CAN-2005-3191
CAN-2005-3192
The fixes were largely copied from xpdf-3.01pl1.patch from foolabs.com;
however, patch-be for Stream.cxx also includes a proper fix for
CAN-2005-3191 which was only partially fixed in the foolabs.com patch.
Bump the PKGREVISION to 4.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
"A vulnerability has been reported in CUPS, which can be exploited by malicious
people to cause a DoS (Denial of Service) on a vulnerable system.
When processing a PDF file, bounds checking was not correctly performed on
some fields. This could cause the pdftops filter (running as user "lp") to
crash."
http://secunia.com/advisories/16380/
http://rhn.redhat.com/errata/RHSA-2005-706.html
Patch from RedHat.
USE_TOOLS and any of "autoconf", "autoconf213", "automake" or
"automake14". Also, we don't need to call the auto* tools via
${ACLOCAL}, ${AUTOCONF}, etc., since the tools framework takes care
to symlink the correct tool to the correct name, so we can just use
aclocal, autoconf, etc.
And is always defined as share/examples/rc.d
which was the default before.
These rc.d scripts are not automatically added to PLISTs now, either.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
An overflow check introduced earlier (for CAN-2004-0888) was never
triggered on 64-bit systems because 64-bit arithmetic was used there.
Sprinkle some casts to int so that the overflow can happen.
This fix is similar to the redhat one. The fix for similar code
in print/teTeX-bin looks much cleaner, but since cups already contains
the wrong redhat fix, I've chosen to stay close to the original.
bump PKGREVISION
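The pattern behind the commit above, as an added illustration that is not the xpdf/CUPS source and not the pkgsrc or RedHat patch: a post-hoc "did the product go negative?" check is useless when the product is formed in 64-bit arithmetic, because int inputs can never wrap a 64-bit value, while the allocation that follows still truncates the size to a 32-bit int. The function names, the constructed image dimensions and the three check variants are all hypothetical; the third variant is the divide-before-multiply style the commit attributes to the teTeX-bin fix.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Three versions of a "does width*height*ncomps fit in an int?" check for
 * an image buffer. Hypothetical names and values; this models the pattern
 * the commit message describes, not the actual xpdf/CUPS code.
 */

/* The allocation size as the consumer will actually compute it: a 32-bit
 * int, so the product wraps modulo 2^32. Done in uint32_t so the wrap is
 * defined behaviour here rather than signed-overflow UB. */
int32_t alloc_size_int(int width, int height, int ncomps)
{
    return (int32_t)((uint32_t)width * (uint32_t)height * (uint32_t)ncomps);
}

/* Broken on 64-bit: the product is formed in 64-bit arithmetic, which
 * cannot wrap for any int inputs, so "n < 0" never fires even though
 * alloc_size_int() wraps to a tiny or negative size. Where the original
 * used a 32-bit type the wrap did occur and the check worked, which is
 * why the hole only showed up on 64-bit builds. */
bool size_ok_wide(int width, int height, int ncomps)
{
    int64_t n = (int64_t)width * height * ncomps;
    return n >= 0;
}

/* The "sprinkle casts to int" fix: force the product into 32 bits so the
 * wrap the check is looking for can happen. Catches wraps that land in
 * the negative half, but a product that wraps to a small non-negative
 * value (e.g. exactly 2^32 -> 0) still slips through. */
bool size_ok_cast(int width, int height, int ncomps)
{
    return alloc_size_int(width, height, ncomps) >= 0;
}

/* The clean form: reject before multiplying, using division so that no
 * intermediate value can overflow at all. */
bool size_ok_clean(int width, int height, int ncomps)
{
    if (width <= 0 || height <= 0 || ncomps <= 0)
        return false;
    if (width > INT_MAX / height)
        return false;
    if (width * height > INT_MAX / ncomps)
        return false;
    return true;
}

int main(void)
{
    /* constructed inputs: one sane image, two that overflow a 32-bit size */
    const int cases[][3] = {
        { 1000, 1000, 3 },      /* 3,000,000 bytes: fine */
        { 65536, 32768, 1 },    /* 2^31: wraps negative in 32 bits */
        { 65536, 65536, 1 },    /* 2^32: wraps to 0 in 32 bits */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int w = cases[i][0], h = cases[i][1], c = cases[i][2];
        printf("%6d x %6d x %d -> int size %11d | wide:%d cast:%d clean:%d\n",
               w, h, c, alloc_size_int(w, h, c),
               size_ok_wide(w, h, c), size_ok_cast(w, h, c),
               size_ok_clean(w, h, c));
    }
    return 0;
}
```

The second case (2^31) is caught by the cast variant and the third (2^32) is not, which is the practical argument for the divide-first check: it rejects every product that does not fit, and it does so without relying on signed-integer wraparound, which in real int code is undefined behaviour that an optimising compiler may delete.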
within NetBSD-current's bsd.own.mk, which conflicts with its usage in
pkgsrc. The packages that use USE_PAM have been converted to use the
bsd.options.mk framework. This should fix PR pkg/29257.
It includes the correct buildlink3.mk file from either Linux-PAM
(security/PAM) or OpenPAM (security/openpam) and eventually will
support solaris-pam. pam.buildlink3.mk will:
* set PAMBASE to the base directory of the PAM files;
* set PAM_TYPE to the PAM implementation used.
There are two variables that can be used to tweak the selection of
the PAM implementation:
PAM_DEFAULT is a user-settable variable whose value is the default
PAM implementation to use.
PAM_ACCEPTED is a package-settable list of PAM implementations
that may be used by the package.
Modify most packages that include PAM/buildlink3.mk to include
pam.buildlink3.mk instead.
- The scheduler's is_path_absolute() code could cause a DoS (STR #1042)
- The scheduler's device loading code used the wrong size limits for the
make/model and info parameters (STR #1035)
- The PNG loading code did not use a "long unsigned integer" format
specifier for the width and height (STR #1032)
- The web interface only showed the first 4 or 8 characters of
"{variable-name}" for undefined template variables (STR #1031)
- The hpgltops filter did not handle a common PCL command to enter
HP-GL/2 mode (STR #1037)
- The scheduler no longer sends the page-set option when printing banner
pages (STR #995)
- The hpgltops filter contained two buffer overflows that could
potentially allow remote access to the "lp" account (STR #1024)
- The lppasswd command did not protect against file descriptor or ulimit
attacks (STR #1023)
- The "lpc status" command used the wrong resource path when querying
the list of printers and jobs, causing unnecessary authentication
requests (STR #1018)
- The httpWait() function did not handle signal interruptions (STR #1020)
- The USB backend used the wrong size status variable when checking the
printer status (STR #1017)
- The scheduler did not delete classes from other classes or implicit
classes, which could cause a crash (STR #1015)
- The IPP backend now logs the remote print job ID at log level NOTICE
instead of INFO (so it shows up in the error_log file...)
dependency (so we need it in the buildlink directory to build other
packages). Should fix build of libgnomeprint shown in minskim@'s
latest Linux bulk build.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
- The lpstat man page incorrectly listed the "-s" option
as using the equivalent of the "-p" option to list the
printers; it uses the "-v" option to list the printers
(STR #986)
- Now allow 0-length reads in the CUPS file API (STR
#985)
- cupsDoFileRequest() now sets cupsLastError() to
IPP_ERROR on network errors (STR #953)
- The pdftops filter didn't scale small pages up to the
output page size when the fitplot option was used (STR
#984)
- Fixed the ipptest program usage message (STR #959)
- Added Spanish man pages (STR #963)
- Fixed the order of comparisons in the client.conf
reading code (STR #971)
- cupsLangGet() incorrectly set the current locale (STR
#970)
Changes 1.1.22rc2:
- The pdftops filter didn't check the range of all
integer attributes (STR #972)
- Documentation corrections (STR #944, STR #946)
- Also sanitize device URI in argv[0] (STR #933)
- cupsRasterReadHeader() didn't swap bytes for the
numeric fields properly (STR #930)
Changes 1.1.22rc1:
- Now sanitize the device URI that is reported in the
error_log file (STR #920)
- Fixed some memory and file descriptor leaks in the job
dispatch code (STR #921)
- Deleting a printer could cause a crash with browsing
enabled (STR #865, STR #881, STR #928)
- Browsing would turn off if the scheduler got an EAGAIN
error (STR #924)
- The mime.types file didn't recognize PostScript as a
PJL language name (STR #925)
Changes 1.1.21:
- The scheduler did not separate Digest authentication
parameters with commas (STR #882)
- Fixed some problems with image printing to custom page
sizes (STR #891)
- Removed the remaining scheduler code that did not use
the "close-on-exec" file descriptor flag to speed up
program invocations (STR #890)
- The "lpr -r" command removed the print file even if it
was not printed. It now only removes the file if the
job is successfully created (STR #886)
- Revamped the custom page size orientation fix (STR
#127)
- The lp, lpq, lpr, and lpstat commands now report when
an environment variable is pointing to a non-existent
printer instead of just saying "no default
destination" (STR #879)
- Queue names with 2 periods (e.g. "printer..2") were
not supported (STR #866)
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
into the bsd.options.mk framework. Instead of appending to
${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes
the default options to be the union of PKG_DEFAULT_OPTIONS and any
old USE_* and FOO_USE_* settings.
This fixes PR pkg/26590.
for each package can be determined by invoking:
make show-var VARNAME=PKG_OPTIONS_VAR
The old options are still supported unless the variable named in
PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
packages install filters into libexec/cups/filter - which doesn't work
in pkgview land. To work around this disable pkgview installation of
cups until the issues are resolved.
ok'd by jlam@
the PKGREVISION. Also remove the unnecessary -preserve-dup-deps argument
to libtool, rename the configure option to --enable-libtool, and remove
the unnecessary bits to deal with libcrypt/libcrypto (buildlink3 does
this for us automatically).
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Some things maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
by moving the inclusion of buildlink3.mk files outside of the protected
region. This bug would be seen by users that have set PREFER_PKGSRC
or PREFER_NATIVE to non-default values.
BUILDLINK_PACKAGES should be ordered so that for any package in the
list, that package doesn't depend on any packages to the left of it
in the list. This ordering property is used to check for builtin
packages in the correct order. The problem was that including a
buildlink3.mk file for <pkg> correctly ensured that <pkg> was removed
from BUILDLINK_PACKAGES and appended to the end. However, since the
inclusion of any other buildlink3.mk files within that buildlink3.mk
was in a region that was protected against multiple inclusion, those
dependencies weren't also moved to the end of BUILDLINK_PACKAGES.