From 5983cc09eade48687c10dd3241c946d899369a43 Mon Sep 17 00:00:00 2001
From: Lars Wendler
Date: Tue, 3 Sep 2019 09:51:15 +0200
Subject: net-print/cups: Security cleanup
Bug: https://bugs.gentoo.org/692300
Package-Manager: Portage-2.3.75, Repoman-2.3.17
Signed-off-by: Lars Wendler
---
 net-print/cups/Manifest | 1 -
 net-print/cups/cups-2.2.11.ebuild | 336 -------------------------
 net-print/cups/files/cups-2.3_rc1-no_pam.patch | 164 ------------
 3 files changed, 501 deletions(-)
 delete mode 100644 net-print/cups/cups-2.2.11.ebuild
 delete mode 100644 net-print/cups/files/cups-2.3_rc1-no_pam.patch
diff --git a/net-print/cups/Manifest b/net-print/cups/Manifest
index b9b923a3fe7a..c4d4ef2a259a 100644
--- a/net-print/cups/Manifest
+++ b/net-print/cups/Manifest
@@ -1,3 +1,2 @@
-DIST cups-2.2.11-source.tar.gz 10405908 BLAKE2B 9b7ee4da9502e42fd1b4a2c57ab709b3127ee8aeb8481a52f37da19fe5578f406260f1551e3fcedcd3a828fbed69267e68fcfd7bfabadf65afce4c3af19b4a1f SHA512 21a6916041b50044d336871f10d1192635458a3d318f19a18ad21d27027dd3839400601019e758424c218225a34aba148ba3a57f0ce3fe14c4df03bd1fde3403
 DIST cups-2.2.12-source.tar.gz 10409313 BLAKE2B 126ea81f7108b3b62f5e062ed522898dd48d4e5b4077c834e8fe89012445dd0a903bafa62f593551ed5f1c92cce4fbd22f56834e0615ed65ca4a6ae84dc2ca1c SHA512 b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df3d59795624973b89074a2af650fa9b5b6ed5224138b17e4c6dbbcbf0a2e6
 DIST cups-2.3.0-source.tar.gz 8129049 BLAKE2B 738dbc7ee5ddcc9ffee44083cd93d8a0e75f4d3bf0b704dd643dc59db2cc2381dd65f676c0979bc65fee03438d160d9d650ceb93f8c702102eb1449d306a81a3 SHA512 c51f173b5fbae1554a3f4a3786fb3b5566e50d9f775473788ee3553922ac7e02e4785492c87c93fd46f159f50d97cc10ff6feafb3397cd9c1840840f3a9cdfae
diff --git a/net-print/cups/cups-2.2.11.ebuild b/net-print/cups/cups-2.2.11.ebuild
deleted file mode 100644
index 1c078ac92c8b..000000000000
--- a/net-print/cups/cups-2.2.11.ebuild
+++ /dev/null
@@ -1,336 +0,0 @@ -# Copyright 1999-2019 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -PYTHON_COMPAT=( python2_7 ) - -inherit autotools flag-o-matic linux-info xdg multilib-minimal pam python-single-r1 user java-pkg-opt-2 systemd toolchain-funcs - -MY_P="${P/_rc/rc}" -MY_P="${MY_P/_beta/b}" -MY_PV="${PV/_rc/rc}" -MY_PV="${MY_PV/_beta/b}" - -if [[ ${PV} == *9999 ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/apple/cups.git" - if [[ ${PV} != 9999 ]]; then - EGIT_BRANCH=branch-${PV/.9999} - fi -else - #SRC_URI="https://github.com/apple/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" - SRC_URI="https://github.com/apple/cups/releases/download/v${PV}/${P}-source.tar.gz" - KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~m68k-mint" -fi - -DESCRIPTION="The Common Unix Printing System" -HOMEPAGE="https://www.cups.org/" - -LICENSE="GPL-2" -SLOT="0" -IUSE="acl dbus debug java kerberos lprng-compat pam python selinux +ssl static-libs systemd +threads usb X xinetd zeroconf" - -CDEPEND=" - app-text/libpaper - sys-libs/zlib - acl? ( - kernel_linux? ( - sys-apps/acl - sys-apps/attr - ) - ) - dbus? ( >=sys-apps/dbus-1.6.18-r1[${MULTILIB_USEDEP}] ) - java? ( >=virtual/jre-1.6:* ) - kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) - !lprng-compat? ( !net-print/lprng ) - pam? ( virtual/pam ) - python? ( ${PYTHON_DEPS} ) - ssl? ( >=net-libs/gnutls-2.12.23-r6:0=[${MULTILIB_USEDEP}] ) - systemd? ( sys-apps/systemd ) - usb? ( virtual/libusb:1 ) - X? ( x11-misc/xdg-utils ) - xinetd? ( sys-apps/xinetd ) - zeroconf? ( >=net-dns/avahi-0.6.31-r2[${MULTILIB_USEDEP}] ) -" - -DEPEND="${CDEPEND}" -BDEPEND=" - >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}] -" - -RDEPEND="${CDEPEND} - selinux? ( sec-policy/selinux-cups ) -" - -PDEPEND=">=net-print/cups-filters-1.0.43" - -REQUIRED_USE=" - python? ( ${PYTHON_REQUIRED_USE} ) - usb? 
( threads ) -" - -# upstream includes an interactive test which is a nono for gentoo -RESTRICT="test" - -# systemd-socket.patch from Fedora -PATCHES=( - "${FILESDIR}/${PN}-2.2.0-dont-compress-manpages.patch" - "${FILESDIR}/${PN}-2.2.6-fix-install-perms.patch" - "${FILESDIR}/${PN}-1.4.4-nostrip.patch" - "${FILESDIR}/${PN}-2.0.2-rename-systemd-service-files.patch" - "${FILESDIR}/${PN}-2.0.1-xinetd-installation-fix.patch" -) - -MULTILIB_CHOST_TOOLS=( - /usr/bin/cups-config -) - -pkg_setup() { - enewgroup lp - enewuser lp -1 -1 -1 lp - enewgroup lpadmin 106 - - use python && python-single-r1_pkg_setup - - if use kernel_linux; then - linux-info_pkg_setup - if ! linux_config_exists; then - ewarn "Can't check the linux kernel configuration." - ewarn "You might have some incompatible options enabled." - else - # recheck that we don't have usblp to collide with libusb; this should now work in most cases (bug 501122) - if use usb; then - if linux_chkconfig_present USB_PRINTER; then - elog "Your USB printers will be managed via libusb. In case you run into problems, " - elog "please try disabling USB_PRINTER support in your kernel or blacklisting the" - elog "usblp kernel module." - elog "Alternatively, just disable the usb useflag for cups (your printer will still work)." - fi - else - #here we should warn user that he should enable it so he can print - if ! linux_chkconfig_present USB_PRINTER; then - ewarn "If you plan to use USB printers you should enable the USB_PRINTER" - ewarn "support in your kernel." - ewarn "Please enable it:" - ewarn " CONFIG_USB_PRINTER=y" - ewarn "in /usr/src/linux/.config or" - ewarn " Device Drivers --->" - ewarn " USB support --->" - ewarn " [*] USB Printer support" - ewarn "Alternatively, enable the usb useflag for cups and use the libusb code." - fi - fi - fi - fi -} - -src_prepare() { - default - - # Remove ".SILENT" rule for verbose output (bug 524338). 
- sed 's#^.SILENT:##g' -i "${S}"/Makedefs.in || die "sed failed" - - # Fix install-sh, posix sh does not have 'function'. - sed 's#function gzipcp#gzipcp()#g' -i "${S}/install-sh" - - AT_M4DIR=config-scripts eaclocal - eautoconf - - # custom Makefiles - multilib_copy_sources -} - -multilib_src_configure() { - export DSOFLAGS="${LDFLAGS}" - - einfo LINGUAS=\"${LINGUAS}\" - - # explicitly specify compiler wrt bug 524340 - # - # need to override KRB5CONFIG for proper flags - # https://github.com/apple/cups/issues/4423 - local myeconfargs=( - CC="$(tc-getCC)" - CXX="$(tc-getCXX)" - KRB5CONFIG="${EPREFIX}"/usr/bin/${CHOST}-krb5-config - --libdir="${EPREFIX}"/usr/$(get_libdir) - --localstatedir="${EPREFIX}"/var - --with-exe-file-perm=755 - --with-rundir="${EPREFIX}"/run/cups - --with-cups-user=lp - --with-cups-group=lp - --with-docdir="${EPREFIX}"/usr/share/cups/html - --with-languages="${LINGUAS}" - --with-system-groups=lpadmin - --with-xinetd="${EPREFIX}"/etc/xinetd.d - $(multilib_native_use_enable acl) - $(use_enable dbus) - $(use_enable debug) - $(use_enable debug debug-guards) - $(use_enable debug debug-printfs) - $(multilib_native_use_with java) - $(use_enable kerberos gssapi) - $(multilib_native_use_enable pam) - $(multilib_native_use_with python python "${PYTHON}") - $(use_enable static-libs static) - $(use_enable threads) - $(use_enable ssl gnutls) - $(use_enable systemd) - $(multilib_native_use_enable usb libusb) - $(use_enable zeroconf avahi) - --disable-dnssd - --without-perl - --without-php - $(multilib_is_native_abi && echo --enable-libpaper || echo --disable-libpaper) - ) - - if tc-is-static-only; then - myeconfargs+=( - --disable-shared - ) - fi - - econf "${myeconfargs[@]}" - - # install in /usr/libexec always, instead of using /usr/lib/cups, as that - # makes more sense when facing multilib support. 
- sed -i -e "s:SERVERBIN.*:SERVERBIN = \"\$\(BUILDROOT\)${EPREFIX}/usr/libexec/cups\":" Makedefs || die - sed -i -e "s:#define CUPS_SERVERBIN.*:#define CUPS_SERVERBIN \"${EPREFIX}/usr/libexec/cups\":" config.h || die - sed -i -e "s:cups_serverbin=.*:cups_serverbin=\"${EPREFIX}/usr/libexec/cups\":" cups-config || die - - # additional path corrections needed for prefix, see bug 597728 - sed \ - -e "s:ICONDIR.*:ICONDIR = ${EPREFIX}/usr/share/icons:" \ - -e "s:INITDIR.*:INITDIR = ${EPREFIX}/etc:" \ - -e "s:DBUSDIR.*:DBUSDIR = ${EPREFIX}/etc/dbus-1:" \ - -e "s:MENUDIR.*:MENUDIR = ${EPREFIX}/usr/share/applications:" \ - -i Makedefs || die -} - -multilib_src_compile() { - if multilib_is_native_abi; then - default - else - emake libs - fi -} - -multilib_src_test() { - multilib_is_native_abi && default -} - -multilib_src_install() { - if multilib_is_native_abi; then - emake BUILDROOT="${D}" install - else - emake BUILDROOT="${D}" install-libs install-headers - dobin cups-config - fi -} - -multilib_src_install_all() { - dodoc {CHANGES,CREDITS,README}.md - - # move the default config file to docs - dodoc "${ED}"/etc/cups/cupsd.conf.default - rm -f "${ED}"/etc/cups/cupsd.conf.default - - # clean out cups init scripts - rm -rf "${ED}"/etc/{init.d/cups,rc*,pam.d/cups} - - # install our init script - local neededservices - use zeroconf && neededservices+=" avahi-daemon" - use dbus && neededservices+=" dbus" - [[ -n ${neededservices} ]] && neededservices="need${neededservices}" - cp "${FILESDIR}"/cupsd.init.d-r3 "${T}"/cupsd || die - sed -i \ - -e "s/@neededservices@/${neededservices}/" \ - "${T}"/cupsd || die - doinitd "${T}"/cupsd - - # install our pam script - pamd_mimic_system cups auth account - - if use xinetd ; then - # correct path - sed -i \ - -e "s:server = .*:server = /usr/libexec/cups/daemon/cups-lpd:" \ - "${ED}"/etc/xinetd.d/cups-lpd || die - # it is safer to disable this by default, bug #137130 - grep -w 'disable' "${ED}"/etc/xinetd.d/cups-lpd || \ - { sed -i -e 
"s:}:\tdisable = yes\n}:" "${ED}"/etc/xinetd.d/cups-lpd || die ; } - # write permission for file owner (root), bug #296221 - fperms u+w /etc/xinetd.d/cups-lpd || die "fperms failed" - else - # always configure with --with-xinetd= and clean up later, - # bug #525604 - rm -rf "${ED}"/etc/xinetd.d - fi - - keepdir /usr/libexec/cups/driver /usr/share/cups/{model,profiles} \ - /var/log/cups /var/spool/cups/tmp - - keepdir /etc/cups/{interfaces,ppd,ssl} - - if ! use X ; then - rm -r "${ED}"/usr/share/applications || die - fi - - # create /etc/cups/client.conf, bug #196967 and #266678 - echo "ServerName ${EPREFIX}/run/cups/cups.sock" >> "${ED}"/etc/cups/client.conf - - # the following file is now provided by cups-filters: - rm -r "${ED}"/usr/share/cups/banners || die - - # the following are created by the init script - rm -r "${ED}"/var/cache/cups || die - rm -r "${ED}"/run || die - - # for the special case of running lprng and cups together, bug 467226 - if use lprng-compat ; then - rm -fv "${ED}"/usr/bin/{lp*,cancel} - rm -fv "${ED}"/usr/sbin/lp* - rm -fv "${ED}"/usr/share/man/man1/{lp*,cancel*} - rm -fv "${ED}"/usr/share/man/man8/lp* - ewarn "Not installing lp... binaries, since the lprng-compat useflag is set." - ewarn "Unless you plan to install an exotic server setup, you most likely" - ewarn "do not want this. Disable the useflag then and all will be fine." - fi -} - -pkg_preinst() { - xdg_pkg_preinst -} - -pkg_postinst() { - # Update desktop file database and gtk icon cache (bug 370059) - xdg_pkg_postinst - - local v - - for v in ${REPLACING_VERSIONS}; do - if ! ver_test ${v} -ge 2.2.2-r2 ; then - echo - ewarn "The cupsd init script switched to using pidfiles. Shutting down" - ewarn "cupsd will fail the next time. 
To fix this, please run once as root" - ewarn " killall cupsd ; /etc/init.d/cupsd zap ; /etc/init.d/cupsd start" - echo - break - fi - done - - for v in ${REPLACING_VERSIONS}; do - echo - elog "For information about installing a printer and general cups setup" - elog "take a look at: https://wiki.gentoo.org/wiki/Printing" - echo - break - done -} - -pkg_postrm() { - # Update desktop file database and gtk icon cache (bug 370059) - xdg_pkg_postrm -} diff --git a/net-print/cups/files/cups-2.3_rc1-no_pam.patch b/net-print/cups/files/cups-2.3_rc1-no_pam.patch deleted file mode 100644 index 17e69ab7b0ac..000000000000 --- a/net-print/cups/files/cups-2.3_rc1-no_pam.patch +++ /dev/null 
@@ -1,164 +0,0 @@ -From 3cd7b5e053f8100da1ca8d8daf93976cca3516ef Mon Sep 17 00:00:00 2001 -From: Michael R Sweet -Date: Fri, 23 Feb 2018 13:21:56 -0500 -Subject: [PATCH] Fix builds without PAM (Issue #5253) - ---- a/scheduler/auth.c -+++ b/scheduler/auth.c -@@ -67,9 +68,6 @@ static int check_authref(cupsd_client_t *con, const char *right); - static int compare_locations(cupsd_location_t *a, - cupsd_location_t *b); - static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data); --#if !HAVE_LIBPAM --static char *cups_crypt(const char *pw, const char *salt); --#endif /* !HAVE_LIBPAM */ - static void free_authmask(cupsd_authmask_t *am, void *data); - #if HAVE_LIBPAM - static int pam_func(int, const struct pam_message **, -@@ -690,14 +688,14 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ - * client... - */ - -- pass = cups_crypt(password, pw->pw_passwd); -+ pass = crypt(password, pw->pw_passwd); - - if (!pass || strcmp(pw->pw_passwd, pass)) - { - # ifdef HAVE_SHADOW_H - if (spw) - { -- pass = cups_crypt(password, spw->sp_pwdp); -+ pass = crypt(password, spw->sp_pwdp); - - if (pass == NULL || strcmp(spw->sp_pwdp, pass)) - { -@@ -1991,129 +1989,6 @@ copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */ - } - - --#if !HAVE_LIBPAM --/* -- * 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms, -- * as needed. -- */ -- --static char * /* O - Encrypted password */ --cups_crypt(const char *pw, /* I - Password string */ -- const char *salt) /* I - Salt (key) string */ --{ -- if (!strncmp(salt, "$1$", 3)) -- { -- /* -- * Use MD5 passwords without the benefit of PAM; this is for -- * Slackware Linux, and the algorithm was taken from the -- * old shadow-19990827/lib/md5crypt.c source code... 
:( -- */ -- -- int i; /* Looping var */ -- unsigned long n; /* Output number */ -- int pwlen; /* Length of password string */ -- const char *salt_end; /* End of "salt" data for MD5 */ -- char *ptr; /* Pointer into result string */ -- _cups_md5_state_t state; /* Primary MD5 state info */ -- _cups_md5_state_t state2; /* Secondary MD5 state info */ -- unsigned char digest[16]; /* MD5 digest result */ -- static char result[120]; /* Final password string */ -- -- -- /* -- * Get the salt data between dollar signs, e.g. $1$saltdata$md5. -- * Get a maximum of 8 characters of salt data after $1$... -- */ -- -- for (salt_end = salt + 3; *salt_end && (salt_end - salt) < 11; salt_end ++) -- if (*salt_end == '$') -- break; -- -- /* -- * Compute the MD5 sum we need... -- */ -- -- pwlen = strlen(pw); -- -- _cupsMD5Init(&state); -- _cupsMD5Append(&state, (unsigned char *)pw, pwlen); -- _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt); -- -- _cupsMD5Init(&state2); -- _cupsMD5Append(&state2, (unsigned char *)pw, pwlen); -- _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3); -- _cupsMD5Append(&state2, (unsigned char *)pw, pwlen); -- _cupsMD5Finish(&state2, digest); -- -- for (i = pwlen; i > 0; i -= 16) -- _cupsMD5Append(&state, digest, i > 16 ? 16 : i); -- -- for (i = pwlen; i > 0; i >>= 1) -- _cupsMD5Append(&state, (unsigned char *)((i & 1) ? 
"" : pw), 1); -- -- _cupsMD5Finish(&state, digest); -- -- for (i = 0; i < 1000; i ++) -- { -- _cupsMD5Init(&state); -- -- if (i & 1) -- _cupsMD5Append(&state, (unsigned char *)pw, pwlen); -- else -- _cupsMD5Append(&state, digest, 16); -- -- if (i % 3) -- _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3); -- -- if (i % 7) -- _cupsMD5Append(&state, (unsigned char *)pw, pwlen); -- -- if (i & 1) -- _cupsMD5Append(&state, digest, 16); -- else -- _cupsMD5Append(&state, (unsigned char *)pw, pwlen); -- -- _cupsMD5Finish(&state, digest); -- } -- -- /* -- * Copy the final sum to the result string and return... -- */ -- -- memcpy(result, salt, (size_t)(salt_end - salt)); -- ptr = result + (salt_end - salt); -- *ptr++ = '$'; -- -- for (i = 0; i < 5; i ++, ptr += 4) -- { -- n = ((((unsigned)digest[i] << 8) | (unsigned)digest[i + 6]) << 8); -- -- if (i < 4) -- n |= (unsigned)digest[i + 12]; -- else -- n |= (unsigned)digest[5]; -- -- to64(ptr, n, 4); -- } -- -- to64(ptr, (unsigned)digest[11], 2); -- ptr += 2; -- *ptr = '\0'; -- -- return (result); -- } -- else -- { -- /* -- * Use the standard crypt() function... -- */ -- -- return (crypt(pw, salt)); -- } --} --#endif /* !HAVE_LIBPAM */ -- -- - /* - * 'free_authmask()' - Free function for auth masks. - */ -- cgit v1.2.3-65-gdbad