diff --git a/CHANGES.md b/CHANGES.md index fc59a881a..e627c3427 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,4 +1,45 @@ -# CHANGES - OpenPrinting CUPS Filters v2.0rc1 - 2023-04-12 +# CHANGES - OpenPrinting CUPS Filters v2.0rc2 - 2023-06-20 + +## CHANGES IN V2.0rc2 (20th June 2023) + +- beh backend: Use `execv()` instead of `system()` - CVE-2023-24805 + With `execv()` command line arguments are passed as separate strings + and not the full command line in a single string. This prevents + arbitrary command execution by escaping the quoting of the arguments + in a job with forged job title. + +- beh backend: Extra checks against odd/forged input - CVE-2023-24805 + + * Do not allow `/` in the scheme of the URI (= backend executable + name), to assure that only backends inside + `/usr/lib/cups/backend/` are used. + + * Pre-define scheme buffer to empty string, to be defined for case + of URI being NULL. + + * URI must have `:`, to split off scheme, otherwise error. + + * Check return value of `snprintf()` to create call path for + backend, to error out on truncation of a too long scheme or on + complete failure due to a completely odd scheme. + +- beh backend: Further improvements - CVE-2023-24805 + + * Use `strncat()` instead of `strncpy()` for getting scheme from + URI, the latter does not require setting terminating zero byte in + case of truncation. + + * Also exclude `.` or `..` as scheme, as directories are not valid + CUPS backends. + + * Do not use `fprintf()` in `sigterm_handler()`, to not interfere + with a `fprintf()` which could be running in the main process when + `sigterm_handler()` is triggered. + + * Use `static volatile int` for global variable job_canceled. + +- `parallel` backend: Added missing `#include` lines + ## CHANGES IN V2.0rc1 (12th April 2023) diff --git a/INSTALL b/INSTALL index 4eb9ce732..f9c1b6220 100644 --- a/INSTALL +++ b/INSTALL 
@@ -1,4 +1,4 @@ -INSTALL - OpenPrinting CUPS Filters v2.0rc1 - 2023-04-12 +INSTALL - OpenPrinting CUPS Filters v2.0rc2 - 2023-06-20 -------------------------------------------------------- This file describes how to compile and install OpenPrinting CUPS diff --git a/README.md b/README.md index 47cde732d..29493e54d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# OpenPrinting CUPS Filters v2.0rc1 - 2023-04-12 +# OpenPrinting CUPS Filters v2.0rc2 - 2023-06-20 Looking for compile instructions? Read the file "INSTALL" instead... diff --git a/configure.ac b/configure.ac index 837cd1cd6..9dea62b50 100644 --- a/configure.ac +++ b/configure.ac @@ -5,7 +5,7 @@ AC_PREREQ([2.65]) # ==================== # Version informations # ==================== -AC_INIT([cups-filters], [2.0rc1], [https://github.com/OpenPrinting/cups-filters/issues], [cups-filters], [https://github.com/OpenPrinting/cups-filters/]) +AC_INIT([cups-filters], [2.0rc2], [https://github.com/OpenPrinting/cups-filters/issues], [cups-filters], [https://github.com/OpenPrinting/cups-filters/]) cups_filters_version="AC_PACKAGE_VERSION" cups_filters_version_major="`echo AC_PACKAGE_VERSION | awk -F. '{print $1}'`" cups_filters_version_major="`echo AC_PACKAGE_VERSION | awk -F. '{printf("%d\n",$2);}'`"
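Review bot: The `strncat()`/`strncpy()` bullet in the CHANGES.md hunk states the guarantee backwards. It says "the latter" (`strncpy()`) "does not require setting terminating zero byte in case of truncation", but `strncpy()` is precisely the call that leaves the destination unterminated when the source fills the buffer; `strncat()` always appends the terminating NUL. Suggest rewording to: `Use strncat() instead of strncpy() for getting the scheme from the URI, as strncat() always terminates the result with a zero byte, whereas strncpy() does not on truncation.` On the `job_canceled` bullet in the same hunk: a flag written from `sigterm_handler()` should be declared `static volatile sig_atomic_t` rather than `static volatile int`, since `sig_atomic_t` is the type C guarantees can be read and written atomically with respect to a signal handler and `volatile int` alone carries no such guarantee; the changelog entry should name the type actually used.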
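Review bot: In the configure.ac hunk the unchanged context lines assign `cups_filters_version_major` twice. The second assignment, `cups_filters_version_major="`echo AC_PACKAGE_VERSION | awk -F. '{printf("%d\n",$2);}'`"`, extracts the second dotted component and overwrites the major number with it, so within the visible context `cups_filters_version_major` ends up holding the minor version and no minor variable is set. This is pre-existing rather than introduced by the version bump, but since the hunk touches exactly these lines it is the right moment to rename the second assignment to `cups_filters_version_minor`.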