From 16caf1231bf847016eabe7c701af04cf09732212 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Mon, 7 Oct 2024 22:26:24 +0200
Subject: [PATCH] cups-filters: remove support for legacy CUPS browsing and for LDAP
Fixes CVE-2024-47176 and CVE-2024-47850. NixOS is not affected by these security issues by default because we do not ship the default configuration file so it fallbacks to `BrowseRemoteProtocols dnssd`. 631/udp is removed from the open firewall ports, it was by the CUPS browsing protocol.
---
 nixos/doc/manual/release-notes/rl-2411.section.md | 2 ++
 nixos/modules/services/printing/cupsd.nix | 5 ++---
 pkgs/misc/cups/filters.nix | 8 +++++++-
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 7c1cb9801a3c..b3b2af8d0778 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -494,6 +494,8 @@
 - The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
+- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.
+
 - The `services.trust-dns` module has been renamed to `services.hickory-dns`.
 - The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since
diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix
index ef80ffe0ad41..a1fb0b3951e4 100644
--- a/nixos/modules/services/printing/cupsd.nix
+++ b/nixos/modules/services/printing/cupsd.nix
@@ -184,8 +184,8 @@ in
 type = types.bool;
 default = false;
 description = ''
- Whether to open the firewall for TCP/UDP ports specified in
- listenAdrresses option.
+ Whether to open the firewall for TCP ports specified in
+ listenAddresses option.
 '';
 };
@@ -493,7 +493,6 @@ in
 listenPorts = parsePorts cfg.listenAddresses;
 in mkIf cfg.openFirewall {
 allowedTCPPorts = listenPorts;
- allowedUDPPorts = listenPorts;
 };
 };
diff --git a/pkgs/misc/cups/filters.nix b/pkgs/misc/cups/filters.nix
index b4a7b66c02e3..d5688d3bc351 100644
--- a/pkgs/misc/cups/filters.nix
+++ b/pkgs/misc/cups/filters.nix
@@ -18,6 +18,7 @@
 , liblouis
 , libpng
 , makeWrapper
+, autoreconfHook
 , mupdf
 , perl
 , pkg-config
@@ -53,9 +54,14 @@ stdenv.mkDerivation rec {
 url = "https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018.patch";
 hash = "sha256-MXWllrdWt8n7zqvumQNg34dBgWMwMTwf9lrD+ZZP8Wk=";
 })
+ (fetchpatch {
+ name = "remove-cups-ldap-browse-protocols_CVE-2024-47176_CVE-2024-47850.patch";
+ url = "https://github.com/OpenPrinting/cups-filters/commit/6fd2bdfbdce76149af531ce9fca9062304238451.patch";
+ hash = "sha256-XS1ODy7i7ilgEjsKuEvOUiRN9pqsj+bOktKoshKcg8Q=";
+ })
 ];
- nativeBuildInputs = [ pkg-config makeWrapper ];
+ nativeBuildInputs = [ pkg-config makeWrapper autoreconfHook ];
 buildInputs = [
 cups
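Review bot: Dropping `allowedUDPPorts = listenPorts;` in the `@@ -493` hunk makes `openFirewall` silently stop exposing 631/udp, yet nothing in the module checks whether `services.printing.browsedConf` still names `cups` or `ldap` in `BrowseRemoteProtocols`; the release note in this patch tells users to remove those values, but an evaluation-time signal would catch stale configurations instead of leaving them to discover that browsing no longer works. Consider a `warnings` entry in the module's config section that matches `cfg.browsedConf` (presumably free-form text — confirm) against `BrowseRemoteProtocols` lines mentioning `cups` or `ldap`. A why-comment on the surviving line, such as `allowedTCPPorts = listenPorts; # UDP is no longer opened: legacy CUPS browsing on 631/udp was removed from cups-filters`, would also explain the asymmetry with the description text changed in the `@@ -184` hunk. The firewall attribute set this hunk edits (presumably `networking.firewall`) begins before the hunk.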
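Review bot: The new `fetchpatch` entry in the `@@ -53` hunk carries the CVE identifiers only in its `name`, and the matching addition of `autoreconfHook` to `nativeBuildInputs` (and to the argument list in the `@@ -18` hunk of this file) has no comment saying why it is now required, so a later maintainer cannot tell when either can be dropped. Presumably the upstream commit changes the autotools inputs and the build needs regeneration — confirm against the patch — so a comment above the `fetchpatch` such as `# Removes the legacy cups/ldap BrowseRemoteProtocols (CVE-2024-47176, CVE-2024-47850); autoreconfHook is needed only for this patch — drop both once a release includes the fix` would record that. The list of `fetchpatch` entries this hunk extends begins before the hunk.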