LPRng: ANNOUNCEMENT: Foomatic 3.0.2 released!

[Till Kamppeter]

Oi,
this is Foomatic 3.0.2, the third stable release in the Foomatic 3.0.x
series.
This is a bug fix release, especially to fix a security problem in 
foomatic-rip.

It was possible to make foomatic-rip executing arbitrary commands as the 
user lp (or however the spooler's special user is called) on the print
server. The securoty advisory ID of this problem is CAN-2004-0801.

Other fixes are: Workaround for PostScript generation bug in all 
OpenOffice.org 1.1.x versions, compatibility fix of manufacturer names 
in the the generated PPDs with the Adobe specs, usage of Gimp-Print 
instead of GIMP-Print, and more.

Give your comments and suggestions for the further development on the
Foomatic Development List/Newsgroup on linuxprinting.org.
See details and how to proceed below.
Happy printing!
Till
Changes
---
 - Some fixes to make foomatic-rip more robust against weird input via
   the command line or environment variables are done. This solves the
   problem of an attacker being able to run arbitrary commands as lp
   (or however the spooler's special user is named) on the print
   server (Security Advisory CAN-2004-0801).
 - Workaround for PostScript generation bug in all OpenOffice.org
   1.1.x versions.
 - Let the PPD generator use the manufacturer as defined in the
   Foomatic database and not the one from the IEEE-1284 auto-detection
   ID string for the *Manufacturer: ... tag of the PPD files, as in
   the IDs the manufacturer names often do not comply with the Adobe
   specs (as Hewlett-Packard, HP has to be used.
 - Replaced GIMP-Print by Gimp-Print in all texts in the Foomatic
   database, the software and the linuxprinting.org web site.
 - Compatibility fixes for newest gcc.
 - Read paper size with unit out of the driverval (needed for Omni),
   restrict paper sizes in the PPD to 2 digits after the decimal point.
 - Let options for red and blue ink settings (of Gimp-Print) be
   correctly sorted in in the PPD files.
Packages

The release consists of two packages:
http://www.linuxprinting.org/download/foomatic/foomatic-filters-3.0.2.tar.gz
http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.2.tar.gz
It is recommended to also update foomatic-db and foomatic-db-hpijs from
the CVS or from http://www.linuxprinting.org/download/foomatic/ (daily
snapshots look for the -current files). As the database is regularly
updated for new printers and drivers, there are no special releases for
it, please use the last daily snapshot for distributions (the date can
be considered as version number). foomatic-db-hpijs releases are coupled
with releases of HPIJS (http://hpinkjet.sf.net/).
The packages should be installed in the following order:
   1. foomatic-filters
   2. foomatic-db
   3. foomatic-db-hpijs
   4. foomatic-db-engine
Please read the USAGE files to know how to install and use these
packages. You do not necessarily need to install foomatic-db-hpijs, you
only need it when you want to use a printer with the HPIJS driver.
Uninstall any old version of Foomatic before you install these packages.
To set up print queues for any supported spooler (CUPS, LPRng, LPD,
GNUlpr, PPR, PDQ, CPS, no spooler) use foomatic-configure as described
in the USAGE file of foomatic-db-engine. You can set up printer queues
based on the Foomatic database, with PPD files for PostScript printers,
with CUPS raster drivers, or raw queues. This is possible for all
spoolers. You can also print a wide range of file types with every
spooler (when you use LPRng, LPD, GNUlpr, PDQ, CPS, or no spooler you
need a2ps on your machine).
If you want to know how all this works, see the README files of both the
foomatic-db-engine and foomatic-filters packages.
Web site

Alternatively you can download all what you need for setting up a print
queue from the web. Go simply to the usual site:
   http://www.linuxprinting.org/



-
YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRng MAILING LIST
The address you post from or your Reply-To address MUST be your
subscription address
If you need help, send email to [EMAIL PROTECTED] (or lprng-requests
or lprng-digest-requests) with the word 'help' in the body.
To subscribe to a list with name LIST,  send mail to [EMAIL PROTECTED]
with:   | example:
subscribe LIST mailaddr   |  subscribe lprng-digest [EMAIL PROTECTED]
unsubscribe LIST mailaddr |  unsubscribe lprng [EMAIL PROTECTED]
If you have major problems,  call Patrick Powell or one of the friendly
staff at Astart Technologies for help.  Astart also does support for LPRng.
Also, check the Web Page at: http://www.lprng.com for any announcements.
Astart Technologies  (LPRng - Print Spooler http://www.lprng.com)
6741 Convoy Court
San Diego, CA 92111
858-874-6543 FAX 858-751-2435
-

LPRng: Using /dev/fd/0 and learning from (bad) experiences

[Patrick Powell]

   /dev/fd/0 Considered Harmful
   Patrick (No good deed goes unpunished) Powell
   papowell _AT_ astart _dot_ com

Preface:

After writing the first draft of this article,  I started looking at various
archives for discussion about /dev/fd/0 support in various operating systems.

In the foomatic-developer mailing lists there was a discussion
about the differences between using /dev/fd/0 and '-' as input
file specifications for GhostScript and other programs.

This issue strikes again. Read on and weep, gnash your teeth, or laugh
at me as you find suitable.  And then look at the code that you have
been writing and weep, gnash your teeth, or scream in rage that you have
fallen into the trap of /dev/fd/0.

Introduction:

I have just spent the last couple of days trying to discover
why part of the LPRng printing system died after an upgrade to
some of the components.  The cause was finally traced to the
use of /dev/fd/0 for a pathname instead of the classic '-' for
some utilities.  To say that this was a suprise was, shall we
say,  a tremendous understatement, and led to exploring the
depths of the source code of various programs, including
GhostScript, a2ps, enscript, and others where a '-' argument
for a pathname means 'read from fd 0' (i.e. - stdin).

What is the purpose of the /dev/fd/0 stuff?

Lets look at a typical example,  say,  the 'file' utility.  It expects a
command line such as:

 file /tmp/file

It will open /tmp/file, read its contents, and determine the file
type.  Sometimes you would like to determine the file type of the
output of a pipe:

 perl run_script | file 

But file,  bless its little heart,  may REQUIRE a path.  So, /dev/fd/0
to the rescue:

 perl run_script | file  /dev/fd/0

Through the magic of the Operation System, 
   fd = open(/dev/fd/0,...)
will have the same effect (broadly speaking) as
   fd = dup(0)
and fd will be a 'duplicate' of fd 0.

The Dark Side of /dev/fd/0

On the surface, /dev/fd/0 appears to be harmless and a Good Idea.
But lets look at another convention.  If no input files are
specified, then input will be taken from STDIN (fd 0).  If there
is a path specified,  then the file file will be opened and
input read from it.  By convention,  '-' will ALSO stand for
reading from stdin.

   /* Good and reasonable implementation but screws up when /dev/fd/0 passed */

   if( path  strcmp(path,-) ){
   close(0);   /* covers the case where fd 0 is not open,  note the
  lack of error checking,  which is deliberate here */
   if( (fd = open(path,)) == -1 ){
 Die(cannot open '%s' - %s, path, strerror(errno) );
   } else if( fd ){
 Die(open '%s' returned FD %d, path, fd );
   }
   }

   Lets see what happens here.  FD 0 is closed.  The Operating
   System takes the usual actions associated with closing the file
   descriptor, probably updating the internal process structure.
   Then we open 'path'.  If, as we expect, opening /dev/fd/0 should
   try to open an 'unopenable' file,  the open should fail.  But
   for some programs it does not.  Why?

   /* Evil and poor implementation */
   if( path  strcmp(path,-) ){
   close(0);
   open(path,)
   }
   ...
   if( read(0,...)  0 ){
   /* treat as EOF */
   }

   As you see, the brutal assumpation is made that the file open
   will always succeed, or if it fails, we get -1, which will case
   an -1 value to be returned when used with read().  You would
   suspect that nobody would write code like that, right?  Ummm...
   lets change the subject really fast.  And stop using grep
   to look at my code,  you suspicious person, you.

   Say you have a simple PostScript file:

   %!PS-Adobe-3.0
   /Courier findfont 200 scalefont setfont
   72 300 moveto
   (1) show showpage


% gs --help
AFPL Ghostscript 8.13 (2003-12-31)

% gs /tmp/one.ps
you get page output
% gs /dev/fd/0 /tmp/one.ps
AFPL Ghostscript 8.14 (2004-02-20)
Copyright (C) 2004 artofcode LLC, Benicia, CA.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusMonL-Regu font from 
/usr/local/share/ghostscript/fonts/n022003l.pfb... 2267236 903936 1456484 168258 1 
done.
showpage, press return to continue

you get no page output
% gs - /tmp/one.ps
you get page output

Umm... interesting.  Very interesting.  It appears that AFPL ghostscript
has a /dev/fd/0 related problem.

So lets try Gnu-GhostScript:

# gs /tmp/one.ps
GNU Ghostscript 7.07 (2003-05-17)
Copyright (C) 2003 artofcode LLC, Benicia, CA.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusMonL-Regu font from 
/usr/local/share/ghostscript/fonts/n022003l.pfb...