Hello community, here is the log from the commit of package hplip for openSUSE:13.1 checked in at 2013-10-25 12:59:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1/hplip (Old) and /work/SRC/openSUSE:13.1/.hplip.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hplip" Changes: -------- --- /work/SRC/openSUSE:13.1/hplip/hplip.changes 2013-09-23 10:53:35.000000000 +0200 +++ /work/SRC/openSUSE:13.1/.hplip.new/hplip.changes 2013-10-25 12:59:40.000000000 +0200 @@ -1,0 +2,23 @@ +Wed Oct 16 15:36:08 CEST 2013 - [email protected] + +- Version upgrade to 3.13.10: + Several more supported printers and all-in-one devices. + Fix for CVE-2013-4325i (insecure Polkit use). + Users will not be added to "lp" group, users will be prompted + to provide necessary authentication (see the entry + dated "Tue Jul 9 16:18:35 CEST 2013" below). + Added firmware upload functionality during 'hp-setup'. + Some other bug fixes. + For details see + http://hplipopensource.com/hplip-web/release_notes.html +- change-udev-rules.diff: Adapted for HPLIP 3.13.10. +- disable-chgrp_lp.diff is obsolete since version 3.13.10 + because it is fixed in the source. +- neither-add_user_to_group-nor-open_mdns_port.diff is replaced by + do_not_open_mdns_port.diff because the "add_user_to_group" issue + is fixed in the source since version 3.13.10 but the + "open_mdns_port" issue still exists. +- deactivate-add_group-function.diff is obsolete since 3.13.10 + because there is no longer that "chgrp" stuff in HPLIP. + +------------------------------------------------------------------- Old: ---- deactivate-add_group-function.diff disable-chgrp_lp.diff hplip-3.13.9.tar.gz hplip-3.13.9.tar.gz.asc neither-add_user_to_group-nor-open_mdns_port.diff New: ---- do_not_open_mdns_port.diff hplip-3.13.10.tar.gz hplip-3.13.10.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hplip.spec ++++++ --- /var/tmp/diff_new_pack.CxJz7c/_old 2013-10-25 12:59:41.000000000 +0200 +++ /var/tmp/diff_new_pack.CxJz7c/_new 2013-10-25 12:59:41.000000000 +0200 @@ -58,7 +58,7 @@ # where 'a' or 'b' do not mean 'alpha' or 'beta' but 'second' or 'third' release in the month # (usually bugfix releases have the suffix like 3.12.10a = first bugfix release for 3.12.10). # Official releases have a 3 digit number and release candidates have a 4 digit number: x.y.m.rc -Version: 3.13.9 +Version: 3.13.10 Release: 0 Url: http://hplipopensource.com # Source0...Source9 is for sources from HP: @@ -98,28 +98,21 @@ # Source106 hp-systray.wrapper was a wrapper for hp-systray which is no longer needed # see https://bugzilla.novell.com/show_bug.cgi?id=649280 # Patch100... is for special Suse patches: -# Patch101 changes the udev rules file 56-hpmud.rules +# Patch101 change-udev-rules.diff changes the udev rules file 56-hpmud.rules Patch101: change-udev-rules.diff -# Patch102 disable-chgrp_lp.diff deactivates the "chgrp lp" in Makefile.am -# because during build this results "Operation not permitted". -# Instead it is done in the files section via attr(0775,root,lp) -# where mode 0775 is used instead of mode 0777 as in Makefile.am -# because a public writable directory /var/log/hp/ is not allowed -# to avoid security issues: -Patch102: disable-chgrp_lp.diff +# Patch102 was disable-chgrp_lp.diff that deactivated the "chgrp lp" in Makefile.am +# because during build this results "Operation not permitted" which +# is no longer needed because there is no longer that "chgrp" stuff in HPLIP version 3.13.10. # Patch103 was no-hplip_cron.diff that deactivated the "cron" stuff in Makefile.am which # is no longer needed because there is no longer any "cron" stuff in HPLIP version 3.13.6 -# Patch104 removes add_user_to_group and open_mdns_port.diff from distros.dat for SUSE distros -# to avoid security issues when normal users get added to system groups 'lp' and 'sys' -# see https://bugs.launchpad.net/bugs/1197416 and https://bugs.launchpad.net/bugs/1112306 -# and to avoid security issues when ports in the firewall get opened -# see https://bugs.launchpad.net/bugs/426161 -Patch104: neither-add_user_to_group-nor-open_mdns_port.diff -# Patch105 deactivates the add_group function that would add the groups ('lp') to user -# which would cause security issues see https://bugs.launchpad.net/bugs/1197416 -# that would happen in any case via a fallback command in an "else" clause -# even if this functionality was explicitly disabled in distros.dat -Patch105: deactivate-add_group-function.diff +# Patch104 do_not_open_mdns_port.diff deactivates the open_mdns_port functionality +# in distros.dat for SUSE distros to avoid security issues when ports in the firewall +# get opened. see https://bugs.launchpad.net/bugs/426161 +Patch104: do_not_open_mdns_port.diff +# Patch105 was deactivate-add_group-function.diff that deactivated +# the add_group function that would add the groups ('lp') to user which +# would cause security issues see https://bugs.launchpad.net/bugs/1197416 +# which is no longer needed because there is no longer that "chgrp" stuff in HPLIP version 3.13.10. # Install into this non-root directory (required when norootforbuild is used): BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: coreutils @@ -328,29 +321,12 @@ %endif # Be quiet when unpacking: %setup -q -# Patch101 change-udev-rules.diff -# changes the udev rules file 56-hpmud.rules +# Patch101 change-udev-rules.diff changes the udev rules file 56-hpmud.rules %patch101 -b .change-udev-rules.orig -# Patch102 disable-chgrp_lp.diff deactivates the "chgrp lp" in Makefile.am -# because during build this results "Operation not permitted". -# Instead it is done in the files section via attr(0775,root,lp) -# where mode 0775 is used instead of mode 0777 as in Makefile.am -# because a public writable directory /var/log/hp/ is not allowed -# to avoid security issues: -%patch102 -b .disable-chgrp_lp.orig -# Patch104 neither-add_user_to_group-nor-open_mdns_port.diff -# removes add_user_to_group and open_mdns_port.diff from distros.dat for SUSE distros -# to avoid security issues when normal users get added to system groups 'lp' and 'sys' -# see https://bugs.launchpad.net/bugs/1197416 and https://bugs.launchpad.net/bugs/1112306 -# and to avoid security issues when ports in the firewall get opened -# see https://bugs.launchpad.net/bugs/426161 -%patch104 -b .neither-add_user_to_group-nor-open_mdns_port.orig -# Patch105 deactivate-add_group-function.diff -# deactivates the add_group function that would add the groups ('lp') to user -# which would cause security issues see https://bugs.launchpad.net/bugs/1197416 -# that would happen in any case via a fallback command in an "else" clause -# even if this functionality was explicitly disabled in distros.dat -%patch105 -b .deactivate-add_group-function.orig +# Patch104 do_not_open_mdns_port.diff deactivates the open_mdns_port functionality +# in distros.dat for SUSE distros to avoid security issues when ports in the firewall +# get opened. see https://bugs.launchpad.net/bugs/426161 +%patch104 -b .do_not_open_mdns_port.orig %build # If AUTOMAKE='automake --foreign' is not set, autoreconf (in fact automake) @@ -383,6 +359,8 @@ # foomatic-rip-hplip is no longer installed and foomatic-rip from foomatic-filters is used instead so that # --disable-foomatic-rip-hplip-install is explicitly set and as a consequence the "cupsFilter" entries # in the static PPDs are changed in the install section to use foomatic-rip. +# Since HPLIP 3.13.10 --with-htmldir is new but it does not inhertit its value from --with-docdir +# so that --with-htmldir must be explicitly set. ./configure --prefix=/usr \ --libdir=%{_libdir} \ --disable-qt3 \ @@ -407,7 +385,8 @@ --with-cupsfilterdir=/usr/lib/cups/filter \ --with-drvdir=/usr/lib/cups/driver \ --with-mimedir=%{_sysconfdir}/cups \ - --with-docdir=%{_defaultdocdir}/%{name} + --with-docdir=%{_defaultdocdir}/%{name} \ + --with-htmldir==%{_defaultdocdir}/%{name} make %install @@ -629,7 +608,6 @@ %{_bindir}/hp-logcapture %{_bindir}/hp-makecopies %{_bindir}/hp-makeuri -%{_bindir}/hp-mkuri %{_bindir}/hp-pkservice %{_bindir}/hp-plugin %{_bindir}/hp-pqdiag @@ -686,7 +664,7 @@ %{_datadir}/cups/model/manufacturer-PPDs/%{name}/ %{_datadir}/%{name}/data/models/models.dat # Use fixed "/var/log/hp" because this is hardcoded in the HPLIP sources. -# Regarding attr(0775,root,lp) see disable-chgrp_lp.diff (Patch102): +# Regarding attr(0775,root,lp) see the comment for /var/log/hp/tmp below: %dir %attr(0775,root,lp) /var/log/hp # Regarding attr(0775,root,lp) for /var/log/hp/tmp # see https://bugzilla.novell.com/show_bug.cgi?id=800312#c0 ++++++ change-udev-rules.diff ++++++ --- /var/tmp/diff_new_pack.CxJz7c/_old 2013-10-25 12:59:41.000000000 +0200 +++ /var/tmp/diff_new_pack.CxJz7c/_new 2013-10-25 12:59:41.000000000 +0200 @@ -1,21 +1,16 @@ ---- data/rules/56-hpmud.rules.change-udev-rules.orig 2013-08-07 08:02:33.000000000 +0200 -+++ data/rules/56-hpmud.rules 2013-09-10 13:24:09.000000000 +0200 -@@ -1,18 +1,50 @@ +--- data/rules/56-hpmud.rules.change-udev-rules.orig 2013-10-11 11:38:53.000000000 +0200 ++++ data/rules/56-hpmud.rules 2013-10-16 16:04:54.000000000 +0200 +@@ -1,18 +1,43 @@ # HPLIP udev rules file. Notify console user if plugin support is required for this device. +# SUSE changed: +# -+# MODE="0660" to MODE="0664" -+# because it is sufficiently secure to let any user read the device nodes -+# because HPLIP opens the device nodes exclusively so that sniffing -+# of print jobs or scanner image data should not be possible. -+# +# Exchanged the rule to GOTO hpmud_usb_rules if SUBSYSTEM is "usb" +# with the rule if SUBSYSTEM is "ppdev" to avoid that the "ppdev" rule +# is needlessly processed when SUBSYSTEM is "usb". +# -+# Added rules to skip the hpmud_usb_rules rules via GOTO hpmud_rules_end -+# if SUBSYSTEM is not "usb" or if ENV{DEVTYPE} is not "usb_device" ++# Added GOTO hpmud_rules_end rule to skip the hpmud_usb_rules ++# if SUBSYSTEM is not "usb" or if ENV{DEVTYPE} is not "usb_device" or if SUBSYSTEM is not "ppdev" +# to avoid that the hpmud_usb_rules are needlessly processed. +# +# The rule to automatically "add the printer and install plugin" is disabled @@ -32,20 +27,18 @@ +# a rule that only uploads firmware into printers that need it is added. + ACTION!="add", GOTO="hpmud_rules_end" --SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0660" +-SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0664" SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GOTO="hpmud_usb_rules" - +SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0664" -+SUBSYSTEM!="usb", GOTO="hpmud_rules_end" -+ENV{DEVTYPE}!="usb_device", GOTO="hpmud_rules_end" ++GOTO="hpmud_rules_end" LABEL="hpmud_usb_rules" # ENV{ID_HPLIP}="1" is for Ubuntu udev-acl --ATTR{idVendor}=="03f0", ATTR{idProduct}=="????", OWNER="root", GROUP="lp", MODE="0660", ENV{sane_hpaio}="yes", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" -+ATTR{idVendor}=="03f0", ATTR{idProduct}=="????", OWNER="root", GROUP="lp", MODE="0664", ENV{sane_hpaio}="yes", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" - + ATTR{idVendor}=="03f0", ATTR{idProduct}=="????", OWNER="root", GROUP="lp", MODE="0664", ENV{sane_hpaio}="yes", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" +- # This rule will add the printer and install plugin -ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c 'if [ -f /usr/bin/systemctl ]; then /usr/bin/systemctl --no-block start hplip-printer@$env{BUSNUM}:$env{DEVNUM}.service; else /usr/bin/nohup /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM} ; fi'" +# ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c 'if [ -f /usr/bin/systemctl ]; then /usr/bin/systemctl --no-block start hplip-printer@$env{BUSNUM}:$env{DEVNUM}.service; else /usr/bin/nohup /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM} ; fi'" @@ -55,8 +48,10 @@ # If sane-bankends is installed add hpaio backend support to dll.conf if needed. ENV{sane_hpaio}=="yes", RUN+="/bin/sh -c 'grep -q ^#hpaio /etc/sane.d/dll.conf;if [ $$? -eq 0 ];then sed -i -e s/^#hpaio/hpaio/ /etc/sane.d/dll.conf;else grep -q ^hpaio /etc/sane.d/dll.conf;if [ $$? -ne 0 ];then echo hpaio >>/etc/sane.d/dll.conf;fi;fi'" -@@ -22,3 +54,4 @@ ENV{libsane_matched}=="yes", RUN+="/bin/ - +@@ -20,5 +45,5 @@ ENV{sane_hpaio}=="yes", RUN+="/bin/sh -c + # The following rule will disable USB autosuspend for the device + ENV{libsane_matched}=="yes", RUN+="/bin/sh -c 'test -e /sys/$env{DEVPATH}/power/level && echo on > /sys/$env{DEVPATH}/power/level'" +- LABEL="hpmud_rules_end" + ++++++ do_not_open_mdns_port.diff ++++++ --- installer/distros.dat.orig 2013-10-11 11:36:44.000000000 +0200 +++ installer/distros.dat 2013-10-16 16:25:27.000000000 +0200 @@ -141,7 +141,7 @@ parallel_supported=0 usb_supported=1 packaged_version=3.11.6 release_date=2012-07-11 -notes=Please be sure to disable the CD repositories in YaST and after installation you must log out and back in to become a member of the lp and sys group to enable printing. +notes=Please be sure to disable the CD repositories in YaST. ppd_install=drv udev_mode_fix=1 ppd_dir=/usr/share/cups/model/HP @@ -150,7 +150,7 @@ drv_dir=/usr/share/cups/drv/HP cups_path_with_bitness=0 ui_toolkit=qt4 native_cups=1 -open_mdns_port=/bin/bash ./init-suse-firewall +open_mdns_port=/bin/true pre_depend_cmd=su -c "zypper refresh" [suse:12.2:cups] @@ -261,7 +261,7 @@ parallel_supported=0 usb_supported=1 packaged_version=3.12.11 release_date=2013-03-13 -notes=Please be sure to disable the CD repositories in YaST and after installation you must log out and back in to become a member of the lp and sys group to enable printing. +notes=Please be sure to disable the CD repositories in YaST. ppd_install=drv udev_mode_fix=1 ppd_dir=/usr/share/cups/model/HP @@ -270,7 +270,7 @@ drv_dir=/usr/share/cups/drv/HP cups_path_with_bitness=0 ui_toolkit=qt4 native_cups=1 -open_mdns_port=/bin/bash ./init-suse-firewall +open_mdns_port=/bin/true pre_depend_cmd=su -c "zypper refresh" [suse:12.3:cups] ++++++ hplip-3.13.9.tar.gz -> hplip-3.13.10.tar.gz ++++++ /work/SRC/openSUSE:13.1/hplip/hplip-3.13.9.tar.gz /work/SRC/openSUSE:13.1/.hplip.new/hplip-3.13.10.tar.gz differ: char 5, line 1 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
