authorMatthias Maier <tamiko@gentoo.org>2023-05-24 03:00:01 -0500
committerMatthias Maier <tamiko@gentoo.org>2023-05-24 03:04:46 -0500
commitd8827cf3d0bb159273e683698824d4572882af9e (patch)
tree0579129dc9ea1189621bfc99c52d6de554668b38
parentdev-python/pycparser: enable py3.12 (diff)
net-print/cups-filters: apply patch for CVE-2023-24805
Bug: https://bugs.gentoo.org/906944 Signed-off-by: Matthias Maier <tamiko@gentoo.org>
-rw-r--r--net-print/cups-filters/cups-filters-1.28.17-r2.ebuild150
-rw-r--r--net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch225
2 files changed, 375 insertions, 0 deletions
diff --git a/net-print/cups-filters/cups-filters-1.28.17-r2.ebuild b/net-print/cups-filters/cups-filters-1.28.17-r2.ebuild
new file mode 100644
index 000000000000..95c9acf0f386
--- /dev/null
+++ b/net-print/cups-filters/cups-filters-1.28.17-r2.ebuild
@@ -0,0 +1,150 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+GENTOO_DEPEND_ON_PERL=no
+inherit perl-module systemd flag-o-matic
+
+DESCRIPTION="Cups filters"
+HOMEPAGE="https://wiki.linuxfoundation.org/openprinting/cups-filters"
+SRC_URI="
+ https://github.com/OpenPrinting/cups-filters/releases/download/${PV}/${P}.tar.xz
+ https://www.openprinting.org/download/${PN}/${P}.tar.xz
+"
+
+LICENSE="MIT GPL-2"
+SLOT="0"
+IUSE="dbus exif +foomatic jpeg ldap pclm pdf perl png +postscript test tiff zeroconf"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ >=app-text/poppler-0.32[cxx,jpeg?,lcms,tiff?,utils]
+ >=app-text/qpdf-8.3.0:=
+ dev-libs/glib:2
+ media-libs/fontconfig
+ media-libs/freetype:2
+ media-libs/lcms:2
+ >=net-print/cups-1.7.3
+ !<=net-print/cups-1.5.9999
+ sys-devel/bc
+ sys-libs/zlib
+ exif? ( media-libs/libexif )
+ dbus? ( sys-apps/dbus )
+ foomatic? ( !net-print/foomatic-filters )
+ jpeg? ( media-libs/libjpeg-turbo:= )
+ ldap? ( net-nds/openldap:= )
+ pdf? ( app-text/mupdf:= )
+ perl? ( dev-lang/perl:= )
+ png? ( media-libs/libpng:= )
+ postscript? ( >=app-text/ghostscript-gpl-9.09[cups] )
+ tiff? ( media-libs/tiff:= )
+ zeroconf? ( net-dns/avahi[dbus] )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ dev-util/gdbus-codegen
+ >=sys-devel/gettext-0.18.3
+ virtual/pkgconfig
+ test? ( media-fonts/dejavu )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.28.17-c++17.patch
+ "${FILESDIR}"/${PN}-1.28.17-CVE-2023-24805.patch
+)
+
+src_configure() {
+ # Bug #898156
+ append-cxxflags -std=c++17
+
+ local myeconfargs=(
+ --enable-imagefilters
+ --localstatedir="${EPREFIX}"/var
+ --with-browseremoteprotocols=DNSSD,CUPS
+ --with-cups-rundir="${EPREFIX}"/run/cups
+ --with-fontdir="fonts/conf.avail"
+ --with-pdftops=pdftops
+ --with-rcdir=no
+ --without-php
+
+ $(use_enable exif)
+ $(use_enable dbus)
+ $(use_enable foomatic)
+ $(use_enable ldap)
+ $(use_enable pclm)
+ $(use_enable pdf mutool)
+ $(use_enable postscript ghostscript)
+ $(use_enable zeroconf avahi)
+ $(use_with jpeg)
+ $(use_with png)
+ $(use_with tiff)
+ )
+
+ econf "${myeconfargs[@]}"
+
+ if use perl; then
+ pushd "${S}"/scripting/perl > /dev/null || die
+ perl-module_src_configure
+ popd > /dev/null || die
+ fi
+}
+
+src_compile() {
+ default
+
+ if use perl; then
+ pushd "${S}"/scripting/perl > /dev/null || die
+ perl-module_src_compile
+ popd > /dev/null || die
+ fi
+}
+
+src_test() {
+ # Avoid perl-module_src_test
+ default
+
+ if use perl; then
+ pushd "${S}/scripting/perl" > /dev/null || die
+ perl-module_src_test
+ popd > /dev/null || die
+ fi
+}
+
+src_install() {
+ default
+
+ if use perl; then
+ pushd "${S}"/scripting/perl > /dev/null || die
+ perl-module_src_install
+ perl_delete_localpod
+ popd > /dev/null || die
+ fi
+
+ if use postscript; then
+ # workaround: some printer drivers still require pstoraster and pstopxl, bug #383831
+ dosym gstoraster /usr/libexec/cups/filter/pstoraster
+ dosym gstopxl /usr/libexec/cups/filter/pstopxl
+ fi
+
+ find "${ED}" \( -name "*.a" -o -name "*.la" \) -delete || die
+
+ cp "${FILESDIR}"/cups-browsed.init.d-r2 "${T}"/cups-browsed || die
+
+ if ! use zeroconf ; then
+ sed -i -e 's:need cupsd avahi-daemon:need cupsd:g' "${T}"/cups-browsed || die
+ sed -i -e 's:cups\.service avahi-daemon\.service:cups.service:g' "${S}"/utils/cups-browsed.service || die
+ fi
+
+ doinitd "${T}"/cups-browsed
+ systemd_dounit "${S}"/utils/cups-browsed.service
+}
+
+pkg_postinst() {
+ if ! use foomatic ; then
+ ewarn "You are disabling the foomatic code in cups-filters. Please do that ONLY if absolutely"
+ ewarn "necessary. net-print/foomatic-filters as a replacement is deprecated and unmaintained."
+ fi
+}
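Review bot: The new PATCHES entry for `${PN}-1.28.17-CVE-2023-24805.patch` carries no reference to the bug it addresses, while the `append-cxxflags -std=c++17` line in src_configure is annotated with `# Bug #898156`; adding `# Bug #906944` above the CVE patch line keeps that convention and tells a later maintainer when the patch can be dropped after a version bump. The ebuild also relies on `${PN}-1.28.17-c++17.patch` and `cups-browsed.init.d-r2` from FILESDIR, which are not part of this commit and are presumably carried over from the previous revision.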
diff --git a/net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch b/net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch
new file mode 100644
index 000000000000..58b562504d0d
--- /dev/null
+++ b/net-print/cups-filters/files/cups-filters-1.28.17-CVE-2023-24805.patch
@@ -0,0 +1,225 @@
+Modified version from:
+
+ https://packages.debian.org/de/sid/cups-filters
+
+ From: Thorsten Alteholz <debian@alteholz.de>
+ Date: Fri, 19 May 2023 10:49:35 +0200
+ Subject: fix CVE-2023-24805
+
+Original patch:
+
+https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
+
+From 8f274035756c04efeb77eb654e9d4c4447287d65 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Wed, 17 May 2023 11:12:37 +0200
+Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x
+
+* beh backend: Use execv() instead of system() - CVE-2023-24805
+
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with forged job title.
+
+* beh backend: Extra checks against odd/forged input - CVE-2023-24805
+
+- Do not allow '/' in the scheme of the URI (= backend executable
+ name), to assure that only backends inside /usr/lib/cups/backend/
+ are used.
+
+- Pre-define scheme buffer to empty string, to be defined for case of
+ uri being NULL.
+
+- URI must have ':', to split off scheme, otherwise error.
+
+- Check return value of snprintf() to create call path for backend, to
+ error out on truncation of a too long scheme or on complete failure
+ due to a completely odd scheme.
+
+* beh backend: Further improvements - CVE-2023-24805
+
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+ does not require setting terminating zero byte in case of truncation.
+
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+ backends.
+
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+ fprintf() which could be running in the main process when
+ sigterm_handler() is triggered.
+
+- Use "static volatile int" for global variable job_canceled.
+
+---
+ backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 84 insertions(+), 23 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..8d51235 100644
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
+
+ /*
+ * Local globals...
+ */
+
+-static int job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */
+
+ /*
+ * Local functions...
+@@ -213,21 +214,40 @@ call_backend(char *uri, /* I - URI of final destination */
+ char **argv, /* I - Command-line arguments */
+ char *filename) { /* I - File name of input data */
+ const char *cups_serverbin; /* Location of programs */
++ char *backend_argv[8]; /* Arguments for backend */
+ char scheme[1024], /* Scheme from URI */
+ *ptr, /* Pointer into scheme */
+- cmdline[65536]; /* Backend command line */
+- int retval;
++ backend_path[2048]; /* Backend path */
++ int pid = 0, /* Process ID of backend */
++ wait_pid, /* Process ID from wait() */
++ wait_status, /* Status from child */
++ retval = 0;
++ int bytes;
+
+ /*
+ * Build the backend command line...
+ */
+
+- strncpy(scheme, uri, sizeof(scheme) - 1);
+- if (strlen(uri) > 1023)
+- scheme[1023] = '\0';
++ scheme[0] = '\0';
++ strncat(scheme, uri, sizeof(scheme) - 1);
+ if ((ptr = strchr(scheme, ':')) != NULL)
+ *ptr = '\0';
+-
++ else {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (strchr(scheme, '/')) {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++ exit (CUPS_BACKEND_FAILED);
++ }
++ if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) {
++ fprintf(stderr,
++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++ scheme);
++ exit (CUPS_BACKEND_FAILED);
++ }
+ if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+ cups_serverbin = CUPS_SERVERBIN;
+
+@@ -235,16 +255,29 @@ call_backend(char *uri, /* I - URI of final destination */
+ fprintf(stderr,
+ "ERROR: beh: Direct output into a file not supported.\n");
+ exit (CUPS_BACKEND_FAILED);
+- } else
+- snprintf(cmdline, sizeof(cmdline),
+- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+- cups_serverbin, scheme, argv[1], argv[2], argv[3],
+- /* Apply number of copies only if beh was called with a
+- file name and not with the print data in stdin, as
+- backends should handle copies only if they are called
+- with a file name */
+- (argc == 6 ? "1" : argv[4]),
+- argv[5], filename);
++ }
++
++ backend_argv[0] = uri;
++ backend_argv[1] = argv[1];
++ backend_argv[2] = argv[2];
++ backend_argv[3] = argv[3];
++ /* Apply number of copies only if beh was called with a file name
++ and not with the print data in stdin, as backends should handle
++ copies only if they are called with a file name */
++ backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++ backend_argv[5] = argv[5];
++ backend_argv[6] = filename;
++ backend_argv[7] = NULL;
++
++ bytes = snprintf(backend_path, sizeof(backend_path),
++ "%s/backend/%s", cups_serverbin, scheme);
++ if (bytes < 0 || bytes >= sizeof(backend_path))
++ {
++ fprintf(stderr,
++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
++ scheme);
++ return (CUPS_BACKEND_FAILED);
++ }
+
+ /*
+ * Overwrite the device URI and run the actual backend...
+@@ -253,18 +286,44 @@ call_backend(char *uri, /* I - URI of final destination */
+ setenv("DEVICE_URI", uri, 1);
+
+ fprintf(stderr,
+- "DEBUG: beh: Executing backend command line \"%s\"...\n",
+- cmdline);
++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s' %s\"...\n",
++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++ backend_argv[4], backend_argv[5], backend_argv[6]);
+ fprintf(stderr,
+ "DEBUG: beh: Using device URI: %s\n",
+ uri);
+
+- retval = system(cmdline) >> 8;
++ if ((pid = fork()) == 0) {
++ /*
++ * Child comes here...
++ */
++
++ /* Run the backend */
++ execv(backend_path, backend_argv);
+
+- if (retval == -1)
+ fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+ strerror(errno));
+
++ exit(1);
++ } else if (pid < 0) {
++ /*
++ * Unable to fork!
++ */
++
++ return (CUPS_BACKEND_FAILED);
++ }
++
++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
++
++ if (wait_pid >= 0 && wait_status) {
++ if (WIFEXITED(wait_status))
++ retval = WEXITSTATUS(wait_status);
++ else if (WTERMSIG(wait_status) != SIGTERM)
++ retval = WTERMSIG(wait_status);
++ else
++ retval = 0;
++ }
++
+ return (retval);
+ }
+
+@@ -277,8 +336,10 @@ static void
+ sigterm_handler(int sig) { /* I - Signal number (unused) */
+ (void)sig;
+
+- fprintf(stderr,
+- "DEBUG: beh: Job canceled.\n");
++ const char * const msg = "DEBUG: beh: Job canceled.\n";
++ /* The if() is to eliminate the return value and silence the warning
++ about an unused return value. */
++ if (write(2, msg, strlen(msg)));
+
+ if (job_canceled)
+ _exit(CUPS_BACKEND_OK);
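Review bot: In the new fork/exec path of call_backend, the parent loop `while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);` reaps whichever child exits first rather than the backend it just forked; `waitpid(pid, &wait_status, 0)` pins the status to that pid, which is presumably what the `pid` variable was introduced for. In the child branch, the fallback after a failed execv() calls `exit(1)`, which runs atexit handlers and flushes stdio buffers duplicated from the parent; `_exit(1)` is the conventional choice after fork. The check `bytes < 0 || bytes >= sizeof(backend_path)` is safe because the negative case is tested first, but `(size_t)bytes >= sizeof(backend_path)` avoids the sign-compare warning, and the error string on that path misspells "determing". Since this file is a backport of the upstream commit, these are points to relay upstream rather than reasons to diverge in the Gentoo copy.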