupsdStartListening(void); + extern void cupsdStopListening(void); + extern void cupsdUpdateCGI(void); + extern void cupsdWriteClient(cupsd_client_t *con); ++#ifdef WITH_LSPP ++extern uid_t client_pid_to_auid(pid_t clipid); ++#endif /* WITH_LSPP */ + + #ifdef HAVE_SSL + extern int cupsdEndTLS(cupsd_client_t *con); +diff -up cups-2.2.8/scheduler/conf.c.lspp cups-2.2.8/scheduler/conf.c +--- cups-2.2.8/scheduler/conf.c.lspp 2018-06-08 17:34:38.676654007 +0200 ++++ cups-2.2.8/scheduler/conf.c 2018-06-08 17:34:38.730653578 +0200 +@@ -40,6 +40,9 @@ + # define INADDR_NONE 0xffffffff + #endif /* !INADDR_NONE */ + ++#ifdef WITH_LSPP ++# include ++#endif /* WITH_LSPP */ + + /* + * Configuration variable structure... +@@ -131,6 +134,10 @@ static const cupsd_var_t cupsd_vars[] = + { "ServerName", &ServerName, CUPSD_VARTYPE_STRING }, + { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN }, + { "Timeout", &Timeout, CUPSD_VARTYPE_TIME }, ++#ifdef WITH_LSPP ++ { "AuditLog", &AuditLog, CUPSD_VARTYPE_INTEGER }, ++ { "PerPageLabels", &PerPageLabels, CUPSD_VARTYPE_BOOLEAN }, ++#endif /* WITH_LSPP */ + { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN } + }; + static const cupsd_var_t cupsfiles_vars[] = +@@ -544,6 +551,9 @@ cupsdReadConfiguration(void) + const char *tmpdir; /* TMPDIR environment variable */ + struct stat tmpinfo; /* Temporary directory info */ + cupsd_policy_t *p; /* Policy */ ++#ifdef WITH_LSPP ++ char *audit_message; /* Audit message string */ ++#endif /* WITH_LSPP */ + + + /* +@@ -863,6 +873,25 @@ cupsdReadConfiguration(void) + + RunUser = getuid(); + ++#ifdef WITH_LSPP ++ if (AuditLog != -1) ++ { ++ /* ++ * ClassifyOverride is set during read_configuration, if its ON, report it now ++ */ ++ if (ClassifyOverride) ++ audit_log_user_message(AuditLog, AUDIT_USYS_CONFIG, ++ "[Config] ClassifyOverride=enabled Users can override print banners", ++ ServerName, NULL, NULL, 1); ++ /* ++ * PerPageLabel is set during read_configuration, if its OFF, report it now ++ */ ++ if (!PerPageLabels) ++ audit_log_user_message(AuditLog, AUDIT_USYS_CONFIG, ++ "[Config] PerPageLabels=disabled", ServerName, NULL, NULL, 1); ++ } ++#endif /* WITH_LSPP */ ++ + cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.", + RemotePort ? "enabled" : "disabled"); + +@@ -1274,7 +1303,19 @@ cupsdReadConfiguration(void) + cupsdClearString(&Classification); + + if (Classification) ++ { + cupsdLogMessage(CUPSD_LOG_INFO, "Security set to \"%s\"", Classification); ++#ifdef WITH_LSPP ++ if (AuditLog != -1) ++ { ++ audit_message = NULL; ++ cupsdSetStringf(&audit_message, "[Config] Classification=%s", Classification); ++ audit_log_user_message(AuditLog, AUDIT_LABEL_LEVEL_CHANGE, audit_message, ++ ServerName, NULL, NULL, 1); ++ cupsdClearString(&audit_message); ++ } ++#endif /* WITH_LSPP */ ++ } + + /* + * Check the MaxClients setting, and then allocate memory for it... +@@ -3832,6 +3873,18 @@ read_location(cups_file_t *fp, /* I - C + return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum); + } + ++#ifdef WITH_LSPP ++int is_lspp_config() ++{ ++ if (Classification != NULL) ++ return ((_cups_strcasecmp(Classification, MLS_CONFIG) == 0) ++ || (_cups_strcasecmp(Classification, TE_CONFIG) == 0) ++ || (_cups_strcasecmp(Classification, SELINUX_CONFIG) == 0)); ++ else ++ return 0; ++} ++#endif /* WITH_LSPP */ ++ + + /* + * 'read_policy()' - Read a definition. +diff -up cups-2.2.8/scheduler/conf.h.lspp cups-2.2.8/scheduler/conf.h +--- cups-2.2.8/scheduler/conf.h.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/conf.h 2018-06-08 17:34:38.730653578 +0200 +@@ -246,6 +246,13 @@ VAR char *ServerKeychain VALUE(NULL); + /* Keychain holding cert + key */ + #endif /* HAVE_SSL */ + ++#ifdef WITH_LSPP ++VAR int AuditLog VALUE(-1), ++ /* File descriptor for audit */ ++ PerPageLabels VALUE(TRUE); ++ /* Put the label on each page */ ++#endif /* WITH_LSPP */ ++ + #ifdef HAVE_ONDEMAND + VAR int IdleExitTimeout VALUE(60); + /* Time after which an idle cupsd will exit */ +@@ -264,6 +271,9 @@ VAR int HaveServerCreds VALUE(0); + VAR gss_cred_id_t ServerCreds; /* Server's GSS credentials */ + #endif /* HAVE_GSSAPI */ + ++#ifdef WITH_LSPP ++extern int is_lspp_config(void); ++#endif /* WITH_LSPP */ + + /* + * Prototypes... +diff -up cups-2.2.8/scheduler/cupsd.h.lspp cups-2.2.8/scheduler/cupsd.h +--- cups-2.2.8/scheduler/cupsd.h.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/cupsd.h 2018-06-08 17:34:38.730653578 +0200 +@@ -11,6 +11,8 @@ + * file is missing or damaged, see the license at "http://www.cups.org/". + */ + ++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ ++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ + + /* + * Include necessary headers. +@@ -36,13 +38,20 @@ + # include + #endif /* WIN32 */ + ++#include "config.h" ++#ifdef WITH_LSPP ++# define MLS_CONFIG "mls" ++# define TE_CONFIG "te" ++# define SELINUX_CONFIG "SELinux" ++# define UNKNOWN_SL "UNKNOWN SL" ++#endif /* WITH_LSPP */ ++ + #include "mime.h" + + #if defined(HAVE_CDSASSL) + # include + #endif /* HAVE_CDSASSL */ + +- + /* + * Some OS's don't have hstrerror(), most notably Solaris... + */ +diff -up cups-2.2.8/scheduler/ipp.c.lspp cups-2.2.8/scheduler/ipp.c +--- cups-2.2.8/scheduler/ipp.c.lspp 2018-06-08 17:34:38.652654197 +0200 ++++ cups-2.2.8/scheduler/ipp.c 2018-06-08 17:37:19.166378937 +0200 +@@ -14,6 +14,9 @@ + * missing or damaged, see the license at "http://www.cups.org/". + */ + ++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ ++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ ++ + /* + * Include necessary headers... + */ +@@ -37,6 +40,14 @@ extern int mbr_check_membership_by_id(uu + # endif /* HAVE_MEMBERSHIPPRIV_H */ + #endif /* __APPLE__ */ + ++#ifdef WITH_LSPP ++#include ++#include ++#include ++#include ++#include ++#include ++#endif /* WITH_LSPP */ + + /* + * Local functions... +@@ -61,6 +72,9 @@ static void cancel_all_jobs(cupsd_client + static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri); + static void cancel_subscription(cupsd_client_t *con, int id); + static int check_rss_recipient(const char *recipient); ++#ifdef WITH_LSPP ++static int check_context(cupsd_client_t *con, cupsd_job_t *job); ++#endif /* WITH_LSPP */ + static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p); + static void close_job(cupsd_client_t *con, ipp_attribute_t *uri); + static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra, +@@ -1250,6 +1264,21 @@ add_job(cupsd_client_t *con, /* I - Cl + "time-at-creation", + "time-at-processing" + }; ++#ifdef WITH_LSPP ++ char *audit_message; /* Audit message string */ ++ char *printerfile; /* device file pointed to by the printer */ ++ char *userheader = NULL; /* User supplied job-sheets[0] */ ++ char *userfooter = NULL; /* User supplied job-sheets[1] */ ++ int override = 0; /* Was a banner overrode on a job */ ++ security_id_t clisid; /* SELinux SID for the client */ ++ security_id_t psid; /* SELinux SID for the printer */ ++ context_t printercon; /* Printer's context string */ ++ struct stat printerstat; /* Printer's stat buffer */ ++ security_context_t devcon; /* Printer's SELinux context */ ++ struct avc_entry_ref avcref; /* Pointer to the access vector cache */ ++ security_class_t tclass; /* Object class for the SELinux check */ ++ access_vector_t avr; /* Access method being requested */ ++#endif /* WITH_LSPP */ + + + cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))", +@@ -1578,6 +1607,106 @@ add_job(cupsd_client_t *con, /* I - Cl + + attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); + ++#ifdef WITH_LSPP ++ if (is_lspp_config()) ++ { ++ if (!con->scon || strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "add_job: missing classification for connection \'%s\'!", printer->name); ++ send_ipp_status(con, IPP_INTERNAL_ERROR, _("Missing required security attributes.")); ++ return (NULL); ++ } ++ ++ /* ++ * Perform an access check so that if the user gets feedback at enqueue time ++ */ ++ ++ printerfile = strstr(printer->device_uri, "/dev/"); ++ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0)) ++ printerfile = printer->device_uri + strlen("file:"); ++ ++ if (printerfile != NULL) ++ { ++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: Attempting an access check on printer device %s", ++ printerfile); ++ ++ if (lstat(printerfile, &printerstat) < 0) ++ { ++ if (errno != ENOENT) ++ { ++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to stat the printer")); ++ return (NULL); ++ } ++ /* ++ * The printer does not exist, so for now assume it's a FileDevice ++ */ ++ tclass = SECCLASS_FILE; ++ avr = FILE__WRITE; ++ } ++ else if (S_ISCHR(printerstat.st_mode)) ++ { ++ tclass = SECCLASS_CHR_FILE; ++ avr = CHR_FILE__WRITE; ++ } ++ else if (S_ISREG(printerstat.st_mode)) ++ { ++ tclass = SECCLASS_FILE; ++ avr = FILE__WRITE; ++ } ++ else ++ { ++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Printer is not a character device or regular file")); ++ return (NULL); ++ } ++ static int avc_initialized = 0; ++ if (!avc_initialized++) ++ avc_init("cupsd_enqueue_", NULL, NULL, NULL, NULL); ++ avc_entry_ref_init(&avcref); ++ if (avc_context_to_sid(con->scon, &clisid) != 0) ++ { ++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux sid of the client")); ++ return (NULL); ++ } ++ if (getfilecon(printerfile, &devcon) == -1) ++ { ++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux context of the printer")); ++ return (NULL); ++ } ++ printercon = context_new(devcon); ++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: printer context %s client context %s", ++ context_str(printercon), con->scon); ++ context_free(printercon); ++ ++ if (avc_context_to_sid(devcon, &psid) != 0) ++ { ++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux sid of the printer")); ++ freecon(devcon); ++ return (NULL); ++ } ++ freecon(devcon); ++ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0) ++ { ++ /* ++ * The access check failed, so cancel the job and send an audit message ++ */ ++ if (AuditLog != -1) ++ { ++ audit_message = NULL; ++ cupsdSetStringf(&audit_message, "job=? auid=%u acct=%s obj=%s refused" ++ " unable to access printer=%s", con->auid, ++ con->username, con->scon, printer->name); ++ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message, ++ ServerName, NULL, NULL, 0); ++ cupsdClearString(&audit_message); ++ } ++ ++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux prohibits access to the printer")); ++ return (NULL); ++ } ++ } ++ } ++#endif /* WITH_LSPP */ ++ + if ((job = cupsdAddJob(priority, printer->name)) == NULL) + { + send_ipp_status(con, IPP_INTERNAL_ERROR, +@@ -1586,6 +1715,32 @@ add_job(cupsd_client_t *con, /* I - Cl + return (NULL); + } + ++#ifdef WITH_LSPP ++ if (is_lspp_config()) ++ { ++ /* ++ * duplicate the security context and auid of the connection into the job structure ++ */ ++ job->scon = strdup(con->scon); ++ job->auid = con->auid; ++ ++ /* ++ * add the security context to the request so that on a restart the security ++ * attributes will be able to be restored ++ */ ++ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "security-context", ++ NULL, job->scon); ++ } ++ else ++ { ++ /* ++ * Fill in the security context of the job as unlabeled ++ */ ++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: setting context of job to %s", UNKNOWN_SL); ++ cupsdSetString(&job->scon, UNKNOWN_SL); ++ } ++#endif /* WITH_LSPP */ ++ + job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE); + job->attrs = con->request; + job->dirty = 1; +@@ -1773,6 +1928,29 @@ add_job(cupsd_client_t *con, /* I - Cl + ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]); + ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]); + } ++#ifdef WITH_LSPP ++ else ++ { ++ /* ++ * The option was present, so capture the user supplied strings ++ */ ++ userheader = strdup(attr->values[0].string.text); ++ ++ if (attr->num_values > 1) ++ userfooter = strdup(attr->values[1].string.text); ++ ++ if (Classification != NULL && (strcmp(userheader, Classification) == 0) ++ && userfooter &&(strcmp(userfooter, Classification) == 0)) ++ { ++ /* ++ * Since both values are Classification, the user is not trying to Override ++ */ ++ free(userheader); ++ if (userfooter) free(userfooter); ++ userheader = userfooter = NULL; ++ } ++ } ++#endif /* WITH_LSPP */ + + job->job_sheets = attr; + +@@ -1803,6 +1981,9 @@ add_job(cupsd_client_t *con, /* I - Cl + "job-sheets=\"%s,none\", " + "job-originating-user-name=\"%s\"", + Classification, job->username); ++#ifdef WITH_LSPP ++ override = 1; ++#endif /* WITH_LSPP */ + } + else if (attr->num_values == 2 && + strcmp(attr->values[0].string.text, +@@ -1821,6 +2002,9 @@ add_job(cupsd_client_t *con, /* I - Cl + "job-originating-user-name=\"%s\"", + attr->values[0].string.text, + attr->values[1].string.text, job->username); ++#ifdef WITH_LSPP ++ override = 1; ++#endif /* WITH_LSPP */ + } + else if (strcmp(attr->values[0].string.text, Classification) && + strcmp(attr->values[0].string.text, "none") && +@@ -1841,6 +2025,9 @@ add_job(cupsd_client_t *con, /* I - Cl + "job-originating-user-name=\"%s\"", + attr->values[0].string.text, + attr->values[1].string.text, job->username); ++#ifdef WITH_LSPP ++ override = 1; ++#endif /* WITH_LSPP */ + } + } + else if (strcmp(attr->values[0].string.text, Classification) && +@@ -1881,8 +2068,52 @@ add_job(cupsd_client_t *con, /* I - Cl + "job-sheets=\"%s\", " + "job-originating-user-name=\"%s\"", + Classification, job->username); ++#ifdef WITH_LSPP ++ override = 1; ++#endif /* WITH_LSPP */ ++ } ++#ifdef WITH_LSPP ++ if (is_lspp_config() && AuditLog != -1) ++ { ++ audit_message = NULL; ++ ++ if (userheader || userfooter) ++ { ++ if (!override) ++ { ++ /* ++ * The user overrode the banner, so audit it ++ */ ++ cupsdSetStringf(&audit_message, "job=%d user supplied job-sheets=%s,%s" ++ " using banners=%s,%s", job->id, userheader, ++ userfooter, attr->values[0].string.text, ++ (attr->num_values > 1) ? attr->values[1].string.text : "(null)"); ++ audit_log_user_message(AuditLog, AUDIT_LABEL_OVERRIDE, audit_message, ++ ServerName, NULL, NULL, 1); ++ } ++ else ++ { ++ /* ++ * The user tried to override the banner, audit the failure ++ */ ++ cupsdSetStringf(&audit_message, "job=%d user supplied job-sheets=%s,%s" ++ " ignored banners=%s,%s", job->id, userheader, ++ userfooter, attr->values[0].string.text, ++ (attr->num_values > 1) ? attr->values[1].string.text : "(null)"); ++ audit_log_user_message(AuditLog, AUDIT_LABEL_OVERRIDE, audit_message, ++ ServerName, NULL, NULL, 0); ++ } ++ cupsdClearString(&audit_message); ++ } + } ++ ++ if (userheader) ++ free(userheader); ++ if (userfooter) ++ free(userfooter); ++#endif /* WITH_LSPP */ + } ++ + + /* + * See if we need to add the starting sheet... +@@ -3656,6 +3887,128 @@ check_rss_recipient( + } + + ++#ifdef WITH_LSPP ++/* ++ * 'check_context()' - Check SELinux security context of a user and job ++ */ ++ ++static int /* O - 1 if OK, 0 if not, -1 on error */ ++check_context(cupsd_client_t *con, /* I - Client connection */ ++ cupsd_job_t *job) /* I - Job */ ++{ ++ int enforcing; /* is SELinux in enforcing mode */ ++ char filename[1024]; /* Filename of the spool file */ ++ security_id_t clisid; /* SELinux SID of the client */ ++ security_id_t jobsid; /* SELinux SID of the job */ ++ security_id_t filesid; /* SELinux SID of the spool file */ ++ struct avc_entry_ref avcref; /* AVC entry cache pointer */ ++ security_class_t tclass; /* SELinux security class */ ++ access_vector_t avr; /* SELinux access being queried */ ++ security_context_t spoolfilecon; /* SELinux context of the spool file */ ++ ++ ++ /* ++ * Validate the input to be sure there are contexts to work with... ++ */ ++ ++ if (con->scon == NULL || job->scon == NULL ++ || strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0 ++ || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0) ++ return -1; ++ ++ if ((enforcing = security_getenforce()) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Error while determining SELinux enforcement"); ++ return -1; ++ } ++ cupsdLogJob(job, CUPSD_LOG_DEBUG, ++ "check_context: client context %s job context %s", ++ con->scon, job->scon); ++ ++ ++ /* ++ * Initialize the avc engine... ++ */ ++ ++ static int avc_initialized = 0; ++ if (! avc_initialized++) ++ { ++ if (avc_init("cupsd", NULL, NULL, NULL, NULL) < 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, "check_context: unable avc_init"); ++ return -1; ++ } ++ } ++ if (avc_context_to_sid(con->scon, &clisid) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "check_context: unable to convert %s to SELinux sid", ++ con->scon); ++ return -1; ++ } ++ if (avc_context_to_sid(job->scon, &jobsid) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "check_context: unable to convert %s to SELinux sid", ++ job->scon); ++ return -1; ++ } ++ avc_entry_ref_init(&avcref); ++ tclass = SECCLASS_FILE; ++ avr = FILE__READ; ++ ++ /* ++ * Perform the check with the client as the subject, first with the job as the object ++ * if that fails then with the spool file as the object... ++ */ ++ ++ if (avc_has_perm_noaudit(clisid, jobsid, tclass, avr, &avcref, NULL) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_INFO, ++ "check_context: SELinux denied access " ++ "based on the client context"); ++ ++ snprintf(filename, sizeof(filename), "%s/c%05d", RequestRoot, job->id); ++ if (getfilecon(filename, &spoolfilecon) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "check_context: Unable to get spoolfile context"); ++ return -1; ++ } ++ if (avc_context_to_sid(spoolfilecon, &filesid) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "check_context: Unable to determine the " ++ "SELinux sid for the spool file"); ++ freecon(spoolfilecon); ++ return -1; ++ } ++ freecon(spoolfilecon); ++ if (avc_has_perm_noaudit(clisid, filesid, tclass, avr, &avcref, NULL) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_INFO, ++ "check_context: SELinux denied access to the spool file"); ++ return 0; ++ } ++ cupsdLogJob(job, CUPSD_LOG_INFO, ++ "check_context: SELinux allowed access to the spool file"); ++ return 1; ++ } ++ else ++ if (enforcing == 0) ++ cupsdLogJob(job, CUPSD_LOG_INFO, ++ "check_context: allowing operation due to permissive mode"); ++ else ++ cupsdLogJob(job, CUPSD_LOG_INFO, ++ "check_context: SELinux allowed access based on the " ++ "client context"); ++ ++ return 1; ++} ++#endif /* WITH_LSPP */ ++ ++ + /* + * 'check_quotas()' - Check quotas for a printer and user. + */ +@@ -4112,6 +4465,15 @@ copy_banner(cupsd_client_t *con, /* I - + char attrname[255], /* Name of attribute */ + *s; /* Pointer into name */ + ipp_attribute_t *attr; /* Attribute */ ++#ifdef WITH_LSPP ++ const char *mls_label; /* SL of print job */ ++ char *jobrange; /* SELinux sensitivity range */ ++ char *jobclearance; /* SELinux low end clearance */ ++ context_t jobcon; /* SELinux context of the job */ ++ context_t tmpcon; /* Temp context to set the level */ ++ security_context_t spoolcon; /* Context of the file in the spool */ ++#endif /* WITH_LSPP */ ++ + + + cupsdLogMessage(CUPSD_LOG_DEBUG2, +@@ -4147,6 +4509,85 @@ copy_banner(cupsd_client_t *con, /* I - + + fchmod(cupsFileNumber(out), 0640); + fchown(cupsFileNumber(out), RunUser, Group); ++#ifdef WITH_LSPP ++ if (job->scon != NULL && ++ strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) ++ { ++ if (getfilecon(filename, &spoolcon) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to get the context of the banner file %s - %s", ++ filename, strerror(errno)); ++ job->num_files --; ++ return (0); ++ } ++ tmpcon = context_new(spoolcon); ++ jobcon = context_new(job->scon); ++ freecon(spoolcon); ++ if (!tmpcon || !jobcon) ++ { ++ if (tmpcon) ++ context_free(tmpcon); ++ if (jobcon) ++ context_free(jobcon); ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "copy_banner: Unable to get the SELinux contexts"); ++ job->num_files --; ++ return (0); ++ } ++ jobrange = (char *) context_range_get(jobcon); ++ if (jobrange) ++ { ++ jobrange = strdup(jobrange); ++ if ((jobclearance = strtok(jobrange, "-")) != NULL) ++ { ++ if (context_range_set(tmpcon, jobclearance) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "copy_banner: Unable to set the " ++ "level of the context for file %s - %s", ++ filename, strerror(errno)); ++ free(jobrange); ++ context_free(jobcon); ++ context_free(tmpcon); ++ job->num_files --; ++ return (0); ++ } ++ } ++ else ++ { ++ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "copy_banner: Unable to set the " ++ "level of the context for file %s - %s", ++ filename, strerror(errno)); ++ free(jobrange); ++ context_free(jobcon); ++ context_free(tmpcon); ++ job->num_files --; ++ return (0); ++ } ++ } ++ free(jobrange); ++ } ++ if (setfilecon(filename, context_str(tmpcon)) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "copy_banner: Unable to set the " ++ "context of the banner file %s - %s", ++ filename, strerror(errno)); ++ context_free(jobcon); ++ context_free(tmpcon); ++ job->num_files --; ++ return (0); ++ } ++ cupsdLogJob(job, CUPSD_LOG_DEBUG2, "copy_banner: %s set to %s", ++ filename, context_str(tmpcon)); ++ context_free(jobcon); ++ context_free(tmpcon); ++ } ++#endif /* WITH_LSPP */ + + /* + * Try the localized banner file under the subdirectory... +@@ -4241,6 +4682,24 @@ copy_banner(cupsd_client_t *con, /* I - + else + s = attrname; + ++#ifdef WITH_LSPP ++ if (strcmp(s, "mls-label") == 0) ++ { ++ if (job->scon != NULL && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) ++ { ++ jobcon = context_new(job->scon); ++ if (_cups_strcasecmp(name, MLS_CONFIG) == 0) ++ mls_label = context_range_get(jobcon); ++ else if (_cups_strcasecmp(name, TE_CONFIG) == 0) ++ mls_label = context_type_get(jobcon); ++ else // default to using the whole context string ++ mls_label = context_str(jobcon); ++ cupsFilePuts(out, mls_label); ++ context_free(jobcon); ++ } ++ continue; ++ } ++#endif /* WITH_LSPP */ + if (!strcmp(s, "printer-name")) + { + cupsFilePuts(out, job->dest); +@@ -6480,6 +6939,22 @@ get_job_attrs(cupsd_client_t *con, /* I + + exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username); + ++ ++#ifdef WITH_LSPP ++ /* ++ * Check SELinux... ++ */ ++ if (is_lspp_config() && check_context(con, job) != 1) ++ { ++ /* ++ * Unfortunately we have to lie to the user... ++ */ ++ send_ipp_status(con, IPP_NOT_FOUND, _("Job #%d does not exist!"), jobid); ++ return; ++ } ++#endif /* WITH_LSPP */ ++ ++ + /* + * Copy attributes... + */ +@@ -6877,6 +7352,11 @@ get_jobs(cupsd_client_t *con, /* I - C + if (username[0] && _cups_strcasecmp(username, job->username)) + continue; + ++#ifdef WITH_LSPP ++ if (is_lspp_config() && check_context(con, job) != 1) ++ continue; ++#endif /* WITH_LSPP */ ++ + if (count > 0) + ippAddSeparator(con->response); + +@@ -11475,6 +11955,11 @@ validate_user(cupsd_job_t *job, /* I + + strlcpy(username, get_username(con), userlen); + ++#ifdef WITH_LSPP ++ if (is_lspp_config() && check_context(con, job) != 1) ++ return 0; ++#endif /* WITH_LSPP */ ++ + /* + * Check the username against the owner... + */ +diff -up cups-2.2.8/scheduler/job.c.lspp cups-2.2.8/scheduler/job.c +--- cups-2.2.8/scheduler/job.c.lspp 2018-06-08 17:34:38.657654158 +0200 ++++ cups-2.2.8/scheduler/job.c 2018-06-08 17:34:38.733653554 +0200 +@@ -11,6 +11,9 @@ + * missing or damaged, see the license at "http://www.cups.org/". + */ + ++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ ++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ ++ + /* + * Include necessary headers... + */ +@@ -26,6 +29,14 @@ + # endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */ + #endif /* __APPLE__ */ + ++#ifdef WITH_LSPP ++#include ++#include ++#include ++#include ++#include ++#include ++#endif /* WITH_LSPP */ + + /* + * Design Notes for Job Management +@@ -547,6 +558,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I + /* PRINTER_STATE_REASONS env var */ + rip_max_cache[255]; + /* RIP_MAX_CACHE env variable */ ++#ifdef WITH_LSPP ++ char *audit_message = NULL; /* Audit message string */ ++ context_t jobcon; /* SELinux context of the job */ ++ char *label_template = NULL; /* SL to put in classification ++ env var */ ++ const char *mls_label = NULL; /* SL to put in classification ++ env var */ ++#endif /* WITH_LSPP */ + + + cupsdLogMessage(CUPSD_LOG_DEBUG2, +@@ -1083,6 +1102,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I + if (final_content_type[0]) + envp[envc ++] = final_content_type; + ++#ifdef WITH_LSPP ++ if (is_lspp_config()) ++ { ++ if (!job->scon || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0) ++ { ++ if (AuditLog != -1) ++ { ++ audit_message = NULL; ++ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s", ++ job->id, job->auid, job->username, job->printer->name, title); ++ audit_log_user_message(AuditLog, AUDIT_USER_UNLABELED_EXPORT, audit_message, ++ ServerName, NULL, NULL, 1); ++ cupsdClearString(&audit_message); ++ } ++ } ++ else ++ { ++ jobcon = context_new(job->scon); ++ ++ if ((attr = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME)) == NULL) ++ label_template = strdup(Classification); ++ else if (attr->num_values > 1 && ++ strcmp(attr->values[1].string.text, "none") != 0) ++ label_template = strdup(attr->values[1].string.text); ++ else ++ label_template = strdup(attr->values[0].string.text); ++ ++ if (_cups_strcasecmp(label_template, MLS_CONFIG) == 0) ++ mls_label = context_range_get(jobcon); ++ else if (_cups_strcasecmp(label_template, TE_CONFIG) == 0) ++ mls_label = context_type_get(jobcon); ++ else if (_cups_strcasecmp(label_template, SELINUX_CONFIG) == 0) ++ mls_label = context_str(jobcon); ++ else ++ mls_label = label_template; ++ ++ if (mls_label && (PerPageLabels || banner_page)) ++ { ++ snprintf(classification, sizeof(classification), "CLASSIFICATION=LSPP:%s", mls_label); ++ envp[envc ++] = classification; ++ } ++ ++ if ((AuditLog != -1) && !banner_page) ++ { ++ audit_message = NULL; ++ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s" ++ " obj=%s label=%s", job->id, job->auid, job->username, ++ job->printer->name, title, job->scon, mls_label?mls_label:"none"); ++ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message, ++ ServerName, NULL, NULL, 1); ++ cupsdClearString(&audit_message); ++ } ++ context_free(jobcon); ++ free(label_template); ++ } ++ } ++ else ++ /* ++ * Fall through to the non-LSPP behavior ++ */ ++#endif /* WITH_LSPP */ + if (Classification && !banner_page) + { + if ((attr = ippFindAttribute(job->attrs, "job-sheets", +@@ -1862,6 +1942,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J + ippSetString(job->attrs, &job->reasons, 0, "none"); + } + ++#ifdef WITH_LSPP ++ if ((attr = ippFindAttribute(job->attrs, "security-context", IPP_TAG_NAME)) != NULL) ++ cupsdSetString(&job->scon, attr->values[0].string.text); ++ else if (is_lspp_config()) ++ { ++ /* ++ * There was no security context so delete the job ++ */ ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Missing or bad security-context attribute " ++ "in control file \"%s\"!", ++ jobfile); ++ goto error; ++ } ++#endif /* WITH_LSPP */ ++ + job->impressions = ippFindAttribute(job->attrs, "job-impressions-completed", IPP_TAG_INTEGER); + job->sheets = ippFindAttribute(job->attrs, "job-media-sheets-completed", IPP_TAG_INTEGER); + job->job_sheets = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME); +@@ -2275,6 +2371,14 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J + { + char filename[1024]; /* Job control filename */ + cups_file_t *fp; /* Job file */ ++#ifdef WITH_LSPP ++ security_context_t spoolcon; /* context of the job control file */ ++ context_t jobcon; /* contex_t container for job->scon */ ++ context_t tmpcon; /* Temp context to swap the level */ ++ char *jobclearance; /* SELinux low end clearance */ ++ const char *jobrange; /* SELinux sensitivity range */ ++ char *jobrange_copy; /* SELinux sensitivity range */ ++#endif /* WITH_LSPP */ + + + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p(%d)): job->attrs=%p", +@@ -2297,6 +2401,78 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J + + fchown(cupsFileNumber(fp), RunUser, Group); + ++#ifdef WITH_LSPP ++ if (job->scon && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) ++ { ++ if (getfilecon(filename, &spoolcon) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to get context of job control file \"%s\" - %s.", ++ filename, strerror(errno)); ++ return; ++ } ++ jobcon = context_new(job->scon); ++ tmpcon = context_new(spoolcon); ++ freecon(spoolcon); ++ if (!jobcon || !tmpcon) ++ { ++ if (jobcon) ++ context_free(jobcon); ++ if (tmpcon) ++ context_free(tmpcon); ++ cupsdLogJob(job, CUPSD_LOG_ERROR, "Unable to get SELinux contexts"); ++ return; ++ } ++ jobrange = context_range_get(jobcon); ++ if (jobrange) ++ { ++ jobrange_copy = strdup(jobrange); ++ if ((jobclearance = strtok(jobrange_copy, "-")) != NULL) ++ { ++ if (context_range_set(tmpcon, jobclearance) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to set the range for " ++ "job control file \"%s\" - %s.", ++ filename, strerror(errno)); ++ free(jobrange_copy); ++ context_free(tmpcon); ++ context_free(jobcon); ++ return; ++ } ++ } ++ else ++ { ++ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to set the range for " ++ "job control file \"%s\" - %s.", ++ filename, strerror(errno)); ++ free(jobrange_copy); ++ context_free(tmpcon); ++ context_free(jobcon); ++ return; ++ } ++ } ++ free(jobrange_copy); ++ } ++ if (setfilecon(filename, context_str(tmpcon)) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to set context of job control file \"%s\" - %s.", ++ filename, strerror(errno)); ++ context_free(tmpcon); ++ context_free(jobcon); ++ return; ++ } ++ cupsdLogJob(job, CUPSD_LOG_DEBUG2, "New spool file context=%s", ++ context_str(tmpcon)); ++ context_free(tmpcon); ++ context_free(jobcon); ++ } ++#endif /* WITH_LSPP */ ++ + job->attrs->state = IPP_IDLE; + + if (ippWriteIO(fp, (ipp_iocb_t)cupsFileWrite, 1, NULL, +@@ -3943,6 +4119,19 @@ get_options(cupsd_job_t *job, /* I - Jo + banner_page) + continue; + ++#ifdef WITH_LSPP ++ /* ++ * In LSPP mode refuse to honor the page-label ++ */ ++ if (is_lspp_config() && ++ !strcmp(attr->name, "page-label")) ++ { ++ cupsdLogJob(job, CUPSD_LOG_DEBUG, ++ "Ignoring page-label option due to LSPP mode"); ++ continue; ++ } ++#endif /* WITH_LSPP */ ++ + /* + * Otherwise add them to the list... + */ +@@ -4704,6 +4893,18 @@ start_job(cupsd_job_t *job, /* I - + cupsd_printer_t *printer) /* I - Printer to print job */ + { + const char *filename; /* Support filename */ ++#ifdef WITH_LSPP ++ char *audit_message = NULL; /* Audit message string */ ++ char *printerfile = NULL; /* Device file pointed to by the printer */ ++ security_id_t clisid; /* SELinux SID for the client */ ++ security_id_t psid; /* SELinux SID for the printer */ ++ context_t printercon; /* Printer's context string */ ++ struct stat printerstat; /* Printer's stat buffer */ ++ security_context_t devcon; /* Printer's SELinux context */ ++ struct avc_entry_ref avcref; /* Pointer to the access vector cache */ ++ security_class_t tclass; /* Object class for the SELinux check */ ++ access_vector_t avr; /* Access method being requested */ ++#endif /* WITH_LSPP */ + ipp_attribute_t *cancel_after = ippFindAttribute(job->attrs, + "job-cancel-after", + IPP_TAG_INTEGER); +@@ -4892,6 +5093,113 @@ start_job(cupsd_job_t *job, /* I - + fcntl(job->side_pipes[1], F_SETFD, + fcntl(job->side_pipes[1], F_GETFD) | FD_CLOEXEC); + ++#ifdef WITH_LSPP ++ if (is_lspp_config()) ++ { ++ /* ++ * Perform an access check before printing, but only if the printer starts with /dev/ ++ */ ++ printerfile = strstr(printer->device_uri, "/dev/"); ++ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0)) ++ printerfile = printer->device_uri + strlen("file:"); ++ ++ if (printerfile != NULL) ++ { ++ cupsdLogJob(job, CUPSD_LOG_DEBUG, ++ "Attempting to check access on printer device %s", ++ printerfile); ++ if (lstat(printerfile, &printerstat) < 0) ++ { ++ if (errno != ENOENT) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to stat the printer"); ++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); ++ return ; ++ } ++ /* ++ * The printer does not exist, so for now assume it's a FileDevice ++ */ ++ tclass = SECCLASS_FILE; ++ avr = FILE__WRITE; ++ } ++ else if (S_ISCHR(printerstat.st_mode)) ++ { ++ tclass = SECCLASS_CHR_FILE; ++ avr = CHR_FILE__WRITE; ++ } ++ else if (S_ISREG(printerstat.st_mode)) ++ { ++ tclass = SECCLASS_FILE; ++ avr = FILE__WRITE; ++ } ++ else ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "StartJob: Printer is not a character device or " ++ "regular file"); ++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); ++ return ; ++ } ++ static int avc_initialized = 0; ++ if (!avc_initialized++) ++ avc_init("cupsd_dequeue_", NULL, NULL, NULL, NULL); ++ avc_entry_ref_init(&avcref); ++ if (avc_context_to_sid(job->scon, &clisid) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to determine the SELinux sid for the job"); ++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); ++ return ; ++ } ++ if (getfilecon(printerfile, &devcon) == -1) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to get the SELinux context of %s", ++ printerfile); ++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); ++ return ; ++ } ++ printercon = context_new(devcon); ++ cupsdLogJob(job, CUPSD_LOG_DEBUG, ++ "Printer context %s client context %s", ++ context_str(printercon), job->scon); ++ context_free(printercon); ++ ++ if (avc_context_to_sid(devcon, &psid) != 0) ++ { ++ cupsdLogJob(job, CUPSD_LOG_ERROR, ++ "Unable to determine the SELinux sid for the printer"); ++ freecon(devcon); ++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); ++ return ; ++ } ++ freecon(devcon); ++ ++ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0) ++ { ++ /* ++ * The access check failed, so cancel the job and send an audit message ++ */ ++ if (AuditLog != -1) ++ { ++ audit_message = NULL; ++ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s obj=%s canceled" ++ " unable to access printer=%s", job->id, ++ job->auid, (job->username)?job->username:"?", job->scon, printer->name); ++ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message, ++ ServerName, NULL, NULL, 0); ++ cupsdClearString(&audit_message); ++ } ++ ++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); ++ ++ return ; ++ } ++ } ++ } ++#endif /* WITH_LSPP */ ++ + /* + * Now start the first file in the job... + */ +diff -up cups-2.2.8/scheduler/job.h.lspp cups-2.2.8/scheduler/job.h +--- cups-2.2.8/scheduler/job.h.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/job.h 2018-06-08 17:34:38.733653554 +0200 +@@ -11,6 +11,13 @@ + * missing or damaged, see the license at "http://www.cups.org/". + */ + ++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ ++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ ++ ++#ifdef WITH_LSPP ++#include ++#endif /* WITH_LSPP */ ++ + /* + * Constants... + */ +@@ -88,6 +95,10 @@ struct cupsd_job_s /**** Job request * + int progress; /* Printing progress */ + int num_keywords; /* Number of PPD keywords */ + cups_option_t *keywords; /* PPD keywords */ ++#ifdef WITH_LSPP ++ security_context_t scon; /* Security context of job */ ++ uid_t auid; /* Audit loginuid for this job */ ++#endif /* WITH_LSPP */ + }; + + typedef struct cupsd_joblog_s /**** Job log message ****/ +diff -up cups-2.2.8/scheduler/main.c.lspp cups-2.2.8/scheduler/main.c +--- cups-2.2.8/scheduler/main.c.lspp 2018-06-08 17:34:38.663654110 +0200 ++++ cups-2.2.8/scheduler/main.c 2018-06-08 17:34:38.734653546 +0200 +@@ -56,6 +56,9 @@ + # include + #endif /* HAVE_SYS_PARAM_H */ + ++#ifdef WITH_LSPP ++# include ++#endif /* WITH_LSPP */ + + /* + * Local functions... +@@ -122,6 +125,9 @@ main(int argc, /* I - Number of comm + #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) + struct sigaction action; /* Actions for POSIX signals */ + #endif /* HAVE_SIGACTION && !HAVE_SIGSET */ ++#if WITH_LSPP ++ auditfail_t failmode; /* Action for audit_open failure */ ++#endif /* WITH_LSPP */ + #ifdef __APPLE__ + int use_sysman = 1; /* Use system management functions? */ + #else +@@ -495,6 +501,25 @@ main(int argc, /* I - Number of comm + exit(errno); + } + ++#ifdef WITH_LSPP ++ if ((AuditLog = audit_open()) < 0 ) ++ { ++ if (get_auditfail_action(&failmode) == 0) ++ { ++ if (failmode == FAIL_LOG) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to connect to audit subsystem."); ++ AuditLog = -1; ++ } ++ else if (failmode == FAIL_TERMINATE) ++ { ++ fprintf(stderr, "cupsd: unable to start auditing, terminating"); ++ return -1; ++ } ++ } ++ } ++#endif /* WITH_LSPP */ ++ + /* + * Let the system know we are busy while we bring up cupsd... + */ +@@ -1188,6 +1213,11 @@ main(int argc, /* I - Number of comm + + cupsdStopSelect(); + ++#ifdef WITH_LSPP ++ if (AuditLog != -1) ++ audit_close(AuditLog); ++#endif /* WITH_LSPP */ ++ + return (!stop_scheduler); + } + +diff -up cups-2.2.8/scheduler/printers.c.lspp cups-2.2.8/scheduler/printers.c +--- cups-2.2.8/scheduler/printers.c.lspp 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/printers.c 2018-06-08 17:34:38.734653546 +0200 +@@ -11,6 +11,8 @@ + * missing or damaged, see the license at "http://www.cups.org/". + */ + ++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ ++ + /* + * Include necessary headers... + */ +@@ -35,6 +37,10 @@ + # include + #endif /* __APPLE__ */ + ++#ifdef WITH_LSPP ++# include ++# include ++#endif /* WITH_LSPP */ + + /* + * Local functions... +@@ -2202,6 +2208,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) + ipp_attribute_t *attr; /* Attribute data */ + char *name, /* Current user/group name */ + *filter; /* Current filter */ ++#ifdef WITH_LSPP ++ char *audit_message; /* Audit message string */ ++ char *printerfile; /* Path to a local printer dev */ ++ char *rangestr; /* Printer's range if its available */ ++ security_context_t devcon; /* Printer SELinux context */ ++ context_t printercon; /* context_t for the printer */ ++#endif /* WITH_LSPP */ + + + DEBUG_printf(("cupsdSetPrinterAttrs: entering name = %s, type = %x\n", p->name, +@@ -2329,6 +2342,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) + attr->values[1].string.text = _cupsStrAlloc(Classification ? + Classification : p->job_sheets[1]); + } ++#ifdef WITH_LSPP ++ if (AuditLog != -1) ++ { ++ audit_message = NULL; ++ rangestr = NULL; ++ printercon = 0; ++ printerfile = strstr(p->device_uri, "/dev/"); ++ if (printerfile == NULL && (strncmp(p->device_uri, "file:/", 6) == 0)) ++ printerfile = p->device_uri + strlen("file:"); ++ ++ if (printerfile != NULL) ++ { ++ if (getfilecon(printerfile, &devcon) == -1) ++ { ++ if(is_selinux_enabled()) ++ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdSetPrinterAttrs: Unable to get printer context"); ++ } ++ else ++ { ++ printercon = context_new(devcon); ++ freecon(devcon); ++ } ++ } ++ ++ if (printercon && context_range_get(printercon)) ++ rangestr = strdup(context_range_get(printercon)); ++ else ++ rangestr = strdup("unknown"); ++ ++ cupsdSetStringf(&audit_message, "printer=%s uri=%s banners=%s,%s range=%s", ++ p->name, p->sanitized_device_uri, p->job_sheets[0], p->job_sheets[1], rangestr); ++ audit_log_user_message(AuditLog, AUDIT_LABEL_LEVEL_CHANGE, audit_message, ++ ServerName, NULL, NULL, 1); ++ if (printercon) ++ context_free(printercon); ++ free(rangestr); ++ cupsdClearString(&audit_message); ++ } ++#endif /* WITH_LSPP */ + } + + p->raw = 0; diff --git a/cups-multilib.patch b/cups-multilib.patch new file mode 100644 index 00000000..3c6bc397 --- /dev/null +++ b/cups-multilib.patch @@ -0,0 +1,16 @@ +diff -up cups-1.5b1/cups-config.in.multilib cups-1.5b1/cups-config.in +--- cups-1.5b1/cups-config.in.multilib 2010-06-16 02:48:25.000000000 +0200 ++++ cups-1.5b1/cups-config.in 2011-05-23 17:33:31.000000000 +0200 +@@ -22,8 +22,10 @@ prefix=@prefix@ + exec_prefix=@exec_prefix@ + bindir=@bindir@ + includedir=@includedir@ +-libdir=@libdir@ +-imagelibdir=@libdir@ ++# Fetch libdir from gnutls's pkg-config script. This is a bit ++# of a cheat, but the cups-devel package requires gnutls-devel anyway. ++libdir=`pkg-config --variable=libdir gnutls` ++imagelibdir=`pkg-config --variable=libdir gnutls` + datarootdir=@datadir@ + datadir=@datadir@ + sysconfdir=@sysconfdir@ diff --git a/cups-no-export-ssllibs.patch b/cups-no-export-ssllibs.patch new file mode 100644 index 00000000..14b44265 --- /dev/null +++ b/cups-no-export-ssllibs.patch @@ -0,0 +1,10 @@ +diff -up cups-2.2b2/config-scripts/cups-ssl.m4.no-export-ssllibs cups-2.2b2/config-scripts/cups-ssl.m4 +--- cups-2.2b2/config-scripts/cups-ssl.m4.no-export-ssllibs 2016-06-27 15:06:22.299980753 +0200 ++++ cups-2.2b2/config-scripts/cups-ssl.m4 2016-06-27 15:08:00.953154042 +0200 +@@ -102,5 +102,5 @@ AC_SUBST(IPPALIASES) + AC_SUBST(SSLFLAGS) + AC_SUBST(SSLLIBS) + +-EXPORT_SSLLIBS="$SSLLIBS" ++EXPORT_SSLLIBS="" + AC_SUBST(EXPORT_SSLLIBS) diff --git a/cups-no-gzip-man.patch b/cups-no-gzip-man.patch new file mode 100644 index 00000000..c476b7b4 --- /dev/null +++ b/cups-no-gzip-man.patch @@ -0,0 +1,18 @@ +diff -up cups-2.2.4/config-scripts/cups-manpages.m4.no-gzip-man cups-2.2.4/config-scripts/cups-manpages.m4 +--- cups-2.2.4/config-scripts/cups-manpages.m4.no-gzip-man 2017-06-30 20:37:09.470034273 +0200 ++++ cups-2.2.4/config-scripts/cups-manpages.m4 2017-06-30 20:39:15.982884832 +0200 +@@ -53,10 +53,10 @@ case "$host_os_name" in + ;; + linux* | gnu* | darwin*) + # Linux, GNU Hurd, and macOS +- MAN1EXT=1.gz +- MAN5EXT=5.gz +- MAN7EXT=7.gz +- MAN8EXT=8.gz ++ MAN1EXT=1 ++ MAN5EXT=5 ++ MAN7EXT=7 ++ MAN8EXT=8 + MAN8DIR=8 + ;; + *) diff --git a/cups-ricoh-deviceid-oid.patch b/cups-ricoh-deviceid-oid.patch new file mode 100644 index 00000000..c148f953 --- /dev/null +++ b/cups-ricoh-deviceid-oid.patch @@ -0,0 +1,21 @@ +diff -up cups-1.5b1/backend/snmp.c.ricoh-deviceid-oid cups-1.5b1/backend/snmp.c +--- cups-1.5b1/backend/snmp.c.ricoh-deviceid-oid 2011-05-24 17:29:48.000000000 +0200 ++++ cups-1.5b1/backend/snmp.c 2011-05-24 17:29:48.000000000 +0200 +@@ -188,6 +188,7 @@ static const int LexmarkProductOID[] = { + static const int LexmarkProductOID2[] = { 1,3,6,1,4,1,674,10898,100,2,1,2,1,2,1,-1 }; + static const int LexmarkDeviceIdOID[] = { 1,3,6,1,4,1,641,2,1,2,1,3,1,-1 }; + static const int HPDeviceIdOID[] = { 1,3,6,1,4,1,11,2,3,9,1,1,7,0,-1 }; ++static const int RicohDeviceIdOID[] = { 1,3,6,1,4,1,367,3,2,1,1,1,11,0,-1 }; + static const int XeroxProductOID[] = { 1,3,6,1,4,1,128,2,1,3,1,2,0,-1 }; + static cups_array_t *DeviceURIs = NULL; + static int HostNameLookups = 0; +@@ -1005,6 +1006,9 @@ read_snmp_response(int fd) /* I - SNMP + packet.community, CUPS_ASN1_GET_REQUEST, + DEVICE_ID, LexmarkDeviceIdOID); + _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1, ++ packet.community, CUPS_ASN1_GET_REQUEST, ++ DEVICE_ID, RicohDeviceIdOID); ++ _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1, + packet.community, CUPS_ASN1_GET_REQUEST, + DEVICE_PRODUCT, XeroxProductOID); + _cupsSNMPWrite(fd, &(packet.address), CUPS_SNMP_VERSION_1, diff --git a/cups-synconclose.patch b/cups-synconclose.patch new file mode 100644 index 00000000..8aee02b4 --- /dev/null +++ b/cups-synconclose.patch @@ -0,0 +1,48 @@ +diff -up cups-2.0.2/conf/cups-files.conf.in.LGOyhq cups-2.0.2/conf/cups-files.conf.in +--- cups-2.0.2/conf/cups-files.conf.in.LGOyhq 2015-02-10 13:51:24.912193296 +0100 ++++ cups-2.0.2/conf/cups-files.conf.in 2015-02-10 13:52:49.400997262 +0100 +@@ -7,7 +7,7 @@ + #FatalErrors @CUPS_FATAL_ERRORS@ + + # Do we call fsync() after writing configuration or status files? +-#SyncOnClose No ++#SyncOnClose Yes + + # Default user and group for filters/backends/helper programs; this cannot be + # any user or group that resolves to ID 0 for security reasons... +diff -up cups-2.0.2/doc/help/man-cups-files.conf.html.LGOyhq cups-2.0.2/doc/help/man-cups-files.conf.html +--- cups-2.0.2/doc/help/man-cups-files.conf.html.LGOyhq 2015-02-10 13:52:49.400997262 +0100 ++++ cups-2.0.2/doc/help/man-cups-files.conf.html 2015-02-10 13:53:07.057747311 +0100 +@@ -136,7 +136,7 @@ The default is "/etc/cups". +
Specifies whether the scheduler calls + fsync(2) + after writing configuration or state files. +-The default is "No". ++The default is "Yes". +
SystemGroup group-name [ ... group-name ] +
Specifies the group(s) to use for @SYSTEM group authentication. + The default contains "admin", "lpadmin", "root", "sys", and/or "system". +diff -up cups-2.0.2/man/cups-files.conf.man.in.LGOyhq cups-2.0.2/man/cups-files.conf.man.in +--- cups-2.0.2/man/cups-files.conf.man.in.LGOyhq 2015-02-10 13:52:49.400997262 +0100 ++++ cups-2.0.2/man/cups-files.conf.man.in 2015-02-10 13:53:23.753510964 +0100 +@@ -201,7 +201,7 @@ The default is "/etc/cups". + Specifies whether the scheduler calls + .BR fsync (2) + after writing configuration or state files. +-The default is "No". ++The default is "Yes". + .\"#SystemGroup + .TP 5 + \fBSystemGroup \fIgroup-name \fR[ ... \fIgroup-name\fR ] +diff -up cups-2.0.2/scheduler/conf.c.LGOyhq cups-2.0.2/scheduler/conf.c +--- cups-2.0.2/scheduler/conf.c.LGOyhq 2015-02-10 13:51:24.991192177 +0100 ++++ cups-2.0.2/scheduler/conf.c 2015-02-10 13:52:49.401997248 +0100 +@@ -717,7 +717,7 @@ cupsdReadConfiguration(void) + RootCertDuration = 300; + Sandboxing = CUPSD_SANDBOXING_STRICT; + StrictConformance = FALSE; +- SyncOnClose = FALSE; ++ SyncOnClose = TRUE; + Timeout = DEFAULT_TIMEOUT; + WebInterface = CUPS_DEFAULT_WEBIF; + diff --git a/cups-system-auth.patch b/cups-system-auth.patch new file mode 100644 index 00000000..60117a9c --- /dev/null +++ b/cups-system-auth.patch @@ -0,0 +1,38 @@ +diff -up cups-1.5b1/conf/cups.password-auth.system-auth cups-1.5b1/conf/cups.password-auth +--- cups-1.5b1/conf/cups.password-auth.system-auth 2011-05-23 17:27:27.000000000 +0200 ++++ cups-1.5b1/conf/cups.password-auth 2011-05-23 17:27:27.000000000 +0200 +@@ -0,0 +1,4 @@ ++#%PAM-1.0 ++# Use password-auth common PAM configuration for the daemon ++auth include password-auth ++account include password-auth +diff -up cups-1.5b1/conf/cups.system-auth.system-auth cups-1.5b1/conf/cups.system-auth +--- cups-1.5b1/conf/cups.system-auth.system-auth 2011-05-23 17:27:27.000000000 +0200 ++++ cups-1.5b1/conf/cups.system-auth 2011-05-23 17:27:27.000000000 +0200 +@@ -0,0 +1,3 @@ ++#%PAM-1.0 ++auth include system-auth ++account include system-auth +diff -up cups-1.5b1/conf/Makefile.system-auth cups-1.5b1/conf/Makefile +--- cups-1.5b1/conf/Makefile.system-auth 2011-05-12 07:21:56.000000000 +0200 ++++ cups-1.5b1/conf/Makefile 2011-05-23 17:27:27.000000000 +0200 +@@ -90,10 +90,16 @@ install-data: + done + -if test x$(PAMDIR) != x; then \ + $(INSTALL_DIR) -m 755 $(BUILDROOT)$(PAMDIR); \ +- if test -r $(BUILDROOT)$(PAMDIR)/cups ; then \ +- $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups.N ; \ ++ if test -f /etc/pam.d/password-auth; then \ ++ $(INSTALL_DATA) cups.password-auth $(BUILDROOT)$(PAMDIR)/cups; \ ++ elif test -f /etc/pam.d/system-auth; then \ ++ $(INSTALL_DATA) cups.system-auth $(BUILDROOT)$(PAMDIR)/cups; \ + else \ +- $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups ; \ ++ if test -r $(BUILDROOT)$(PAMDIR)/cups ; then \ ++ $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups.N ; \ ++ else \ ++ $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups ; \ ++ fi ; \ + fi ; \ + fi + diff --git a/cups-systemd-socket.patch b/cups-systemd-socket.patch new file mode 100644 index 00000000..cacd19f7 --- /dev/null +++ b/cups-systemd-socket.patch @@ -0,0 +1,73 @@ +diff -up cups-2.2.8/scheduler/main.c.systemd-socket cups-2.2.8/scheduler/main.c +--- cups-2.2.8/scheduler/main.c.systemd-socket 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/main.c 2018-09-19 10:38:09.285892238 +0200 +@@ -681,8 +681,16 @@ main(int argc, /* I - Number of comm + + #ifdef HAVE_ONDEMAND + if (OnDemand) ++ { + cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started on demand."); +- else ++# ifdef HAVE_SYSTEMD ++ sd_notifyf(0, "READY=1\n" ++ "STATUS=Scheduler is running...\n" ++ "MAINPID=%lu", ++ (unsigned long) getpid()); ++# endif /* HAVE_SYSTEMD */ ++ } else ++ + #endif /* HAVE_ONDEMAND */ + if (fg) + cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started in foreground."); +diff -up cups-2.2.8/scheduler/org.cups.cupsd.path.in.systemd-socket cups-2.2.8/scheduler/org.cups.cupsd.path.in +--- cups-2.2.8/scheduler/org.cups.cupsd.path.in.systemd-socket 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/org.cups.cupsd.path.in 2018-09-19 10:46:11.246666713 +0200 +@@ -1,6 +1,6 @@ + [Unit] + Description=CUPS Scheduler +-PartOf=org.cups.cupsd.service ++PartOf=cups.service + + [Path] + PathExists=@CUPS_CACHEDIR@/org.cups.cupsd +diff -up cups-2.2.8/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.8/scheduler/org.cups.cupsd.service.in +--- cups-2.2.8/scheduler/org.cups.cupsd.service.in.systemd-socket 2018-06-05 18:06:54.000000000 +0200 ++++ cups-2.2.8/scheduler/org.cups.cupsd.service.in 2018-09-19 10:41:11.378295760 +0200 +@@ -1,12 +1,13 @@ + [Unit] + Description=CUPS Scheduler + Documentation=man:cupsd(8) ++After=network.target + + [Service] + ExecStart=@sbindir@/cupsd -l +-Type=simple ++Type=notify + Restart=on-failure + + [Install] +-Also=org.cups.cupsd.socket org.cups.cupsd.path ++Also=cups.socket cups.path + WantedBy=printer.target +diff -up cups-2.2.8/scheduler/org.cups.cupsd.socket.in.systemd-socket cups-2.2.8/scheduler/org.cups.cupsd.socket.in +--- cups-2.2.8/scheduler/org.cups.cupsd.socket.in.systemd-socket 2018-09-19 10:42:21.411681757 +0200 ++++ cups-2.2.8/scheduler/org.cups.cupsd.socket.in 2018-09-19 10:42:44.819476530 +0200 +@@ -1,6 +1,6 @@ + [Unit] + Description=CUPS Scheduler +-PartOf=org.cups.cupsd.service ++PartOf=cups.service + + [Socket] + ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@ +diff -up cups-2.2.8/scheduler/org.cups.cups-lpd.socket.systemd-socket cups-2.2.8/scheduler/org.cups.cups-lpd.socket +--- cups-2.2.8/scheduler/org.cups.cups-lpd.socket.systemd-socket 2018-09-19 10:53:59.222563802 +0200 ++++ cups-2.2.8/scheduler/org.cups.cups-lpd.socket 2018-09-19 10:54:16.483412464 +0200 +@@ -1,6 +1,6 @@ + [Unit] + Description=CUPS LPD Server Socket +-PartOf=org.cups.cups-lpd.service ++PartOf=cups-lpd.service + + [Socket] + ListenStream=515 diff --git a/cups-uri-compat.patch b/cups-uri-compat.patch new file mode 100644 index 00000000..2520a5be --- /dev/null +++ b/cups-uri-compat.patch @@ -0,0 +1,51 @@ +diff -up cups-1.5b1/backend/usb-unix.c.uri-compat cups-1.5b1/backend/usb-unix.c +--- cups-1.5b1/backend/usb-unix.c.uri-compat 2011-05-24 15:59:05.000000000 +0200 ++++ cups-1.5b1/backend/usb-unix.c 2011-05-24 16:02:03.000000000 +0200 +@@ -63,11 +63,34 @@ print_device(const char *uri, /* I - De + int device_fd; /* USB device */ + ssize_t tbytes; /* Total number of bytes written */ + struct termios opts; /* Parallel port options */ ++ char *fixed_uri = strdup (uri); ++ char *p; + + + (void)argc; + (void)argv; + ++ p = strchr (fixed_uri, ':'); ++ if (p++ != NULL) ++ { ++ char *e; ++ p += strspn (p, "/"); ++ e = strchr (p, '/'); ++ if (e > p) ++ { ++ size_t mfrlen = e - p; ++ e++; ++ if (!strncasecmp (e, p, mfrlen)) ++ { ++ char *x = e + mfrlen; ++ if (!strncmp (x, "%20", 3)) ++ /* Take mfr name out of mdl name for compatibility with ++ * Fedora 11 before bug #507244 was fixed. */ ++ strcpy (e, x + 3); puts(fixed_uri); ++ } ++ } ++ } ++ + /* + * Open the USB port device... + */ +@@ -107,10 +130,10 @@ print_device(const char *uri, /* I - De + _cups_strncasecmp(hostname, "Minolta", 7); + #endif /* __FreeBSD__ || __NetBSD__ || __OpenBSD__ || __DragonFly__ */ + +- if (use_bc && !strncmp(uri, "usb:/dev/", 9)) ++ if (use_bc && !strncmp(fixed_uri, "usb:/dev/", 9)) + use_bc = 0; + +- if ((device_fd = open_device(uri, &use_bc)) == -1) ++ if ((device_fd = open_device(fixed_uri, &use_bc)) == -1) + { + if (getenv("CLASS") != NULL) + { diff --git a/cups-usb-paperout.patch b/cups-usb-paperout.patch new file mode 100644 index 00000000..f1f73f0a --- /dev/null +++ b/cups-usb-paperout.patch @@ -0,0 +1,52 @@ +diff -up cups-1.5b1/backend/usb-unix.c.usb-paperout cups-1.5b1/backend/usb-unix.c +--- cups-1.5b1/backend/usb-unix.c.usb-paperout 2011-05-24 15:51:39.000000000 +0200 ++++ cups-1.5b1/backend/usb-unix.c 2011-05-24 15:51:39.000000000 +0200 +@@ -30,6 +30,11 @@ + + #include + ++#ifdef __linux ++#include ++#include ++#endif /* __linux */ ++ + + /* + * Local functions... +@@ -334,7 +339,19 @@ open_device(const char *uri, /* I - Dev + if (!strncmp(uri, "usb:/dev/", 9)) + #ifdef __linux + { +- return (open(uri + 4, O_RDWR | O_EXCL)); ++ fd = open(uri + 4, O_RDWR | O_EXCL); ++ ++ if (fd != -1) ++ { ++ /* ++ * Tell the driver to return from write() with errno==ENOSPACE ++ * on paper-out. ++ */ ++ unsigned int t = 1; ++ ioctl (fd, LPABORT, &t); ++ } ++ ++ return fd; + } + else if (!strncmp(uri, "usb://", 6)) + { +@@ -400,7 +417,14 @@ open_device(const char *uri, /* I - Dev + if (!strcmp(uri, device_uri)) + { + /* +- * Yes, return this file descriptor... ++ * Yes, tell the driver to return from write() with ++ * errno==ENOSPACE on paper-out. ++ */ ++ unsigned int t = 1; ++ ioctl (fd, LPABORT, &t); ++ ++ /* ++ * Return this file descriptor... + */ + + fprintf(stderr, "DEBUG: Printer using device file \"%s\"...\n", diff --git a/cups-web-devices-timeout.patch b/cups-web-devices-timeout.patch new file mode 100644 index 00000000..fa3a320f --- /dev/null +++ b/cups-web-devices-timeout.patch @@ -0,0 +1,19 @@ +diff -up cups-1.7rc1/cgi-bin/admin.c.web-devices-timeout cups-1.7rc1/cgi-bin/admin.c +--- cups-1.7rc1/cgi-bin/admin.c.web-devices-timeout 2013-05-29 12:51:34.000000000 +0100 ++++ cups-1.7rc1/cgi-bin/admin.c 2013-08-16 16:01:17.308264287 +0100 +@@ -1019,13 +1019,13 @@ do_am_printer(http_t *http, /* I - HTTP + } + + /* +- * Scan for devices for up to 30 seconds... ++ * Scan for devices for up to 10 seconds... + */ + + fputs("DEBUG: Getting list of devices...\n", stderr); + + current_device = 0; +- if (cupsGetDevices(http, 5, CUPS_INCLUDE_ALL, CUPS_EXCLUDE_NONE, ++ if (cupsGetDevices(http, 10, CUPS_INCLUDE_ALL, CUPS_EXCLUDE_NONE, + (cups_device_cb_t)choose_device_cb, + (void *)title) == IPP_OK) + { diff --git a/cups-ypbind.patch b/cups-ypbind.patch new file mode 100644 index 00000000..f942708a --- /dev/null +++ b/cups-ypbind.patch @@ -0,0 +1,12 @@ +diff -up cups-2.2.0/scheduler/org.cups.cupsd.service.in.ypbind cups-2.2.0/scheduler/org.cups.cupsd.service.in +--- cups-2.2.0/scheduler/org.cups.cupsd.service.in.ypbind 2017-09-22 16:51:39.053585694 +0200 ++++ cups-2.2.0/scheduler/org.cups.cupsd.service.in 2017-09-22 16:52:02.588403584 +0200 +@@ -1,7 +1,7 @@ + [Unit] + Description=CUPS Scheduler + Documentation=man:cupsd(8) +-After=network.target ++After=network.target ypbind.service + + [Service] + ExecStart=@sbindir@/cupsd -l diff --git a/cups.logrotate b/cups.logrotate new file mode 100644 index 00000000..773c70fd --- /dev/null +++ b/cups.logrotate @@ -0,0 +1,5 @@ +/var/log/cups/*_log { + missingok + notifempty + sharedscripts +} diff --git a/cups.spec b/cups.spec new file mode 100644 index 00000000..5a0a645c --- /dev/null +++ b/cups.spec @@ -0,0 +1,345 @@ +Name: cups +Epoch: 1 +Version: 2.2.8 +Release: 7 +Summary: CUPS is the standards-based, open source printing system for linux operating systems. +License: GPLv2+ and LGPLv2+ with exceptions and AML +Url: http://www.cups.org/ +Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz + +Source2: cupsprinter.png +Source3: cups.logrotate +Source4: ncp.backend +Source5: macros.cups + +Patch1: cups-no-gzip-man.patch +Patch2: cups-system-auth.patch +Patch3: cups-multilib.patch +Patch5: cups-banners.patch +Patch7: cups-no-export-ssllibs.patch +Patch8: cups-direct-usb.patch +Patch12: cups-eggcups.patch +Patch13: cups-driverd-timeout.patch +Patch15: cups-logrotate.patch +Patch16: cups-usb-paperout.patch +Patch19: cups-uri-compat.patch +Patch22: cups-hp-deviceid-oid.patch +Patch24: cups-ricoh-deviceid-oid.patch +Patch25: cups-systemd-socket.patch +Patch30: cups-freebind.patch +Patch35: cups-ipp-multifile.patch +Patch36: cups-web-devices-timeout.patch +Patch37: cups-synconclose.patch +Patch38: cups-ypbind.patch +Patch100: cups-lspp.patch +Patch9: cups-lpr-help.patch +Patch18: cups-filter-debug.patch +Patch29: cups-dymo-deviceid.patch +Patch40: cups-journal-history.patch +Patch41: cups-accesslog-null.patch +Patch42: cups-epson-A6-crash.patch +Patch43: cups-ippvalidateattr-regression.patch +Patch44: cups-ippeve-webui.patch +Patch45: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch +Patch6000: CVE-2018-4300.patch +Patch6001: CVE-2019-8675-CVE-2019-8696.patch + +Provides: cupsddk cupsddk-drivers cups-filesystem cups-client cups-ipptool cups-lpd +Provides: lpd lpr /usr/bin/lpq /usr/bin/lpr /usr/bin/lp /usr/bin/cancel /usr/bin/lprm /usr/bin/lpstat +Obsoletes: cups-client cups-filesystem cups-lpd cups-ipptool + +BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0) +BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups +BuildRequires: automake zlib-devel gcc gcc-c++ libselinux-devel audit-libs-devel +Requires: dbus systemd acl cups-filters /usr/sbin/alternatives %{name}-libs = %{epoch}:%{version}-%{release} + +%description +CUPS is the standards-based, open source printing system developed by Apple Inc. +for UNIX®-like operating systems. CUPS uses the Internet Printing +Protocol (IPP) to support printing to local and network printers.. + +%package devel +Summary: CUPS printing system - development environment +License: LGPLv2 +Requires: %{name}%-libs = %{epoch}:%{version}-%{release} +Requires: gnutls-devel krb5-devel zlib-devel +Provides: cupsddk-devel + +%description devel +CUPS is the standards-based, open source printing system developed by Apple Inc. +for macOS® and other UNIX®-like operating systems. Developers can use this development +package to develop other printer drivers. + +%package libs +Summary: CUPS libs +License: LGPLv2 and zlib + +%description libs +The package provides cups libraries + +%package help +Summary: Documents for cups +Buildarch: noarch + +%description help +Man pages and other related documents. + +%prep +%autosetup -n %{name}-%{version} -p1 + +sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in +sed -i -e 's,^ErrorLog .*$,ErrorLog syslog,' -i -e 's,^AccessLog .*$,AccessLog syslog,' -i -e 's,^PageLog .*,PageLog syslog,' conf/cups-files.conf.in + +aclocal -I config-scripts +autoconf -I config-scripts + +%build +export DSOFLAGS="$DSOFLAGS -L../cgi-bin -L../filter -L../ppdc -L../scheduler -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/%{?_vendor}/%{?_vendor}-hardened-ld -Wl,-z,relro,-z,now -fPIE -pie" +export CFLAGS="$RPM_OPT_FLAGS -fstack-protector-all -DLDAP_DEPRECATED=1" +# --enable-debug to avoid stripping binaries +%configure --with-docdir=%{_datadir}/%{name}/www --enable-debug \ + --enable-lspp \ + --with-exe-file-perm=0755 \ + --with-cupsd-file-perm=0755 \ + --with-log-file-perm=0600 \ + --enable-relro \ + --with-dbusdir=%{_sysconfdir}/dbus-1 \ + --with-php=/usr/bin/php-cgi \ + --enable-avahi \ + --enable-threads \ + --enable-gnutls \ + --enable-webif \ + --with-xinetd=no \ + --with-access-log-level=actions \ + --enable-page-logging \ + localedir=%{_datadir}/locale + +%make_build + +%install +make BUILDROOT=${RPM_BUILD_ROOT} install + +rm -rf ${RPM_BUILD_ROOT}%{_initddir} ${RPM_BUILD_ROOT}%{_sysconfdir}/{init.d,rc?.d} +install -d ${RPM_BUILD_ROOT}%{_unitdir} + +find ${RPM_BUILD_ROOT}%{_datadir}/cups/model -name "*.ppd" |xargs gzip -n9f + +pushd ${RPM_BUILD_ROOT}%{_bindir} +for file in cancel lp lpq lpr lprm lpstat; do + mv $file $file.cups +done + +mv ${RPM_BUILD_ROOT}%{_sbindir}/lpc ${RPM_BUILD_ROOT}%{_sbindir}/lpc.cups +cd ${RPM_BUILD_ROOT}%{_mandir}/man1 +for file in cancel lp lpq lpr lprm lpstat; do + mv $file.1 $file-cups.1 +done + +mv ${RPM_BUILD_ROOT}%{_mandir}/man8/lpc.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/lpc-cups.8 +popd + +mv ${RPM_BUILD_ROOT}%{_unitdir}/org.cups.cupsd.path ${RPM_BUILD_ROOT}%{_unitdir}/cups.path +mv ${RPM_BUILD_ROOT}%{_unitdir}/org.cups.cupsd.service ${RPM_BUILD_ROOT}%{_unitdir}/cups.service +mv ${RPM_BUILD_ROOT}%{_unitdir}/org.cups.cupsd.socket ${RPM_BUILD_ROOT}%{_unitdir}/cups.socket +mv ${RPM_BUILD_ROOT}%{_unitdir}/org.cups.cups-lpd.socket ${RPM_BUILD_ROOT}%{_unitdir}/cups-lpd.socket +mv ${RPM_BUILD_ROOT}%{_unitdir}/org.cups.cups-lpd@.service ${RPM_BUILD_ROOT}%{_unitdir}/cups-lpd@.service + +/bin/sed -i -e "s,org.cups.cupsd,cups,g" ${RPM_BUILD_ROOT}%{_unitdir}/cups.service + +install -d ${RPM_BUILD_ROOT}%{_datadir}/pixmaps ${RPM_BUILD_ROOT}%{_sysconfdir}/X11/sysconfig \ + ${RPM_BUILD_ROOT}%{_sysconfdir}/X11/applnk/System ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d \ + ${RPM_BUILD_ROOT}%{_rpmconfigdir}/macros.d +install -p -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_datadir}/pixmaps +install -p -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/cups +install -p -m 755 %{SOURCE4} ${RPM_BUILD_ROOT}%{_exec_prefix}/lib/cups/backend/ncp +install -m 0644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_rpmconfigdir}/macros.d + +touch ${RPM_BUILD_ROOT}%{_sysconfdir}/cups/{printers,classes,client,subscriptions}.conf +touch ${RPM_BUILD_ROOT}%{_sysconfdir}/cups/lpoptions + +install -d ${RPM_BUILD_ROOT}%{_datadir}/ppd + +install -d ${RPM_BUILD_ROOT}%{_tmpfilesdir} +cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/cups.conf < ${RPM_BUILD_ROOT}%{_tmpfilesdir}/cups-lp.conf < %{name}.lang + +%pre + +%preun +%systemd_preun %{name}.path %{name}.socket %{name}.service +%systemd_preun cups-lpd.socket + +%post + +%systemd_post %{name}.path %{name}.socket %{name}.service + +install -d ${RPM_BUILD_ROOT}%{_localstatedir}/run/cups/certs + +/bin/sed -i -e "s,^PageLogFormat,#PageLogFormat,i" %{_sysconfdir}/cups/cups-files.conf + +%systemd_post cups-lpd.socket +exit 0 + +%post libs -p /sbin/ldconfig + +%postun + +%systemd_postun_with_restart %{name}.path %{name}.socket %{name}.service +%systemd_postun_with_restart cups-lpd.socket +exit 0 + +%postun libs -p /sbin/ldconfig + +%triggerin -- samba-client +ln -sf %{_libexecdir}/samba/cups_backend_smb %{_exec_prefix}/lib/cups/backend/smb || : +exit 0 + +%triggerun -- samba-client +[ $2 = 0 ] || exit 0 +rm -f %{_exec_prefix}/lib/cups/backend/smb + +%files -f %{name}.lang +%dir %attr(0755,root,lp) %{_sysconfdir}/cups +%dir %attr(0755,root,lp) %{_localstatedir}/run/cups +%dir %attr(0511,lp,sys) %{_localstatedir}/run/cups/certs +%{_tmpfilesdir}/cups.conf +%{_tmpfilesdir}/cups-lp.conf +%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/cupsd.conf +%attr(0640,root,lp) %{_sysconfdir}/cups/cupsd.conf.default +%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/cups-files.conf +%attr(0640,root,lp) %{_sysconfdir}/cups/cups-files.conf.default +%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/client.conf +%verify(not md5 size mtime) %config(noreplace) %attr(0600,root,lp) %{_sysconfdir}/cups/classes.conf +%verify(not md5 size mtime) %config(noreplace) %attr(0600,root,lp) %{_sysconfdir}/cups/printers.conf +%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/snmp.conf +%attr(0640,root,lp) %{_sysconfdir}/cups/snmp.conf.default +%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/subscriptions.conf +%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/lpoptions +%dir %attr(0755,root,lp) %{_sysconfdir}/cups/ppd +%dir %attr(0700,root,lp) %{_sysconfdir}/cups/ssl +%config(noreplace) %{_sysconfdir}/pam.d/cups +%config(noreplace) %{_sysconfdir}/logrotate.d/cups +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/cups.conf + +%dir %{_datadir}/cups/data +%dir %{_datadir}/cups/drv +%dir %{_datadir}/cups/mime +%dir %{_datadir}/cups/model +%dir %{_datadir}/cups/ppdc +%dir %{_datadir}/ppd +%exclude %{_mandir}/cat? +%exclude %{_mandir}/*/cat? +%exclude %{_datadir}/applications/cups.desktop +%exclude %{_datadir}/icons +%exclude %{_datadir}/cups/banners +%exclude %{_datadir}/cups/data/testprint + +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}.socket +%{_unitdir}/%{name}.path +%{_unitdir}/cups-lpd.socket +%{_unitdir}/cups-lpd@.service +%{_bindir}/cupstestppd +%{_bindir}/cupstestdsc +%{_bindir}/ppd* +%{_bindir}/cancel* +%{_bindir}/lp* +%{_bindir}/ipptool +%{_bindir}/ippfind +%{_sbindir}/* +%{_sbindir}/lpc.cups + +%{_exec_prefix}/lib/cups/backend/* +%{_exec_prefix}/lib/cups/cgi-bin +%dir %{_exec_prefix}/lib/cups/driver +%dir %{_exec_prefix}/lib/cups/daemon +%{_exec_prefix}/lib/cups/daemon/cups-deviced +%{_exec_prefix}/lib/cups/daemon/cups-driverd +%{_exec_prefix}/lib/cups/daemon/cups-exec +%{_exec_prefix}/lib/cups/notifier +%{_exec_prefix}/lib/cups/filter/* +%{_exec_prefix}/lib/cups/monitor +%{_exec_prefix}/lib/cups/daemon/cups-lpd + +%{_datadir}/cups/templates/*.tmpl +%{_datadir}/cups/templates/de/*.tmpl +%{_datadir}/cups/templates/fr/*.tmpl +%{_datadir}/cups/templates/es/*.tmpl +%{_datadir}/cups/templates/ja/*.tmpl +%{_datadir}/cups/templates/ru/*.tmpl +%{_datadir}/cups/templates/pt_BR/*.tmpl +%dir %attr(1770,root,lp) %{_localstatedir}/spool/cups/tmp +%dir %attr(0710,root,lp) %{_localstatedir}/spool/cups +%dir %attr(0755,lp,sys) %{_localstatedir}/log/cups +%{_datadir}/pixmaps/cupsprinter.png + +%{_datadir}/cups/drv/sample.drv +%{_datadir}/cups/examples +%{_datadir}/cups/mime/mime.types +%{_datadir}/cups/mime/mime.convs +%{_datadir}/cups/ppdc/*.defs +%{_datadir}/cups/ppdc/*.h + +%{_datadir}/%{name}/www/images +%{_datadir}/%{name}/www/*.css +%dir %{_datadir}/%{name}/usb +%{_datadir}/%{name}/usb/org.cups.usb-quirks +%dir %{_datadir}/cups/ipptool +%{_datadir}/cups/ipptool/* + +%files libs +%{license} LICENSE.txt +%{_libdir}/lib*.so.* + +%files devel +%{_bindir}/cups-config +%{_libdir}/*.so +%{_includedir}/cups +%{_rpmconfigdir}/macros.d/macros.cups + +%files help +%{_mandir}/man[1578]/* +%{_mandir}/man1/cancel-cups.1.gz +%{_mandir}/man1/cups-config.1.gz +%{_mandir}/man1/ipptool.1.gz +%{_mandir}/man1/lp*.1.gz +%{_mandir}/man5/ipptoolfile.5.gz +%{_mandir}/man8/cups-lpd.8.gz +%{_mandir}/man8/lpc-cups.8.gz + +%doc README.md CREDITS.md CHANGES.md +%doc %{_datadir}/%{name}/www/index.html +%doc %{_datadir}/%{name}/www/help +%doc %{_datadir}/%{name}/www/robots.txt +%doc %{_datadir}/%{name}/www/de/index.html +%doc %{_datadir}/%{name}/www/es/index.html +%doc %{_datadir}/%{name}/www/ja/index.html +%doc %{_datadir}/%{name}/www/ru/index.html +%doc %{_datadir}/%{name}/www/pt_BR/index.html +%doc %{_datadir}/%{name}/www/apple-touch-icon.png + +%changelog +* Wed Sep 25 2019 gaoguanghui - 2.2.8-7 +- Type:cves +- ID:CVE-2019-8675 CVE-2019-8696 +- SUG:restart +- DESC:fix CVE-2019-8675 CVE-2019-8696 + +* Wed Sep 18 2019 Guan Yanjie - 2.2.8-6 +- Package init diff --git a/cupsprinter.png b/cupsprinter.png new file mode 100644 index 00000000..324df1c2 Binary files /dev/null and b/cupsprinter.png differ diff --git a/macros.cups b/macros.cups new file mode 100644 index 00000000..5b560d99 --- /dev/null +++ b/macros.cups @@ -0,0 +1 @@ +%_cups_serverbin %(/usr/bin/cups-config --serverbin) diff --git a/ncp.backend b/ncp.backend new file mode 100755 index 00000000..d57ada1b --- /dev/null +++ b/ncp.backend @@ -0,0 +1,51 @@ +#!/bin/sh +# This is a modified version of 'ncpprint'. It can now be used as a CUPS +# backend. +# Modifications: +# Copyright (C) 2002 Red Hat, inc +# Copyright (C) 2002 Tim Waugh +# Before modification: shipped as /usr/share/printconf/util/ncpprint + +if [ -z "$*" ] +then + # This is where we would enumerate all the URIs we support. + # Patches welcome. + exit 0 +fi + +FILE=$6 +if [ -z "$FILE" ] +then + FILE=- +fi + +# $DEVICE_URI is 'ncp://[user:password@]server/queue' +URI=${DEVICE_URI#*://} +queue=${URI#*/} +URI=${URI%/$queue} +server=${URI#*@} +URI=${URI%$server} +URI=${URI%@} +if [ -n "$URI" ] +then + user=${URI%:*} + URI=${URI#$user} + password=${URI#:} +fi + +#echo user: ${user-(none)} +#echo password: ${password-(none)} +#echo server: $server +#echo queue: $queue + +if [ -n "$user" ] +then + if [ -n "$password" ] + then + /usr/bin/nprint -S "$server" -q "$queue" -U "$user" -P "$password" -N "$FILE" 2>/dev/null + else + /usr/bin/nprint -S "$server" -q "$queue" -U "$user" -n -N "$FILE" 2>/dev/null + fi +else + /usr/bin/nprint -S "$server" -q "$queue" -N "$FILE" 2>/dev/null +fi