All,

For the _ppdCreateFromIPP code in cups/ppd-cache.c, the commits for CUPS 2.5 are:

    8361420cb Escape localized strings in PPDs.
    dfb947e13 Fix localization of finishing templates and general presets.
    5a4803788 PPDize preset and template names.
    bcd720b06 Refactor make-and-model code.
    96b3bdf01 Validate URIs and attribute names before putting them in the generated PPD.

The corresponding commits in the 2.4.x branch are:

    2abe1ba8a Fix warnings for unused vars.
    1e6ca5913 Quote PPD localized strings.
    e0630cd18 PPDize preset and template names.
    04bb2af45 Refactor make-and-model code.
    9939a70b7 Mirror IPP Everywhere printer changes from master.

I've attached a diff from v2.4.10 with these changes:

ppd-cache.patch

> On Sep 26, 2024, at 8:09 PM, Zdenek Dohnal <zdoh...@redhat.com> wrote:
>> ...
>> https://github.com/OpenPrinting/cups/commit/8361420cbbfa2e729545c4c537c49fc6322c9631
>>
>> "Escape localized strings in PPDs", which is similar to the last hunk in
>> "Prevent PPD generation based on invalid IPP response" CVE-2024-47175
>> libppd commit referenced by Alan above.
>>
>> Possibly unrelated to today's disclosure but also security-relevant is:
>>
>> https://github.com/OpenPrinting/cups/commit/e3467edf3be2d20a022495d9726a741e36768caf
>>
>> "Update httpConnectURI to do X.509 pinning, and use it when doing the IPP"
>>
>> Zdenek, I hope you will soon clarify which commits fix what issues, to
>> assist with distro backports. I understand you're still busy getting
>> these in now and it's probably night time for you, so follow up when you
>> have a moment later, please.
>>
>> Thanks,
>>
>> Alexander
>>
> --
> Zdenek Dohnal
> Senior Software Engineer
> Red Hat, BRQ-TPBC
>

________________________
Michael Sweet