summaryrefslogtreecommitdiff
path: root/print
diff options
context:
space:
mode:
authordrochner <drochner@pkgsrc.org>2011-07-13 19:58:54 +0000
committerdrochner <drochner@pkgsrc.org>2011-07-13 19:58:54 +0000
commitceffedba3e9c3f4603553f8bfd4d4a8b38c170e6 (patch)
tree581c549b0c79e53ecf901fe20bec6cad0ca79f7a /print
parent2a1c9380a2b24f4343fd112463833c977d36622a (diff)
downloadpkgsrc-ceffedba3e9c3f4603553f8bfd4d4a8b38c170e6.tar.gz
add a patch from Suse bug #698451 (which is said there to originate
from upstream but I couldn't locate it) to fix possible injection of shell commands in print requests which would be executed as the "lp" user bump PKGREV
Diffstat (limited to 'print')
-rw-r--r--print/foomatic4-filters/Makefile3
-rw-r--r--print/foomatic4-filters/distinfo4
-rw-r--r--print/foomatic4-filters/patches/patch-ac216
3 files changed, 215 insertions, 8 deletions
diff --git a/print/foomatic4-filters/Makefile b/print/foomatic4-filters/Makefile
index 89cd55e1eb8..8a2eaaf5967 100644
--- a/print/foomatic4-filters/Makefile
+++ b/print/foomatic4-filters/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.9 2011/01/17 14:14:52 drochner Exp $
+# $NetBSD: Makefile,v 1.10 2011/07/13 19:58:54 drochner Exp $
DISTNAME= foomatic-filters-4.0.6
+PKGREVISION= 1
CATEGORIES= print
MASTER_SITES= http://www.linuxprinting.org/download/foomatic/
diff --git a/print/foomatic4-filters/distinfo b/print/foomatic4-filters/distinfo
index 3ab1946ce0a..38b1e0c77ab 100644
--- a/print/foomatic4-filters/distinfo
+++ b/print/foomatic4-filters/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.3 2011/01/17 14:14:52 drochner Exp $
+$NetBSD: distinfo,v 1.4 2011/07/13 19:58:54 drochner Exp $
SHA1 (foomatic-filters-4.0.6.tar.gz) = 5ebeb6fbf856433053bb5dc8d6a2fde824b88efd
RMD160 (foomatic-filters-4.0.6.tar.gz) = a218d8d279cb7256194b11323ed823095f65e152
Size (foomatic-filters-4.0.6.tar.gz) = 244365 bytes
-SHA1 (patch-ac) = 5013be198bca54423d520382bf686e9c6280dc43
+SHA1 (patch-ac) = 2f5a9e529517befef2639611a0099edd9b38a81e
SHA1 (patch-ad) = 40f620a2f26d0872f87a2e332dd45853634ca5dc
diff --git a/print/foomatic4-filters/patches/patch-ac b/print/foomatic4-filters/patches/patch-ac
index 9f104c3a2e6..ebf605d6473 100644
--- a/print/foomatic4-filters/patches/patch-ac
+++ b/print/foomatic4-filters/patches/patch-ac
@@ -1,8 +1,8 @@
-$NetBSD: patch-ac,v 1.1.1.1 2009/11/20 20:50:43 drochner Exp $
+$NetBSD: patch-ac,v 1.2 2011/07/13 19:58:54 drochner Exp $
---- foomaticrip.c.orig 2009-01-14 20:23:15.000000000 +0100
+--- foomaticrip.c.orig 2011-07-13 13:54:29.000000000 +0000
+++ foomaticrip.c
-@@ -153,7 +153,7 @@ char cupsfilterpath[PATH_MAX] = "/usr/lo
+@@ -177,7 +177,7 @@ char cupsfilterpath[PATH_MAX] = "/usr/lo
"/opt/cups/filter:"
"/usr/lib/cups/filter";
@@ -11,7 +11,7 @@ $NetBSD: patch-ac,v 1.1.1.1 2009/11/20 20:50:43 drochner Exp $
void config_set_option(const char *key, const char *value)
{
-@@ -968,6 +968,7 @@ int print_file(const char *filename, int
+@@ -1059,6 +1059,7 @@ int print_file(const char *filename, int
if (dup2(fileno(out), fileno(stdin)) < 0)
rip_die(EXIT_PRNERR_NORETRY_BAD_SETTINGS,
"Couldn't dup stdout of pdf-to-ps\n");
@@ -19,7 +19,7 @@ $NetBSD: patch-ac,v 1.1.1.1 2009/11/20 20:50:43 drochner Exp $
ret = print_file("<STDIN>", 0);
-@@ -999,6 +1000,7 @@ int print_file(const char *filename, int
+@@ -1090,6 +1091,7 @@ int print_file(const char *filename, int
/* Read further data from the file converter and not from STDIN */
if (dup2(fileno(fchandle), fileno(stdin)) < 0)
rip_die(EXIT_PRNERR_NORETRY_BAD_SETTINGS, "Couldn't dup fileconverterhandle\n");
@@ -27,3 +27,209 @@ $NetBSD: patch-ac,v 1.1.1.1 2009/11/20 20:50:43 drochner Exp $
ret = print_file("<STDIN>", 0);
+@@ -1236,8 +1238,11 @@ int main(int argc, char** argv)
+ }
+
+ /* Check for LPRng first so we do not pick up bogus ppd files by the -ppd option */
+- if (arglist_remove_flag(arglist, "--lprng"))
+- spooler = SPOOLER_LPRNG;
++ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR &&
++ spooler != SPOOLER_PPR_INT) {
++ if (arglist_remove_flag(arglist, "--lprng"))
++ spooler = SPOOLER_LPRNG;
++ }
+
+ /* 'PRINTCAP_ENTRY' environment variable is : LPRng
+ the :ppd=/path/to/ppdfile printcap entry should be used */
+@@ -1259,96 +1264,104 @@ int main(int argc, char** argv)
+ }
+ }
+
+- /* PPD file name given via the command line
+- allow duplicates, and use the last specified one */
+- if (spooler != SPOOLER_LPRNG) {
+- while ((str = arglist_get_value(arglist, "-p"))) {
+- strncpy(job->ppdfile, str, 256);
+- arglist_remove(arglist, "-p");
+- }
+- }
+- while ((str = arglist_get_value(arglist, "--ppd"))) {
+- strncpy(job->ppdfile, str, 256);
+- arglist_remove(arglist, "--ppd");
+- }
+-
+- /* Check for LPD/GNUlpr by typical options which the spooler puts onto
+- the filter's command line (options "-w": text width, "-l": text
+- length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing,
+- "-n": user name, "-h": host name) */
+- if ((str = arglist_get_value(arglist, "-h"))) {
+- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+- spooler = SPOOLER_LPD;
+- strncpy(job->host, str, 127);
+- job->host[127] = '\0';
+- arglist_remove(arglist, "-h");
+- }
+- if ((str = arglist_get_value(arglist, "-n"))) {
+- if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+- spooler = SPOOLER_LPD;
+-
+- strncpy(job->user, str, 127);
+- job->user[127] = '\0';
+- arglist_remove(arglist, "-n");
+- }
+- if (arglist_remove(arglist, "-w") ||
+- arglist_remove(arglist, "-l") ||
+- arglist_remove(arglist, "-x") ||
+- arglist_remove(arglist, "-y") ||
+- arglist_remove(arglist, "-i") ||
+- arglist_remove_flag(arglist, "-c")) {
++ /* CUPS calls foomatic-rip only with 5 or 6 positional parameters,
++ not with named options, like for example "-p <string>". Also PPR
++ does not used named options. */
++ if (spooler != SPOOLER_CUPS && spooler != SPOOLER_PPR &&
++ spooler != SPOOLER_PPR_INT) {
++ /* Check for LPD/GNUlpr by typical options which the spooler puts onto
++ the filter's command line (options "-w": text width, "-l": text
++ length, "-i": indent, "-x", "-y": graphics size, "-c": raw printing,
++ "-n": user name, "-h": host name) */
++ if ((str = arglist_get_value(arglist, "-h"))) {
++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
++ spooler = SPOOLER_LPD;
++ strncpy(job->host, str, 127);
++ job->host[127] = '\0';
++ arglist_remove(arglist, "-h");
++ }
++ if ((str = arglist_get_value(arglist, "-n"))) {
+ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
+ spooler = SPOOLER_LPD;
+- }
+- /* LPRng delivers the option settings via the "-Z" argument */
+- if ((str = arglist_get_value(arglist, "-Z"))) {
+- spooler = SPOOLER_LPRNG;
+- dstrcatf(job->optstr, "%s ", str);
+- arglist_remove(arglist, "-Z");
+- }
+- /* Job title and options for stock LPD */
+- if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) {
+- strncpy_omit(job->title, str, 128, omit_shellescapes);
+- if (spooler == SPOOLER_LPD)
+- dstrcatf(job->optstr, "%s ", job->title);
+- if (!arglist_remove(arglist, "-j"))
+- arglist_remove(arglist, "-J");
+- }
+- /* Check for CPS */
+- if (arglist_remove_flag(arglist, "--cps") > 0)
+- spooler = SPOOLER_CPS;
+-
+- /* Options for spooler-less printing, CPS, or PDQ */
+- while ((str = arglist_get_value(arglist, "-o"))) {
+- strncpy_omit(tmp, str, 1024, omit_shellescapes);
+- dstrcatf(job->optstr, "%s ", tmp);
+- arglist_remove(arglist, "-o");
+- /* If we don't print as PPR RIP or as CPS filter, we print
+- without spooler (we check for PDQ later) */
+- if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS)
+- spooler = SPOOLER_DIRECT;
+- }
+-
+- /* Printer for spooler-less printing or PDQ */
+- if ((str = arglist_get_value(arglist, "-d"))) {
+- strncpy_omit(job->printer, str, 256, omit_shellescapes);
+- arglist_remove(arglist, "-d");
+- }
+-
+- /* Printer for spooler-less printing, PDQ, or LPRng */
+- if ((str = arglist_get_value(arglist, "-P"))) {
+- strncpy_omit(job->printer, str, 256, omit_shellescapes);
+- arglist_remove(arglist, "-P");
+- }
+-
+- /* Were we called from a PDQ wrapper? */
+- if (arglist_remove_flag(arglist, "--pdq"))
+- spooler = SPOOLER_PDQ;
+
+- /* Were we called to build the PDQ driver declaration file? */
+- genpdqfile = check_pdq_file(arglist);
+- if (genpdqfile)
+- spooler = SPOOLER_PDQ;
++ strncpy(job->user, str, 127);
++ job->user[127] = '\0';
++ arglist_remove(arglist, "-n");
++ }
++ if (arglist_remove(arglist, "-w") ||
++ arglist_remove(arglist, "-l") ||
++ arglist_remove(arglist, "-x") ||
++ arglist_remove(arglist, "-y") ||
++ arglist_remove(arglist, "-i") ||
++ arglist_remove_flag(arglist, "-c")) {
++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG)
++ spooler = SPOOLER_LPD;
++ }
++ /* LPRng delivers the option settings via the "-Z" argument */
++ if ((str = arglist_get_value(arglist, "-Z"))) {
++ spooler = SPOOLER_LPRNG;
++ dstrcatf(job->optstr, "%s ", str);
++ arglist_remove(arglist, "-Z");
++ }
++ /* Job title and options for stock LPD */
++ if ((str = arglist_get_value(arglist, "-j")) || (str = arglist_get_value(arglist, "-J"))) {
++ strncpy_omit(job->title, str, 128, omit_shellescapes);
++ if (spooler == SPOOLER_LPD)
++ dstrcatf(job->optstr, "%s ", job->title);
++ if (!arglist_remove(arglist, "-j"))
++ arglist_remove(arglist, "-J");
++ }
++
++ /* Check for CPS */
++ if (arglist_remove_flag(arglist, "--cps") > 0)
++ spooler = SPOOLER_CPS;
++
++ /* PPD file name given via the command line
++ allow duplicates, and use the last specified one */
++ if (spooler != SPOOLER_GNULPR && spooler != SPOOLER_LPRNG &&
++ spooler != SPOOLER_LPD) {
++ while ((str = arglist_get_value(arglist, "-p"))) {
++ strncpy(job->ppdfile, str, 256);
++ arglist_remove(arglist, "-p");
++ }
++ while ((str = arglist_get_value(arglist, "--ppd"))) {
++ strncpy(job->ppdfile, str, 256);
++ arglist_remove(arglist, "--ppd");
++ }
++ }
++
++ /* Options for spooler-less printing, CPS, or PDQ */
++ while ((str = arglist_get_value(arglist, "-o"))) {
++ strncpy_omit(tmp, str, 1024, omit_shellescapes);
++ dstrcatf(job->optstr, "%s ", tmp);
++ arglist_remove(arglist, "-o");
++ /* If we don't print as PPR RIP or as CPS filter, we print
++ without spooler (we check for PDQ later) */
++ if (spooler != SPOOLER_PPR && spooler != SPOOLER_CPS)
++ spooler = SPOOLER_DIRECT;
++ }
++
++ /* Printer for spooler-less printing or PDQ */
++ if ((str = arglist_get_value(arglist, "-d"))) {
++ strncpy_omit(job->printer, str, 256, omit_shellescapes);
++ arglist_remove(arglist, "-d");
++ }
++
++ /* Printer for spooler-less printing, PDQ, or LPRng */
++ if ((str = arglist_get_value(arglist, "-P"))) {
++ strncpy_omit(job->printer, str, 256, omit_shellescapes);
++ arglist_remove(arglist, "-P");
++ }
++
++ /* Were we called from a PDQ wrapper? */
++ if (arglist_remove_flag(arglist, "--pdq"))
++ spooler = SPOOLER_PDQ;
++
++ /* Were we called to build the PDQ driver declaration file? */
++ genpdqfile = check_pdq_file(arglist);
++ if (genpdqfile)
++ spooler = SPOOLER_PDQ;
++ }
+
+ /* spooler specific initialization */
+ switch (spooler) {