[24.05] cups: fix socket-only usage after CVE-2024-35235 #337748
Conversation
The patch from commit NixOS@bdf63d7 is also available in the cups source repository (up to some variations in code comments).
If cups is started with no network listeners, i.e., only with `Listen /path/to/unix.socket` lines in cupsd.conf, it fails to start. This is caused by the patch of CVE-2024-35235, see also NixOS@bdf63d7 and NixOS@dfe9603. Upstream documented the problem here: OpenPrinting/cups#985, and fixed it here: OpenPrinting/cups#988. In NixOS, the problem manifests itself with this configuration: `services.printing.listenAddresses = [];`. The commit at hand adds three more patches from the upstream repository. This is the smallest possible change that fixes the regression caused by the initial patch.
Huh, for some reason I failed to find the commit on the 2.4.x branch.
Cherry-picked to release-24.05, built passthru.tests on nixos x86_64 & cups on macos 12 x86_64 successfully. Patches check out.
Thanks, @risicle, for your fast reaction!
How about this: We add
I broadly approve, but I am of course not a cups/printing maintainer. Anyway, I think this is merge-worthy as it is.
Add two new vm tests for the printing configuration that test `listenAddresses = []`, i.e., the situation where cups only listens on the unix domain socket `/run/cups/cups.sock`. This helps catch bugs like this: OpenPrinting/cups#985, NixOS#337748
Description of changes

With the patch for CVE-2024-35235, cups refuses to start if only domain sockets (`Listen /path/to/unix.socket` in `cupsd.conf`) are used. In NixOS, it can be triggered by setting `services.printing.listenAddresses = [];` (e.g. in the `cups-pdf` vm test). The pull request at hand does two things:

- `fetchpatch` that pulls the commit from the upstream repository. This does not change the resulting C code -- the patches only differ w.r.t. comments in the code. Reference: Upstream issue and fixup.

Notifying cups maintainer @matthewbauer and author of #330650 @risicle

The pull request at hand (like #330650) targets `staging-24.05`, as changing cups causes a mass rebuild. The patches added here (like the patch from #330650) are already included in the cups version used on the `master` branch, hence there is nothing to do for NixOS unstable.

Things done
Also:

- `nixosTests.{printing-{service,socket},cups-pdf}` on both commits of this pull request
- `nixosTests.cups-pdf` with `services.printing.listenAddresses = [];` added to the test configuration on the top-most commit of this pull request (the `printing-*` tests also check for port 631 and hence cannot be used to verify a socket-only configuration).
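The regression described in this pull request only bites when cupsd has no network listener at all, so a useful pre-flight check before rolling the CVE-2024-35235 patch onto a 24.05 host is to classify what a given `cupsd.conf` actually listens on. The following is an added example, not code from nixpkgs or CUPS: it parses `Listen` and `Port` directives, treats values starting with `/` as UNIX domain sockets and everything else as network listeners, and reports a "socket-only" configuration. The `render_nixos_listen` helper is a simplified assumption about what the NixOS cups module writes (one `Listen` per `services.printing.listenAddresses` entry plus `Listen /run/cups/cups.sock`); the sample configurations are constructed for this example.

```python
"""Pre-flight check for the CVE-2024-35235 socket-only cupsd regression.

Added example, not code from nixpkgs or CUPS. It classifies the listeners a
cupsd.conf declares so an operator can spot a socket-only configuration,
the situation in which patched cupsd refused to start (OpenPrinting/cups#985).
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Listeners:
    unix_sockets: List[str] = field(default_factory=list)
    network: List[str] = field(default_factory=list)  # "host:port", "*:port", "[::1]:port"

    @property
    def socket_only(self) -> bool:
        """True when cupsd would listen on UNIX sockets only (no TCP at all)."""
        return bool(self.unix_sockets) and not self.network


def parse_listeners(conf: str) -> Listeners:
    """Collect Listen/Port directives from cupsd.conf text.

    Only `Listen <path|address:port>` and `Port <n>` are considered; other
    directives and full-line `#` comments are skipped. Directive names are
    matched case-insensitively.
    """
    result = Listeners()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts[0].lower(), parts[1].strip()
        if directive == "port":
            # `Port 631` binds all addresses; record it as a wildcard network listener.
            result.network.append(f"*:{value}")
        elif directive == "listen":
            # A value beginning with "/" is a UNIX domain socket path;
            # anything else is a host/port pair, i.e. a network listener.
            if value.startswith("/"):
                result.unix_sockets.append(value)
            else:
                result.network.append(value)
    return result


def render_nixos_listen(listen_addresses: List[str]) -> str:
    """Simplified assumption of the Listen block the NixOS cups module writes:
    one line per listenAddresses entry plus the always-present UNIX socket."""
    lines = [f"Listen {addr}" for addr in listen_addresses]
    lines.append("Listen /run/cups/cups.sock")
    return "\n".join(lines) + "\n"


def classify(conf: str) -> str:
    """Human-readable verdict: 'socket-only', 'mixed', 'network-only' or 'none'."""
    l = parse_listeners(conf)
    if l.socket_only:
        return "socket-only"
    if l.network and l.unix_sockets:
        return "mixed"
    if l.network:
        return "network-only"
    return "none"


# Constructed sample configurations (not taken from any real host).
SAMPLE_SOCKET_ONLY = """\
# constructed cupsd.conf: no TCP listener at all
LogLevel warn
Listen /run/cups/cups.sock
Browsing Off
"""

SAMPLE_DEFAULT = """\
# constructed cupsd.conf resembling the NixOS default (listenAddresses = ["localhost:631"])
Listen localhost:631
Listen /run/cups/cups.sock
"""

if __name__ == "__main__":
    for name, conf in [("socket-only sample", SAMPLE_SOCKET_ONLY),
                       ("default sample", SAMPLE_DEFAULT),
                       ("NixOS listenAddresses = []", render_nixos_listen([]))]:
        print(f"{name}: {classify(conf)}")
```

Running the module prints `socket-only` for the first and third configurations, which is exactly the shape that the `nixosTests.cups-pdf` variant with `services.printing.listenAddresses = [];` exercises, and `mixed` for the default, which is why the existing `printing-*` tests (which also check port 631) never reproduced the bug.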