diff --git a/README.OpenSource b/README.OpenSource
index 548790dc..0285ac07 100644
--- a/README.OpenSource
+++ b/README.OpenSource
@@ -3,9 +3,9 @@
 "Name" : "cups",
 "License" : "Apache 2.0 License",
 "License File" : "LICENSE",
- "Version Number" : "2.4.0-4.oe2203sp1",
- "Owner" : "dongzhengkuan@huawei.com",
- "Upstream URL" : "https://repo.openeuler.org/openEuler-22.03-LTS-SP1/source/Packages/cups-2.4.0-4.oe2203sp1.src.rpm",
+ "Version Number" : "2.4.0-10.oe2203sp3",
+ "Owner" : "caizihua1@huawei.com",
+ "Upstream URL" : "https://repo.openeuler.org/openEuler-22.03-LTS-SP3/source/Packages/cups-2.4.0-10.oe2203sp3.src.rpm",
 "Description" : "OpenPrinting CUPS is the most current version of CUPS, a standards-based, open source printing system for Linux® and other Unix®-like operating systems"
 }
 ]
diff --git a/backport-CVE-2023-4504.patch b/backport-CVE-2023-4504.patch
index 86465d7c..e254746c 100644
--- a/backport-CVE-2023-4504.patch
+++ b/backport-CVE-2023-4504.patch
@@ -1,8 +1,25 @@
+From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Wed, 20 Sep 2023 14:45:17 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Reference:https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31
+Conflict:Patch context adaptation
+
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 files changed, 14 insertions(+)
+
 diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
-index fbe52f37..c24388d2 100644
+index 6fcf731b5..b8655c8c6 100644
 --- a/cups/raster-interpret.c
 +++ b/cups/raster-interpret.c
-@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
+@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */
 cur ++;
@@ -23,3 +40,5 @@ index fbe52f37..c24388d2 100644
 *valptr++ = '\b';
 else if (*cur == 'f')
 *valptr++ = '\f';
+
+
diff --git a/cups.spec b/cups.spec
index 8d0ae213..71f64264 100644
--- a/cups.spec
+++ b/cups.spec
@@ -16,9 +16,9 @@
 Name: cups
 Epoch: 1
 Version: 2.4.0
-Release: 8
+Release: 10
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
-License: GPLv2+ and LGPLv2+ with exceptions and AML
+License: Apache-2.0 WITH LLVM-exception
 Url: https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
 Source0: https://github.com/OpenPrinting/cups/releases/download/v%{version}/cups-%{version}-source.tar.gz
@@ -43,6 +43,7 @@ Patch6002: backport-Also-fix-cupsfilter.patch
 Patch6003: backport-CVE-2023-32324.patch
 Patch6004: fix-httpAddrGetList-test-case-fail.patch
 Patch6005: backport-CVE-2023-34241.patch
+Patch6006: backport-CVE-2023-4504.patch
 BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0)
 BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups
@@ -464,6 +465,12 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %doc %{_datadir}/%{name}/www/apple-touch-icon.png
 %changelog
+* Fri Sep 22 2023 zhouwenpei - 1:2.4.0-10
+- fix CVE-2023-4504
+
+* Wed Jul 19 2023 haomimi - 1:2.4.0-9
+- DESC:The license is changed to apache 2.0
+
 * Mon Jun 26 2023 zhouwenpei - 1:2.4.0-8
 - fix CVE-2023-34241
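Review bot: `Patch6006: backport-CVE-2023-4504.patch` in the second cups.spec hunk only declares the patch; nothing visible in this diff shows it being applied, because `%prep` lies outside the hunks. If `%prep` lists patches one by one rather than using `%autosetup` or `%autopatch`, a matching `%patch6006 -p1` line is needed, otherwise the 1:2.4.0-10 changelog entry would claim the CVE-2023-4504 fix while the built `scan_ps` code stays unpatched. I would also add a comment above the Patch line, e.g. `# CVE-2023-4504: scan_ps escape handling in cups/raster-interpret.c (upstream 2431caddb7e6)`, and confirm from the build log that the patch is applied.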