Change logs for cups source package in Jaunty

  • cups (1.3.9-17ubuntu3.9) jaunty-security; urgency=low
    
      * SECURITY UPDATE: cross-site request forgery in admin interface
        - debian/patches/CVE-2010-0540.dpatch: add unpredictable session token
          to cgi-bin/admin.c, cgi-bin/cgi.h, cgi-bin/ipp-var.c,
          cgi-bin/template.c, cgi-bin/var.c, scheduler/client.c,
          templates/*.tmpl.
        - CVE-2010-0540
      * SECURITY UPDATE: denial of service or arbitrary code execution in
        texttops image filter
        - debian/patches/CVE-2010-0542.dpatch: make sure calloc succeeded in
          filter/texttops.c.
        - CVE-2010-0542
      * SECURITY UPDATE: web interface memory disclosure
        - debian/patches/CVE-2010-1748.dpatch: validate data in cgi-bin/var.c.
        - CVE-2010-1748
      * SECURITY UPDATE: file overwrite vulnerability
        - debian/patches/security-str3510.dpatch: introduce cups_open() in
          cups/file.c and use to make sure hard-linked or symlinked files don't
          get overwritten as root.
        - No CVE number
     -- Marc Deslauriers <email address hidden>   Fri, 18 Jun 2010 10:26:08 -0400
  • cups (1.3.9-17ubuntu3.7) jaunty-proposed; urgency=low
    
       * debian/patches/fix-lpstat.dpatch: Fix lpstat to work correctly against
         CUPS 1.4 servers. (LP: #497606)
     -- Evan Broder <email address hidden>   Wed, 03 Mar 2010 20:29:00 -0500
  • cups (1.3.9-17ubuntu3.6) jaunty-security; urgency=low
    
      * SECURITY UPDATE: denial of service via use-after-free
        - debian/patches/CVE-2009-3553.dpatch: check fdptr->use and
          cupsd_inactive_fds in scheduler/select.c.
        - CVE-2009-3553
        - CVE-2010-0302
      * SECURITY UPDATE: privilege escalation via lppasswd tool
        - debian/patches/CVE-2010-0393.dpatch: don't allow environment
          variables to override directories in cups/globals.c and
          systemv/lppasswd.c.
        - CVE-2010-0393
     -- Marc Deslauriers <email address hidden>   Thu, 25 Feb 2010 10:54:47 -0500
  • cups (1.3.9-17ubuntu3.4) jaunty-security; urgency=low
    
      * SECURITY UPDATE: XSS and CRLF injection in headers
        - debian/patches/CVE-2009-2820.dpatch: Introduce cgiClearVariables() in
          cgi-bin/{var.c,cgi.h}. Clear out variables in
          cgi-bin/{classes,help,ipp-var,jobs,printers}.c. Encode URL string and
          clear out variables in cgi-bin/admin.c. Filter more characters in
          cgi-bin/template.c.
        - CVE-2009-2820
      * debian/rules: Do not have a failing test suite break the build. This is a
        temporary workaround for broken Ubuntu buildd chroots which cannot resolve
        their own hostname (see LP #447919).
    
     -- Marc Deslauriers <email address hidden>   Sat, 31 Oct 2009 19:20:16 -0400
  • cups (1.3.9-17ubuntu3.2) jaunty-proposed; urgency=low
    
      [ Till Kamppeter ]
      * debian/rules: Switch the pdftops filter back to Poppler, as Ghostscript
        has a lot of problems in generating PostScript (LP: #382379).
      * debian/patches/pdftops-cups-1.4.dpatch: Fixes for the pdftops
        filter in Poppler mode: Do not emit PostScript level 3 as Poppler's
        PostScript level 3 output is not compatible with HP's PostScript printers
        (LP: #277404); Added support for the new "-origpagesizes" option of
        Poppler's pdftops, so that documents with pages of different sizes get
        correctly printed (LP: #310575).
    
      [ Martin Pitt ]
      * debian/control: Bump poppler-utils dependency to the version which
        provides -origpagesizes.
    
     -- Till Kamppeter <email address hidden>   Thu, 18 Jun 2009 09:52:48 +0200
  • cups (1.3.9-17ubuntu3.1) jaunty-security; urgency=low
    
      * SECURITY UPDATE: Remote denial-of-service via IPP_TAG_UNSUPPORTED tags.
        - debian/patches/CVE-2009-0949.dpatch: make sure the name field exists
          in scheduler/ipp.c.
        - CVE-2009-0949
    
     -- Marc Deslauriers <email address hidden>   Mon, 01 Jun 2009 10:24:49 -0400
  • cups (1.3.9-17ubuntu3) jaunty-proposed; urgency=low
    
      * debian/filters/pstopdf: Make pstopdf also read default values from the
        PPD if there is no space between the colon and the value. Some programs
        seem to remove this space when setting the defaults. Fixes LP: #357732
        harder.
    
     -- Till Kamppeter <email address hidden>   Tue, 28 Apr 2009 11:45:27 +0200
  • cups (1.3.9-17ubuntu2) jaunty-proposed; urgency=low
    
      [ Till Kamppeter ]
      * debian/filters/pstopdf: Call Ghostscript with the default paper size
        (from PPD or from CUPS filter command line) on its command line. Some
        applications generate PostScript without PageSize requests.
        Multi-page-size jobs do not get broken by this as Ghostscript uses the
        given page size only as default and gives priority to page sizes requested
        by the document (contrary to Poppler). (LP: #357732)
    
      [ Martin Pitt ]
      * debian/control: Update Vcs-Bzr: for Jaunty branch.
    
     -- Till Kamppeter <email address hidden>   Tue, 21 Apr 2009 13:07:29 +0200
  • cups (1.3.9-17ubuntu1) jaunty; urgency=low
    
      * SECURITY UPDATE: fix integer overflow via large TIFF file (LP: #361866)
        - debian/patches/CVE-2009-0163.dpatch: adjust CUPS_IMAGE_MAX_HEIGHT in
          filter/image-private.h
        - CVE-2009-0163
    
     -- Jamie Strandboge <email address hidden>   Wed, 15 Apr 2009 09:33:56 -0500
  • cups (1.3.9-17) unstable; urgency=low
    
      [ Till Kamppeter ]
      * debian/filters/pstopdf: Added "-dDoNumCopies" to the "ps2pdf" call in
        the pstopdf CUPS filter, so that Ghostscript takes into account
        /#copies and /NumCopies when converting incoming PostScript to PDF
        (Ghostscript upstream bug #690355, LP: #320391).
    
      [ Martin Pitt ]
      * debian/control: Update section of cups-dbg to "debug".
    
     -- Martin Pitt <email address hidden>   Sun, 05 Apr 2009 18:04:33 -0700
  • cups (1.3.9-16) unstable; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Fixed
        corruption of output when generating multiple copies of EOG or GIMP
        output files (LP: #345183).
      * debian/cups.postinst: Silenced non-fatal error messages when
        post-install script updates PPDs and there are PPDs not belonging to
        a CUPS queue in /etc/cups/ppd/ (LP: #345866).
    
      [ Martin Pitt ]
      * debian/local/apparmor-profile: Drop 'm' permission for /etc/passwd and
        friends, which was a workaround for a kernel apparmor bug on i386. This is
        fixed in current kernels. Thanks to Kees Cook for pointing this out!
        (LP: #270663)
      * debian/cups.install: Do not install the unnecessary (and broken) D-BUS
        configuration file any more. All cupsd does is to send signals, which are
        allowed by default. It does not provide any D-BUS service right now. Also
        remove the obsolete file on upgrades in debian/cups.preinst.
        (Closes: #510634, LP: #318742)
      * Add logfiles_adm_readable.dpatch: Make log files readable by group "adm".
        (LP: #345953)
      * debian/changelog: Fix cruft at the end of file.
      * debian/local/apparmor-profile: Explicitly deny access to /dev/tty and
        writing access to /etc/krb5.conf, so that accesses to them do not create
        log spewage. (LP: #348556)
    
     -- Martin Pitt <email address hidden>   Fri, 27 Mar 2009 09:35:56 +0100
  • cups (1.3.9-15) unstable; urgency=low
    
      * Add debian/local/apport-hook.py: Apport package hook, thanks to
        Brian Murray! Install it in debian/rules if we build for Ubuntu.
        (LP: #334080)
      * debian/rules: Move init script priority to 50, so that cups starts later
        in the boot sequence. There is no reason why it should start so early
        (before e. g. gdm). Do the transition on upgrades in debian/cups.postinst.
      * debian/control: Promote ttf-freefont from Recommends to Depends, since the
        PDF filter chain needs it. (Closes: #516335)
      * debian/control: Add "Breaks: foomatic-filters (<< 4.0)", and bump
        Recommends: version. Earlier foomatic-filters do not support the PDF
        filter chain. (Closes: #511009)
      * debian/local/apparmor-profile: Add a few missing rules for Kerberos
        authentication. (LP: #324645)
      * Add bzr-builddeb configuration (merge mode).
      * debian/watch: Update so that it works again.
      * debian/local/apparmor-profile: Allow cups to read /etc/likewise, for
        authentication. (LP: #303927)
      * Add testsuite-increase-wait-timeout.dpatch: Increase test suite's timeout
        for waiting for jobs to 10 minutes, for slower architectures like arm and
        m68k. (Closes: #518787)
    
     -- Martin Pitt <email address hidden>   Tue, 10 Mar 2009 13:46:19 +0100
  • cups (1.3.9-14ubuntu2) jaunty; urgency=low
    
      * Add debian/local/apport-hook.py: Apport package hook, thanks to
        Brian Murray! Install it in debian/rules if we build for Ubuntu.
        (LP: #334080)
      * debian/rules: Move init script priority to 50, so that cups starts later
        in the boot sequence. There is no reason why it should start so early
        (before e. g. gdm). Do the transition on upgrades in debian/cups.postinst.
    
     -- Martin Pitt <email address hidden>   Fri, 27 Feb 2009 09:16:01 +0100
  • cups (1.3.9-14ubuntu1) jaunty; urgency=low
    
      * cups does not need to be started before gdm.
    
     -- Scott James Remnant <email address hidden>   Fri, 27 Feb 2009 01:22:13 +0000
  • cups (1.3.9-14) unstable; urgency=low
    
      * debian/patches/pdftops-cups-1.4.dpatch: Revert previous change to
        define HAVE_PDFTOPS and CUPS_PDFTOPS, since Till says the filter
        should actually use ghostscript now. Add ghostscript build
        dependency instead. (LP: #329991)
      * Add drop_unnecessary_dependencies.dpatch: Do not link libcups.so
        and libcupsimage.so against unnecessary libraries. This avoids
        unnecessary package dependencies for both libcups, as well as for
        packages using cups-config. (Closes: #438067)
      * debian/control: Drop XSBC-Original-Maintainer Ubuntu-ism which
        accidentally crept in in r607.
    
     -- Martin Pitt <email address hidden>   Mon, 16 Feb 2009 18:05:21 +0100
  • cups (1.3.9-13) unstable; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/pdf-filters/filter/imagetopdf.c: Added support for
        the new "fit-to-page" option (new, more intuitive name for "fitplot").
      * debian/filters/pstopdf: Only apply paper size if the "fitplot" or the
        "fit-to-page" option is set.
      * debian/local/filters/cpdftocps: Only the last digit of the number of
        copies was used (LP: #309314).
      * debian/local/filters/pdf-filters/pdftopdf/pdftopdf.cxx: Do not precede the
        PDF output with a newline (LP: #303691). Only impose the page size from
        the PPD file to all pages if the "fitplot" or the "fit-to-page" option is 
        set. This prevented automatic paper tray switching to the correct paper
        sizes when a multiple-page-size document is printed (partial fix for
        LP: #310575).
      * debian/patches/pdftops-cups-1.4.dpatch: Updated from CUPS 1.4 SVN. Contains
        fixes for multiple-page-size document printing (partial fix for
        LP: #310575).
      * debian/patches/pdftops-dont_fail_on_cancel.dpatch: Removed, should be
        fixed in the new upstream version of pdftops.
    
      [ Martin Pitt ]
      * debian/patches/pdftops-cups-1.4.dpatch: Add definition of
        HAVE_PDFTOPS and CUPS_PDFTOPS, so that the filter actually gets
        again built with pdftops support. (Fixes Till's change from above).
    
     -- Martin Pitt <email address hidden>   Mon,  16 Feb 2009 07:52:20 +0000
  • cups (1.3.9-12) experimental; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/pdf-filters/pdftopdf/P2PPage.cxx,
        debian/local/filters/pdf-filters/pdftopdf/pdftopdf.cxx: Do not reposition
        the pages when an automatic rotation did not actually take place and
        do not apply the page size and margins from the PPD file or the command
        line if no manipulations affecting the printout size are done (N-up,
        scaling, fitplot, ...). This caused LP: #310575.
    
      * debian/cups.postinst: Let the PPD files of the existing print queues get
        automatically updated after each installation of this package (if they
        use PPDs of this package).
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: denial of service by adding a large number of RSS
        subscriptions (Closes: #506180, LP: #298241)
        - debian/patches/CVE-2008-5183.dpatch: gracefully handle MaxSubscriptions
          being reached in scheduler/{ipp.c,subscriptions.c}
        - CVE-2008-5183
    
      [ Martin Pitt ]
      * pidfile.dpatch: Adapt to changes from MaxSubscriptions fix from
        above.
    
     -- Martin Pitt <email address hidden>   Sun, 25 Jan 2009 12:05:44 +0100
  • cups (1.3.9-11ubuntu1) jaunty; urgency=low
    
      * SECURITY UPDATE: denial of service by adding a large number of RSS
        subscriptions (LP: #298241)
        - debian/patches/CVE-2008-5183.dpatch: gracefully handle MaxSubscriptions
          being reached in scheduler/{ipp.c,subscriptions.c}
        - CVE-2008-5183
    
     -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2009 08:28:14 -0500
  • cups (1.3.9-11) experimental; urgency=low
    
      * debian/local/filters/cpdftocps: Fixed the fix for the number of copies.
        In some cases it failed and pstops was called with 0 copies requested
        (LP: #309314, LP: #300312, LP: #286048).
    
     -- Martin Pitt <email address hidden>   Fri, 19 Dec 2008 15:58:55 +0100
  • cups (1.3.9-10) experimental; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/pdf-filters/pdftopdf/P2PCatalog.cxx,
        debian/local/filters/pdf-filters/pdftopdf/P2PCatalog.h,
        debian/local/filters/pdf-filters/pdftopdf/P2PDoc.cxx,
        debian/local/filters/pdf-filters/pdftopdf/P2PDoc.h,
        debian/local/filters/pdf-filters/pdftopdf/P2PPage.cxx,
        debian/local/filters/pdf-filters/pdftopdf/P2PPage.h,
        debian/local/filters/pdf-filters/pdftopdf/P2PPageTree.cxx,
        debian/local/filters/pdf-filters/pdftopdf/P2PPageTree.h,
        debian/local/filters/pdf-filters/pdftopdf/pdftopdf.cxx: Fixed problem
        of Landscape-oriented PDF files being printed in the wrong orientation
        (LP: #47649, LP: #244840).
    
      * debian/local/filters/cpdftocps: Made correct number of copies being
        printed on PostScript printers with hardware copy handling (LP: #286048).
    
      [ Martin Pitt ]
      * debian/local/apparmor-profile: Allow cupsd to run Brother drivers.
        (LP: #237256)
    
     -- Martin Pitt <email address hidden>   Wed, 17 Dec 2008 07:46:04 +0100
  • cups (1.3.9-9) experimental; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/pdf-filters/pdftopdf/P2PPage.cxx,
        debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Added
        processing of the rotate tag (LP: #300312).
    
      [ Martin Pitt ]
      * Add png-image-int-overflow.dpatch: Fix integer overflow in the PNG image
        reader (Closes: #507183, STR #2974, CVE-2008-5286)
    
     -- Martin Pitt <email address hidden>   Mon, 01 Dec 2008 15:47:10 -0800
  • cups (1.3.9-8) experimental; urgency=low
    
      * debian/local/filters/pdf-filters/pdftopdf/P2POutputStream.cxx,
        debian/local/filters/pdf-filters/pdftopdf/P2POutputStream.h: Removed
        an endianness dependency from the pdftopdf filter, so that it also
        works on non-PC platforms like PowerPC (LP: #271350).
      * debian/filters/pstopdf: Do not supply the margins from the PPD to the
        ps2pdf process, as this breaks full-bleed printing and also disturbs
        the printing if PPDs have too conservative margin definitions (LP: #282186).
    
     -- Martin Pitt <email address hidden>   Wed, 26 Nov 2008 15:14:57 +0100
  • cups (1.3.9-7) experimental; urgency=low
    
      * Previous upload had some cruft in the diff.gz which caused some changed
        defaults in cupsd.conf. Reupload with a clean diff.gz. *Brown paperbag*
    
     -- Martin Pitt <email address hidden>   Thu, 20 Nov 2008 18:49:46 +0100
  • cups (1.3.9-6) experimental; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/cpdftocps: The cpdftocps filter did case-sensitive
        checking for CUPS options to keep them away from the pstops filter. CUPS
        treats such options case-insensitive, so in some cases CUPS options got
        applied twice (LP: #299707).
    
      [ Martin Pitt ]
      * debian/rules: Install the serial backend with 0744 permissions to make it
        run as root, since /dev/ttyS* are root:dialout and thus not accessible as
        user "lp". Thanks to Chanoch (Ken) Bloom. (part of #506181, LP: #154277)
    
     -- Martin Pitt <email address hidden>   Thu, 20 Nov 2008 13:43:27 +0100
  • cups (1.3.9-5) experimental; urgency=low
    
      * hpgl-regression.dpatch: Replaced with version which got committed
        upstream.
      * Add runloop-backchannel-eof-spin.dpatch: Fix backend runloop spin on
        backchannel EOF (select() returns "ready for read" on EOF). This
        completely broke printing with e. g. HPJetDirect. Thanks to
        Samuel Thibault for tracking down the problem! (Closes: #489045)
      * debian/cups-bsd.postinst: Assume default printcap path (in /var/run/cups/)
        if not specified in cupsd.conf. This brings back the lost /etc/printcap
        for legacy applications. (Closes: #482186, LP: #282667)
      * debian/rules: Drop arm/armel -f-no-stack-protector workaround, since SSP
        works on these architectures now. (See #469517)
      * debian/cups-bsd.postinst: Robustify the cupsd.conf parsing for Printcap,
        as per suggestion from Jo Mills.
      * rootbackends-worldreadable.dpatch: Apply the same relaxed permission check
        to cups-deviced, so that backends installed as 0744 don't disappear from
        printer detection. (Closes: #503644, LP: #275407)
    
     -- Martin Pitt <email address hidden>   Mon, 17 Nov 2008 08:50:34 +0100
  • cups (1.3.9-4) experimental; urgency=low
    
      [ Till Kamppeter ]
      * debian/local/filters/pdf-filters/conf/pdftoraster.convs,
        debian/local/filters/pdf-filters/filter/pdftoraster.cxx,
        debian/local/filters/pdf-filters/README,
        debian/local/filters/pdf-filters/addtocups,
        debian/local/filters/pdf-filters/removefromcups, debian/rules,
        debian/copyright: Removed Poppler-based pdftoraster filter. It will be
        replaced by a Ghostscript-based pdftoraster filter provided by the
        Ghostscript package, requested via Debian bug #505282 (fixes LP: #290395).
    
      * debian/filters/pstopdf: Fixed debug output.
    
     -- Martin Pitt <email address hidden>   Tue, 11 Nov 2008 13:46:55 +0100
  • cups (1.3.9-3) experimental; urgency=low
    
      [ Till Kamppeter ]
      * debian/filters/pstopdf: Fixed several bugs in the pstopdf filter. First,
        removed the use of CUPS' pstops filter for inserting option settings. This
        also inserts PJL headers and then Ghostscript cannot convert the PostScript
        to PDF in the next step. Fixed also the sed magic so that the paper size
        and the margins get really read from the PPD and fixed the calculation of
        the top and bottom margins, they were exchanged. Fixes LP: #289759,
        LP: #292690, LP: #282186. Possible fix for LP #293883.
    
      [ Martin Pitt ]
      * debian/local/apparmor-profile: Allow dnssd backend to create various less
        common network protocols (x25, appletalk, etc.) for detection. Also allow
        it to read /proc/*/net/, which the bonjour avahi library apparently uses.
        (LP: #254022)
    
     -- Martin Pitt <email address hidden>   Wed, 29 Oct 2008 11:41:38 +0100
  • cups (1.3.9-2) experimental; urgency=low
    
      * debian/local/filters/cpdftocps, debian/filters/pstopdf: Avoid duplicate
        execution of the number of copies. Sending a PostScript job to a
        non-PostScript printer produced n*n copies instead of n copies, also
        sending a non-PostScript job to a PostScript printer. A PostScript job
        sent to a PostScript printer could even produce n*n*n copies (LP: #286048).
    
     -- Martin Pitt <email address hidden>   Mon, 20 Oct 2008 08:18:20 +0200