authorDaniel Ahlberg <aliz@gentoo.org>2003-05-30 09:28:05 +0000
committerDaniel Ahlberg <aliz@gentoo.org>2003-05-30 09:28:05 +0000
commit7ac171c33a2c22f2df6aad10970185bb63e15973 (patch)
tree532b169079e054d371b463aeda45ffe48f2936d4
parentfix to smooth DISTCC_HOSTS upgrades (diff)
Security update
-rw-r--r--net-print/cups/ChangeLog7
-rw-r--r--net-print/cups/Manifest3
-rw-r--r--net-print/cups/cups-1.1.18-r5.ebuild141
-rw-r--r--net-print/cups/files/cups-1.1.18-str75.patchv2270
-rw-r--r--net-print/cups/files/digest-cups-1.1.18-r51
5 files changed, 421 insertions, 1 deletions
diff --git a/net-print/cups/ChangeLog b/net-print/cups/ChangeLog
index fbd61726d2b7..6cb0e9a7349b 100644
--- a/net-print/cups/ChangeLog
+++ b/net-print/cups/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for net-print/cups
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-print/cups/ChangeLog,v 1.38 2003/04/07 11:58:42 gmsoft Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-print/cups/ChangeLog,v 1.39 2003/05/30 09:28:04 aliz Exp $
+
+*cups-1.1.18-r5 (30 May 2003)
+
+ 30 May 2003; Daniel Ahlberg <aliz@gentoo.org> cups-1.1.18.ebuild :
+ Security update.
*cups-1.1.18-r4 (28 Jan 2003)
diff --git a/net-print/cups/Manifest b/net-print/cups/Manifest
index ccbd0d9cb9d5..28f0af105ebf 100644
--- a/net-print/cups/Manifest
+++ b/net-print/cups/Manifest
@@ -8,6 +8,7 @@ MD5 1ed9fba3b93cb3b12a7fc6be33d6df33 cups-1.1.18-r2.ebuild 3790
MD5 6683ebe34b50cfa51735074b051cfa0a cups-1.1.18-r3.ebuild 3860
MD5 bf3e1022247801354edbe2d44caa209e cups-1.1.18-r4.ebuild 3863
MD5 808c77e6178aa8b6785c34746e02c1a6 cups-1.1.18.ebuild 3743
+MD5 2577691665d61483d39befe2719be65a cups-1.1.18-r5.ebuild 3904
MD5 ec90893091ccb9fa45c107c08dc7152c files/configure-jpeg-buildfix-1.1.15.diff 308
MD5 dc2809ac1071076672c0a439ddd2c097 files/configure-jpeg-buildfix.diff 432
MD5 4d42d58387ed0a01b5f4e49ace9a8c0a files/cups.pam 232
@@ -26,3 +27,5 @@ MD5 23295c953b3c5dfed3b9ecff049f3421 files/digest-cups-1.1.18-r3 72
MD5 23295c953b3c5dfed3b9ecff049f3421 files/digest-cups-1.1.18-r4 72
MD5 7bce495a238ee9dbebb61496f3b3ae51 files/disable-strip.patch 422
MD5 d668826632fc35de75182b57d217be29 files/foomatic-gswrapper 1710
+MD5 5484493b0e4d631f7ccea67f988ff0e6 files/cups-1.1.18-str75.patchv2 7223
+MD5 23295c953b3c5dfed3b9ecff049f3421 files/digest-cups-1.1.18-r5 72
diff --git a/net-print/cups/cups-1.1.18-r5.ebuild b/net-print/cups/cups-1.1.18-r5.ebuild
new file mode 100644
index 000000000000..6f0d6ed956e2
--- /dev/null
+++ b/net-print/cups/cups-1.1.18-r5.ebuild
@@ -0,0 +1,141 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-print/cups/cups-1.1.18-r5.ebuild,v 1.1 2003/05/30 09:28:05 aliz Exp $
+
+inherit eutils flag-o-matic
+
+IUSE="ssl slp pam"
+
+DESCRIPTION="The Common Unix Printing System"
+HOMEPAGE="http://www.cups.org"
+
+S=${WORKDIR}/${P}
+SRC_URI="ftp://ftp.easysw.com/pub/cups/${PV}/${P}-source.tar.bz2"
+PROVIDE="virtual/lpr"
+
+DEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.75 )
+ ssl? ( >=dev-libs/openssl-0.9.6b )
+ slp? ( >=net-libs/openslp-1.0.4 )
+ >=media-libs/libpng-1.2.1
+ >=media-libs/tiff-3.5.5
+ >=media-libs/jpeg-6b
+ usb? ( >=sys-apps/hotplug-20020401-r1 )"
+RDEPEND="${DEPEND} !virtual/lpr"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa"
+
+filter-flags -fomit-frame-pointer
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ epatch ${FILESDIR}/${P}-str75.patchv2
+
+ #make sure libcupsimage gets linked with libjpeg
+ epatch ${FILESDIR}/configure-jpeg-buildfix-1.1.15.diff || die
+ epatch ${FILESDIR}/disable-strip.patch || die
+
+# bzip2 -dc ${DISTDIR}/${PPATCH}.diff.bz2 | patch -p1 || die
+ WANT_AUTOCONF_2_5=1 autoconf || die
+
+ #known problem, probably will be fixed next release //woodchip; #9188
+ #covered by above patch...
+# cd pdftops && cp Makefile Makefile.orig
+# sed -e 's|FTFont.o||' \
+# -e 's|SFont.o||' \
+# -e 's|T1Font.o||' \
+# -e 's|TTFont.o||' Makefile.orig > Makefile
+}
+
+src_compile() {
+ local myconf
+ use pam || myconf="${myconf} --disable-pam"
+ use ssl || myconf="${myconf} --disable-ssl"
+ use slp || myconf="${myconf} --disable-slp"
+
+ ./configure \
+ --with-cups-user=lp \
+ --with-cups-group=lp \
+ --host=${CHOST} ${myconf} || die "bad ./configure"
+
+ make || die "compile problem"
+
+}
+
+src_install() {
+ dodir /var/spool /var/log/cups /etc/cups
+
+ make \
+ LOCALEDIR=${D}/usr/share/locale \
+ DOCDIR=${D}/usr/share/cups/docs \
+ REQUESTS=${D}/var/spool/cups \
+ SERVERBIN=${D}/usr/lib/cups \
+ DATADIR=${D}/usr/share/cups \
+ INCLUDEDIR=${D}/usr/include \
+ AMANDIR=${D}/usr/share/man \
+ PMANDIR=${D}/usr/share/man \
+ MANDIR=${D}/usr/share/man \
+ SERVERROOT=${D}/etc/cups \
+ LOGDIR=${D}/var/log/cups \
+ SBINDIR=${D}/usr/sbin \
+ PAMDIR=${D}/etc/pam.d \
+ EXEC_PREFIX=${D}/usr \
+ LIBDIR=${D}/usr/lib \
+ BINDIR=${D}/usr/bin \
+ bindir=${D}/usr/bin \
+ INITDIR=${D}/etc \
+ PREFIX=${D} \
+ install || die "install problem"
+
+ dodoc {CHANGES,CREDITS,ENCRYPTION,LICENSE,README}.txt
+ dosym /usr/share/cups/docs /usr/share/doc/${PF}/html
+
+ fowners lp.root /usr/bin/lppasswd
+ fperms 4755 /usr/bin/lppasswd
+
+ # cleanups
+ rm -rf ${D}/etc/init.d
+ rm -rf ${D}/etc/pam.d
+ rm -rf ${D}/etc/rc*
+ rm -rf ${D}/usr/share/man/cat*
+ rm -rf ${D}/etc/cups/{certs,interfaces,ppd}
+ rm -rf ${D}/var
+
+ mv ${D}/etc/cups/cupsd.conf ${D}/etc/cups/cupsd.conf.orig
+ sed -e "s:^#\(DocumentRoot\).*:\1 /usr/share/cups/docs:" \
+ -e "s:^#\(SystemGroup\).*:\1 lp:" \
+ -e "s:^#\(User\).*:\1 lp:" \
+ -e "s:^#\(Group\).*:\1 lp:" \
+ ${D}/etc/cups/cupsd.conf.orig > ${D}/etc/cups/cupsd.conf
+ rm -f ${D}/etc/cups/cupsd.conf.orig
+
+ # foomatic cups filters
+ exeinto /usr/lib/cups/filter
+ doexe ${FILESDIR}/cupsomatic
+ doexe ${FILESDIR}/foomatic-gswrapper
+
+ insinto /etc/pam.d ; newins ${FILESDIR}/cups.pam cups
+ exeinto /etc/init.d ; newexe ${FILESDIR}/cupsd.rc6 cupsd
+ insinto /etc/xinetd.d ; newins ${FILESDIR}/cups.xinetd cups-lpd
+
+ insinto /etc/cups; newins ${FILESDIR}/cupsd.conf-1.1.18 cupsd.conf
+}
+
+pkg_postinst() {
+ install -d -m0755 ${ROOT}/var/log/cups
+ install -d -m0755 ${ROOT}/var/spool
+ install -m0700 -o lp -d ${ROOT}/var/spool/cups
+ install -m1700 -o lp -d ${ROOT}/var/spool/cups/tmp
+ install -m0711 -o lp -d ${ROOT}/etc/cups/certs
+ install -d -m0755 ${ROOT}/etc/cups/{interfaces,ppd}
+
+ einfo
+ einfo "emerge >=app-text/ghostscript-7.05-r1 if you need to print"
+ einfo "to a non-postscript printer(after cups itself! even if it's"
+ einfo "already installed!)"
+ einfo
+}
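Review bot: In src_install the cupsd.conf produced by the mv/sed/rm sequence (DocumentRoot, SystemGroup, User and Group set to lp) is overwritten by the final `insinto /etc/cups; newins ${FILESDIR}/cupsd.conf-1.1.18 cupsd.conf`, so the daemon's effective user and group come from a file this commit does not show. Either drop the dead sed block or keep it and stop installing over its result, and add a comment such as `# files/cupsd.conf-1.1.18 must keep User/Group lp to match --with-cups-user/--with-cups-group`. The security patch line in src_unpack would also read better with a comment naming what it fixes, e.g. `# upstream STR 75 patch v2: cupsd denial-of-service hardening` (inferred from the patch file name and the comments inside it). Separately, `usb?` appears in DEPEND but `IUSE="ssl slp pam"` does not list it.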
diff --git a/net-print/cups/files/cups-1.1.18-str75.patchv2 b/net-print/cups/files/cups-1.1.18-str75.patchv2
new file mode 100644
index 000000000000..701864b65325
--- /dev/null
+++ b/net-print/cups/files/cups-1.1.18-str75.patchv2
@@ -0,0 +1,270 @@
+diff -ur cups-1.1.18/cups/http.c cups-1.1.18.patched/cups/http.c
+--- cups-1.1.18/cups/http.c Tue Dec 17 13:56:42 2002
++++ cups-1.1.18.patched/cups/http.c Mon May 12 16:41:26 2003
+@@ -29,6 +29,7 @@
+ * default HTTP proxy (if any).
+ * httpCheck() - Check to see if there is a pending response from
+ * the server.
++ * httpWait() - Wait for data available on a connection.
+ * httpClose() - Close an HTTP connection...
+ * httpConnect() - Connect to a HTTP server.
+ * httpConnectEncrypt() - Connect to a HTTP server using encryption.
+@@ -240,6 +241,18 @@
+ int /* O - 0 = no data, 1 = data available */
+ httpCheck(http_t *http) /* I - HTTP connection */
+ {
++ return (httpWait(http, 0));
++}
++
++
++/*
++ * 'httpWait()' - Wait for data available on a connection.
++ */
++
++int /* O - 0 = no data, 1 = data available */
++httpWait(http_t *http, /* I - HTTP connection */
++ int msec) /* I - Milliseconds to wait */
++{
+ fd_set input; /* Input set for select() */
+ struct timeval timeout; /* Timeout */
+
+@@ -254,6 +267,14 @@
+ if (http->used)
+ return (1);
+
++#ifdef HAVE_LIBSSL
++ if (http->tls)
++ {
++ if (SSL_pending((SSL *)(http->tls)))
++ return (1);
++ }
++#endif /* HAVE_LIBSSL */
++
+ /*
+ * Then try doing a select() to poll the socket...
+ */
+@@ -261,10 +282,15 @@
+ FD_ZERO(&input);
+ FD_SET(http->fd, &input);
+
+- timeout.tv_sec = 0;
+- timeout.tv_usec = 0;
++ if (msec >= 0)
++ {
++ timeout.tv_sec = msec / 1000;
++ timeout.tv_usec = (msec % 1000) * 1000;
+
+- return (select(http->fd + 1, &input, NULL, NULL, &timeout) > 0);
++ return (select(http->fd + 1, &input, NULL, NULL, &timeout) > 0);
++ }
++ else
++ return (select(http->fd + 1, &input, NULL, NULL, NULL) > 0);
+ }
+
+
+@@ -857,7 +883,10 @@
+ char buffer[8192]; /* Junk buffer */
+
+
+- while (httpRead(http, buffer, sizeof(buffer)) > 0);
++ if (http->state != HTTP_WAITING)
++ {
++ while (httpRead(http, buffer, sizeof(buffer)) > 0);
++ }
+ }
+
+
+@@ -931,6 +960,9 @@
+ * Buffer small reads for better performance...
+ */
+
++ if (!http->blocking && !httpWait(http, 1000))
++ return (0);
++
+ if (http->data_remaining > sizeof(http->buffer))
+ bytes = sizeof(http->buffer);
+ else
+@@ -967,7 +999,10 @@
+ #endif /* WIN32 */
+ }
+ else
++ {
++ http->error = EPIPE;
+ return (0);
++ }
+ }
+
+ if (http->used > 0)
+@@ -987,10 +1022,18 @@
+ }
+ #ifdef HAVE_LIBSSL
+ else if (http->tls)
++ {
++ if (!http->blocking && !httpWait(http, 1000))
++ return (0);
++
+ bytes = SSL_read((SSL *)(http->tls), buffer, length);
++ }
+ #endif /* HAVE_LIBSSL */
+ else
+ {
++ if (!http->blocking && !httpWait(http, 1000))
++ return (0);
++
+ DEBUG_printf(("httpRead: reading %d bytes from socket...\n", length));
+ bytes = recv(http->fd, buffer, length, 0);
+ DEBUG_printf(("httpRead: read %d bytes from socket...\n", bytes));
+@@ -1009,6 +1052,11 @@
+ http->error = errno;
+ #endif /* WIN32 */
+ }
++ else
++ {
++ http->error = EPIPE;
++ return (0);
++ }
+
+ if (http->data_remaining == 0)
+ {
+@@ -1247,13 +1295,16 @@
+ * No newline; see if there is more data to be read...
+ */
+
++ if (!http->blocking && !httpWait(http, 1000))
++ return (NULL);
++
+ #ifdef HAVE_LIBSSL
+ if (http->tls)
+ bytes = SSL_read((SSL *)(http->tls), bufend,
+ HTTP_MAX_BUFFER - http->used);
+ else
+ #endif /* HAVE_LIBSSL */
+- bytes = recv(http->fd, bufend, HTTP_MAX_BUFFER - http->used, 0);
++ bytes = recv(http->fd, bufend, HTTP_MAX_BUFFER - http->used, 0);
+
+ if (bytes < 0)
+ {
+@@ -1285,8 +1336,7 @@
+ }
+ else if (bytes == 0)
+ {
+- if (http->blocking)
+- http->error = EPIPE;
++ http->error = EPIPE;
+
+ return (NULL);
+ }
+@@ -1554,6 +1604,7 @@
+ case HTTP_POST_RECV :
+ case HTTP_PUT :
+ http->state ++;
++ case HTTP_POST_SEND :
+ break;
+
+ default :
+diff -ur cups-1.1.18/cups/http.h cups-1.1.18.patched/cups/http.h
+--- cups-1.1.18/cups/http.h Tue Dec 17 13:56:42 2002
++++ cups-1.1.18.patched/cups/http.h Fri May 9 13:59:10 2003
+@@ -338,6 +338,9 @@
+ char [33]);
+ extern char *httpMD5String(const md5_byte_t *, char [33]);
+
++/**** New in CUPS 1.1.19 ****/
++extern int httpWait(http_t *http, int msec);
++
+
+ /*
+ * C++ magic...
+diff -ur cups-1.1.18/cups/ipp.c cups-1.1.18.patched/cups/ipp.c
+--- cups-1.1.18/cups/ipp.c Tue Dec 17 13:56:42 2002
++++ cups-1.1.18.patched/cups/ipp.c Fri May 9 14:08:44 2003
+@@ -2036,7 +2036,14 @@
+ if (http->data_remaining == 0)
+ {
+ if (http->data_encoding == HTTP_ENCODE_CHUNKED)
+- httpGets(len, sizeof(len), http);
++ {
++ /*
++ * Get the trailing CR LF after the chunk...
++ */
++
++ if (!httpGets(len, sizeof(len), http))
++ return (-1);
++ }
+
+ if (http->data_encoding != HTTP_ENCODE_CHUNKED)
+ {
+diff -ur cups-1.1.18/scheduler/client.c cups-1.1.18.patched/scheduler/client.c
+--- cups-1.1.18/scheduler/client.c Tue Dec 17 14:00:14 2002
++++ cups-1.1.18.patched/scheduler/client.c Fri May 9 14:25:52 2003
+@@ -82,6 +82,8 @@
+ client_t *con; /* New client pointer */
+ unsigned address;/* Address of client */
+ struct hostent *host; /* Host entry for address */
++ static time_t last_dos = 0;
++ /* Time of last DoS attack */
+
+
+ LogMessage(L_DEBUG2, "AcceptClient(%p) %d NumClients = %d",
+@@ -134,8 +136,12 @@
+
+ if (count >= MaxClientsPerHost)
+ {
+- LogMessage(L_WARN, "Possible DoS attack - more than %d clients connecting from %s!",
+- MaxClientsPerHost, Clients[i].http.hostname);
++ if ((time(NULL) - last_dos) >= 60)
++ {
++ last_dos = time(NULL);
++ LogMessage(L_WARN, "Possible DoS attack - more than %d clients connecting from %s!",
++ MaxClientsPerHost, Clients[i].http.hostname);
++ }
+
+ #ifdef WIN32
+ closesocket(con->http.fd);
+@@ -272,7 +278,7 @@
+ setsockopt(con->http.fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
+
+ /*
+- * Add the socket to the select() input mask.
++ * Close this file on all execs...
+ */
+
+ fcntl(con->http.fd, F_SETFD, fcntl(con->http.fd, F_GETFD) | FD_CLOEXEC);
+@@ -1438,6 +1444,10 @@
+ }
+ }
+ }
++ else if (con->http.state == HTTP_POST_RECV)
++ {
++ return (0);
++ }
+ else if (con->http.state != HTTP_POST_SEND)
+ {
+ CloseClient(con);
+@@ -1784,6 +1794,14 @@
+ shutdown(con->http.fd, 0);
+ con->http.used = 0;
+
++ /*
++ * Update the activity time so that we timeout after 30 seconds rather
++ * then the current Timeout setting (300 by default). This prevents
++ * some DoS situations...
++ */
++
++ con->http.activity = time(NULL) - Timeout + 30;
++
+ LogMessage(L_DEBUG2, "ShutdownClient: Removing fd %d from InputSet...",
+ con->http.fd);
+
+diff -ur cups-1.1.18/test/run-stp-tests.sh cups-1.1.18.patched/test/run-stp-tests.sh
+--- cups-1.1.18/test/run-stp-tests.sh Tue Dec 17 14:00:25 2002
++++ cups-1.1.18.patched/test/run-stp-tests.sh Fri May 9 14:18:48 2003
+@@ -142,6 +142,7 @@
+
+ cat >/tmp/$user/cupsd.conf <<EOF
+ Browsing Off
++FileDevice Yes
+ Listen 127.0.0.1:$port
+ User $user
+ ServerRoot /tmp/$user
+ ServerRoot /tmp/$user
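Review bot: In the embedded scheduler/client.c change to ShutdownClient, `con->http.activity = time(NULL) - Timeout + 30;` only shortens the wait when Timeout is above 30; with a smaller configured Timeout the stamp lands in the future and the half-closed connection is presumably kept longer than before, assuming the idle check compares the current time against activity plus Timeout, which is not visible here. A guard such as `if (Timeout > 30) con->http.activity = time(NULL) - Timeout + 30;` keeps the stated intent. The `last_dos` throttle in AcceptClient is a single static shared by all hosts, so a second source crossing MaxClientsPerHost within the same 60 seconds is never logged; a comment saying so, or a count of suppressed warnings in the next message, would help whoever reads the log during an incident. Both functions begin and end outside the embedded hunks, and since this file is an upstream patch carried verbatim, the changes belong upstream rather than in a local edit.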
diff --git a/net-print/cups/files/digest-cups-1.1.18-r5 b/net-print/cups/files/digest-cups-1.1.18-r5
new file mode 100644
index 000000000000..0d007fa65558
--- /dev/null
+++ b/net-print/cups/files/digest-cups-1.1.18-r5
@@ -0,0 +1 @@
+MD5 4a8a423a8268d088bffa19f6515883a7 cups-1.1.18-source.tar.bz2 3491321