Upgrade cups to version 1.3.9 in order to fix CVE-2008-3639, CVE-2008-3640

and CVE-2008-3641. Also, it fixes a ton of bugs and has portability
enhancements. Full list of changes:

 - SECURITY: The HP-GL/2 filter did not range check pen numbers
   (STR #2911)
 - SECURITY: The SGI image file reader did not range check
   16-bit run lengths (STR #2918)
 - SECURITY: The text filter did not range check cpi, lpi, or
   column values (STR #2919)
 - Documentation updates (STR #2904, STR #2944)
 - The French web admin page was never updated (STR #2963)
 - The IPP backend did not retry print jobs when the printer
   reported itself as busy or unavailable (STR #2951)
 - The "Set Allowed Users" web interface did not handle trailing
   whitespace correctly (STR #2956)
 - The PostScript filter did not work with Adobe applications
   using custom page sizes (STR #2968)
 - The Mac OS X USB backend did not work with some printers
   that reported a bad 1284 device ID.
 - The scheduler incorrectly resolved the client connection
   address when HostNameLookups was set to Off (STR #2946)
 - The IPP backend incorrectly stopped the local queue if
   the remote server reported the "paused" state.
 - The cupsGetDests() function did not catch all types of
   request errors.
 - The scheduler did not always log "job queued" messages
   (STR #2943)
 - The scheduler did not support destination filtering using
   the printer-location attribute properly (STR #2945)
 - The scheduler did not send the server-started,
   server-restarted, or server-stopped events (STR #2927)
 - The scheduler no longer enforces configuration file
   permissions on symlinked files (STR #2937)
 - CUPS now reinitializes the DNS resolver on failures
   (STR #2920)
 - The CUPS desktop menu item was broken (STR #2924)
 - The PPD parser was too strict about missing keyword
   values in "relaxed" mode.
 - The PostScript filter incorrectly mirrored landscape
   documents.
 - The scheduler did not correctly update the
   auth-info-required value(s) if the AuthType was Default.
 - The scheduler required Kerberos authentication for
   all operations on remote Kerberized printers instead
   of just for the operations that needed it.
 - The socket backend could wait indefinitely for back-
   channel data with some devices.
 - PJL panel messages were not reset correctly on older
   printers (STR #2909)
 - cupsfilter used the wrong default path (STR #2908)
 - Fixed address matching for "BrowseAddress @IF(name)"
   (STR #2910)
 - Fixed compiles on AIX.
 - Firefox 3 did not work with the CUPS web interface in SSL
   mode (STR #2892)
 - Custom options with multiple parameters were not emitted
   correctly.
 - Refined the cupstestppd utility.
 - ppdEmit*() did not support custom JCL options (STR #2889)
 - The cupstestppd utility incorrectly reported missing
   "en" base translations (STR #2887)
 - Documentation updates (STR #2785, STR #2861, STR #2862)
 - The scheduler did not add the ending job sheet when the
   job was released.
 - The IPP backend did not relay marker-* attributes.
 - The CUPS GNOME/KDE menu item was not localized for
   Chinese (STR #2880)
 - The CUPS GNOME/KDE menu item was not localized for
   Japanese (STR #2876)
 - The cupstestppd utility reported mixed line endings for
   Mac OS and Windows PPD files (STR #2874)
 - The pdftops filter did not print landscape orientation PDF
   pages correctly on all printers (STR #2850)
 - The scheduler did not handle expiring of implicit classes
   or their members properly, leading to a configuration where
   one of the members would have a short name (STR #2766)
 - The scheduler and cupstestppd utilities did not support
   cupsFilter and cupsPreFilter programs with spaces in their
   names (STR #2866)
 - Removed unused variables and assignments found by the
   LLVM "clang" tool.
 - Added NULL checks recommended by the LLVM "clang" tool.
 - The scheduler would crash if you started a printer that
   pointed to a backend that did not exist (STR #2865)
 - The ppdLocalize functions incorrectly mapped all generic
   locales to country-specific locales.
 - The cups-driverd program did not support Simplified Chinese
   or Traditional Chinese language version strings (STR #2851)
 - Added an Indonesian translation (STR #2792)
 - Fixed a timing issue in the backends that could cause data
   corruption with the CUPS_SC_CMD_DRAIN_OUTPUT side-channel
   command (STR #2858)
 - The scheduler did not support "HostNameLookups" with all of
   the boolean names (STR #2861)
 - Fixed a compile problem with glibc 2.8 (STR #2860)
 - The PostScript filter did not support %%IncludeFeature lines
   in the page setup section of each page (STR #2831)
 - The scheduler did not generate printer-state events when the
   default printer was changed (STR #2764)
 - cupstestppd incorrectly reported a warning about the PPD format
   version in some locales (STR #2854)
 - cupsGetPPD() and friends incorrectly returned a PPD file for
   a class with no printers.
 - The member-uris values for local printers in a class returned
   by the scheduler did not reflect the connected hostname or
   port.
 - The CUPS PHP extension was not thread-safe (STR #2828)
 - The scheduler incorrectly added the document-format-default
   attribute to the list of "common" printer attributes, which
   over time would slow down the printing system (STR #2755,
   STR #2836)
 - The cups-deviced and cups-driverd helper programs did not set
   the CFProcessPath environment variable on Mac OS X (STR #2837)
 - "lpstat -p" could report the wrong job as printing (STR #2845)
 - The scheduler would crash when some cupsd.conf directives
   were missing values (STR #2849)
 - The web interface "move jobs" operation redirected users to
   the wrong URL (STR #2815)
 - The Polish web interface translation contained errors
   (STR #2815)
 - The scheduler did not report PostScript printer PPDs with
   filters as PostScript devices.
 - The scheduler did not set the job document-format attribute
   for jobs submitted using Create-Job and Send-Document.
 - cupsFileTell() did not work for log files opened in append
   mode (STR #2810)
 - The scheduler did not set QUERY_STRING all of the time
   for CGI scripts (STR #2781, STR #2816)
 - The scheduler now returns an error for bad job-sheets
   values (STR #2775)
 - Authenticated remote printing did not work over domain
   sockets (STR #2750)
 - The scheduler incorrectly logged errors for print filters
   when a job was canceled (STR #2806, #2808)
 - The scheduler no longer allows multiple RSS subscriptions
   with the same URI (STR #2789)
 - The scheduler now supports Kerberized printing with
   multiple server names (STR #2783)
 - "Satisfy any" did not work in IPP policies (STR #2782)
 - The CUPS imaging library would crash with very large
   images - more than 16Mx16M pixels (STR #2805)
 - The PNG image loading code would crash with large images
   (STR #2790)
 - The scheduler did not limit the total number of filters.
 - The scheduler now ensures that the RSS directory has
   the correct permissions.
 - The RSS notifier did not quote the feed URL in the RSS
   file it created (STR #2801)
 - The web interface allowed the creation and cancellation
   of RSS subscriptions without a username (STR #2774)
 - Increased the default MaxCopies value on Mac OS X to
   9999 to match the limit imposed by the print dialog.
 - The scheduler did not reject requests with an empty
   Content-Length field (STR #2787)
 - The scheduler did not log the current date and time and
   did not escape special characters in request URIs when
   logging bad requests to the access_log file (STR #2788)

4 files changed, 135 insertions, 81 deletions

diff --git a/print/cups/Makefile b/print/cups/Makefile
index b6abf1f7cb5..22223d0ca2e 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.135 2008/08/23 07:47:00 obache Exp $
+# $NetBSD: Makefile,v 1.136 2008/10/22 21:48:15 tonnerre Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution.  The correct place to send patches or bug-fixes is:
@@ -6,8 +6,7 @@
 
 DISTNAME=	cups-${DIST_VERS}-source
 PKGNAME=	cups-${VERS}
-PKGREVISION=	1
-BASE_VERS=	1.3.7
+BASE_VERS=	1.3.9
 DIST_VERS=	${BASE_VERS}
 VERS=		${DIST_VERS:S/-/./g}
 CATEGORIES=	print
diff --git a/print/cups/PLIST b/print/cups/PLIST
index 4ff85969135..0e9f5e57900 100644
--- a/print/cups/PLIST
+++ b/print/cups/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.24 2008/04/12 22:43:09 jlam Exp $
+@comment $NetBSD: PLIST,v 1.25 2008/10/22 21:48:16 tonnerre Exp $
 bin/cancel
 bin/cups-config
 bin/cupstestdsc
@@ -59,7 +59,6 @@ libexec/cups/monitor/bcp
 libexec/cups/monitor/tbcp
 libexec/cups/notifier/mailto
 libexec/cups/notifier/rss
-libexec/cups/notifier/testnotify
 man/man1/cancel.1
 man/man1/cups-config.1
 man/man1/cupstestdsc.1
@@ -521,6 +520,73 @@ share/cups/templates/he/users.tmpl
 share/cups/templates/header.tmpl
 share/cups/templates/help-header.tmpl
 share/cups/templates/help-printable.tmpl
+share/cups/templates/id/add-class.tmpl
+share/cups/templates/id/add-printer.tmpl
+share/cups/templates/id/add-rss-subscription.tmpl
+share/cups/templates/id/admin.tmpl
+share/cups/templates/id/choose-device.tmpl
+share/cups/templates/id/choose-make.tmpl
+share/cups/templates/id/choose-model.tmpl
+share/cups/templates/id/choose-serial.tmpl
+share/cups/templates/id/choose-uri.tmpl
+share/cups/templates/id/class-added.tmpl
+share/cups/templates/id/class-confirm.tmpl
+share/cups/templates/id/class-deleted.tmpl
+share/cups/templates/id/class-jobs-header.tmpl
+share/cups/templates/id/class-modified.tmpl
+share/cups/templates/id/classes-header.tmpl
+share/cups/templates/id/classes.tmpl
+share/cups/templates/id/edit-config.tmpl
+share/cups/templates/id/error-op.tmpl
+share/cups/templates/id/error.tmpl
+share/cups/templates/id/header.tmpl
+share/cups/templates/id/help-header.tmpl
+share/cups/templates/id/help-printable.tmpl
+share/cups/templates/id/job-cancel.tmpl
+share/cups/templates/id/job-hold.tmpl
+share/cups/templates/id/job-move.tmpl
+share/cups/templates/id/job-moved.tmpl
+share/cups/templates/id/job-release.tmpl
+share/cups/templates/id/job-restart.tmpl
+share/cups/templates/id/jobs-header.tmpl
+share/cups/templates/id/jobs.tmpl
+share/cups/templates/id/list-available-printers.tmpl
+share/cups/templates/id/maintenance.tmpl
+share/cups/templates/id/modify-class.tmpl
+share/cups/templates/id/modify-printer.tmpl
+share/cups/templates/id/norestart.tmpl
+share/cups/templates/id/option-boolean.tmpl
+share/cups/templates/id/option-conflict.tmpl
+share/cups/templates/id/option-header.tmpl
+share/cups/templates/id/option-pickmany.tmpl
+share/cups/templates/id/option-pickone.tmpl
+share/cups/templates/id/option-trailer.tmpl
+share/cups/templates/id/pager.tmpl
+share/cups/templates/id/printer-accept.tmpl
+share/cups/templates/id/printer-added.tmpl
+share/cups/templates/id/printer-configured.tmpl
+share/cups/templates/id/printer-confirm.tmpl
+share/cups/templates/id/printer-default.tmpl
+share/cups/templates/id/printer-deleted.tmpl
+share/cups/templates/id/printer-jobs-header.tmpl
+share/cups/templates/id/printer-modified.tmpl
+share/cups/templates/id/printer-purge.tmpl
+share/cups/templates/id/printer-reject.tmpl
+share/cups/templates/id/printer-start.tmpl
+share/cups/templates/id/printer-stop.tmpl
+share/cups/templates/id/printers-header.tmpl
+share/cups/templates/id/printers.tmpl
+share/cups/templates/id/restart.tmpl
+share/cups/templates/id/samba-export.tmpl
+share/cups/templates/id/samba-exported.tmpl
+share/cups/templates/id/search.tmpl
+share/cups/templates/id/set-printer-options-header.tmpl
+share/cups/templates/id/set-printer-options-trailer.tmpl
+share/cups/templates/id/subscription-added.tmpl
+share/cups/templates/id/subscription-canceled.tmpl
+share/cups/templates/id/test-page.tmpl
+share/cups/templates/id/trailer.tmpl
+share/cups/templates/id/users.tmpl
 share/cups/templates/it/add-class.tmpl
 share/cups/templates/it/add-printer.tmpl
 share/cups/templates/it/admin.tmpl
@@ -1058,6 +1124,7 @@ share/doc/cups/fr/images/button-delete-class.gif
 share/doc/cups/fr/images/button-delete-printer.gif
 share/doc/cups/fr/images/button-edit-configuration-file.gif
 share/doc/cups/fr/images/button-export-samba.gif
+share/doc/cups/fr/images/button-find-new-printers.gif
 share/doc/cups/fr/images/button-help.gif
 share/doc/cups/fr/images/button-hold-job.gif
 share/doc/cups/fr/images/button-manage-classes.gif
@@ -1218,6 +1285,62 @@ share/doc/cups/help/spec-stp.html
 share/doc/cups/help/standard.html
 share/doc/cups/help/translation.html
 share/doc/cups/help/whatsnew.html
+share/doc/cups/id/images/button-accept-jobs.gif
+share/doc/cups/id/images/button-add-class.gif
+share/doc/cups/id/images/button-add-printer.gif
+share/doc/cups/id/images/button-add-rss-subscription.gif
+share/doc/cups/id/images/button-add-this-printer.gif
+share/doc/cups/id/images/button-cancel-all-jobs.gif
+share/doc/cups/id/images/button-cancel-job.gif
+share/doc/cups/id/images/button-cancel-subscription.gif
+share/doc/cups/id/images/button-change-settings.gif
+share/doc/cups/id/images/button-clean-print-heads.gif
+share/doc/cups/id/images/button-clear.gif
+share/doc/cups/id/images/button-continue.gif
+share/doc/cups/id/images/button-delete-class.gif
+share/doc/cups/id/images/button-delete-printer.gif
+share/doc/cups/id/images/button-edit-configuration-file.gif
+share/doc/cups/id/images/button-export-samba.gif
+share/doc/cups/id/images/button-find-new-printers.gif
+share/doc/cups/id/images/button-help.gif
+share/doc/cups/id/images/button-hold-job.gif
+share/doc/cups/id/images/button-manage-classes.gif
+share/doc/cups/id/images/button-manage-jobs.gif
+share/doc/cups/id/images/button-manage-printers.gif
+share/doc/cups/id/images/button-manage-server.gif
+share/doc/cups/id/images/button-modify-class.gif
+share/doc/cups/id/images/button-modify-printer.gif
+share/doc/cups/id/images/button-move-job.gif
+share/doc/cups/id/images/button-move-jobs.gif
+share/doc/cups/id/images/button-print-self-test-page.gif
+share/doc/cups/id/images/button-print-test-page.gif
+share/doc/cups/id/images/button-publish-printer.gif
+share/doc/cups/id/images/button-reject-jobs.gif
+share/doc/cups/id/images/button-release-job.gif
+share/doc/cups/id/images/button-restart-job.gif
+share/doc/cups/id/images/button-save-changes.gif
+share/doc/cups/id/images/button-search.gif
+share/doc/cups/id/images/button-set-allowed-users.gif
+share/doc/cups/id/images/button-set-as-default.gif
+share/doc/cups/id/images/button-set-printer-options.gif
+share/doc/cups/id/images/button-show-active.gif
+share/doc/cups/id/images/button-show-all.gif
+share/doc/cups/id/images/button-show-completed.gif
+share/doc/cups/id/images/button-show-next.gif
+share/doc/cups/id/images/button-show-previous.gif
+share/doc/cups/id/images/button-sort-ascending.gif
+share/doc/cups/id/images/button-sort-descending.gif
+share/doc/cups/id/images/button-start-class.gif
+share/doc/cups/id/images/button-start-printer.gif
+share/doc/cups/id/images/button-stop-class.gif
+share/doc/cups/id/images/button-stop-printer.gif
+share/doc/cups/id/images/button-unpublish-printer.gif
+share/doc/cups/id/images/button-use-default-config.gif
+share/doc/cups/id/images/button-view-access-log.gif
+share/doc/cups/id/images/button-view-error-log.gif
+share/doc/cups/id/images/button-view-page-log.gif
+share/doc/cups/id/images/button-view-printable-version.gif
+share/doc/cups/id/index.html
 share/doc/cups/images/bottom-left.gif
 share/doc/cups/images/bottom-right.gif
 share/doc/cups/images/button-accept-jobs.gif
@@ -1580,6 +1703,7 @@ share/locale/et/cups_et.po
 share/locale/fi/cups_fi.po
 share/locale/fr/cups_fr.po
 share/locale/he/cups_he.po
+share/locale/id/cups_id.po
 share/locale/it/cups_it.po
 share/locale/ja/cups_ja.po
 share/locale/ko/cups_ko.po
@@ -1625,6 +1749,8 @@ share/locale/zh_TW/cups_zh_TW.po
 @dirrm share/doc/cups/it/images
 @dirrm share/doc/cups/it
 @dirrm share/doc/cups/images
+@dirrm share/doc/cups/id/images
+@dirrm share/doc/cups/id
 @dirrm share/doc/cups/help
 @dirrm share/doc/cups/he/images
 @dirrm share/doc/cups/he
@@ -1662,6 +1788,7 @@ share/locale/zh_TW/cups_zh_TW.po
 @dirrm share/cups/templates/ko
 @dirrm share/cups/templates/ja
 @dirrm share/cups/templates/it
+@dirrm share/cups/templates/id
 @dirrm share/cups/templates/he
 @dirrm share/cups/templates/fr
 @exec ${MKDIR} %D/share/cups/templates/fi
diff --git a/print/cups/distinfo b/print/cups/distinfo
index f467efa9199..6fe10205be5 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.56 2008/04/15 17:26:23 drochner Exp $
+$NetBSD: distinfo,v 1.57 2008/10/22 21:48:16 tonnerre Exp $
 
-SHA1 (cups-1.3.7-source.tar.bz2) = 4267822cdad2fdad44ff0885587132250bcf8dff
-RMD160 (cups-1.3.7-source.tar.bz2) = 7d3bd9dbe91e787f7032b770e576ab31cfcf6588
-Size (cups-1.3.7-source.tar.bz2) = 3895825 bytes
+SHA1 (cups-1.3.9-source.tar.bz2) = c1a596b355201320456b393446286fe3947bce16
+RMD160 (cups-1.3.9-source.tar.bz2) = ec8bd9fc6ee45648b6eb22949f44fc4cf2defd4e
+Size (cups-1.3.9-source.tar.bz2) = 3993875 bytes
 SHA1 (patch-aa) = 51ff6e66f881e445adca768d4cf2f6bd18fc36dd
 SHA1 (patch-ab) = 11936b2512fc4480a45a8efb01de0c5a29a7a6e8
 SHA1 (patch-ac) = 02fab706563f7ba01d66530f9462759689c09f04
diff --git a/print/cups/patches/patch-au b/print/cups/patches/patch-au
deleted file mode 100644
index d12daeddb35..00000000000
--- a/print/cups/patches/patch-au
+++ /dev/null
@@ -1,72 +0,0 @@
-$NetBSD: patch-au,v 1.11 2008/04/15 17:26:23 drochner Exp $
-
---- ./filter/image-png.c.orig	2007-07-11 23:46:42.000000000 +0200
-+++ ./filter/image-png.c
-@@ -3,7 +3,7 @@
-  *
-  *   PNG image routines for the Common UNIX Printing System (CUPS).
-  *
-- *   Copyright 2007 by Apple Inc.
-+ *   Copyright 2007-2008 by Apple Inc.
-  *   Copyright 1993-2007 by Easy Software Products.
-  *
-  *   These coded instructions, statements, and computer programs are the
-@@ -170,16 +170,56 @@ _cupsImageReadPNG(
-     * Interlaced images must be loaded all at once...
-     */
- 
-+    size_t bufsize;			/* Size of buffer */
-+
-+
-     if (color_type == PNG_COLOR_TYPE_GRAY ||
- 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
--      in = malloc(img->xsize * img->ysize);
-+    {
-+      bufsize = img->xsize * img->ysize;
-+
-+      if ((bufsize / img->ysize) != img->xsize)
-+      {
-+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
-+		(unsigned)width, (unsigned)height);
-+	fclose(fp);
-+	return (1);
-+      }
-+    }
-     else
--      in = malloc(img->xsize * img->ysize * 3);
-+    {
-+      bufsize = img->xsize * img->ysize * 3;
-+
-+      if ((bufsize / (img->ysize * 3)) != img->xsize)
-+      {
-+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
-+		(unsigned)width, (unsigned)height);
-+	fclose(fp);
-+	return (1);
-+      }
-+    }
-+
-+    in = malloc(bufsize);
-   }
- 
-   bpp = cupsImageGetDepth(img);
-   out = malloc(img->xsize * bpp);
- 
-+  if (!in || !out)
-+  {
-+    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
-+
-+    if (in)
-+      free(in);
-+
-+    if (out)
-+      free(out);
-+
-+    fclose(fp);
-+
-+    return (1);
-+  }
-+
-  /*
-   * Read the image, interlacing as needed...
-   */