diff --git a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch b/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch
deleted file mode 100644
index 243be682ceb6634..000000000000000
--- a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -Based on upstream ff1f8a623e090dee8a8aadf12a6a4b25efac143d, adjusted to -apply to 2.4.8 - -diff --git a/cups/http-addr.c b/cups/http-addr.c -index 6aeeb8074..73a6b2f37 100644 ---- a/cups/http-addr.c -+++ b/cups/http-addr.c -@@ -206,27 +206,30 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ - * Remove any existing domain socket file... - */ - -- unlink(addr->un.sun_path); -- -- /* -- * Save the current umask and set it to 0 so that all users can access -- * the domain socket... -- */ -- -- mask = umask(0); -+ // Remove any existing domain socket file... -+ if ((status = unlink(addr->un.sun_path)) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); - -- /* -- * Bind the domain socket... -- */ -+ if (errno == ENOENT) -+ status = 0; -+ } - -- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); -+ if (!status) -+ { -+ // Save the current umask and set it to 0 so that all users can access -+ // the domain socket... -+ mask = umask(0); - -- /* -- * Restore the umask and fix permissions... -- */ -+ // Bind the domain socket... -+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); -+ } - -- umask(mask); -- chmod(addr->un.sun_path, 0140777); -+ // Restore the umask... -+ umask(mask); -+ } - } - else - #endif /* AF_LOCAL */ -diff --git a/scheduler/conf.c b/scheduler/conf.c -index defca78aa..ebf8ca8cc 100644 ---- a/scheduler/conf.c -+++ b/scheduler/conf.c -@@ -3083,6 +3083,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ - cupsd_listener_t *lis; /* New listeners array */ - - -+ /* -+ * If we are launched on-demand, do not use domain sockets from the config -+ * file. Also check that the domain socket path is not too long... 
-+ */ -+ -#ifdef HAVE_ONDEMAND -+ if (*value == '/' && OnDemand) -+ { -+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); -+ continue; -+ } -+#endif // HAVE_ONDEMAND -+ -+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) -+ { -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); -+ continue; -+ } -+ - /* - * Get the address list... - */
diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix
index 5d4b6f00acae12f..396914479d4a596 100644
--- a/pkgs/misc/cups/default.nix
+++ b/pkgs/misc/cups/default.nix
@@ -19,6 +19,7 @@
 , libpaper ? null
 , coreutils
 , nixosTests
+, fetchpatch
 }:
 
 stdenv.mkDerivation rec {
@@ -33,7 +34,28 @@ stdenv.mkDerivation rec {
 outputs = [ "out" "lib" "dev" "man" ];
 
 patches = [
- ./2.4.8-CVE-2024-35235.patch
+ (fetchpatch {
+ name = "CVE-2024-35235.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/b273a1f29bda87317c551614cf9ab6125f56e317.patch";
+ hash = "sha256-nzWKEMOEBKZMjqVPl2mcATtXZSrh++yhv9VMvbA+49E=";
+ })
+ # the following three patches fix a regression introduced by the patch above
+ (fetchpatch {
+ name = "CVE-2024-35235-fixup-domainsocket-1.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/6131f6a73c188f3db0ec94ae488991ce80cfd7ea.patch";
+ hash = "sha256-uftOI0zkwPXsW8CY8BoOkx4BysjDUc66LuzyZDjUHCI=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-35235-fixup-domainsocket-2.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/4417cd366f7baf64f4ada3efbb3ec13cd773a0f4.patch";
+ hash = "sha256-ighA4Vmf43iiwkNl71//Ml8ynh8nF/bcNOKELeJFPKo=";
+ })
+ (fetchpatch {
+ name = "CVE-2024-35235-fixup-domainsocket-3.patch";
+ url = "https://github.com/OpenPrinting/cups/commit/145b946a86062aafab76c656ee9c1112bfd4f804.patch";
+ includes = [ "scheduler/conf.c" ];
+ hash = "sha256-2jQFHUFav8XDfqA/PVKNvbUnZI34na8Wbuu4XRy3uqc=";
+ })
 ];
 
 postPatch = ''
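Review bot: The provenance of the first fetchpatch is not documented: the deleted local patch described itself as "Based on upstream ff1f8a623e090dee8a8aadf12a6a4b25efac143d", while the new entry fetches commit b273a1f29bda87317c551614cf9ab6125f56e317, and nothing in the hunk says why the reference changed (presumably the 2.4.x branch backport of the same fix, but that is an inference). The fourth entry's `includes = [ "scheduler/conf.c" ];` is likewise unexplained; since it filters the upstream commit down to one file, a reader auditing the CVE-2024-35235 fix cannot tell whether the dropped hunks were already applied, irrelevant to 2.4.8, or deliberately left out. A one-line comment on each would close that gap: above the first entry `# upstream fix for CVE-2024-35235 (replaces the local backport that was based on ff1f8a62)`, and above the `includes` line `# only scheduler/conf.c is taken from this commit: <reason — TODO confirm>`. The sha-pinned URLs with content hashes are the right shape for a security backport: if GitHub's patch rendering of those commits ever changes, the build fails closed instead of silently picking up different code.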