Commit

Removed support for legacy CUPS browsing and for LDAP
Legacy CUPS browsing is not needed any more. This functionality got
removed from CUPS with version 1.6, more than a decade ago. In
cups-browsed it was implemented as a legacy support layer for servers
or clients running long-term-support enterprise distributions still
using CUPS 1.5.x or older. Now the support life of all these
distributions should have expired and so this legacy support by
cups-browsed is not needed any more.

In addition, the legacy CUPS browsing implementation in cups-browsed
was listening for UDP packets on port 631 and by default it accepted
packets from any source, making it easy for attackers to set up forged
printers which could make use of vulnerabilities of CUPS or just find
out about the identity and properties of clients. This is
CVE-2024-47176:

    https://ubuntu.com/security/CVE-2024-47176
    GHSA-rj88-6mr5-rcw8
    https://openprinting.github.io/OpenPrinting-News-Flash-cups-browsed-Remote-Code-Execution-vulnerability/

Shortly after, another vulnerability of the legacy CUPS browsing
support was also found. It was possible to send a well-formed CUPS
broadcast packet to UDP port 631 of cups-browsed, but with a port 80
URL of a web site which redirects on the port and then cups-browsed
falls into an infinite loop sending HTTP requests which can only be
stopped by "kill -9":

    GHSA-rq86-c7g6-r2h8

The removal of the legacy CUPS browsing support removes these two
vulnerabilities.

The LDAP implementation in cups-browsed does not follow the LDAP
printer schema RFC 7612 and is therefore of very limited use.
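As an added defender's check (not part of this commit or of cups-browsed itself): after deploying a build that contains this change, confirm that no cups-browsed socket is still bound to UDP 631 on a wildcard address, which is the exposure the commit message describes for CVE-2024-47176. The parser below reads `ss -ulnp` output; the sample lines are constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `ss -ulnp` output (not from the page): a host where an
# old cups-browsed still has the legacy CUPS-browsing socket open on UDP 631.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=612,fd=5))
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1044,fd=7))
UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*     users:(("avahi-daemon",pid=700,fd=12))
UNCONN 0      0               [::]:631          [::]:*     users:(("cups-browsed",pid=1044,fd=8))
"""

WILDCARD = {"0.0.0.0", "[::]", "*"}          # "any source" bindings
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def udp_listeners_on(lines, port=631):
    """Return (local_addr, process, pid) for every UDP socket bound to `port`."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue                           # header line or not a UDP socket
        addr, _, lport = fields[3].rpartition(":")   # handles "[::]:631" too
        if lport != str(port):
            continue
        m = _PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        hits.append((addr, proc, pid))
    return hits


def exposed_legacy_browsing(lines):
    """True if cups-browsed still accepts UDP 631 on a wildcard address."""
    return any(addr in WILDCARD and proc == "cups-browsed"
               for addr, proc, _ in udp_listeners_on(lines))


if __name__ == "__main__":
    # On a live host replace the sample with:
    #   subprocess.run(["ss", "-ulnp"], capture_output=True, text=True).stdout.splitlines()
    sample = SAMPLE_SS_OUTPUT.splitlines()
    for addr, proc, pid in udp_listeners_on(sample):
        print(f"UDP 631 bound on {addr} by {proc} (pid {pid})")
    print("legacy browsing exposure:", exposed_legacy_browsing(sample))
```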
tillkamppeter committed Oct 6, 2024
1 parent b7461ec commit 6fd2bdf
Showing 6 changed files with 54 additions and 1,544 deletions.
39 changes: 15 additions & 24 deletions README
@@ -237,43 +237,34 @@ POSTSCRIPT PRINTING DEBUG MODE
HELPER DAEMON FOR BROWSING REMOTE CUPS PRINTERS AND IPP NETWORK PRINTERS

From version 1.6.0 on in CUPS the CUPS broadcasting/browsing
facility was dropped, in favour of Bonjour-based broadcasting of
shared printers. This is done as Bonjour broadcasting of shared
facility was dropped, in favour of DNS-SD-based broadcasting of
shared printers. This is done as DNS-SD broadcasting of shared
printers is a standard, established by the PWG (Printing Working
Group, http://www.pwg.org/), and most other network services
(shared file systems, shared media files/streams, remote desktop
services, ...) are also broadcasted via Bonjour.
services, ...) are also broadcasted via DNS-SD.

Problem is that CUPS only broadcasts its shared printers but does
not browse broadcasts of other CUPS servers to make the shared
remote printers available locally without any configuration
efforts. This is a regression compared to the old CUPS
broadcasting/browsing. The intention of CUPS upstream is that the
application's print dialogs browse the Bonjour broadcasts as an
application's print dialogs browse the DNS-SD broadcasts as an
AirPrint-capable iPhone does, but it will take its time until all
toolkit developers add the needed functionality, and programs
using old toolkits or no toolkits at all, or the command line stay
uncovered.

The solution is cups-browsed, a helper daemon running in parallel
to the CUPS daemon which listens to Bonjour broadcasts of shared
CUPS printers on remote machines in the local network via Avahi,
and can also listen for (and send) CUPS Browsing broadcasts. For
each reported remote printer it creates a local raw queue pointing
to the remote printer so that the printer appears in local print
dialogs and is also available for printing via the command
line. As with the former CUPS broadcasting/browsing with this
queue the driver on the server is used and the local print dialogs
give access to all options of the server-side printer driver.

Note that CUPS broadcasting/browsing is available for legacy
support, to let the local CUPS daemon work seamlessly together
with remote CUPS daemons of version 1.5.x and older which only
support CUPS broadcasting/browsing. In networks with only CUPS
1.6.x servers (or Ubuntu or Fedora/Red Hat servers with CUPS
1.5.x) please use the native Bonjour broadcasting of your servers
and cups-browsed, configured for Bonjour browsing only on the
clients.
to the CUPS daemon which listens to DNS-SD broadcasts of shared
CUPS printers on remote machines in the local network via
Avahi. For each reported remote printer it creates a local raw
queue pointing to the remote printer so that the printer appears
in local print dialogs and is also available for printing via the
command line. As with the former CUPS broadcasting/browsing with
this queue the driver on the server is used and the local print
dialogs give access to all options of the server-side printer
driver.

Also high availability with redundant print servers and load
balancing is supported. If there is more than one server providing
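Review bot: the new README text "For each reported remote printer it creates a local raw queue" keeps the old "raw queue" wording, while the utils/cups-browsed.8 hunk in this same commit changes "local raw queues" to "local CUPS queues"; align the README to "local CUPS queue" so both documents describe the same thing. The removed paragraph was also the only place that told administrators what to do about CUPS 1.5.x servers; since the commit message states that legacy CUPS browsing support is gone, a one-line note here that cups-browsed no longer listens for or sends CUPS Browsing broadcasts would tell users of that feature why legacy-only servers stop appearing after the upgrade.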
@@ -388,7 +379,7 @@ HELPER DAEMON FOR BROWSING REMOTE CUPS PRINTERS AND IPP NETWORK PRINTERS
of avahi-daemon.

Here is some info on how cups-browsed works internally (first concept of a
daemon which does only Bonjour browsing):
daemon which does only DNS-SD browsing):

- Daemon start
o Wait for CUPS daemon if it is not running
@@ -444,7 +435,7 @@ HELPER DAEMON FOR BROWSING REMOTE CUPS PRINTERS AND IPP NETWORK PRINTERS
of the others by one with simple name (mark old queue disappeared
with timeout now-1 sec and create new queue with simple name).

Fill description of the created CUPS queue with the Bonjour
Fill description of the created CUPS queue with the DNS-SD
service name (= original description) and location with the server
name without .local.

44 changes: 0 additions & 44 deletions configure.ac
@@ -364,50 +364,6 @@ fi
AC_SUBST(AVAHI_LIBS)
AC_SUBST(AVAHI_CFLAGS)

dnl
dnl LDAP configuration stuff for CUPS.
dnl
dnl Copyright 2007-2011 by Apple Inc.
dnl Copyright 2003-2006 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
dnl property of Apple Inc. and are protected by Federal copyright
dnl law. Distribution and use rights are outlined in the file "COPYING"
dnl which should have been included with this file.
dnl

AC_ARG_ENABLE([ldap], [AS_HELP_STRING([--disable-ldap], [disable LDAP support.])],
[enable_ldap="$enableval"],
[enable_ldap=yes]
)
AC_ARG_WITH([ldap-libs], [AS_HELP_STRING([--with-ldap-libs], [set directory for LDAP library.])],
LDFLAGS="-L$withval $LDFLAGS"
DSOFLAGS="-L$withval $DSOFLAGS",)
AC_ARG_WITH([ldap-includes], [AS_HELP_STRING([--with-ldap-includes], [set directory for LDAP includes.])],
CFLAGS="-I$withval $CFLAGS"
CPPFLAGS="-I$withval $CPPFLAGS",)

if test x$enable_ldap != xno; then

AC_CHECK_HEADER([ldap.h], [
AC_SEARCH_LIBS([ldap_initialize], [ldap], [
AC_DEFINE([HAVE_LDAP], [], [Define if LDAP support should be enabled])
AC_DEFINE([HAVE_OPENLDAP], [], [If LDAP support is that of OpenLDAP])
AC_CHECK_LIB([ldap], [ldap_start_tls],
AC_DEFINE([HAVE_LDAP_SSL], [], [If LDAP has SSL/TLS support enabled]))],[
AC_CHECK_LIB([ldap], [ldap_init], [
AC_DEFINE([HAVE_LDAP], [], [Define if LDAP support should be enabled])
AC_DEFINE([HAVE_MOZILLA_LDAP], [], [If LDAP support is that of Mozilla])
AC_CHECK_HEADERS([ldap_ssl.h], [], [], [#include <ldap.h>])
AC_CHECK_LIB([ldap], [ldapssl_init],
AC_DEFINE([HAVE_LDAP_SSL], [], [If LDAP has SSL/TLS support enabled]))])]
)
AC_CHECK_LIB([ldap], [ldap_set_rebind_proc], AC_DEFINE([HAVE_LDAP_REBIND_PROC], [], [If libldap implements ldap_set_rebind_proc]))
])

fi

PKG_CHECK_MODULES(GLIB, [glib-2.0 >= 2.30.2])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
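Review bot: dropping AC_ARG_ENABLE([ldap]) and AC_ARG_WITH([ldap-libs]) / AC_ARG_WITH([ldap-includes]) means distribution build scripts that still pass --disable-ldap or --with-ldap-libs will now get autoconf's unrecognized-option warning (or fail outright under --enable-option-checking=fatal); call that out in the release notes. Also verify that nothing left in the tree still tests HAVE_LDAP, HAVE_OPENLDAP, HAVE_MOZILLA_LDAP, HAVE_LDAP_SSL or HAVE_LDAP_REBIND_PROC: those AC_DEFINEs disappear with this hunk, and any remaining #ifdef on them would silently compile the guarded code out rather than flag it as dead.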
38 changes: 6 additions & 32 deletions utils/cups-browsed.8
@@ -16,20 +16,14 @@
.fam T
.fi
.SH DESCRIPTION
\fBcups-browsed\fP has four independently switchable functions:
\fBcups-browsed\fP has two independently switchable functions:
.IP 1. 4
Browse Bonjour broadcasts of remote printers and create/remove local
raw queues pointing to these printers.
Browse DNS-SD broadcasts of remote printers and create/remove local
CUPS queues pointing to these printers.
.IP 2. 4
Browse CUPS broadcasts of remote printers and create/remove local raw
queues pointing to these printers.
.IP 3. 4
Browse an LDAP server for printers and create/remove local raw
queues pointing to these printers.
.IP 4. 4
Broadcast local queues with the CUPS protocol.
Find shared printers on given CUPS servers and create local CUPS queues
pointing to them.
.PP
Note that 2. and 4. are only to allow communication with legacy CUPS servers (1.5.x or older) on the remote machine(s). The standard method to broadcast for shared/network printers to broadcast their presence is Bonjour. The CUPS broadcasting/browsing protocol is deprecated.

cups-browsed can be run permanently (from system boot to shutdown) or on-demand (for example to save resources on mobile devices). For running it on-demand an auto-shutdown feature can be activated to let cups-browsed terminate when it does not have queues any more to take care of.

@@ -76,28 +70,8 @@ Display usage and version info and do not start the daemon.
\fISIGUSR2\f1: Switches cups-browsed into auto shutdown mode.

.SH NOTES
Please take references to cups 1.6.x to include newer versions.
Similarly, cups 1.5.x is intended to encompass older versions too.
.PP
In environments with only cups 1.6.x servers and clients (plus
\fBcups-browsed\fP on either server or client or both) the function described in 1.
enables the automatic discovery of remote queues and their display in
printing dialogues of applications and with command line tools.
.PP
The facility provided by 3. allows printers that are registered in an LDAP
server to be added as local queues. CUPS servers 1.5.x are able to automatically
register printers in LDAP. The facility provided by \fBcups-browsed\fP allows
a filter string to further limit the printers that are browsed from LDAP.
.PP
The facility provided by 4. means that servers running cups 1.6.x plus
\fBcups-browsed\fP can broadcast their local queues so that clients with cups
1.5.x get these queues automatically available. The outcome of 2. is
that clients running cups 1.6.x plus \fBcups-browsed\fP can use the CUPS
broadcasts from servers with cups 1.5.x. As with browsing of Bonjour
broadcasts, the created local raw queues are available to applications
and command line tools.
.PP
This manual page was written for the Debian Project, but it may be used by others.

.SH SEE ALSO

\fBcups-browsed.conf\fP(5)
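Review bot: after this hunk the NOTES section consists solely of the Debian attribution sentence, because the paragraphs explaining what the functions do in practice were removed together with the cups 1.5.x/1.6.x versioning note. The removed text about function 1 (automatic discovery of remote queues and their display in printing dialogues of applications and with command line tools) still applies to DNS-SD browsing; consider keeping a version-neutral form of it here, and either move the Debian sentence into an AUTHOR section or leave NOTES for actual notes.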

0 comments on commit 6fd2bdf