OKed by jlam.
Changes in 1.3.7
The new release includes three security fixes and several printing and
authentication fixes.
CVE-2008-0047: cgiCompileSearch buffer overflow
CVE-2008-1373: CUPS GIF image filter overflow
Updated the "make check" tests to do a more thorough automated test.
cups-driverd complained about missing directories
cupsaddsmb would leave the Samba username and password on disk if no
Windows drivers were installed
The Linux USB backend used 100% CPU when a printer was disconnected
The sample raster drivers did not properly handle SIGTERM
The scheduler sent notify_post() messages too often on Mac OS X.
Kerberos access to the web interface did not work
The scheduler did not support "AuthType Default" in IPP policies
The scheduler did not support the "HideImplicitMembers" directive as
documented
"make check" didn't return a non-zero exit code on error
The scheduler incorrectly logged AUTH_foo environment variables in
debug mode
The image filters inverted PBM files
cupsctl would crash if the scheduler was not running
The scheduler could crash when printing using a port monitor
The scheduler would crash if PAM was broken
The image filters did not work with some CMYK JPEG files produced by
Adobe applications
The Mac OS X USB backend did not work with printers that did not
report a make or model.
The job-sheets option was not encoded properly
The scheduler incorrectly complained about missing LSB PPD directories.
Changes in 1.3.6
The new release fixes some platform-specific build problems, web
interface issues, PDF and PostScript filter option handling, and a
number of minor bugs discovered during routine code audits.
CUPS 1.2.12 fixes several file typing issues, a bad error message in the
scheduler, a web interface setting problem, and a bug in the PHP language
binding. It also includes an updated Italian translation. Changes include:
* The PHP cups_print_file() function crashed if the options array
contained non-string option values
* The image/tiff file matching rule incorrectly identified some text files
as TIFF files
* The filter(7) man page incorrectly documented the "PAGE: total #-pages"
message
* PCL text files were mis-identified as HP-GL/2 and caused the HP-GL/2
filter to hang
* When printing to a queue with user ACLs, the scheduler incorrectly
returned a quota error instead of a "not allowed to print" error
* cupsaddsmb could get in a loop if no printer drivers were installed
* cupsRasterReadHeader() did not byte-swap the header properly when
compiled with certain versions of GCC.
* The IPP backend did not send the document-format attribute for filtered
jobs
* Some PPD files could cause a crash in ppdOpen2
* The web admin interface incorrectly handled the "share printers" and
"show remote printers" settings
* The scheduler's log messages about AuthClass and AuthGroupName advised
using a replacement directive but had the wrong syntax
* Updated the PostScript/PJL and HP-GL/2 MIME rules to look in the first
4k of the file, not just the first 1k
* Updated the Italian localization
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
CUPS 1.2.11 fixes several build system, printing, PPD, and IPP conformance
issues. It also fixes a crash bug in the scheduler when printing to files
in non-existent directories.
This is based on a suggestion by Yorick Hardy, who reports that it
improved behavior. Without the patch, the cups usb driver tries to
read status from ulpt(4) (for most printers), and this results in no
output.
pkgsrc changes: fix locale path
patch a bug in pstops's n-up handling (reported to upstream)
CUPS 1.2.10 fixes the init script used to start the scheduler, a recursion
bug in the pdftops filter, and several other issues reported after the
1.2.9 release. Changes include:
* ppdLocalize() now supports localizing for Japanese using the "jp" locale
name used by the ppdmerge program from the CUPS DDK 1.1.0
* _cupsAdminSetServerSettings() did not support changing of top-level
directives as designed.
* The init script path check was broken.
* CUPS incorrectly used the attribute "notify-recipient" instead of
"notify-recipient-uri" in several places
* Fixed a configure script bug on MirBSD
* The pdftops filter did not limit the amount of recursion of page sets
* Custom page sizes with fractional point sizes did not work
* The lpoptions command would crash when adding or removing options on a
system with no printers
CUPS 1.2.9 fixes several printing issues and a scheduler crash bug.
Changes include:
* The scheduler did not use the default job-sheets (banners) for implicit
classes
* The scheduler could crash when listing complete jobs that had been
unloaded from memory
* The French localization was doubled up
* Build system fixes for several platforms
* The scheduler's openssl certificate generation code was broken on some
platforms
* The scheduler's log rotation check for devices was broken
* The LPD mini-daemon did not handle the document-format option correctly
* The pdftops filter ignored the "match" size option in the pdftops.conf
file
* cupstestppd now validates UTF-8 text strings in globalized PPD files
* The outputorder=reverse option did not work with all printers
* Classes containing other classes did not always work
* Printer location and description information was lost if the
corresponding string contained the "#" character
* cupsRemoveOption() did not work properly
* The USB backend did not work with some USB to parallel cables on Mac OSX.
* The test page did not print the rulers properly on large media sizes
* The text filter could crash when pretty printing certain types of files
ok'ed jlam a while back.
CUPS 1.2.8 adds a French localization, updates the Japanese and Spanish
localizations, and fixes several web interface, printing, and networking
bugs.
CUPS 1.2.7 adds several Mac OS X improvements, implements timeouts in the
SSL negotiation code, and fixes the bounding box generated by the PostScript
filter, bidirectional support in the USB backend, and another case where the
lpstat command could hang.
CUPS 1.2.6 fixes some compile errors, localization of the web interface on
Mac OS X, bugs in the lpc and lpstat commands, and backchannel support in
the parallel backend.
CUPS 1.2.5 fixes minor printing, networking, and documentation issues and
adds support for older versions of DBUS and a translation for Estonian.
CUPS 1.2.4 fixes a number of web interface, scheduler, and CUPS API
issues.
CUPS 1.2.3 fixes a number of web interface, networking, remote printing,
and CUPS API issues.
CUPS 1.2.2 fixes several build, platform, notification, and printing bugs.
CUPS 1.2.1 fixes several build, platform, and printing bugs.
CUPS 1.2.0 is the first stable feature release in the 1.2.x series and
includes over 90 new features and changes since CUPS 1.1.23, including a
greatly improved web interface and "plug-and-print" support for many local
and network printers.
CAN-2005-3191
CAN-2005-3192
The fixes were largely copied from xpdf-3.01pl1.patch from foolabs.com;
however, patch-be for Stream.cxx also includes a proper fix for
CAN-2005-3191 which was only partially fixed in the foolabs.com patch.
Bump the PKGREVISION to 4.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
"A vulnerability has been reported in CUPS, which can be exploited by malicious
people to cause a DoS (Denial of Service) on a vulnerable system.
When processing a PDF file, bounds checking was not correctly performed on
some fields. This could cause the pdftops filter (running as user "lp") to
crash."
http://secunia.com/advisories/16380/
http://rhn.redhat.com/errata/RHSA-2005-706.html
Patch from RedHat.
USE_TOOLS and any of "autoconf", "autoconf213", "automake" or
"automake14". Also, we don't need to call the auto* tools via
${ACLOCAL}, ${AUTOCONF}, etc., since the tools framework takes care
to symlink the correct tool to the correct name, so we can just use
aclocal, autoconf, etc.
An overflow check introduced earlier (for CAN-2004-0888) was never
triggered on 64-bit systems because 64-bit arithmetic was used there.
Sprinkle some casts to int so that the overflow can happen.
This fix is similar to the redhat one. The fix for similar code
in print/teTeX-bin looks much cleaner, but since cups already contains
the wrong redhat fix, I've chosen to stay close to the original.
bump PKGREVISION
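
The failure mode described in the commit message above, as an added example (not code from CUPS, xpdf or pkgsrc): a multiply-then-divide overflow check evaluated at 64-bit width versus narrowed to 32 bits, beside an explicit bound. The `entry_t` type, the function names and the 32-bit allocator model are assumptions; unsigned fixed-width types are used so the wraparound is well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-byte table entry standing in for the real structure. */
typedef struct { uint32_t offset, gen, type, pad; } entry_t;

/* Assumed model of an allocator whose size parameter is 32 bits wide:
   the caller's product is narrowed at the call boundary. */
static uint32_t size_seen_by_allocator(int32_t count) {
    return (uint32_t)((uint64_t)count * sizeof(entry_t));
}

/* Multiply-then-divide check with the product kept at 64 bits, as on an
   LP64 system: it round-trips for every positive count and never fires. */
static int check_wide(int32_t count) {
    uint64_t bytes = (uint64_t)count * sizeof(entry_t);
    return bytes / sizeof(entry_t) == (uint64_t)count;
}

/* Same check with the product narrowed to 32 bits first, which is the
   effect of the casts: the wraparound is now visible to the division. */
static int check_narrow(int32_t count) {
    uint32_t bytes = (uint32_t)((uint64_t)count * sizeof(entry_t));
    return bytes / sizeof(entry_t) == (uint32_t)count;
}

/* Explicit bound that does not depend on wraparound or on word size. */
static int check_explicit(int32_t count) {
    return count > 0 && (uint64_t)count <= INT32_MAX / sizeof(entry_t);
}

int main(void) {
    int32_t count = 0x10000001; /* constructed input: 16 * count = 2^32 + 16 */
    printf("allocator sees %u bytes\n", (unsigned)size_seen_by_allocator(count));
    printf("wide=%d narrow=%d explicit=%d (1 = accepted)\n",
           check_wide(count), check_narrow(count), check_explicit(count));
    return 0;
}
```

The explicit bound also rejects counts whose product fits in 32 unsigned bits but exceeds `INT32_MAX`, which the narrowed unsigned check in this model accepts.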
within NetBSD-current's bsd.own.mk, which conflicts with its usage in
pkgsrc. The packages that use USE_PAM have been converted to use the
bsd.options.mk framework. This should fix PR pkg/29257.
It includes the correct buildlink3.mk file from either Linux-PAM
(security/PAM) or OpenPAM (security/openpam) and eventually will
support solaris-pam. pam.buildlink3.mk will:
* set PAMBASE to the base directory of the PAM files;
* set PAM_TYPE to the PAM implementation used.
There are two variables that can be used to tweak the selection of
the PAM implementation:
PAM_DEFAULT is a user-settable variable whose value is the default
PAM implementation to use.
PAM_ACCEPTED is a package-settable list of PAM implementations
that may be used by the package.
Modify most packages that include PAM/buildlink3.mk to include
pam.buildlink3.mk instead.
- The scheduler's is_path_absolute() code could cause a DoS (STR #1042)
- The scheduler's device loading code used the wrong size limits for the
make/model and info parameters (STR #1035)
- The PNG loading code did not use a "long unsigned integer" format
specifier for the width and height (STR #1032)
- The web interface only showed the first 4 or 8 characters of
"{variable-name}" for undefined template variables (STR #1031)
- The hpgltops filter did not handle a common PCL command to enter
HP-GL/2 mode (STR #1037)
- The scheduler no longer sends the page-set option when printing banner
pages (STR #995)
- The hpgltops filter contained two buffer overflows that could
potentially allow remote access to the "lp" account (STR #1024)
- The lppasswd command did not protect against file descriptor or ulimit
attacks (STR #1023)
- The "lpc status" command used the wrong resource path when querying
the list of printers and jobs, causing unnecessary authentication
requests (STR #1018)
- The httpWait() function did not handle signal interruptions (STR #1020)
- The USB backend used the wrong size status variable when checking the
printer status (STR #1017)
- The scheduler did not delete classes from other classes or implicit
classes, which could cause a crash (STR #1015)
- The IPP backend now logs the remote print job ID at log level NOTICE
instead of INFO (so it shows up in the error_log file...)