CUPS 2.3.3op2 is the latest OpenPrinting CUPS security and bug fix
release. Changes include:
Security: Fixed a buffer (read) overflow in the ippReadIO function
(CVE-2020-10001)
Clarified the documentation for the "Listen" directive (Issue #53)
Fixed duplicate ColorModel entries for AirPrint printers (Issue 59)
Fixed directory/permission defaults for Debian kfreebsd-based systems
(Issue #60, Issue #61)
Fixed crash bug in ppdOpen (Issue #64, Issue #78)
Fixed regression in snprintf emulation function (Issue #67)
The scheduler's systemd service file now waits for the nslcd service to start
(Issue #69)
The libusb-based USB backend now uses a simpler read timer implementation to
avoid a regression in a previous change (Issue #72)
The PPD caching code now only tracks the APPrinterIconPath value on macOS
(Issue #73)
Fixed segfault in help.cgi when searching in man pages (Issue #81)
Root certificates were incorrectly stored in "~/.cups/ssl".
building against a newer SDK while setting an earlier -macosx-version-min
value can create a conflicting function definition. This tweak avoids
that conflict while allowing an older compat definition to exist.
Change to the OpenPrinting fork of apple/cups, e.g., that fork already contains
- dnssd patch patch-config-scripts_cups-dnssd.m4
- freebsd patch patch-cups_getifaddrs-internal.h
- libtool patch patch-af
https://github.com/apple/cups/issues/4947 was fixed in both.
Changes in CUPS v2.3.3op1
-------------------------
- The automated test suite can now be activated using `make test` for
consistency with other projects and CI environments - the old `make check`
continues to work as well, and the previous test server behavior can be
accessed by running `make testserver`.
- ippeveprinter now supports multiple icons and strings files.
- ippeveprinter now uses the system's FQDN with Avahi.
- ippeveprinter now supports Get-Printer-Attributes on "/".
- ippeveprinter now uses a deterministic "printer-uuid" value.
- ippeveprinter now uses system sounds on macOS for Identify-Printer.
- Updated ippfind to look for files in "~/Desktop" on Windows.
- Updated ippfind to honor `SKIP-XXX` directives with `PAUSE`.
- Updated IPP Everywhere support to work around printers that only advertise
color raster support but really also support grayscale (Issue #1)
- ipptool now supports DNS-SD URIs like `ipps://My%20Printer._ipps._tcp.local`
(Issue #5)
- The scheduler now allows root backends to have world read permissions but not
world execute permissions (Issue #21)
- Failures to bind IPv6 listener sockets no longer cause errors if IPv6 is
disabled on the host (Issue #25)
- The SNMP backend now supports the HP and Ricoh vendor MIBs (Issue #28)
- The scheduler no longer includes a timestamp in files it writes (Issue #29)
- The systemd service names are now "cups.service" and "cups-lpd.service"
(Issue #30, Issue #31)
- The scheduler no longer adds the local hostname to the ServerAlias list
(Issue #32)
- Added `LogFileGroup` directive in "cups-files.conf" to control the group
owner of log files (Issue #34)
- Added `--with-max-log-size` configure option (Issue #35)
- Added `--enable-sync-on-close` configure option (Issue #37)
- Added `--with-error-policy` configure option (Issue #38)
- IPP Everywhere PPDs could have an "unknown" default InputSlot (Issue #44)
- The `httpAddrListen` function now uses a listen backlog of 128.
- Added USB quirks (Apple issue #5789, #5823, #5831)
- Fixed IPP Everywhere v1.1 conformance issues in ippeveprinter.
- Fixed DNS-SD name collision support in ippeveprinter.
- Fixed compiler and code analyzer warnings.
- Fixed TLS support on Windows.
- Fixed ippfind sub-type searches with Avahi.
- Fixed the default hostname used by ippeveprinter on macOS.
- Fixed resolution of local IPP-USB printers with Avahi.
- Fixed coverity issues (Issue #2)
- Fixed `httpAddrConnect` issues (Issue #3)
- Fixed web interface device URI issue (Issue #4)
- Fixed lp/lpr "printer/class not found" error reporting (Issue #6)
- Fixed xinetd support for LPD clients (Issue #7)
- Fixed libtool build issue (Issue #11)
- Fixed a memory leak in the scheduler (Issue #12)
- Fixed a potential integer overflow in the PPD hashing code (Issue #13)
- Fixed output-bin and print-quality handling issues (Issue #18)
- Fixed PPD options getting mapped to odd IPP values like "tray---4" (Issue #23)
- Fixed remote access to the cupsd.conf and log files (Issue #24)
- Fixed the automated test suite when running in certain build/CI environments
(Issue #25)
- Fixed a logging regression caused by a previous change for Apple issue #5604
(Issue #25)
- Fixed fax phone number handling with GNOME (Issue #40)
- Fixed potential rounding error in rastertopwg filter (Issue #41)
- Fixed the "uri-security-supported" value from the scheduler (Issue #42)
- Fixed IPP backend crash bug with "printer-alert" values (Issue #43)
- Removed old Solaris inetconv(1m) reference in cups-lpd man page (Issue #46)
- Fixed default options that incorrectly use the "custom" prefix (Issue #48)
- Fixed a memory leak when resolving DNS-SD URIs (Issue #49)
- Fixed systemd status reporting by adopting the notify interface (Issue #51)
- Fixed crash in rastertopwg (Apple issue #5773)
- Fixed cupsManualCopies values in IPP Everywhere PPDs (Apple issue #5807)
The intention with this change is to make it easier to enable CUPS support
by default in places, without requiring the daemon (which might conflict
with other printing setups).
Bump cups-base PKGREVISION and make it depend on libcups.
Changes:
2.3.3
-----
- CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
constraint. `ppdcSource::get_resolution` function did not handle
invalid resolution strings.
- CVE-2019-8842: The `ippReadIO` function may under-read an extension
field.
- Fixed WARNING_OPTIONS support for GCC 9.x
2.3.2
-----
- Localization updates.
Changes:
2.3.1
-----
- Documentation updates (Issue #5661, #5674, #5682)
- CVE-2019-2228: The `ippSetValuetag` function did not validate the default
language value.
- Fixed a crash bug in the web interface (Issue #5621)
- The PPD cache code now looks up page sizes using their dimensions
(Issue #5633)
- PPD files containing "custom" option keywords did not work (Issue #5639)
- Added a workaround for the scheduler's systemd support (Issue #5640)
- On Windows, TLS certificates generated on February 29 would likely fail
(Issue #5643)
- Added a DigestOptions directive for the `client.conf` file to control whether
MD5-based Digest authentication is allowed (Issue #5647)
- Fixed a bug in the handling of printer resource files (Issue #5652)
- The libusb-based USB backend now reports an error when the distribution
permissions are wrong (Issue #5658)
- Added paint can labels to Dymo driver (Issue #5662)
- The `ippeveprinter` program now supports authentication (Issue #5665)
- The `ippeveprinter` program now advertises DNS-SD services on the correct
interfaces, and provides a way to turn them off (Issue #5666)
- The `--with-dbusdir` option was ignored by the configure script (Issue #5671)
- Sandboxed applications were not able to get the default printer (Issue #5676)
- Log file access controls were not preserved by `cupsctl` (Issue #5677)
- Default printers set with `lpoptions` did not work in all cases (Issue #5681,
Issue #5683, Issue #5684)
- Fixed an error in the jobs web interface template (Issue #5694)
- Fixed an off-by-one error in `ippEnumString` (Issue #5695)
- Fixed some new compiler warnings (Issue #5700)
- Fixed a few issues with the Apple Raster support (rdar://55301114)
- The IPP backend did not detect all cases where a job should be retried using
a raster format (rdar://56021091)
- Fixed spelling of "fold-accordion".
- Fixed the default common name for TLS certificates used by `ippeveprinter`.
- Fixed the option names used for IPP Everywhere finishing options.
- Added support for the second roll of the DYMO Twin/DUO label printers.
Changes:
2.3.0
-----
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
(rdar://51685251)
- Added a GPL2/LGPL2 exception to the new CUPS license terms.
- Documentation updates (Issue #5604)
- Localization updates (Issue #5637)
- Fixed a bug in the scheduler job cleanup code (Issue #5588)
- Fixed builds when there is no TLS library (Issue #5590)
- Eliminated some new GCC compiler warnings (Issue #5591)
- Removed dead code from the scheduler (Issue #5593)
- "make" failed with GZIP options (Issue #5595)
- Fixed potential excess logging from the scheduler when removing job files
(Issue #5597)
- Fixed a NULL pointer dereference bug in `httpGetSubField2` (Issue #5598)
- Added FIPS-140 workarounds for GNU TLS (Issue #5601, Issue #5622)
- The scheduler no longer provides a default value for the description
(Issue #5603)
- The scheduler now logs jobs held for authentication using the error level so
it is clear what happened (Issue #5604)
- The `lpadmin` command did not always update the PPD file for changes to the
`cupsIPPSupplies` and `cupsSNMPSupplies` keywords (Issue #5610)
- The scheduler now uses both the group's membership list as well as the
various OS-specific membership functions to determine whether a user belongs
to a named group (Issue #5613)
- Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
- Fixed some PPD parser issues (Issue #5623, Issue #5624)
- The IPP parser no longer allows invalid member attributes in collections
(Issue #5630)
- The configure script now treats the "wheel" group as a potential system
group (Issue #5638)
- Fixed a USB printing issue on macOS (rdar://31433931)
- Fixed IPP buffer overflow (rdar://50035411)
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
- Fixed DoS issues in the scheduler (rdar://51373929)
- Fixed an issue with unsupported "sides" values in the IPP backend
(rdar://51775322)
- The scheduler would restart continuously when idle and printers were not
shared (rdar://52561199)
- Fixed an issue with `EXPECT !name WITH-VALUE ...` tests.
- Fixed a command ordering issue in the Zebra ZPL driver.
- Fixed a memory leak in `ppdOpen`.
pkgsrc changes:
- Remove patches/patch-5613 (already present)
Changes:
2.2.12
------
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
- The `cupsctl` command now prevents setting "cups-files.conf" directives
(Issue #5530)
- Updated the systemd service file for cupsd (Issue #5551)
- The `cupsCheckDestSupported` function did not check octetString values
correctly (Issue #5557)
- The scheduler did not encode octetString values like "job-password" correctly
for the print filters (Issue #5558)
- Restored minimal support for the `Emulators` keyword in PPD files to allow
old Samsung printer drivers to continue to work (Issue #5562)
- Timed out job submission now yields an error (Issue #5570)
- The footer in the web interface covered some content on small displays
(Issue #5574)
- The libusb-based USB backend now enforces read limits, improving print speed
in many cases (Issue #5583)
- Fixed some compatibility issues with old releases of CUPS (Issue #5587)
- Fixed a bug in the scheduler job cleanup code (Issue #5588)
- "make" failed with GZIP options (Issue #5595)
- Added FIPS-140 workarounds for GNU TLS (Issue #5601, Issue #5622)
- The scheduler no longer provides a default value for the description
(Issue #5603)
- The `lpadmin` command did not always update the PPD file for changes to the
`cupsIPPSupplies` and `cupsSNMPSupplies` keywords (Issue #5610)
- The scheduler now uses both the group's membership list as well as the
various OS-specific membership functions to determine whether a user belongs
to a named group (Issue #5613)
- Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
- Fixed some PPD parser issues (Issue #5623, Issue #5624)
- The IPP parser no longer allows invalid member attributes in collections
(Issue #5630)
- Fixed IPP buffer overflow (rdar://50035411)
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
- Fixed DoS issues in the scheduler (rdar://51373929)
- The scheduler would restart continuously when idle and printers were not
shared (rdar://52561199)
- Fixed a command ordering issue in the Zebra ZPL driver.
- Fixed a memory leak in `ppdOpen`.
Changes in CUPS v2.2.11
-----------------------
- Running ppdmerge with the same input and output filenames did not work as
advertised (Issue #5455)
- Fixed a potential memory leak when reading at the end of a file (Issue #5473)
- Fixed potential unaligned accesses in the string pool (Issue #5474)
- Fixed a potential memory leak when loading a PPD file (Issue #5475)
- Added a USB quirks rule for the Lexmark E120n (Issue #5478)
- Updated the USB quirks rule for Zebra label printers (Issue #5395)
- Fixed a compile error on Linux (Issue #5483)
- The lpadmin command, web interface, and scheduler all queried an IPP
Everywhere printer differently, resulting in different PPDs for the same
printer (Issue #5484)
- Fixed an issue with the self-signed certificates generated by GNU TLS
(Issue #5506)
- The `ippValidateAttribute` function did not catch all instances of invalid
UTF-8 strings (Issue #5509)
- Non-Kerberized printing to Windows via IPP was broken (Issue #5515)
- The scheduler no longer stops a printer if an error occurs when a job is
canceled or aborted (Issue #5517)
- Added a USB quirks rule for the DYMO 450 Turbo (Issue #5521)
- Added a USB quirks rule for Xerox printers (Issue #5523)
- The scheduler's self-signed certificate did not include all of the alternate
names for the server when using GNU TLS (Issue #5525)
- Fixed compiler warnings with newer versions of GCC (Issue #5532, Issue #5533)
- Fixed some PPD caching and IPP Everywhere PPD accounting/password bugs
(Issue #5535)
- Fixed `PreserveJobHistory` bug with time values (Issue #5538)
- Media size matching now uses a tolerance of 0.5mm (rdar://33822024)
- The lpadmin command would hang with a bad PPD file (rdar://41495016)
- Fixed a potential crash bug in cups-driverd (rdar://46625579)
- Fixed a performance regression with large PPDs (rdar://47040759)
- The scheduler did not always idle exit as quickly as it could.
Changes
2.2.10
------
- CVE-2018-4700: Linux session cookies used a predictable random number seed.
- The `lpoptions` command now works with IPP Everywhere printers that have not
yet been added as local queues (Issue #5045)
- Added USB quirk rules (Issue #5395, Issue #5443)
- The generated PPD files for IPP Everywhere printers did not contain the
cupsManualCopies keyword (Issue #5433)
- Kerberos credentials might be truncated (Issue #5435)
- The handling of `MaxJobTime 0` did not match the documentation (Issue #5438)
- Incorporated the page accounting changes from CUPS 2.3 (Issue #5439)
- Fixed a bug adding a queue with the `-E` option (Issue #5440)
- Fixed a crash bug when mapping PPD duplex options to IPP attributes
(rdar://46183976)
pkgsrc changes:
- Remove patches/patch-cups_ipp.c, no more needed (applied)
- Remove patches/patch-ppdc_Makefile, libcupsppdc.la is no more installed
(also libcupscgi.la, libcupsmime.la are no longer installed, unfortunately no
rationale seems present in the changelog about that)
Changes:
2.2.9
-----
- Localization changes (Issue #5348, Issue #5362, Issue #5408)
- Documentation updates (Issue #5369)
- The lpadmin command would create a non-working printer in some error cases
(Issue #5305)
- The scheduler would crash if an empty `AccessLog` directive was specified
(Issue #5309)
- Fixed a regression in the changes to ippValidateAttribute (Issue #5322,
Issue #5330)
- Fixed a crash bug in the Epson dot matrix driver (Issue #5323)
- Automatic debug logging of job errors did not work with systemd (Issue #5337)
- The web interface did not list the IPP Everywhere "driver" (Issue #5338)
- The IPP Everywhere "driver" now properly supports face-up printers
(Issue #5345)
- Fixed some typos in the label printer drivers (Issue #5350)
- Multi-file jobs could get stuck if the backend failed (Issue #5359,
Issue #5413)
- The IPP Everywhere "driver" no longer does local filtering when printing to
a shared CUPS printer (Issue #5361)
- The lpadmin command now correctly reports IPP errors when configuring an
IPP Everywhere printer (Issue #5370)
- Fixed some memory leaks discovered by Coverity (Issue #5375)
- The PPD compiler incorrectly terminated JCL options (Issue #5379)
- The cupstestppd utility did not generate errors for missing/mismatched
CloseUI/JCLCloseUI keywords (Issue #5381)
- The scheduler now reports the actual location of the log file (Issue #5398)
- Added a USB quirk rule (Issue #5420)
- The scheduler was being backgrounded on macOS, causing applications to spin
(rdar://40436080)
- The scheduler did not validate that required initial request attributes were
in the operation group (rdar://41098178)
- Authentication in the web interface did not work on macOS (rdar://41444473)
- Fixed an issue with HTTP Digest authentication (rdar://41709086)
- The scheduler could crash when job history was purged (rdar://42198057)
- Dropped non-working RSS subscriptions UI from web interface templates.
- Fixed a memory leak for some IPP (extension) syntaxes.
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
Using a PKG_OPTIONS_VAR that is different to PKGBASE is problematic when
PKG_BUILD_OPTIONS is used. Deprecate the `cups' option (via PKG_LEGACY_OPTIONS
so if `cups' is still used everything will continue to work) in favour of
`cups-base'.
Thanks to <bouyer> for pointing out this problem on tech-pkg@ ML!
