- Version upgrade to 2.4.1
- Dropped patch upstream_pull_174 because it it is included in this release
- Dropped patch cups-2.1.0-cups-systemd-socket.patch because it it is included in this release (https://github.com/OpenPrinting/cups/commit/e96e96b4bd0d4e6f634bbb66b95d6e475501541c)
- Changed upstream source packages signing key (https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579)
- Re-enabled testsuite
* Also removed make check because since upstream change the two target are identical (https://github.com/OpenPrinting/cups/commit/96ba46ebc818b610b0e40cbc9d62ef1dcd3ec9b6#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52R239)
- Changed cups-2.1.0-cups-systemd-socket.patch to accomodate new coding style
- Changed cups-config-libs.orig to accommodate recent code changes (SSL->TLS)
- Changed cups-2.1.0-default-webcontent-path.patch to accommodate code changes

old: Printing/cups
new: home:ajoga:branches:openSUSE:Factory/cups rev None
Index: cups-2.1.0-default-webcontent-path.patch
===================================================================
--- cups-2.1.0-default-webcontent-path.patch (revision 380)
+++ cups-2.1.0-default-webcontent-path.patch (revision 2)
@@ -1,17 +1,21 @@
---- config-scripts/cups-directories.m4.orig 2014-03-21 17:42:53.000000000 +0100
-+++ config-scripts/cups-directories.m4 2015-09-01 11:08:43.000000000 +0200
-@@ -206,11 +206,11 @@ fi
- AC_SUBST(MENUDIR)
+--- config-scripts/cups-directories.m4
++++ config-scripts/cups-directories.m4.orig
+@@ -166,15 +166,15 @@ AS_IF([test "x$menudir" = x], [
+ AC_SUBST([MENUDIR])

# Documentation files
--AC_ARG_WITH(docdir, [ --with-docdir set path for documentation],docdir="$withval",docdir="")
-+AC_ARG_WITH(docdir, [ --with-docdir set path and DocumentRoot directive for web content, default=datadir/cups/webcontent],docdir="$withval",docdir="")
+-AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path for documentation]), [
++AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path and DocumentRoot directive for web content, default=datadir/cups/webcontent]), [
+ docdir="$withval"
+ ], [
+ docdir=""
+ ])

- if test x$docdir = x; then
-- CUPS_DOCROOT="$datadir/doc/cups"
-- docdir="$datadir/doc/cups"
-+ CUPS_DOCROOT="$datadir/cups/webcontent"
-+ docdir="$datadir/cups/webcontent"
- else
- CUPS_DOCROOT="$docdir"
- fi
+ AS_IF([test x$docdir = x], [
+- CUPS_DOCROOT="$datadir/doc/cups"
+- docdir="$datadir/doc/cups"
++ CUPS_DOCROOT="$datadir/cups/webcontent"
++ docdir="$datadir/cups/webcontent"
+ ], [
+ CUPS_DOCROOT="$docdir"
+ ])
Index: cups-config-libs.patch
===================================================================
--- cups-config-libs.patch (revision 380)
+++ cups-config-libs.patch (revision 2)
@@ -4,7 +4,7 @@
# flags for compiler and linker...
CFLAGS=""
LDFLAGS="@EXPORT_LDFLAGS@"
--LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_SSLLIBS@ @LIBZ@ @LIBS@"
+-LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_TLSLIBS@ @LIBZ@ @LIBS@"
+LIBS=""

# Check for local invocation...
Index: cups.changes
===================================================================
--- cups.changes (revision 380)
+++ cups.changes (revision 2)
@@ -1,4 +1,88 @@
-------------------------------------------------------------------
+Tue Mar 1 18:16:11 UTC 2022 - Aurélien Joga
+
+- Version upgrade to 2.4.1:
+ * The default color mode now is now configurable and defaults to the printer's reported default mode (Issue #277)
+ * Configuration script now checks linking for -Wl,-pie flags (Issue #303)
+ * Fixed memory leaks - in testi18n (Issue #313), in cups_enum_dests() (Issue #317), in _cupsEncodeOption() and http_tls_upgrade() (Issue #322)
+ * Fixed missing bracket in de/index.html (Issue #299)
+ * Fixed typos in configuration scripts (Issues #304, #316)
+ * Removed remaining legacy code for RIP_MAX_CACHE environment variable (Issue #323)
+ * Removed deprecated directives from cupsctl and cups-files.conf (Issue #300)
+ * Removed purge-jobs legacy code from CGI scripts and templates (Issue #325)
+ * Added configure option --with-idle-exit-timeout (Issue #294)
+ * Added --with-systemd-timeoutstartsec configure option (Issue #298)
+ * DigestOptions now are applied for MD5 Digest authentication defined by RFC 2069 as well (Issue #287)
+ * Fixed compilation on Solaris (Issue #293)
+ * Fixed and improved German translations (Issue #296, Issue #297)
+ * Added warning and debug messages when loading printers if the queue is raw or with driver (Issue #286)
+ * Compilation now uses -fstack-protector-strong if available (Issue #285)
+ * Added support for CUPS running in a Snapcraft snap.
+ * Added basic OAuth 2.0 client support (Issue #100)
+ * Added support for AirPrint and Mopria clients (Issue #105)
+ * Added configure support for specifying systemd dependencies in the CUPS service file (Issue #144)
+ * Added several features and improvements to ipptool (Issue #153)
+ * Added a JSON output mode for ipptool.
+ * The ipptool command now correctly reports an error when a test file cannot be found.
+ * CUPS library now uses thread safe getpwnam_r and getpwuid_r functions (Issue #274)
+ * Fixed Kerberos authentication for the web interface (Issue #19)
+ * The ZPL sample driver now supports more "standard" label sizes (Issue #70)
+ * Fixed reporting of printer instances when enumerating and when no options are set for the main instance (Issue #71)
+ * Reverted USB read limit enforcement change from CUPS 2.2.12 (Issue #72)
+ * The IPP backend did not return the correct status code when a job was canceled at the printer/server (Issue #74)
+ * The testlang unit test program now loops over all of the available locales by default (Issue #85)
+ * The cupsfilter command now shows error messages when options are used incorrectly (Issue #88)
+ * The PPD functions now treat boolean values as case-insensitive (Issue #106)
+ * Temporary queue names no longer end with an underscore (Issue #110)
+ * The USB backend now runs as root (Issue #121)
+ * Added pkg-config file for libcups (Issue #122)
+ * Fixed a PPD memory leak caused by emulator definitions (Issue #124)
+ * Fixed a DISPLAY bug in ipptool (Issue #139)
+ * The scheduler now includes the [Job N] prefix for job log messages, even when using syslog logging (Issue #154)
+ * Added support for locales using the GB18030 character set (Issue #159)
+ * httpReconnect2 did not reset the socket file descriptor when the TLS negotiation failed (Apple #5907)
+ * httpUpdate did not reset the socket file descriptor when the TLS negotiation failed (Apple #5915)
+ * The IPP backend now retries Validate-Job requests (Issue #132)
+ * Now show better error messages when a driver interface program fails to provide a PPD file (Issue #148)
+ * Added dark mode support to the CUPS web interface (Issue #152)
+ * Added a workaround for Solaris in httpAddrConnect2 (Issue #156)
+ * Fixed an interaction between --remote-admin and --remote-any for the cupsctl command (Issue #158)
+ * Now use a 60 second timeout for reading USB backchannel data (Issue #160)
+ * The USB backend now tries harder to find a serial number (Issue #170)
+ * Fixed @IF(name) handling in cupsd.conf (Apple #5918)
+ * Fixed documentation and added examples for CUPS' limited CGI support (Apple #5940)
+ * Fixed the lpc command prompt (Apple #5946)
+ * Now always pass "localhost" in the Host: header when talking over a domain socket or the loopback interface (Issue #185)
+ * Fixed a job history update issue in the scheduler (Issue #187)
+ * Fixed job-pages-per-set value for duplex print jobs.
+ * Fixed an edge case in ippReadIO to make sure that only complete attributes and values are retained on an error (Issue #195)
+ * Hardened ippReadIO to prevent invalid IPP messages from being propagated (Issue #195, Issue #196)
+ * The scheduler now supports the "everywhere" model directly (Issue #201)
+ * Fixed some IPP Everywhere option mapping problems (Issue #238)
+ * Fixed support for "job-hold-until" with the Restart-Job operation (Issue #250)
+ * Fixed the default color/grayscale presets for IPP Everywhere PPDs (Issue #262)
+ * Fixed support for the 'offline-report' state for all USB backends (Issue #264)
+ * Documentation fixes (Issue #92, Issue #163, Issue #177, Issue #184)
+ * Localization updates (Issue #123, Issue #129, Issue #134, Issue #146, Issue #164)
+ * USB quirk updates (Issue #192, Issue #270, Apple #5766, Apple #5838, Apple #5843, Apple #5867)
+ * Web interface updates (Issue #142, Issue #218)
+ * The ippeveprinter tool now automatically uses an available port.
+ * Fixed several Windows TLS and hashing issues.
+ * Deprecated cups-config (Issue #97)
+ * Deprecated Kerberos (AuthType Negotiate) authentication (Issue #98)
+ * Removed support for the (long deprecated and unused) FontPath, ListenBackLog, LPDConfigFile, KeepAliveTimeout, RIPCache, and SMBConfigFile directives in cupsd.conf and cups-files.conf.
+ * Stubbed out deprecated httpMD5 functions.
+ * Add test for undefined page ranges during printing.
+- Dropped patch upstream_pull_174 because it it is included in this release
+- Dropped patch cups-2.1.0-cups-systemd-socket.patch because it it is included in this release (https://github.com/OpenPrinting/cups/commit/e96e96b4bd0d4e6f634bbb66b95d6e475501541c)
+- Changed upstream source packages signing key (https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579)
+- Re-enabled testsuite
+ * Also removed make check because since upstream change the two target are identical (https://github.com/OpenPrinting/cups/commit/96ba46ebc818b610b0e40cbc9d62ef1dcd3ec9b6#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52R239)
+- Changed cups-2.1.0-cups-systemd-socket.patch to accomodate new coding style
+- Changed cups-config-libs.orig to accommodate recent code changes (SSL->TLS)
+- Changed cups-2.1.0-default-webcontent-path.patch to accommodate code changes
+
+-------------------------------------------------------------------
Tue Feb 1 09:18:27 UTC 2022 - jsmeix@suse.de

- Enhanced harden_cups.service.patch by adding
Index: cups.keyring
===================================================================
Binary files cups.keyring (revision 380) and cups.keyring (revision 2) differ
Index: cups.spec
===================================================================
--- cups.spec (revision 380)
+++ cups.spec (revision 2)
@@ -18,9 +18,7 @@

# Cf. https://rpm.org/user_doc/conditional_builds.html
# by default enable testsuite (i.e. in the 'check' section run make check and make test)
-#bcond_without testsuite
-# disable testsuite for now until https://github.com/OpenPrinting/cups/issues/155 is fixed
-%bcond_with testsuite
+%bcond_without testsuite

# _tmpfilesdir is not defined in systemd macros up to openSUSE 13.2
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
@@ -29,34 +27,32 @@
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version: 2.3.3op2
+Version: 2.4.1
Release: 0
Summary: The Common UNIX Printing System
License: Apache-2.0
Group: Hardware/Printing
URL: https://openprinting.github.io/cups
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.3.3op2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz
-Source0: https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.1-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz
+Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.3.3op2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz.sig
-Source1: https://github.com/OpenPrinting/cups/releases/download/v2.3.3op2/cups-2.3.3op2-source.tar.gz.sig
-# To get Source2 go to https://www.msweet.org/pgp.html
-# PGP Fingerprint: 845464660B686AAB36540B6F999559A027815955
+# wget --no-check-certificate -O cups-2.4.1-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz.sig
+Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.1/cups-2.4.1-source.tar.gz.sig
+# To get Source2 use gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
+# See https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579
+# PGP Fingerprint: 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
Source2: cups.keyring
# To manually verify Source0 with Source1 and Source2 do e.g.
# gpg --import cups.keyring
-# gpg --list-keys | grep -1 'Michael R Sweet' | grep -v 'expired'
-# gpg --verify cups-2.3.3op2-source.tar.gz.sig cups-2.3.3op2-source.tar.gz
+# gpg --list-keys | grep -1 'Zdenek Dohnal'
+# gpg --verify cups-2.4.1-source.tar.gz.sig cups-2.4.1-source.tar.gz
Source102: Postscript.ppd.gz
Source105: Postscript-level1.ppd.gz
Source106: Postscript-level2.ppd.gz
Source108: cups-client.conf
Source109: baselibs.conf
# Patch0...Patch9 is for patches from upstream:
-# Patch1 upstream_pull_174.patch is https://github.com/OpenPrinting/cups/pull/174
-# Use 60s timeout for read_thread, revert read limits
-Patch1: upstream_pull_174.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
@@ -66,8 +62,6 @@
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments:
Patch11: cups-2.1.0-default-webcontent-path.patch
-# Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly:
-Patch12: cups-2.1.0-cups-systemd-socket.patch
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
Patch100: cups-pam.diff
@@ -83,9 +77,9 @@
Patch103: cups-1.4-do_not_strip_recommended_from_PPDs.patch
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
Patch104: cups-config-libs.patch
-# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
-Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
Patch107: harden_cups.service.patch
+# Patch108 downgrades the autoconf requirement to the autoconf available in tumbleweed as of writing
+Patch108: downgrade-autoconf-requirement.patch
# Build Requirements:
BuildRequires: dbus-1-devel
BuildRequires: fdupes
@@ -280,9 +274,6 @@
%prep
%setup -q
# Patch0...Patch9 is for patches from upstream:
-# Patch1 upstream_pull_174.patch is https://github.com/OpenPrinting/cups/pull/174
-# Use 60s timeout for read_thread, revert read limits
-%patch1 -p1
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
%patch10 -b choose-uri-template.orig
@@ -291,8 +282,6 @@
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
# and http://bugzilla.novell.com/show_bug.cgi?id=546023#c6 and subsequent comments:
%patch11 -b default-webcontent-path.orig
-# Patch12 cups-2.1.0-cups-systemd-socket.patch Use systemd socket activation properly:
-#patch12 -b cups-systemd-socket.orig
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
%patch100 -b cups-pam.orig
@@ -308,9 +297,8 @@
%patch103 -b do_not_strip_recommended_from_PPDs.orig
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
%patch104 -b cups-config-libs.orig
-# Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
-%patch106 -p1
%patch107 -p1
+%patch108 -p1

%build
# Remove ".SILENT" rule for verbose build output
@@ -439,8 +427,6 @@
# There appears to be some kind of race condition when running make check and make test
# cf. https://github.com/OpenPrinting/cups/issues/155
# We print all logs for debugging purposes if either testsuite fails
-echo "DEBUG: running make check"
-bash -c 'make %{?_smp_mflags} check; EXIT=$?; if [ $EXIT -ne 0 ]; then cat test/*_log*-$(whoami); fi; exit $EXIT'
echo "DEBUG: running make test"
bash -c 'make %{?_smp_mflags} test; EXIT=$?; if [ $EXIT -ne 0 ]; then cat test/*_log*-$(whoami); fi; exit $EXIT'
%else
@@ -681,6 +667,7 @@

%files devel
%defattr(-,root,root)
+/usr/lib/pkgconfig/cups.pc
%{_includedir}/cups/
%{_libdir}/libcups.so
%{_libdir}/libcupsimage.so
Index: cups-2.4.1-source.tar.gz
===================================================================
Binary file cups-2.4.1-source.tar.gz (revision 2) added
Index: cups-2.4.1-source.tar.gz.sig
===================================================================
Binary file cups-2.4.1-source.tar.gz.sig (revision 2) added
Index: downgrade-autoconf-requirement.patch
===================================================================
--- downgrade-autoconf-requirement.patch (added)
+++ downgrade-autoconf-requirement.patch (revision 2)
@@ -0,0 +1,15 @@
+diff --git a/configure.ac b/configure.ac
+index a8c6c1040..6ace74a8d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0. See the file "LICENSE" for more
+ dnl information.
+ dnl
+
+-dnl We need at least autoconf 2.71...
+-AC_PREREQ([2.71])
++dnl We need at least autoconf 2.69...
++AC_PREREQ([2.69])
+
+ dnl Package name and version...
+ AC_INIT([CUPS],[2.4.1],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
Index: cups-2.1.0-cups-systemd-socket.patch
===================================================================
--- cups-2.1.0-cups-systemd-socket.patch (revision 380)
+++ cups-2.1.0-cups-systemd-socket.patch (deleted)
@@ -1,43 +0,0 @@
---- scheduler/main.c.orig 2015-06-08 20:32:35.000000000 +0200
-+++ scheduler/main.c 2015-09-01 11:19:36.000000000 +0200
-@@ -656,7 +656,15 @@ main(int argc, /* I - Number of comm
-
- #if defined(HAVE_LAUNCHD) || defined(HAVE_SYSTEMD)
- if (OnDemand)
-+ {
- cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started on demand.");
-+# ifdef HAVE_SYSTEMD
-+ sd_notifyf(0, "READY=1\n"
-+ "STATUS=Scheduler is running...\n"
-+ "MAINPID=%lu",
-+ (unsigned long) getpid());
-+# endif /* HAVE_SYSTEMD */
-+ }
- else
- #endif /* HAVE_LAUNCHD || HAVE_SYSTEMD */
- if (fg)
---- scheduler/org.cups.cupsd.path.in.orig 2014-03-21 15:50:24.000000000 +0100
-+++ scheduler/org.cups.cupsd.path.in 2015-09-01 11:20:37.000000000 +0200
-@@ -3,6 +3,7 @@ Description=CUPS Scheduler
-
- [Path]
- PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
-+PathExistsGlob=@CUPS_REQUESTS@/d*
-
- [Install]
- WantedBy=multi-user.target
---- scheduler/org.cups.cupsd.service.in.orig 2014-10-21 13:54:05.000000000 +0200
-+++ scheduler/org.cups.cupsd.service.in 2015-09-01 11:22:09.000000000 +0200
-@@ -1,10 +1,11 @@
- [Unit]
- Description=CUPS Scheduler
- Documentation=man:cupsd(8)
-+After=network.target
-
- [Service]
- ExecStart=@sbindir@/cupsd -l
--Type=simple
-+Type=notify
-
- [Install]
- Also=org.cups.cupsd.socket org.cups.cupsd.path
Index: cups-2.3.3op2-source.tar.gz
===================================================================
Binary file cups-2.3.3op2-source.tar.gz (revision 380) deleted
Index: cups-2.3.3op2-source.tar.gz.sig
===================================================================
Binary file cups-2.3.3op2-source.tar.gz.sig (revision 380) deleted
Index: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
===================================================================
--- fix-negotiate-authentication-between-CGIs-and-scheduler.patch (revision 380)
+++ fix-negotiate-authentication-between-CGIs-and-scheduler.patch (deleted)
@@ -1,223 +0,0 @@
-From d4521ed0df7e625ccf2bc079bab6f48c46ef9bf9 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero
-Date: Mon, 26 Oct 2020 17:35:22 +0100
-Subject: [PATCH 1/4] Avoid infinite loop in admin.cgi when negotiate is used
-
-SetAuthorizationString with NULL argument sets an empty string.
-
-Related: #5596
-
-Signed-off-by: Samuel Cabrero
----
- cups/auth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index db45bbba6..f2409350a 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -295,7 +295,7 @@ cupsDoAuthentication(
- }
- }
-
-- if (http->authstring)
-+ if (http->authstring && http->authstring[0])
- {
- DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
-
---
-2.30.2
-
-
-From 61ad7780bc7d0593e3225d088ac6dff31badf801 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero
-Date: Tue, 27 Oct 2020 16:11:41 +0100
-Subject: [PATCH 2/4] Add cups_is_local_connection() to check if connection is
- to localhost
-
-Related: #5596
-
-Signed-off-by: Samuel Cabrero
----
- cups/auth.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index f2409350a..d2956438d 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -90,6 +90,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
- # define cups_gss_printf(major, minor, message)
- # endif /* DEBUG */
- #endif /* HAVE_GSSAPI */
-+static int cups_is_local_connection(http_t *http);
- static int cups_local_auth(http_t *http);
-
-
-@@ -916,6 +917,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
- # endif /* DEBUG */
- #endif /* HAVE_GSSAPI */
-
-+static int /* O - 0 if not a local connection */
-+ /* 1 if local connection */
-+cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
-+{
-+ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
-+ return 0;
-+ return 1;
-+}
-
- /*
- * 'cups_local_auth()' - Get the local authorization certificate if
-@@ -958,7 +967,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
- * See if we are accessing localhost...
- */
-
-- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
-+ if (!cups_is_local_connection(http))
- {
- DEBUG_puts("8cups_local_auth: Not a local connection!");
- return (1);
---
-2.30.2
-
-
-From f629d079750a86b1b605c285f99c0dea3933ca50 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero
-Date: Tue, 27 Oct 2020 16:23:30 +0100
-Subject: [PATCH 3/4] Try local kerberos ccache credentials only for remote
- servers
-
-If connecting to localhost then proceed to ask the client for the
-authorization using cupsGetPassword2. The get password callback will
-return 401 to the client with WWW-Authenticate: Negotiate.
-
-Fixes: #5596
-
-Signed-off-by: Samuel Cabrero
----
- cups/auth.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index d2956438d..9661657fc 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -175,10 +175,10 @@ cupsDoAuthentication(
- DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
-
- #ifdef HAVE_GSSAPI
-- if (!_cups_strcasecmp(scheme, "Negotiate"))
-+ if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
- {
- /*
-- * Kerberos authentication...
-+ * Kerberos authentication to remote server...
- */
-
- int gss_status; /* Auth status */
-@@ -202,7 +202,9 @@ cupsDoAuthentication(
- }
- else
- #endif /* HAVE_GSSAPI */
-- if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
-+ if (_cups_strcasecmp(scheme, "Basic") &&
-+ _cups_strcasecmp(scheme, "Digest") &&
-+ _cups_strcasecmp(scheme, "Negotiate"))
- {
- /*
- * Other schemes not yet supported...
-@@ -216,7 +218,7 @@ cupsDoAuthentication(
- * See if we should retry the current username:password...
- */
-
-- if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
-+ if (http->digest_tries > 1 || !http->userpass[0])
- {
- /*
- * Nope - get a new password from the user...
---
-2.30.2
-
-
-From 0563a28b18b21d5574a5e0e38b74246146074bbf Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero
-Date: Tue, 27 Oct 2020 16:18:03 +0100
-Subject: [PATCH 4/4] Allow Local authentication for Negotiate
-
-PeerCred is also possible if address family is AF_LOCAL. This will allow
-the CGI programs to generate the authorization from the local
-certificates based on PID also when Negotiate is used for local
-connections:
-
-Client CGI
-Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler
- | | |
- + --- HTTP/POST /admin/ --> | |
- | + --- CUPS-Get-Devices ------------> |
- | | |
- | | <-- 401 Unauthorized --------------+
- | | WWW-Authenticate: |
- | | Negotiate, (PeerCred,) Local |
- | | |
- | <-- 401 Unauthorized -----+ |
- | WWW-Authenticate: | |
- | Negotiate | |
- | | |
- | --- HTTP/POST /admin/ --> | |
- | Authorization: + --- IPP CUPS-GetDevices ---------> |
- | Negotiate | Authorization: Local |
- | | |
-
-Fixes: #5596
-
-Signed-off-by: Samuel Cabrero
----
- cups/auth.c | 5 -----
- scheduler/client.c | 9 ++-------
- 2 files changed, 2 insertions(+), 12 deletions(-)
-
-diff --git a/cups/auth.c b/cups/auth.c
-index 9661657fc..b6fec6b98 100644
---- a/cups/auth.c
-+++ b/cups/auth.c
-@@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
- }
- # endif /* HAVE_AUTHORIZATION_H */
-
--# ifdef HAVE_GSSAPI
-- if (cups_auth_find(www_auth, "Negotiate"))
-- return (1);
--# endif /* HAVE_GSSAPI */
--
- # if defined(SO_PEERCRED) && defined(AF_LOCAL)
- /*
- * See if we can authenticate using the peer credentials provided over a
-diff --git a/scheduler/client.c b/scheduler/client.c
-index c2ee8f12a..56797d58d 100644
---- a/scheduler/client.c
-+++ b/scheduler/client.c
-@@ -2109,18 +2109,13 @@ cupsdSendHeader(
- }
- else if (auth_type == CUPSD_AUTH_NEGOTIATE)
- {
--#if defined(SO_PEERCRED) && defined(AF_LOCAL)
-- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
-- strlcpy(auth_str, "PeerCred", sizeof(auth_str));
-- else
--#endif /* SO_PEERCRED && AF_LOCAL */
- strlcpy(auth_str, "Negotiate", sizeof(auth_str));
- }
-
-- if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
-+ if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
- {
- /*
-- * Add a "trc" (try root certification) parameter for local non-Kerberos
-+ * Add a "trc" (try root certification) parameter for local
- * requests when the request requires system group membership - then the
- * client knows the root certificate can/should be used.
- *
---
-2.30.2
-
Index: upstream_pull_174.patch
===================================================================
--- upstream_pull_174.patch (revision 380)
+++ upstream_pull_174.patch (deleted)
@@ -1,53 +0,0 @@
-From c37d71b1a31d26a4790166e2508822b18934a5c0 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal
-Date: Tue, 13 Apr 2021 15:44:14 +0200
-Subject: [PATCH 1/2] backend/usb-libusb.c: Use 60s timeout for reading at
- backchannel
-
-Some older models malfunction if timeout is too short.
----
- CHANGES.md | 1 +
- backend/usb-libusb.c | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
---- a/backend/usb-libusb.c
-+++ b/backend/usb-libusb.c
-@@ -1704,7 +1704,7 @@ static void *read_thread(void *reference)
- readstatus = libusb_bulk_transfer(g.printer->handle,
- g.printer->read_endp,
- readbuffer, rbytes,
-- &rbytes, 250);
-+ &rbytes, 60000);
- if (readstatus == LIBUSB_SUCCESS && rbytes > 0)
- {
- fprintf(stderr, "DEBUG: Read %d bytes of back-channel data...\n", (int)rbytes);
-
-From 4cb6f6806cdbe040d478b266a1d351b19341dd79 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal
-Date: Tue, 13 Apr 2021 15:47:37 +0200
-Subject: [PATCH 2/2] backend/usb-libusb.c: Revert enforcing read limits
-
-This commit reverts the change introduced by 2.2.12 [1] - its
-implementation caused a regression with Lexmark filters.
-
-[1]
-https://github.com/apple/cups/commit/35e927f83529cd9b4bc37bcd418c50e307fced35
----
- CHANGES.md | 1 +
- backend/usb-libusb.c | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/backend/usb-libusb.c b/backend/usb-libusb.c
-index fbb0d9d89..89b5182f7 100644
---- a/backend/usb-libusb.c
-+++ b/backend/usb-libusb.c
-@@ -1721,7 +1721,8 @@ static void *read_thread(void *reference)
- * Make sure this loop executes no more than once every 250 miliseconds...
- */
-
-- if ((g.wait_eof || !g.read_thread_stop))
-+ if ((readstatus != LIBUSB_SUCCESS || rbytes == 0) &&
-+ (g.wait_eof || !g.read_thread_stop))
- usleep(250000);
- }
- while (g.wait_eof || !g.read_thread_stop);