head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2019.08.16.21.19.30;	author leot;	state dead;
branches;
next	1.1;
commitid	i4tK9IWTzHjwvizB;

1.1
date	2019.07.17.01.44.31;	author manu;	state Exp;
branches;
next	;
commitid	stFM7nXUc9keYkvB;


desc
@@


1.2
log
@cups{,-base}: Update to 2.2.12

pkgsrc changes:
- Remove patches/patch-5613 (already present)

Changes:
2.2.12
------
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
- The `cupsctl` command now prevents setting "cups-files.conf" directives (Issue #5530)
- Updated the systemd service file for cupsd (Issue #5551)
- The `cupsCheckDestSupported` function did not check octetString values correctly (Issue #5557)
- The scheduler did not encode octetString values like "job-password" correctly for the print filters (Issue #5558)
- Restored minimal support for the `Emulators` keyword in PPD files to allow old Samsung printer drivers to continue to work (Issue #5562)
- Timed out job submission now yields an error (Issue #5570)
- The footer in the web interface covered some content on small displays (Issue #5574)
- The libusb-based USB backend now enforces read limits, improving print speed in many cases (Issue #5583)
- Fixed some compatibility issues with old releases of CUPS (Issue #5587)
- Fixed a bug in the scheduler job cleanup code (Issue #5588)
- "make" failed with GZIP options (Issue #5595)
- Added FIPS-140 workarounds for GNU TLS (Issue #5601, Issue #5622)
- The scheduler no longer provides a default value for the description (Issue #5603)
- The `lpadmin` command did not always update the PPD file for changes to the `cupsIPPSupplies` and `cupsSNMPSupplies` keywords (Issue #5610)
- The scheduler now uses both the group's membership list as well as the various OS-specific membership functions to determine whether a user belongs to a named group (Issue #5613)
- Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
- Fixed some PPD parser issues (Issue #5623, Issue
#5624) - The IPP parser no longer allows invalid member attributes in collections (Issue #5630) - Fixed IPP buffer overflow (rdar://50035411) - Fixed memory disclosure issue in the scheduler (rdar://51373853) - Fixed DoS issues in the scheduler (rdar://51373929) - The scheduler would restart continuously when idle and printers were not shared (rdar://52561199) - Fixed a command ordering issue in the Zebra ZPL driver. - Fixed a memory leak in `ppdOpen`. @ text @$NetBSD: patch-5613,v 1.1 2019/07/17 01:44:31 manu Exp $ The scheduler now uses both the group's membership list as well as the various OS-specific membership functions to determine whether a user belongs to a named group (Issue #5613) From upstream https://github.com/apple/cups/commit/3c27d2a6ddf50a4cb02c0b7a464eaf7b6f1ea601 --- ./scheduler/auth.c +++ ./scheduler/auth.c @@@@ -1166,7 +1166,23 @@@@ cupsdCheckGroup( groupid = group->gr_gid; + for (i = 0; group->gr_mem[i]; i ++) + { + /* + * User appears in the group membership... + */ + + if (!_cups_strcasecmp(username, group->gr_mem[i])) + return (1); + } + #ifdef HAVE_GETGROUPLIST + /* + * If the user isn't in the group membership list, try the results from + * getgrouplist() which is supposed to return the full list of groups a user + * belongs to... + */ + if (user) { int ngroups; /* Number of groups */ @@@@ -1187,13 +1203,6 @@@@ cupsdCheckGroup( if ((int)groupid == (int)groups[i]) return (1); } - -#else - for (i = 0; group->gr_mem[i]; i ++) - { - if (!_cups_strcasecmp(username, group->gr_mem[i])) - return (1); - } #endif /* HAVE_GETGROUPLIST */ } else @ 1.1 log @The scheduler now uses both the group's membership list as well as the various OS-specific membership functions to determine whether a user belongs to a named group (Issue #5613) From upstream https://github.com/apple/cups/commit/3c27d2a6ddf50a4cb02c0b7a464eaf7b6f1ea601 @ text @d1 1 a1 1 $NetBSD$ @
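Review bot: In the first hunk (-1166,7 +1166,23), the relocated `gr_mem` loop matches names with `_cups_strcasecmp`, and because it now sits above `#ifdef HAVE_GETGROUPLIST` that case-insensitive match runs on every platform and before the `getgrouplist()` lookup. Where account names are case-sensitive, two distinct accounts that differ only in case would both satisfy `!_cups_strcasecmp(username, group->gr_mem[i])`; consider an exact comparison here, or extend the "User appears in the group membership..." comment to say why case folding is wanted. The loop also sits above `if (user)`, so it returns 1 on a name match alone; if that is intended, the comment should say so.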
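Review bot: In the second hunk (-1187,13 +1203,6), dropping the `#else` branch means that on builds without `HAVE_GETGROUPLIST` the only remaining use of `i` is the loop added in the first hunk, outside the `#ifdef`. Neither hunk shows where `i` is declared, so confirm it is not declared inside the conditional block next to `int ngroups;`, otherwise the non-getgrouplist build will fail to compile. It would also help to note in the patch description that platforms without `getgrouplist()` keep the same `gr_mem` check as before, only moved earlier.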