Re: [oe-core][PATCH] cups: Upgrade 2.4.6 -> 2.4.7

[Markus Volk]

Hi,

| hash.c:16:12: fatal error: gnutls/crypto.h: No such file or directory
|    16 | #  include <gnutls/crypto.h>
it fails because there is no tls implementation activated by default. I 
do my builds with gnutls enabled and removing the bbappend that 
contains the packageconfig makes this problem reproducible for me. My 
question is, is it a reasonable standard to build without encryption? 
As I understand it, the correct solution would be to add tls support by 
default  (adding --with-tls=openssl also fixes the issue). Maybe we 
could do something like this?
PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=openssl,gnutls"

Which tls implementation should be used by default? I know oe-core 
prefers openssl, but there have been known issues with it recently:
<https://github.com/void-linux/void-packages/pull/41193>

On Sun, Nov 12 2023 at 08:21:35 PM +01:00:00, Alexandre Belloni 
<alexandre.bell...@bootlin.com> wrote:
Hello,

This fails:

reproducible:
<https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/3912/steps/12/logs/errors>

lib32:
<https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/7998/steps/11/logs/stdio>
<https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/5334/steps/11/logs/stdio>


musl:
<https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/8115/steps/12/logs/stdio>
<https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8143/steps/11/logs/stdio>


no-x11:
<https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/12/logs/stdio>
<https://autobuilder.yoctoproject.org/typhoon/#/builders/40/builds/8123/steps/15/logs/stdio>

On 12/11/2023 02:36:17+0100, Markus Volk wrote:
 Changes in CUPS v2.4.7 (2023-09-20)
 -----------------------------------

 - CVE-2023-4504 - Fixed Heap-based buffer overflow when reading 
Postscript
   in PPD files
 - Added OpenSSL support for cupsHashData (Issue #762)
 - Fixed delays in lpd backend (Issue #741)
 - Fixed extensive logging in scheduler (Issue #604)
 - Fixed hanging of `lpstat` on IBM AIX (Issue #773)
 - Fixed hanging of `lpstat` on Solaris (Issue #156)
 - Fixed printing to stderr if we can't open cups-files.conf (Issue 
#777)
 - Fixed purging job files via `cancel -x` (Issue #742)
 - Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
 - Fixed a bug in the PPD command interpretation code (Issue #768)

 Signed-off-by: Markus Volk <f_...@t-online.de 
<mailto:f_...@t-online.de>>
 ---
  meta/recipes-extended/cups/cups.inc           |  1 -
  .../cups/cups/CVE-2023-4504.patch             | 42 
-------------------
  .../cups/{cups_2.4.6.bb => cups_2.4.7.bb}     |  2 +-
  3 files changed, 1 insertion(+), 44 deletions(-)
  delete mode 100644 
meta/recipes-extended/cups/cups/CVE-2023-4504.patch
  rename meta/recipes-extended/cups/{cups_2.4.6.bb => cups_2.4.7.bb} 
(51%)

 diff --git a/meta/recipes-extended/cups/cups.inc 
b/meta/recipes-extended/cups/cups.inc
 index fa32c38549..36feaddcf8 100644
 --- a/meta/recipes-extended/cups/cups.inc
 +++ b/meta/recipes-extended/cups/cups.inc
 @@ -15,7 +15,6 @@ SRC_URI = 
"${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
             
file://0004-cups-fix-multilib-install-file-conflicts.patch 
<file://0004-cups-fix-multilib-install-file-conflicts.patch/> \
             file://volatiles.99_cups <file://volatiles.99_cups/> \
             file://cups-volatiles.conf 
<file://cups-volatiles.conf/> \
 -           file://CVE-2023-4504.patch 
<file://cve-2023-4504.patch/> \
             "

  GITHUB_BASE_URI = "<https://github.com/OpenPrinting/cups/releases>"
 diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch 
b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
 deleted file mode 100644
 index e52e43a209..0000000000
 --- a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
 +++ /dev/null
 @@ -1,42 +0,0 @@
 -CVE: CVE-2023-4504
 -Upstream-Status: Backport 
[<https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31> 
]
 -Signed-off-by: Lee Chee Yang <chee.yang....@intel.com 
<mailto:chee.yang....@intel.com>>
 -
 -From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 
2001
 -From: Zdenek Dohnal <zdoh...@redhat.com 
<mailto:zdoh...@redhat.com>>
 -Date: Wed, 20 Sep 2023 14:45:17 +0200
 -Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
 -
 -We didn't check for end of buffer if it looks there is an escaped
 -character - check for NULL terminator there and if found, return 
NULL
 -as return value and in `ptr`, because a lone backslash is not
 -a valid PostScript character.
 ----
 - cups/raster-interpret.c | 14 +++++++++++++-
 - 1 files changed, 13 insertions(+), 1 deletion(-)
 -
 -diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
 -index 6fcf731b5..b8655c8c6 100644
 ---- a/cups/raster-interpret.c
 -+++ b/cups/raster-interpret.c
 -@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - 
Stack */
 -
 -          cur ++;
 -
 --            if (*cur == 'b')
 -+        /*
 -+         * Return NULL if we reached NULL terminator, a lone backslash
 -+         * is not a valid character in PostScript.
 -+         */
 -+
 -+         if (!*cur)
 -+         {
 -+           *ptr = NULL;
 -+
 -+           return (NULL);
 -+         }
 -+
 -+         if (*cur == 'b')
 -            *valptr++ = '\b';
 -          else if (*cur == 'f')
 -            *valptr++ = '\f';
 diff --git a/meta/recipes-extended/cups/cups_2.4.6.bb 
b/meta/recipes-extended/cups/cups_2.4.7.bb
 similarity index 51%
 rename from meta/recipes-extended/cups/cups_2.4.6.bb
 rename to meta/recipes-extended/cups/cups_2.4.7.bb
 index 58029fdbd4..f4b0282e4c 100644
 --- a/meta/recipes-extended/cups/cups_2.4.6.bb
 +++ b/meta/recipes-extended/cups/cups_2.4.7.bb
 @@ -2,4 +2,4 @@ require cups.inc

  LIC_FILES_CHKSUM = 
"file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" 
<file://license;md5=3b83ef96387f14655fc854ddc3c6bd57/>

 -SRC_URI[sha256sum] = 
"58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
 +SRC_URI[sha256sum] = 
"dd54228dd903526428ce7e37961afaed230ad310788141da75cebaa08362cf6c"
 --
 2.42.0



 



--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com <https://bootlin.com/>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190454): 
https://lists.openembedded.org/g/openembedded-core/message/190454
Mute This Topic: https://lists.openembedded.org/mt/102536625/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-