summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars Wendler <polynomial-c@gentoo.org>2019-09-03 09:51:15 +0200
committerLars Wendler <polynomial-c@gentoo.org>2019-09-03 09:51:15 +0200
commit5983cc09eade48687c10dd3241c946d899369a43 (patch)
treefe9eaafa50d30c10db643c849bc1ca08eaad0d87 /net-print/cups
parentnet-libs/nghttp2: Security cleanup (diff)
downloadgentoo-5983cc09eade48687c10dd3241c946d899369a43.tar.gz
gentoo-5983cc09eade48687c10dd3241c946d899369a43.tar.bz2
gentoo-5983cc09eade48687c10dd3241c946d899369a43.zip
net-print/cups: Security cleanup
Bug: https://bugs.gentoo.org/692300 Package-Manager: Portage-2.3.75, Repoman-2.3.17 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'net-print/cups')
-rw-r--r--net-print/cups/Manifest1
-rw-r--r--net-print/cups/cups-2.2.11.ebuild336
-rw-r--r--net-print/cups/files/cups-2.3_rc1-no_pam.patch164
3 files changed, 0 insertions, 501 deletions
diff --git a/net-print/cups/Manifest b/net-print/cups/Manifest
index b9b923a3fe7..c4d4ef2a259 100644
--- a/net-print/cups/Manifest
+++ b/net-print/cups/Manifest
@@ -1,3 +1,2 @@
-DIST cups-2.2.11-source.tar.gz 10405908 BLAKE2B 9b7ee4da9502e42fd1b4a2c57ab709b3127ee8aeb8481a52f37da19fe5578f406260f1551e3fcedcd3a828fbed69267e68fcfd7bfabadf65afce4c3af19b4a1f SHA512 21a6916041b50044d336871f10d1192635458a3d318f19a18ad21d27027dd3839400601019e758424c218225a34aba148ba3a57f0ce3fe14c4df03bd1fde3403
DIST cups-2.2.12-source.tar.gz 10409313 BLAKE2B 126ea81f7108b3b62f5e062ed522898dd48d4e5b4077c834e8fe89012445dd0a903bafa62f593551ed5f1c92cce4fbd22f56834e0615ed65ca4a6ae84dc2ca1c SHA512 b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df3d59795624973b89074a2af650fa9b5b6ed5224138b17e4c6dbbcbf0a2e6
DIST cups-2.3.0-source.tar.gz 8129049 BLAKE2B 738dbc7ee5ddcc9ffee44083cd93d8a0e75f4d3bf0b704dd643dc59db2cc2381dd65f676c0979bc65fee03438d160d9d650ceb93f8c702102eb1449d306a81a3 SHA512 c51f173b5fbae1554a3f4a3786fb3b5566e50d9f775473788ee3553922ac7e02e4785492c87c93fd46f159f50d97cc10ff6feafb3397cd9c1840840f3a9cdfae
diff --git a/net-print/cups/cups-2.2.11.ebuild b/net-print/cups/cups-2.2.11.ebuild
deleted file mode 100644
index 1c078ac92c8..00000000000
--- a/net-print/cups/cups-2.2.11.ebuild
+++ /dev/null
@@ -1,336 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python2_7 )
-
-inherit autotools flag-o-matic linux-info xdg multilib-minimal pam python-single-r1 user java-pkg-opt-2 systemd toolchain-funcs
-
-MY_P="${P/_rc/rc}"
-MY_P="${MY_P/_beta/b}"
-MY_PV="${PV/_rc/rc}"
-MY_PV="${MY_PV/_beta/b}"
-
-if [[ ${PV} == *9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/apple/cups.git"
- if [[ ${PV} != 9999 ]]; then
- EGIT_BRANCH=branch-${PV/.9999}
- fi
-else
- #SRC_URI="https://github.com/apple/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
- SRC_URI="https://github.com/apple/cups/releases/download/v${PV}/${P}-source.tar.gz"
- KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~m68k-mint"
-fi
-
-DESCRIPTION="The Common Unix Printing System"
-HOMEPAGE="https://www.cups.org/"
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="acl dbus debug java kerberos lprng-compat pam python selinux +ssl static-libs systemd +threads usb X xinetd zeroconf"
-
-CDEPEND="
- app-text/libpaper
- sys-libs/zlib
- acl? (
- kernel_linux? (
- sys-apps/acl
- sys-apps/attr
- )
- )
- dbus? ( >=sys-apps/dbus-1.6.18-r1[${MULTILIB_USEDEP}] )
- java? ( >=virtual/jre-1.6:* )
- kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
- !lprng-compat? ( !net-print/lprng )
- pam? ( virtual/pam )
- python? ( ${PYTHON_DEPS} )
- ssl? ( >=net-libs/gnutls-2.12.23-r6:0=[${MULTILIB_USEDEP}] )
- systemd? ( sys-apps/systemd )
- usb? ( virtual/libusb:1 )
- X? ( x11-misc/xdg-utils )
- xinetd? ( sys-apps/xinetd )
- zeroconf? ( >=net-dns/avahi-0.6.31-r2[${MULTILIB_USEDEP}] )
-"
-
-DEPEND="${CDEPEND}"
-BDEPEND="
- >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-"
-
-RDEPEND="${CDEPEND}
- selinux? ( sec-policy/selinux-cups )
-"
-
-PDEPEND=">=net-print/cups-filters-1.0.43"
-
-REQUIRED_USE="
- python? ( ${PYTHON_REQUIRED_USE} )
- usb? ( threads )
-"
-
-# upstream includes an interactive test which is a nono for gentoo
-RESTRICT="test"
-
-# systemd-socket.patch from Fedora
-PATCHES=(
- "${FILESDIR}/${PN}-2.2.0-dont-compress-manpages.patch"
- "${FILESDIR}/${PN}-2.2.6-fix-install-perms.patch"
- "${FILESDIR}/${PN}-1.4.4-nostrip.patch"
- "${FILESDIR}/${PN}-2.0.2-rename-systemd-service-files.patch"
- "${FILESDIR}/${PN}-2.0.1-xinetd-installation-fix.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
- /usr/bin/cups-config
-)
-
-pkg_setup() {
- enewgroup lp
- enewuser lp -1 -1 -1 lp
- enewgroup lpadmin 106
-
- use python && python-single-r1_pkg_setup
-
- if use kernel_linux; then
- linux-info_pkg_setup
- if ! linux_config_exists; then
- ewarn "Can't check the linux kernel configuration."
- ewarn "You might have some incompatible options enabled."
- else
- # recheck that we don't have usblp to collide with libusb; this should now work in most cases (bug 501122)
- if use usb; then
- if linux_chkconfig_present USB_PRINTER; then
- elog "Your USB printers will be managed via libusb. In case you run into problems, "
- elog "please try disabling USB_PRINTER support in your kernel or blacklisting the"
- elog "usblp kernel module."
- elog "Alternatively, just disable the usb useflag for cups (your printer will still work)."
- fi
- else
- #here we should warn user that he should enable it so he can print
- if ! linux_chkconfig_present USB_PRINTER; then
- ewarn "If you plan to use USB printers you should enable the USB_PRINTER"
- ewarn "support in your kernel."
- ewarn "Please enable it:"
- ewarn " CONFIG_USB_PRINTER=y"
- ewarn "in /usr/src/linux/.config or"
- ewarn " Device Drivers --->"
- ewarn " USB support --->"
- ewarn " [*] USB Printer support"
- ewarn "Alternatively, enable the usb useflag for cups and use the libusb code."
- fi
- fi
- fi
- fi
-}
-
-src_prepare() {
- default
-
- # Remove ".SILENT" rule for verbose output (bug 524338).
- sed 's#^.SILENT:##g' -i "${S}"/Makedefs.in || die "sed failed"
-
- # Fix install-sh, posix sh does not have 'function'.
- sed 's#function gzipcp#gzipcp()#g' -i "${S}/install-sh"
-
- AT_M4DIR=config-scripts eaclocal
- eautoconf
-
- # custom Makefiles
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- export DSOFLAGS="${LDFLAGS}"
-
- einfo LINGUAS=\"${LINGUAS}\"
-
- # explicitly specify compiler wrt bug 524340
- #
- # need to override KRB5CONFIG for proper flags
- # https://github.com/apple/cups/issues/4423
- local myeconfargs=(
- CC="$(tc-getCC)"
- CXX="$(tc-getCXX)"
- KRB5CONFIG="${EPREFIX}"/usr/bin/${CHOST}-krb5-config
- --libdir="${EPREFIX}"/usr/$(get_libdir)
- --localstatedir="${EPREFIX}"/var
- --with-exe-file-perm=755
- --with-rundir="${EPREFIX}"/run/cups
- --with-cups-user=lp
- --with-cups-group=lp
- --with-docdir="${EPREFIX}"/usr/share/cups/html
- --with-languages="${LINGUAS}"
- --with-system-groups=lpadmin
- --with-xinetd="${EPREFIX}"/etc/xinetd.d
- $(multilib_native_use_enable acl)
- $(use_enable dbus)
- $(use_enable debug)
- $(use_enable debug debug-guards)
- $(use_enable debug debug-printfs)
- $(multilib_native_use_with java)
- $(use_enable kerberos gssapi)
- $(multilib_native_use_enable pam)
- $(multilib_native_use_with python python "${PYTHON}")
- $(use_enable static-libs static)
- $(use_enable threads)
- $(use_enable ssl gnutls)
- $(use_enable systemd)
- $(multilib_native_use_enable usb libusb)
- $(use_enable zeroconf avahi)
- --disable-dnssd
- --without-perl
- --without-php
- $(multilib_is_native_abi && echo --enable-libpaper || echo --disable-libpaper)
- )
-
- if tc-is-static-only; then
- myeconfargs+=(
- --disable-shared
- )
- fi
-
- econf "${myeconfargs[@]}"
-
- # install in /usr/libexec always, instead of using /usr/lib/cups, as that
- # makes more sense when facing multilib support.
- sed -i -e "s:SERVERBIN.*:SERVERBIN = \"\$\(BUILDROOT\)${EPREFIX}/usr/libexec/cups\":" Makedefs || die
- sed -i -e "s:#define CUPS_SERVERBIN.*:#define CUPS_SERVERBIN \"${EPREFIX}/usr/libexec/cups\":" config.h || die
- sed -i -e "s:cups_serverbin=.*:cups_serverbin=\"${EPREFIX}/usr/libexec/cups\":" cups-config || die
-
- # additional path corrections needed for prefix, see bug 597728
- sed \
- -e "s:ICONDIR.*:ICONDIR = ${EPREFIX}/usr/share/icons:" \
- -e "s:INITDIR.*:INITDIR = ${EPREFIX}/etc:" \
- -e "s:DBUSDIR.*:DBUSDIR = ${EPREFIX}/etc/dbus-1:" \
- -e "s:MENUDIR.*:MENUDIR = ${EPREFIX}/usr/share/applications:" \
- -i Makedefs || die
-}
-
-multilib_src_compile() {
- if multilib_is_native_abi; then
- default
- else
- emake libs
- fi
-}
-
-multilib_src_test() {
- multilib_is_native_abi && default
-}
-
-multilib_src_install() {
- if multilib_is_native_abi; then
- emake BUILDROOT="${D}" install
- else
- emake BUILDROOT="${D}" install-libs install-headers
- dobin cups-config
- fi
-}
-
-multilib_src_install_all() {
- dodoc {CHANGES,CREDITS,README}.md
-
- # move the default config file to docs
- dodoc "${ED}"/etc/cups/cupsd.conf.default
- rm -f "${ED}"/etc/cups/cupsd.conf.default
-
- # clean out cups init scripts
- rm -rf "${ED}"/etc/{init.d/cups,rc*,pam.d/cups}
-
- # install our init script
- local neededservices
- use zeroconf && neededservices+=" avahi-daemon"
- use dbus && neededservices+=" dbus"
- [[ -n ${neededservices} ]] && neededservices="need${neededservices}"
- cp "${FILESDIR}"/cupsd.init.d-r3 "${T}"/cupsd || die
- sed -i \
- -e "s/@neededservices@/${neededservices}/" \
- "${T}"/cupsd || die
- doinitd "${T}"/cupsd
-
- # install our pam script
- pamd_mimic_system cups auth account
-
- if use xinetd ; then
- # correct path
- sed -i \
- -e "s:server = .*:server = /usr/libexec/cups/daemon/cups-lpd:" \
- "${ED}"/etc/xinetd.d/cups-lpd || die
- # it is safer to disable this by default, bug #137130
- grep -w 'disable' "${ED}"/etc/xinetd.d/cups-lpd || \
- { sed -i -e "s:}:\tdisable = yes\n}:" "${ED}"/etc/xinetd.d/cups-lpd || die ; }
- # write permission for file owner (root), bug #296221
- fperms u+w /etc/xinetd.d/cups-lpd || die "fperms failed"
- else
- # always configure with --with-xinetd= and clean up later,
- # bug #525604
- rm -rf "${ED}"/etc/xinetd.d
- fi
-
- keepdir /usr/libexec/cups/driver /usr/share/cups/{model,profiles} \
- /var/log/cups /var/spool/cups/tmp
-
- keepdir /etc/cups/{interfaces,ppd,ssl}
-
- if ! use X ; then
- rm -r "${ED}"/usr/share/applications || die
- fi
-
- # create /etc/cups/client.conf, bug #196967 and #266678
- echo "ServerName ${EPREFIX}/run/cups/cups.sock" >> "${ED}"/etc/cups/client.conf
-
- # the following file is now provided by cups-filters:
- rm -r "${ED}"/usr/share/cups/banners || die
-
- # the following are created by the init script
- rm -r "${ED}"/var/cache/cups || die
- rm -r "${ED}"/run || die
-
- # for the special case of running lprng and cups together, bug 467226
- if use lprng-compat ; then
- rm -fv "${ED}"/usr/bin/{lp*,cancel}
- rm -fv "${ED}"/usr/sbin/lp*
- rm -fv "${ED}"/usr/share/man/man1/{lp*,cancel*}
- rm -fv "${ED}"/usr/share/man/man8/lp*
- ewarn "Not installing lp... binaries, since the lprng-compat useflag is set."
- ewarn "Unless you plan to install an exotic server setup, you most likely"
- ewarn "do not want this. Disable the useflag then and all will be fine."
- fi
-}
-
-pkg_preinst() {
- xdg_pkg_preinst
-}
-
-pkg_postinst() {
- # Update desktop file database and gtk icon cache (bug 370059)
- xdg_pkg_postinst
-
- local v
-
- for v in ${REPLACING_VERSIONS}; do
- if ! ver_test ${v} -ge 2.2.2-r2 ; then
- echo
- ewarn "The cupsd init script switched to using pidfiles. Shutting down"
- ewarn "cupsd will fail the next time. To fix this, please run once as root"
- ewarn " killall cupsd ; /etc/init.d/cupsd zap ; /etc/init.d/cupsd start"
- echo
- break
- fi
- done
-
- for v in ${REPLACING_VERSIONS}; do
- echo
- elog "For information about installing a printer and general cups setup"
- elog "take a look at: https://wiki.gentoo.org/wiki/Printing"
- echo
- break
- done
-}
-
-pkg_postrm() {
- # Update desktop file database and gtk icon cache (bug 370059)
- xdg_pkg_postrm
-}
diff --git a/net-print/cups/files/cups-2.3_rc1-no_pam.patch b/net-print/cups/files/cups-2.3_rc1-no_pam.patch
deleted file mode 100644
index 17e69ab7b0a..00000000000
--- a/net-print/cups/files/cups-2.3_rc1-no_pam.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From 3cd7b5e053f8100da1ca8d8daf93976cca3516ef Mon Sep 17 00:00:00 2001
-From: Michael R Sweet <michael.r.sweet@gmail.com>
-Date: Fri, 23 Feb 2018 13:21:56 -0500
-Subject: [PATCH] Fix builds without PAM (Issue #5253)
-
---- a/scheduler/auth.c
-+++ b/scheduler/auth.c
-@@ -67,9 +68,6 @@ static int check_authref(cupsd_client_t *con, const char *right);
- static int compare_locations(cupsd_location_t *a,
- cupsd_location_t *b);
- static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
--#if !HAVE_LIBPAM
--static char *cups_crypt(const char *pw, const char *salt);
--#endif /* !HAVE_LIBPAM */
- static void free_authmask(cupsd_authmask_t *am, void *data);
- #if HAVE_LIBPAM
- static int pam_func(int, const struct pam_message **,
-@@ -690,14 +688,14 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
- * client...
- */
-
-- pass = cups_crypt(password, pw->pw_passwd);
-+ pass = crypt(password, pw->pw_passwd);
-
- if (!pass || strcmp(pw->pw_passwd, pass))
- {
- # ifdef HAVE_SHADOW_H
- if (spw)
- {
-- pass = cups_crypt(password, spw->sp_pwdp);
-+ pass = crypt(password, spw->sp_pwdp);
-
- if (pass == NULL || strcmp(spw->sp_pwdp, pass))
- {
-@@ -1991,129 +1989,6 @@ copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */
- }
-
-
--#if !HAVE_LIBPAM
--/*
-- * 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
-- * as needed.
-- */
--
--static char * /* O - Encrypted password */
--cups_crypt(const char *pw, /* I - Password string */
-- const char *salt) /* I - Salt (key) string */
--{
-- if (!strncmp(salt, "$1$", 3))
-- {
-- /*
-- * Use MD5 passwords without the benefit of PAM; this is for
-- * Slackware Linux, and the algorithm was taken from the
-- * old shadow-19990827/lib/md5crypt.c source code... :(
-- */
--
-- int i; /* Looping var */
-- unsigned long n; /* Output number */
-- int pwlen; /* Length of password string */
-- const char *salt_end; /* End of "salt" data for MD5 */
-- char *ptr; /* Pointer into result string */
-- _cups_md5_state_t state; /* Primary MD5 state info */
-- _cups_md5_state_t state2; /* Secondary MD5 state info */
-- unsigned char digest[16]; /* MD5 digest result */
-- static char result[120]; /* Final password string */
--
--
-- /*
-- * Get the salt data between dollar signs, e.g. $1$saltdata$md5.
-- * Get a maximum of 8 characters of salt data after $1$...
-- */
--
-- for (salt_end = salt + 3; *salt_end && (salt_end - salt) < 11; salt_end ++)
-- if (*salt_end == '$')
-- break;
--
-- /*
-- * Compute the MD5 sum we need...
-- */
--
-- pwlen = strlen(pw);
--
-- _cupsMD5Init(&state);
-- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
-- _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt);
--
-- _cupsMD5Init(&state2);
-- _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
-- _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
-- _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
-- _cupsMD5Finish(&state2, digest);
--
-- for (i = pwlen; i > 0; i -= 16)
-- _cupsMD5Append(&state, digest, i > 16 ? 16 : i);
--
-- for (i = pwlen; i > 0; i >>= 1)
-- _cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
--
-- _cupsMD5Finish(&state, digest);
--
-- for (i = 0; i < 1000; i ++)
-- {
-- _cupsMD5Init(&state);
--
-- if (i & 1)
-- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
-- else
-- _cupsMD5Append(&state, digest, 16);
--
-- if (i % 3)
-- _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
--
-- if (i % 7)
-- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
--
-- if (i & 1)
-- _cupsMD5Append(&state, digest, 16);
-- else
-- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
--
-- _cupsMD5Finish(&state, digest);
-- }
--
-- /*
-- * Copy the final sum to the result string and return...
-- */
--
-- memcpy(result, salt, (size_t)(salt_end - salt));
-- ptr = result + (salt_end - salt);
-- *ptr++ = '$';
--
-- for (i = 0; i < 5; i ++, ptr += 4)
-- {
-- n = ((((unsigned)digest[i] << 8) | (unsigned)digest[i + 6]) << 8);
--
-- if (i < 4)
-- n |= (unsigned)digest[i + 12];
-- else
-- n |= (unsigned)digest[5];
--
-- to64(ptr, n, 4);
-- }
--
-- to64(ptr, (unsigned)digest[11], 2);
-- ptr += 2;
-- *ptr = '\0';
--
-- return (result);
-- }
-- else
-- {
-- /*
-- * Use the standard crypt() function...
-- */
--
-- return (crypt(pw, salt));
-- }
--}
--#endif /* !HAVE_LIBPAM */
--
--
- /*
- * 'free_authmask()' - Free function for auth masks.
- */