&data issue filed as http://www.cups.org/str.php?L3079 and fixed in
cups svn 28 minutes later.
The deeper issue is that firefox3 defines SHA1_Update in nss and cups
uses openssl and the nss symbol wins; hence any use of RAND_seed
fails.
and CVE-2008-3641. Also, it fixes a ton of bugs and has portability
enhancements. Full list of changes:
- SECURITY: The HP-GL/2 filter did not range check pen numbers
(STR #2911)
- SECURITY: The SGI image file reader did not range check
16-bit run lengths (STR #2918)
- SECURITY: The text filter did not range check cpi, lpi, or
column values (STR #2919)
- Documentation updates (STR #2904, STR #2944)
- The French web admin page was never updated (STR #2963)
- The IPP backend did not retry print jobs when the printer
reported itself as busy or unavailable (STR #2951)
- The "Set Allowed Users" web interface did not handle trailing
whitespace correctly (STR #2956)
- The PostScript filter did not work with Adobe applications
using custom page sizes (STR #2968)
- The Mac OS X USB backend did not work with some printers
that reported a bad 1284 device ID.
- The scheduler incorrectly resolved the client connection
address when HostNameLookups was set to Off (STR #2946)
- The IPP backend incorrectly stopped the local queue if
the remote server reported the "paused" state.
- The cupsGetDests() function did not catch all types of
request errors.
- The scheduler did not always log "job queued" messages
(STR #2943)
- The scheduler did not support destination filtering using
the printer-location attribute properly (STR #2945)
- The scheduler did not send the server-started,
server-restarted, or server-stopped events (STR #2927)
- The scheduler no longer enforces configuration file
permissions on symlinked files (STR #2937)
- CUPS now reinitializes the DNS resolver on failures
(STR #2920)
- The CUPS desktop menu item was broken (STR #2924)
- The PPD parser was too strict about missing keyword
values in "relaxed" mode.
- The PostScript filter incorrectly mirrored landscape
documents.
- The scheduler did not correctly update the
auth-info-required value(s) if the AuthType was Default.
- The scheduler required Kerberos authentication for
all operations on remote Kerberized printers instead
of just for the operations that needed it.
- The socket backend could wait indefinitely for back-
channel data with some devices.
- PJL panel messages were not reset correctly on older
printers (STR #2909)
- cupsfilter used the wrong default path (STR #2908)
- Fixed address matching for "BrowseAddress @IF(name)"
(STR #2910)
- Fixed compiles on AIX.
- Firefox 3 did not work with the CUPS web interface in SSL
mode (STR #2892)
- Custom options with multiple parameters were not emitted
correctly.
- Refined the cupstestppd utility.
- ppdEmit*() did not support custom JCL options (STR #2889)
- The cupstestppd utility incorrectly reported missing
"en" base translations (STR #2887)
- Documentation updates (STR #2785, STR #2861, STR #2862)
- The scheduler did not add the ending job sheet when the
job was released.
- The IPP backend did not relay marker-* attributes.
- The CUPS GNOME/KDE menu item was not localized for
Chinese (STR #2880)
- The CUPS GNOME/KDE menu item was not localized for
Japanese (STR #2876)
- The cupstestppd utility reported mixed line endings for
Mac OS and Windows PPD files (STR #2874)
- The pdftops filter did not print landscape orientation PDF
pages correctly on all printers (STR #2850)
- The scheduler did not handle expiring of implicit classes
or their members properly, leading to a configuration where
one of the members would have a short name (STR #2766)
- The scheduler and cupstestppd utilities did not support
cupsFilter and cupsPreFilter programs with spaces in their
names (STR #2866)
- Removed unused variables and assignments found by the
LLVM "clang" tool.
- Added NULL checks recommended by the LLVM "clang" tool.
- The scheduler would crash if you started a printer that
pointed to a backend that did not exist (STR #2865)
- The ppdLocalize functions incorrectly mapped all generic
locales to country-specific locales.
- The cups-driverd program did not support Simplified Chinese
or Traditional Chinese language version strings (STR #2851)
- Added an Indonesian translation (STR #2792)
- Fixed a timing issue in the backends that could cause data
corruption with the CUPS_SC_CMD_DRAIN_OUTPUT side-channel
command (STR #2858)
- The scheduler did not support "HostNameLookups" with all of
the boolean names (STR #2861)
- Fixed a compile problem with glibc 2.8 (STR #2860)
- The PostScript filter did not support %%IncludeFeature lines
in the page setup section of each page (STR #2831)
- The scheduler did not generate printer-state events when the
default printer was changed (STR #2764)
- cupstestppd incorrectly reported a warning about the PPD format
version in some locales (STR #2854)
- cupsGetPPD() and friends incorrectly returned a PPD file for
a class with no printers.
- The member-uris values for local printers in a class returned
by the scheduler did not reflect the connected hostname or
port.
- The CUPS PHP extension was not thread-safe (STR #2828)
- The scheduler incorrectly added the document-format-default
attribute to the list of "common" printer attributes, which
over time would slow down the printing system (STR #2755,
STR #2836)
- The cups-deviced and cups-driverd helper programs did not set
the CFProcessPath environment variable on Mac OS X (STR #2837)
- "lpstat -p" could report the wrong job as printing (STR #2845)
- The scheduler would crash when some cupsd.conf directives
were missing values (STR #2849)
- The web interface "move jobs" operation redirected users to
the wrong URL (STR #2815)
- The Polish web interface translation contained errors
(STR #2815)
- The scheduler did not report PostScript printer PPDs with
filters as PostScript devices.
- The scheduler did not set the job document-format attribute
for jobs submitted using Create-Job and Send-Document.
- cupsFileTell() did not work for log files opened in append
mode (STR #2810)
- The scheduler did not set QUERY_STRING all of the time
for CGI scripts (STR #2781, STR #2816)
- The scheduler now returns an error for bad job-sheets
values (STR #2775)
- Authenticated remote printing did not work over domain
sockets (STR #2750)
- The scheduler incorrectly logged errors for print filters
when a job was canceled (STR #2806, #2808)
- The scheduler no longer allows multiple RSS subscriptions
with the same URI (STR #2789)
- The scheduler now supports Kerberized printing with
multiple server names (STR #2783)
- "Satisfy any" did not work in IPP policies (STR #2782)
- The CUPS imaging library would crash with very large
images - more than 16Mx16M pixels (STR #2805)
- The PNG image loading code would crash with large images
(STR #2790)
- The scheduler did not limit the total number of filters.
- The scheduler now ensures that the RSS directory has
the correct permissions.
- The RSS notifier did not quote the feed URL in the RSS
file it created (STR #2801)
- The web interface allowed the creation and cancellation
of RSS subscriptions without a username (STR #2774)
- Increased the default MaxCopies value on Mac OS X to
9999 to match the limit imposed by the print dialog.
- The scheduler did not reject requests with an empty
Content-Length field (STR #2787)
- The scheduler did not log the current date and time and
did not escape special characters in request URIs when
logging bad requests to the access_log file (STR #2788)
OKed by jlam.
Changes in 1.3.7
The new release includes three security fixes and several printing and
authentication fixes.
CVE-2008-0047: cgiCompileSearch buffer overflow
CVE-2008-1373: CUPS GIF image filter overflow
Updated the "make check" tests to do a more thorough automated test.
cups-driverd complained about missing directories
cupsaddsmb would leave the Samba username and password on disk if no
Windows drivers were installed
The Linux USB backend used 100% CPU when a printer was disconnected
The sample raster drivers did not properly handle SIGTERM
The scheduler sent notify_post() messages too often on Mac OS X.
Kerberos access to the web interface did not work
The scheduler did not support "AuthType Default" in IPP policies
The scheduler did not support the "HideImplicitMembers" directive as
documented
"make check" didn't return a non-zero exit code on error
The scheduler incorrectly logged AUTH_foo environment variables in
debug mode
The image filters inverted PBM files
cupsctl would crash if the scheduler was not running
The scheduler could crash when printing using a port monitor
The scheduler would crash if PAM was broken
The image filters did not work with some CMYK JPEG files produced by
Adobe applications
The Mac OS X USB backend did not work with printers that did not
report a make or model.
The job-sheets option was not encoded properly
The scheduler incorrectly complained about missing LSB PPD directories.
Changes in 1.3.6
The new release fixes some platform-specific build problems, web
interface issues, PDF and PostScript filter option handling, and a
number of minor bugs discovered during routine code audits.
CUPS 1.2.12 fixes several file typing issues, a bad error message in the
scheduler, a web interface setting problem, and a bug in the PHP language
binding. It also includes an updated Italian translation. Changes include:
* The PHP cups_print_file() function crashed if the options array
contained non-string option values
* The image/tiff file matching rule incorrectly identified some text files
as TIFF files
* The filter(7) man page incorrectly documented the "PAGE: total #-pages"
message
* PCL text files were mis-identified as HP-GL/2 and caused the HP-GL/2
filter to hang
* When printing to a queue with user ACLs, the scheduler incorrectly
returned a quota error instead of a "not allowed to print" error
* cupsaddsmb could get in a loop if no printer drivers were installed
* cupsRasterReadHeader() did not byte-swap the header properly when
compiled with certain versions of GCC.
* The IPP backend did not send the document-format attribute for filtered
jobs
* Some PPD files could cause a crash in ppdOpen2
* The web admin interface incorrectly handled the "share printers" and
"show remote printers" settings
* The scheduler's log messages about AuthClass and AuthGroupName advised
using a replacement directive but had the wrong syntax
* Updated the PostScript/PJL and HP-GL/2 MIME rules to look in the first
4k of the file, not just the first 1k
* Updated the Italian localization
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
CUPS 1.2.11 fixes several build system, printing, PPD, and IPP conformance
issues. It also fixes a crash bug in the scheduler when printing to files
in non-existent directories.
This is based on a suggestion by Yorick Hardy, who reports that it
improved behavior. Without the patch, the cups usb driver tries to
read status from ulpt(4) (for most printers), and this results in no
output.
pkgsrc changes: fix locale path
patch a bug in pstops's n-up handling (reported to upstream)
CUPS 1.2.10 fixes the init script used to start the scheduler, a recursion
bug in the pdftops filter, and several other issues reported after the
1.2.9 release. Changes include:
* ppdLocalize() now supports localizing for Japanese using the "jp" locale
name used by the ppdmerge program from the CUPS DDK 1.1.0
* _cupsAdminSetServerSettings() did not support changing of top-level
directives as designed.
* The init script path check was broken.
* CUPS incorrectly used the attribute "notify-recipient" instead of
"notify-recicpient-uri" in several places
* Fixed a configure script bug on MirBSD
* The pdftops filter did not limit the amount of recursion of page sets
* Custom page sizes with fractional point sizes did not work
* The lpoptions command would crash when adding or removing options on a
system with no printers
CUPS 1.2.9 fixes several printing issues and scheduler crash bug.
Changes include:
* The scheduler did not use the default job-sheets (banners) for implicit
classes
* The scheduler could crash when listing complete jobs that had been
unloaded from memory
* The French localization was doubled up
* Build system fixes for several platforms
* The scheduler's openssl certificate generation code was broken on some
platforms
* The scheduler's log rotation check for devices was broken
* The LPD mini-daemon did not handle the document-format option correctly
* The pdftops filter ignored the "match" size option in the pdftops.conf
file
* cupstestppd now validates UTF-8 text strings in globalized PPD files
* The outputorder=reverse option did not work with all printers
* Classes containing other classes did not always work
* Printer location and description information was lost if the
corresponding string contained the "#" character
* cupsRemoveOption() did not work properly
* The USB backend did not work with some USB to parallel cables on Mac OSX.
* The test page did not print the rulers properly on large media sizes
* The text filter could crash when pretty printing certain types of files
ok'ed jlam a while back.
CUPS 1.2.8 adds a French localization, updates the Japanese and Spanish
localizations, and fixes several web interface, printing, and networking
bugs.
CUPS 1.2.7 adds several Mac OS X improvements, implements timeouts in the
SSL negotiation code, and fixes the bounding box generated by the PostScript
filter, bidirectional support in the USB backend, and another case where the
lpstat command could hang.
CUPS 1.2.6 fixes some compile errors, localization of the web interface on
Mac OS X, bugs in the lpc and lpstat commands, and backchannel support in
the parallel backend.
CUPS 1.2.5 fixes minor printing, networking, and documentation issues and
adds support for older versions of DBUS and a translation for Estonian.
CUPS 1.2.4 fixes a number of web interface, scheduler, and CUPS API
issues.
CUPS 1.2.3 fixes a number of web interface, networking, remote printing,
and CUPS API issues.
CUPS 1.2.2 fixes several build, platform, notification, and printing bugs.
CUPS 1.2.1 fixes several build, platform, and printing bugs.
CUPS 1.2.0 is the first stable feature release in the 1.2.x series and
includes over 90 new features and changes since CUPS 1.1.23, including a
greatly improved web interface and "plug-and-print" support for many local
and network printers.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries. From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
