author | Daniel Ahlberg <aliz@gentoo.org> | 2003-05-30 09:28:05 +0000 |
---|---|---|
committer | Daniel Ahlberg <aliz@gentoo.org> | 2003-05-30 09:28:05 +0000 |
commit | 7ac171c33a2c22f2df6aad10970185bb63e15973 (patch) | |
tree | 532b169079e054d371b463aeda45ffe48f2936d4 | |
parent | fix to smooth DISTCC_HOSTS upgrades (diff) | |
download | gentoo-2-7ac171c33a2c22f2df6aad10970185bb63e15973.tar.gz gentoo-2-7ac171c33a2c22f2df6aad10970185bb63e15973.tar.bz2 gentoo-2-7ac171c33a2c22f2df6aad10970185bb63e15973.zip |
Security update
-rw-r--r-- | net-print/cups/ChangeLog | 7 | ||||
-rw-r--r-- | net-print/cups/Manifest | 3 | ||||
-rw-r--r-- | net-print/cups/cups-1.1.18-r5.ebuild | 141 | ||||
-rw-r--r-- | net-print/cups/files/cups-1.1.18-str75.patchv2 | 270 | ||||
-rw-r--r-- | net-print/cups/files/digest-cups-1.1.18-r5 | 1 |
5 files changed, 421 insertions, 1 deletions
diff --git a/net-print/cups/ChangeLog b/net-print/cups/ChangeLog
index fbd61726d2b7..6cb0e9a7349b 100644
--- a/net-print/cups/ChangeLog
+++ b/net-print/cups/ChangeLog
@@ -1,6 +1,11 @@
 # ChangeLog for net-print/cups
 # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-print/cups/ChangeLog,v 1.38 2003/04/07 11:58:42 gmsoft Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-print/cups/ChangeLog,v 1.39 2003/05/30 09:28:04 aliz Exp $
+
+*cups-1.1.18-r5 (30 May 2003)
+
+ 30 May 2003; Daniel Ahlberg <aliz@gentoo.org> cups-1.1.18.ebuild :
+ Security update.
 *cups-1.1.18-r4 (28 Jan 2003)
diff --git a/net-print/cups/Manifest b/net-print/cups/Manifest
index ccbd0d9cb9d5..28f0af105ebf 100644
--- a/net-print/cups/Manifest
+++ b/net-print/cups/Manifest
@@ -8,6 +8,7 @@ MD5 1ed9fba3b93cb3b12a7fc6be33d6df33 cups-1.1.18-r2.ebuild 3790
 MD5 6683ebe34b50cfa51735074b051cfa0a cups-1.1.18-r3.ebuild 3860
 MD5 bf3e1022247801354edbe2d44caa209e cups-1.1.18-r4.ebuild 3863
 MD5 808c77e6178aa8b6785c34746e02c1a6 cups-1.1.18.ebuild 3743
+MD5 2577691665d61483d39befe2719be65a cups-1.1.18-r5.ebuild 3904
 MD5 ec90893091ccb9fa45c107c08dc7152c files/configure-jpeg-buildfix-1.1.15.diff 308
 MD5 dc2809ac1071076672c0a439ddd2c097 files/configure-jpeg-buildfix.diff 432
 MD5 4d42d58387ed0a01b5f4e49ace9a8c0a files/cups.pam 232
@@ -26,3 +27,5 @@ MD5 23295c953b3c5dfed3b9ecff049f3421 files/digest-cups-1.1.18-r3 72
 MD5 23295c953b3c5dfed3b9ecff049f3421 files/digest-cups-1.1.18-r4 72
 MD5 7bce495a238ee9dbebb61496f3b3ae51 files/disable-strip.patch 422
 MD5 d668826632fc35de75182b57d217be29 files/foomatic-gswrapper 1710
+MD5 5484493b0e4d631f7ccea67f988ff0e6 files/cups-1.1.18-str75.patchv2 7223
+MD5 23295c953b3c5dfed3b9ecff049f3421 files/digest-cups-1.1.18-r5 72
diff --git a/net-print/cups/cups-1.1.18-r5.ebuild b/net-print/cups/cups-1.1.18-r5.ebuild
new file mode 100644
index 000000000000..6f0d6ed956e2
--- /dev/null
+++ b/net-print/cups/cups-1.1.18-r5.ebuild
@@ -0,0 +1,141 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-print/cups/cups-1.1.18-r5.ebuild,v 1.1 2003/05/30 09:28:05 aliz Exp $
+
+inherit eutils flag-o-matic
+
+IUSE="ssl slp pam"
+
+DESCRIPTION="The Common Unix Printing System"
+HOMEPAGE="http://www.cups.org"
+
+S=${WORKDIR}/${P}
+SRC_URI="ftp://ftp.easysw.com/pub/cups/${PV}/${P}-source.tar.bz2"
+PROVIDE="virtual/lpr"
+
+DEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.75 )
+ ssl? ( >=dev-libs/openssl-0.9.6b )
+ slp? ( >=net-libs/openslp-1.0.4 )
+ >=media-libs/libpng-1.2.1
+ >=media-libs/tiff-3.5.5
+ >=media-libs/jpeg-6b
+ usb? ( >=sys-apps/hotplug-20020401-r1 )"
+RDEPEND="${DEPEND} !virtual/lpr"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa"
+
+filter-flags -fomit-frame-pointer
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ epatch ${FILESDIR}/${P}-str75.patchv2
+
+ #make sure libcupsimage gets linked with libjpeg
+ epatch ${FILESDIR}/configure-jpeg-buildfix-1.1.15.diff || die
+ epatch ${FILESDIR}/disable-strip.patch || die
+
+# bzip2 -dc ${DISTDIR}/${PPATCH}.diff.bz2 | patch -p1 || die
+ WANT_AUTOCONF_2_5=1 autoconf || die
+
+ #known problem, probably will be fixed next release //woodchip; #9188
+ #covered by above patch...
+# cd pdftops && cp Makefile Makefile.orig
+# sed -e 's|FTFont.o||' \
+# -e 's|SFont.o||' \
+# -e 's|T1Font.o||' \
+# -e 's|TTFont.o||' Makefile.orig > Makefile
+}
+
+src_compile() {
+ local myconf
+ use pam || myconf="${myconf} --disable-pam"
+ use ssl || myconf="${myconf} --disable-ssl"
+ use slp || myconf="${myconf} --disable-slp"
+
+ ./configure \
+ --with-cups-user=lp \
+ --with-cups-group=lp \
+ --host=${CHOST} ${myconf} || die "bad ./configure"
+
+ make || die "compile problem"
+
+}
+
+src_install() {
+ dodir /var/spool /var/log/cups /etc/cups
+
+ make \
+ LOCALEDIR=${D}/usr/share/locale \
+ DOCDIR=${D}/usr/share/cups/docs \
+ REQUESTS=${D}/var/spool/cups \
+ SERVERBIN=${D}/usr/lib/cups \
+ DATADIR=${D}/usr/share/cups \
+ INCLUDEDIR=${D}/usr/include \
+ AMANDIR=${D}/usr/share/man \
+ PMANDIR=${D}/usr/share/man \
+ MANDIR=${D}/usr/share/man \
+ SERVERROOT=${D}/etc/cups \
+ LOGDIR=${D}/var/log/cups \
+ SBINDIR=${D}/usr/sbin \
+ PAMDIR=${D}/etc/pam.d \
+ EXEC_PREFIX=${D}/usr \
+ LIBDIR=${D}/usr/lib \
+ BINDIR=${D}/usr/bin \
+ bindir=${D}/usr/bin \
+ INITDIR=${D}/etc \
+ PREFIX=${D} \
+ install || die "install problem"
+
+ dodoc {CHANGES,CREDITS,ENCRYPTION,LICENSE,README}.txt
+ dosym /usr/share/cups/docs /usr/share/doc/${PF}/html
+
+ fowners lp.root /usr/bin/lppasswd
+ fperms 4755 /usr/bin/lppasswd
+
+ # cleanups
+ rm -rf ${D}/etc/init.d
+ rm -rf ${D}/etc/pam.d
+ rm -rf ${D}/etc/rc*
+ rm -rf ${D}/usr/share/man/cat*
+ rm -rf ${D}/etc/cups/{certs,interfaces,ppd}
+ rm -rf ${D}/var
+
+ mv ${D}/etc/cups/cupsd.conf ${D}/etc/cups/cupsd.conf.orig
+ sed -e "s:^#\(DocumentRoot\).*:\1 /usr/share/cups/docs:" \
+ -e "s:^#\(SystemGroup\).*:\1 lp:" \
+ -e "s:^#\(User\).*:\1 lp:" \
+ -e "s:^#\(Group\).*:\1 lp:" \
+ ${D}/etc/cups/cupsd.conf.orig > ${D}/etc/cups/cupsd.conf
+ rm -f ${D}/etc/cups/cupsd.conf.orig
+
+ # foomatic cups filters
+ exeinto /usr/lib/cups/filter
+ doexe ${FILESDIR}/cupsomatic
+ doexe ${FILESDIR}/foomatic-gswrapper
+
+ insinto /etc/pam.d ; newins ${FILESDIR}/cups.pam cups
+ exeinto /etc/init.d ; newexe ${FILESDIR}/cupsd.rc6 cupsd
+ insinto /etc/xinetd.d ; newins ${FILESDIR}/cups.xinetd cups-lpd
+
+ insinto /etc/cups; newins ${FILESDIR}/cupsd.conf-1.1.18 cupsd.conf
+}
+
+pkg_postinst() {
+ install -d -m0755 ${ROOT}/var/log/cups
+ install -d -m0755 ${ROOT}/var/spool
+ install -m0700 -o lp -d ${ROOT}/var/spool/cups
+ install -m1700 -o lp -d ${ROOT}/var/spool/cups/tmp
+ install -m0711 -o lp -d ${ROOT}/etc/cups/certs
+ install -d -m0755 ${ROOT}/etc/cups/{interfaces,ppd}
+
+ einfo
+ einfo "emerge >=app-text/ghostscript-7.05-r1 if you need to print"
+ einfo "to a non-postscript printer(after cups itself! even if it's"
+ einfo "already installed!)"
+ einfo
+}
diff --git a/net-print/cups/files/cups-1.1.18-str75.patchv2 b/net-print/cups/files/cups-1.1.18-str75.patchv2
new file mode 100644
index 000000000000..701864b65325
--- /dev/null
+++ b/net-print/cups/files/cups-1.1.18-str75.patchv2
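Review bot: KEYWORDS carries only testing keywords (`~x86 ~ppc ~sparc ~alpha ~hppa`), so a system that accepts only stable keywords would not pick up this security revision on its own; the keywords of the earlier revisions are not visible here, so how stable users receive the fix should be confirmed. DEPEND gates hotplug on `usb?`, but IUSE declares only `ssl slp pam`; `IUSE="ssl slp pam usb"` would declare the flag the dependency relies on. In src_unpack the security patch is applied right after an unchecked `cd ${S}`, and it is the only epatch call written without `|| die`; `cd ${S} || die` would stop the build if the directory change fails, and the three epatch lines should follow one convention.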
@@ -0,0 +1,270 @@ +diff -ur cups-1.1.18/cups/http.c cups-1.1.18.patched/cups/http.c +--- cups-1.1.18/cups/http.c Tue Dec 17 13:56:42 2002 ++++ cups-1.1.18.patched/cups/http.c Mon May 12 16:41:26 2003 +@@ -29,6 +29,7 @@ + * default HTTP proxy (if any). + * httpCheck() - Check to see if there is a pending response from + * the server. ++ * httpWait() - Wait for data available on a connection. + * httpClose() - Close an HTTP connection... + * httpConnect() - Connect to a HTTP server. + * httpConnectEncrypt() - Connect to a HTTP server using encryption. +@@ -240,6 +241,18 @@ + int /* O - 0 = no data, 1 = data available */ + httpCheck(http_t *http) /* I - HTTP connection */ + { ++ return (httpWait(http, 0)); ++} ++ ++ ++/* ++ * 'httpWait()' - Wait for data available on a connection. ++ */ ++ ++int /* O - 0 = no data, 1 = data available */ ++httpWait(http_t *http, /* I - HTTP connection */ ++ int msec) /* I - Milliseconds to wait */ ++{ + fd_set input; /* Input set for select() */ + struct timeval timeout; /* Timeout */ + +@@ -254,6 +267,14 @@ + if (http->used) + return (1); + ++#ifdef HAVE_LIBSSL ++ if (http->tls) ++ { ++ if (SSL_pending((SSL *)(http->tls))) ++ return (1); ++ } ++#endif /* HAVE_LIBSSL */ ++ + /* + * Then try doing a select() to poll the socket... 
+ */ +@@ -261,10 +282,15 @@ + FD_ZERO(&input); + FD_SET(http->fd, &input); + +- timeout.tv_sec = 0; +- timeout.tv_usec = 0; ++ if (msec >= 0) ++ { ++ timeout.tv_sec = msec / 1000; ++ timeout.tv_usec = (msec % 1000) * 1000; + +- return (select(http->fd + 1, &input, NULL, NULL, &timeout) > 0); ++ return (select(http->fd + 1, &input, NULL, NULL, &timeout) > 0); ++ } ++ else ++ return (select(http->fd + 1, &input, NULL, NULL, NULL) > 0); + } + + +@@ -857,7 +883,10 @@ + char buffer[8192]; /* Junk buffer */ + + +- while (httpRead(http, buffer, sizeof(buffer)) > 0); ++ if (http->state != HTTP_WAITING) ++ { ++ while (httpRead(http, buffer, sizeof(buffer)) > 0); ++ } + } + + +@@ -931,6 +960,9 @@ + * Buffer small reads for better performance... + */ + ++ if (!http->blocking && !httpWait(http, 1000)) ++ return (0); ++ + if (http->data_remaining > sizeof(http->buffer)) + bytes = sizeof(http->buffer); + else +@@ -967,7 +999,10 @@ + #endif /* WIN32 */ + } + else ++ { ++ http->error = EPIPE; + return (0); ++ } + } + + if (http->used > 0) +@@ -987,10 +1022,18 @@ + } + #ifdef HAVE_LIBSSL + else if (http->tls) ++ { ++ if (!http->blocking && !httpWait(http, 1000)) ++ return (0); ++ + bytes = SSL_read((SSL *)(http->tls), buffer, length); ++ } + #endif /* HAVE_LIBSSL */ + else + { ++ if (!http->blocking && !httpWait(http, 1000)) ++ return (0); ++ + DEBUG_printf(("httpRead: reading %d bytes from socket...\n", length)); + bytes = recv(http->fd, buffer, length, 0); + DEBUG_printf(("httpRead: read %d bytes from socket...\n", bytes)); +@@ -1009,6 +1052,11 @@ + http->error = errno; + #endif /* WIN32 */ + } ++ else ++ { ++ http->error = EPIPE; ++ return (0); ++ } + + if (http->data_remaining == 0) + { +@@ -1247,13 +1295,16 @@ + * No newline; see if there is more data to be read... 
+ */ + ++ if (!http->blocking && !httpWait(http, 1000)) ++ return (NULL); ++ + #ifdef HAVE_LIBSSL + if (http->tls) + bytes = SSL_read((SSL *)(http->tls), bufend, + HTTP_MAX_BUFFER - http->used); + else + #endif /* HAVE_LIBSSL */ +- bytes = recv(http->fd, bufend, HTTP_MAX_BUFFER - http->used, 0); ++ bytes = recv(http->fd, bufend, HTTP_MAX_BUFFER - http->used, 0); + + if (bytes < 0) + { +@@ -1285,8 +1336,7 @@ + } + else if (bytes == 0) + { +- if (http->blocking) +- http->error = EPIPE; ++ http->error = EPIPE; + + return (NULL); + } +@@ -1554,6 +1604,7 @@ + case HTTP_POST_RECV : + case HTTP_PUT : + http->state ++; ++ case HTTP_POST_SEND : + break; + + default : +diff -ur cups-1.1.18/cups/http.h cups-1.1.18.patched/cups/http.h +--- cups-1.1.18/cups/http.h Tue Dec 17 13:56:42 2002 ++++ cups-1.1.18.patched/cups/http.h Fri May 9 13:59:10 2003 +@@ -338,6 +338,9 @@ + char [33]); + extern char *httpMD5String(const md5_byte_t *, char [33]); + ++/**** New in CUPS 1.1.19 ****/ ++extern int httpWait(http_t *http, int msec); ++ + + /* + * C++ magic... +diff -ur cups-1.1.18/cups/ipp.c cups-1.1.18.patched/cups/ipp.c +--- cups-1.1.18/cups/ipp.c Tue Dec 17 13:56:42 2002 ++++ cups-1.1.18.patched/cups/ipp.c Fri May 9 14:08:44 2003 +@@ -2036,7 +2036,14 @@ + if (http->data_remaining == 0) + { + if (http->data_encoding == HTTP_ENCODE_CHUNKED) +- httpGets(len, sizeof(len), http); ++ { ++ /* ++ * Get the trailing CR LF after the chunk... 
++ */ ++ ++ if (!httpGets(len, sizeof(len), http)) ++ return (-1); ++ } + + if (http->data_encoding != HTTP_ENCODE_CHUNKED) + { +diff -ur cups-1.1.18/scheduler/client.c cups-1.1.18.patched/scheduler/client.c +--- cups-1.1.18/scheduler/client.c Tue Dec 17 14:00:14 2002 ++++ cups-1.1.18.patched/scheduler/client.c Fri May 9 14:25:52 2003 +@@ -82,6 +82,8 @@ + client_t *con; /* New client pointer */ + unsigned address;/* Address of client */ + struct hostent *host; /* Host entry for address */ ++ static time_t last_dos = 0; ++ /* Time of last DoS attack */ + + + LogMessage(L_DEBUG2, "AcceptClient(%p) %d NumClients = %d", +@@ -134,8 +136,12 @@ + + if (count >= MaxClientsPerHost) + { +- LogMessage(L_WARN, "Possible DoS attack - more than %d clients connecting from %s!", +- MaxClientsPerHost, Clients[i].http.hostname); ++ if ((time(NULL) - last_dos) >= 60) ++ { ++ last_dos = time(NULL); ++ LogMessage(L_WARN, "Possible DoS attack - more than %d clients connecting from %s!", ++ MaxClientsPerHost, Clients[i].http.hostname); ++ } + + #ifdef WIN32 + closesocket(con->http.fd); +@@ -272,7 +278,7 @@ + setsockopt(con->http.fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)); + + /* +- * Add the socket to the select() input mask. ++ * Close this file on all execs... + */ + + fcntl(con->http.fd, F_SETFD, fcntl(con->http.fd, F_GETFD) | FD_CLOEXEC); +@@ -1438,6 +1444,10 @@ + } + } + } ++ else if (con->http.state == HTTP_POST_RECV) ++ { ++ return (0); ++ } + else if (con->http.state != HTTP_POST_SEND) + { + CloseClient(con); +@@ -1784,6 +1794,14 @@ + shutdown(con->http.fd, 0); + con->http.used = 0; + ++ /* ++ * Update the activity time so that we timeout after 30 seconds rather ++ * then the current Timeout setting (300 by default). This prevents ++ * some DoS situations... 
++ */ ++ ++ con->http.activity = time(NULL) - Timeout + 30; ++ + LogMessage(L_DEBUG2, "ShutdownClient: Removing fd %d from InputSet...", + con->http.fd); + +diff -ur cups-1.1.18/test/run-stp-tests.sh cups-1.1.18.patched/test/run-stp-tests.sh +--- cups-1.1.18/test/run-stp-tests.sh Tue Dec 17 14:00:25 2002 ++++ cups-1.1.18.patched/test/run-stp-tests.sh Fri May 9 14:18:48 2003 +@@ -142,6 +142,7 @@ + + cat >/tmp/$user/cupsd.conf <<EOF + Browsing Off ++FileDevice Yes + Listen 127.0.0.1:$port + User $user + ServerRoot /tmp/$user + ServerRoot /tmp/$user diff --git a/net-print/cups/files/digest-cups-1.1.18-r5 b/net-print/cups/files/digest-cups-1.1.18-r5 new file mode 100644 index 000000000000..0d007fa65558 --- /dev/null +++ b/net-print/cups/files/digest-cups-1.1.18-r5 @@ -0,0 +1 @@ +MD5 4a8a423a8268d088bffa19f6515883a7 cups-1.1.18-source.tar.bz2 3491321 |
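Review bot: In the scheduler/client.c hunk for AcceptClient(), `last_dos` is a single function-wide static, so the 60-second throttle on the "Possible DoS attack" warning is global and not per host: while it is active, a different address reaching MaxClientsPerHost is disconnected without any log record. Logging the suppressed case at a lower level, for example `else LogMessage(L_DEBUG, "Per-host client limit reached for %s", Clients[i].http.hostname);`, would keep that evidence without flooding the log. In the ShutdownClient() hunk, `con->http.activity = time(NULL) - Timeout + 30;` puts the activity time in the future when Timeout is configured below 30, which appears to lengthen the wait where the comment intends to shorten it; guarding the assignment with `if (Timeout > 30)` would avoid that. Both functions begin and end outside the inner hunks, so the timeout comparison itself is inferred from the added comment and is not visible here.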