!36 fix CVE-2024-47850

From: @yangl777 
Reviewed-by: @compile_success 
Signed-off-by: @compile_success

backport-CVE-2023-24805.patch

@@ -0,0 +1,218 @@
+From 8f274035756c04efeb77eb654e9d4c4447287d65 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Wed, 17 May 2023 11:12:37 +0200
+Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x
+
+* beh backend: Use execv() instead of system() - CVE-2023-24805
+
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with forged job title.
+
+* beh backend: Extra checks against odd/forged input - CVE-2023-24805
+
+- Do not allow '/' in the scheme of the URI (= backend executable
+  name), to assure that only backends inside /usr/lib/cups/backend/
+  are used.
+
+- Pre-define scheme buffer to empty string, to be defined for case of
+  uri being NULL.
+
+- URI must have ':', to split off scheme, otherwise error.
+
+- Check return value of snprintf() to create call path for backend, to
+  error out on truncation of a too long scheme or on complete failure
+  due to a completely odd scheme.
+
+* beh backend: Further improvements - CVE-2023-24805
+
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+  does not require setting terminating zero byte in case of truncation.
+
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+  backends.
+
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+  fprintf() which could be running in the main process when
+  sigterm_handler() is triggered.
+
+- Use "static volatile int" for global variable job_canceled.
+
+Reference:https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
+Conflict:Adaptation Context
+
+---
+ backend/beh.c | 110 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 85 insertions(+), 25 deletions(-)
+
+diff --git a/backend/beh.c b/backend/beh.c
+index 225fd27..0b60518 100644
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,12 +22,13 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
+ 
+ /*
+  * Local globals...
+  */
+ 
+-static int		job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int	job_canceled = 0; // Set to 1 on SIGTERM
+ 
+ /*
+  * Local functions...
+@@ -213,21 +214,44 @@ call_backend(char *uri,                 /* I - URI of final destination */
+ 	     char **argv,		/* I - Command-line arguments */
+ 	     char *filename) {          /* I - File name of input data */
+   const char	*cups_serverbin;	/* Location of programs */
++  char          *backend_argv[8];       // Arguments for called CUPS backend
+   char		scheme[1024],           /* Scheme from URI */
+                 *ptr,			/* Pointer into scheme */
+-		cmdline[65536];		/* Backend command line */
+-  int           retval;
++		backend_path[2048];	// Backend path
++  int           pid,
++                wait_pid,
++                wait_status,
++                retval = 0;
++  int           bytes;
++
+ 
+  /*
+   * Build the backend command line...
+   */
+ 
+-  strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > 1023)
+-    scheme[1023] = '\0';
++  scheme[0] = '\0';
++  strncat(scheme, uri, sizeof(scheme) - 1);
+   if ((ptr = strchr(scheme, ':')) != NULL)
+     *ptr = '\0';
+-
++  else
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
++    exit (CUPS_BACKEND_FAILED);
++  }
++  if (strchr(scheme, '/'))
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++    exit (CUPS_BACKEND_FAILED);
++  }
++  if (!strcmp(scheme, ".") || !strcmp(scheme, ".."))
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++	    scheme);
++    exit (CUPS_BACKEND_FAILED);
++  }
+   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+     cups_serverbin = CUPS_SERVERBIN;
+ 
+@@ -235,16 +259,26 @@ call_backend(char *uri,                 /* I - URI of final destination */
+     fprintf(stderr,
+ 	    "ERROR: beh: Direct output into a file not supported.\n");
+     exit (CUPS_BACKEND_FAILED);
+-  } else
+-    snprintf(cmdline, sizeof(cmdline),
+-	     "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+-	     cups_serverbin, scheme, argv[1], argv[2], argv[3],
+-	     /* Apply number of copies only if beh was called with a
+-		file name and not with the print data in stdin, as
+-	        backends should handle copies only if they are called
+-	        with a file name */
+-	     (argc == 6 ? "1" : argv[4]),
+-	     argv[5], filename);
++  }
++
++  backend_argv[0] = uri;
++  backend_argv[1] = argv[1];
++  backend_argv[2] = argv[2];
++  backend_argv[3] = argv[3];
++  backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++  backend_argv[5] = argv[5];
++  backend_argv[6] = filename;
++  backend_argv[7] = NULL;
++
++  bytes = snprintf(backend_path, sizeof(backend_path),
++		   "%s/backend/%s", cups_serverbin, scheme);
++  if (bytes < 0 || bytes >= sizeof(backend_path))
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
++	    scheme);
++    exit (CUPS_BACKEND_FAILED);
++  }
+ 
+  /*
+   * Overwrite the device URI and run the actual backend...
+@@ -253,17 +287,41 @@ call_backend(char *uri,                 /* I - URI of final destination */
+   setenv("DEVICE_URI", uri, 1);
+ 
+   fprintf(stderr,
+-	  "DEBUG: beh: Executing backend command line \"%s\"...\n",
+-	  cmdline);
++	  "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
++	  backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++	  backend_argv[4], backend_argv[5],
++	  (backend_argv[6] && backend_argv[6][0] ? " " : ""),
++	  (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
+   fprintf(stderr,
+ 	  "DEBUG: beh: Using device URI: %s\n",
+ 	  uri);
+ 
+-  retval = system(cmdline) >> 8;
++  if ((pid = fork()) == 0)
++  {
++    retval = execv(backend_path, backend_argv);
+ 
+-  if (retval == -1)
+-    fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+-	    strerror(errno));
++    if (retval == -1)
++      fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
++	      strerror(errno));
++    exit (CUPS_BACKEND_FAILED);
++  }
++  else if (pid < 0)
++  {
++    fprintf(stderr, "ERROR: Unable to fork for backend\n");
++    return (CUPS_BACKEND_FAILED);
++  }
++
++  while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
++
++  if (wait_pid >= 0 && wait_status)
++  {
++    if (WIFEXITED(wait_status))
++      retval = WEXITSTATUS(wait_status);
++    else if (WTERMSIG(wait_status) != SIGTERM)
++      retval = WTERMSIG(wait_status);
++    else
++      retval = 0;
++  }
+ 
+   return (retval);
+ }
+@@ -277,8 +335,10 @@ static void
+ sigterm_handler(int sig) {		/* I - Signal number (unused) */
+   (void)sig;
+ 
+-  fprintf(stderr,
+-	  "DEBUG: beh: Job canceled.\n");
++  const char * const msg = "DEBUG: beh: Job canceled.\n";
++  // The if() is to eliminate the return value and silence the warning
++  // about an unused return value.
++  if (write(2, msg, strlen(msg)));
+ 
+   if (job_canceled)
+     _exit(CUPS_BACKEND_OK);
+-- 
+2.33.0

backport-CVE-2024-47076.patch

@@ -0,0 +1,36 @@
+From 95576ec3d20c109332d14672a807353cdc551018 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 Sep 2024 23:09:29 +0200
+Subject: [PATCH] cfGetPrinterAttributes5(): Validate response attributes
+ before return
+
+The destination can be corrupted or forged, so validate the response
+to strenghten security measures.
+
+Fixes CVE-2024-47076
+---
+ cupsfilters/ipp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cupsfilters/ipp.c b/cupsfilters/ipp.c
+index d703327..88f66b5 100644
+--- a/cupsfilters/ipp.c
++++ b/cupsfilters/ipp.c
+@@ -402,6 +402,14 @@ get_printer_attributes5(http_t *http_printer,
+ 		     total_attrs);
+ 	ippDelete(response);
+       } else {
++
++	// Check if the response is valid
++	if (!ippValidateAttributes(response))
++	{
++	  ippDelete(response);
++	  response = NULL;
++	}
++
+ 	/* Suitable response, we are done */
+ 	if (have_http == 0) httpClose(http_printer);
+ 	if (uri) free(uri);
+-- 
+2.43.0
+

backport-CVE-2024-47175.patch

@@ -0,0 +1,392 @@
+From d681747ebf12602cb426725eb8ce2753211e2477 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 Sep 2024 23:12:14 +0200
+Subject: [PATCH] Prevent PPD generation based on invalid IPP response
+
+Author: Mike Sweet
+Minor fixes: Zdenek Dohnal
+
+Fixes CVE-2024-47175
+---
+ cupsfilters/ppdgenerator.c | 225 +++++++++++++++++++++++++------------
+ 1 file changed, 156 insertions(+), 69 deletions(-)
+
+diff --git a/cupsfilters/ppdgenerator.c b/cupsfilters/ppdgenerator.c
+index 23d519d..1bfcc8a 100644
+--- a/cupsfilters/ppdgenerator.c
++++ b/cupsfilters/ppdgenerator.c
+@@ -92,6 +92,7 @@ typedef struct _pwg_finishings_s	/**** PWG finishings mapping data ****/
+ static void	pwg_ppdize_name(const char *ipp, char *name, size_t namesize);
+ static void	pwg_ppdize_resolution(ipp_attribute_t *attr, int element,
+                                  int *xres, int *yres, char *name, size_t namesize);
++static void	ppd_put_string(cups_file_t *fp, cups_lang_t *lang, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
+ 
+ /*
+  * '_cupsSetError()' - Set the last PPD generator status-message.
+@@ -1581,9 +1582,10 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+   ipp_t			*media_col,	/* Media collection */
+ 			*media_size;	/* Media size collection */
+   char			make[256],	/* Make and model */
+-			*model,		/* Model name */
++			*mptr,		// Pointer into make and model
+ 			ppdname[PPD_MAX_NAME];
+ 		    			/* PPD keyword */
++  const char            *model;         /* Model name */
+   int			i, j,		/* Looping vars */
+ 			count = 0,	/* Number of values */
+ 			bottom,		/* Largest bottom margin */
+@@ -1663,6 +1665,68 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+     return (NULL);
+   }
+ 
++  //
++  // Get a sanitized make and model...
++  //
++
++  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
++  {
++    // Sanitize the model name to only contain PPD-safe characters.
++    strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
++
++    for (mptr = make; *mptr; mptr ++)
++    {
++      if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
++      {
++        // Truncate the make and model on the first bad character...
++	*mptr = '\0';
++	break;
++      }
++    }
++
++    while (mptr > make)
++    {
++      // Strip trailing whitespace...
++      mptr --;
++      if (*mptr == ' ')
++	*mptr = '\0';
++    }
++
++    if (!make[0])
++    {
++      // Use a default make and model if nothing remains...
++      strlcpy(make, "Unknown", sizeof(make));
++    }
++  }
++  else
++  {
++    // Use a default make and model...
++    strlcpy(make, "Unknown", sizeof(make));
++  }
++
++  if (!strncasecmp(make, "Hewlett Packard ", 16) || !strncasecmp(make, "Hewlett-Packard ", 16))
++  {
++    // Normalize HP printer make and model...
++    model = make + 16;
++    strlcpy(make, "HP", sizeof(make));
++
++    if (!strncasecmp(model, "HP ", 3))
++      model += 3;
++  }
++  else if ((mptr = strchr(make, ' ')) != NULL)
++  {
++    // Separate "MAKE MODEL"...
++    while (*mptr && *mptr == ' ')
++      *mptr++ = '\0';
++
++    model = mptr;
++  }
++  else
++  {
++    // No separate model name...
++    model = "Printer";
++  }
++
+  /*
+   * Standard stuff for PPD file...
+   */
+@@ -1691,24 +1755,6 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+     }
+   }
+ 
+-  if ((attr = ippFindAttribute(response, "printer-make-and-model",
+-			       IPP_TAG_TEXT)) != NULL)
+-    strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
+-  else if (make_model && make_model[0] != '\0')
+-    strlcpy(make, make_model, sizeof(make));
+-  else
+-    strlcpy(make, "Unknown Printer", sizeof(make));
+-
+-  if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
+-      !_cups_strncasecmp(make, "Hewlett-Packard ", 16)) {
+-    model = make + 16;
+-    strlcpy(make, "HP", sizeof(make));
+-  }
+-  else if ((model = strchr(make, ' ')) != NULL)
+-    *model++ = '\0';
+-  else
+-    model = make;
+-
+   cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
+   cupsFilePrintf(fp, "*ModelName: \"%s %s\"\n", make, model);
+   cupsFilePrintf(fp, "*Product: \"(%s %s)\"\n", make, model);
+@@ -1805,14 +1851,11 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+   cupsFilePuts(fp, "*cupsSNMPSupplies: False\n");
+   cupsFilePuts(fp, "*cupsLanguages: \"en\"\n");
+ 
+-  if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) !=
+-      NULL)
++  if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(response, "printer-charge-info-uri",
+-			       IPP_TAG_URI)) != NULL)
+-    cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0,
+-								    NULL));
++  if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
++    cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+   /* Message catalogs for UI strings */
+   if (opt_strings_catalog == NULL) {
+@@ -1820,7 +1863,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+     load_opt_strings_catalog(NULL, opt_strings_catalog);
+   }
+   if ((attr = ippFindAttribute(response, "printer-strings-uri",
+-			       IPP_TAG_URI)) != NULL) {
++			       IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
++  {
+     printer_opt_strings_catalog = optArrayNew();
+     load_opt_strings_catalog(ippGetString(attr, 0, NULL),
+ 			     printer_opt_strings_catalog);
+@@ -2565,13 +2609,15 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	  break;
+ 	}
+       if (j >= 0)
+-	cupsFilePrintf(fp, "*InputSlot %s/%s: \"<</MediaPosition %d>>setpagedevice\"\n",
+-		       ppdname, human_readable, j);
++      {
++	cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
++	ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
++      }
+       else
+-	cupsFilePrintf(fp, "*InputSlot %s%s%s: \"\"\n",
+-		       ppdname,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
++      {
++	cupsFilePrintf(fp, "*InputSlot %s%s%s:\"\"\n", ppdname, human_readable ? "/" : "", human_readable ? human_readable : "");
++	ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable);
++      }
+     }
+     cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
+   }
+@@ -2755,11 +2801,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	    human_readable = (char *)_cupsLangString(lang, media_types[j][1]);
+ 	    break;
+ 	  }
+-      cupsFilePrintf(fp, "*MediaType %s%s%s: \"<</MediaType(%s)>>setpagedevice\"\n",
+-		     ppdname,
+-		     (human_readable ? "/" : ""),
+-		     (human_readable ? human_readable : ""),
+-		     ppdname);
++      cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
++      ppd_put_string(fp, lang, "MediaType", ppdname, human_readable);
+     }
+     cupsFilePuts(fp, "*CloseUI: *MediaType\n");
+   }
+@@ -3213,10 +3256,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	    human_readable = (char *)_cupsLangString(lang, output_bins[j][1]);
+ 	    break;
+ 	  }
+-      cupsFilePrintf(fp, "*OutputBin %s%s%s: \"\"\n",
+-		     ppdname,
+-		     (human_readable ? "/" : ""),
+-		     (human_readable ? human_readable : ""));
++      cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
++      ppd_put_string(fp, lang, "OutputBin", ppdname, human_readable);
+       outputorderinfofound = 0;
+       faceupdown = 1;
+       firsttolast = 1;
+@@ -3454,9 +3495,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*StapleLocation %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
++	cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
++	ppd_put_string(fp, lang, "StapleLocation", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3547,9 +3587,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*FoldType %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
++	cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
++	ppd_put_string(fp, lang, "FoldType", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3647,9 +3686,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*PunchMedia %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
++	cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
++	ppd_put_string(fp, lang, "PunchMedia", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3740,9 +3778,8 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 	      human_readable = (char *)_cupsLangString(lang, finishings[j][1]);
+ 	      break;
+ 	    }
+-	cupsFilePrintf(fp, "*CutMedia %s%s%s: \"\"\n", ppd_keyword,
+-		       (human_readable ? "/" : ""),
+-		       (human_readable ? human_readable : ""));
++	cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
++	ppd_put_string(fp, lang, "CutMedia", ppd_keyword, human_readable);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n",
+ 		       value, keyword, ppd_keyword);
+       }
+@@ -3788,8 +3825,9 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 				     printer_opt_strings_catalog);
+       if (human_readable == NULL)
+ 	human_readable = (char *)keyword;
+-      cupsFilePrintf(fp, "*cupsFinishingTemplate %s/%s: \"\n", keyword,
+-		     human_readable);
++      pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++      cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
++      ppd_put_string(fp, lang, "cupsFinishingTemplate", ppdname, human_readable);
+       for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr;
+ 	   finishing_attr = ippNextAttribute(finishing_col)) {
+         if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION) {
+@@ -4101,13 +4139,11 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+       if (!preset || !preset_name)
+         continue;
+ 
+-      if ((localized_name = lookup_option((char *)preset_name,
+-					  opt_strings_catalog,
+-					  printer_opt_strings_catalog)) == NULL)
+-        cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
+-      else
+-        cupsFilePrintf(fp, "*APPrinterPreset %s/%s: \"\n", preset_name,
+-		       localized_name);
++      pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++
++      localized_name = lookup_option((char *)preset_name, opt_strings_catalog, printer_opt_strings_catalog);
++      cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
++      ppd_put_string(fp, lang, "APPrinterPreset", ppdname, localized_name);
+ 
+       for (member = ippFirstAttribute(preset); member;
+ 	   member = ippNextAttribute(preset)) {
+@@ -4148,7 +4184,10 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 		 ippGetString(ippFindAttribute(fin_col,
+ 					       "finishing-template",
+ 					       IPP_TAG_ZERO), 0, NULL)) != NULL)
+-              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
++            {
++	      pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
++            }
+           }
+         } else if (!strcmp(member_name, "media")) {
+          /*
+@@ -4181,14 +4220,14 @@ ppdCreateFromIPP2(char         *buffer,          /* I - Filename buffer */
+ 						       IPP_TAG_ZERO), 0,
+ 				      NULL)) != NULL) {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
++            cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
+ 	  }
+ 
+           if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type",
+ 						       IPP_TAG_ZERO), 0,
+ 				      NULL)) != NULL) {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*MediaType %s\n", keyword);
++            cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
+ 	  }
+         } else if (!strcmp(member_name, "print-quality")) {
+ 	 /*
+@@ -4452,15 +4491,28 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+ 	*end;				/* End of name buffer */
+ 
+ 
++  if (!ipp || !_cups_isalnum(*ipp))
++  {
++    *name = '\0';
++    return;
++  }
++
+   *name = (char)toupper(*ipp++);
+ 
+   for (ptr = name + 1, end = name + namesize - 1; *ipp && ptr < end;) {
+-    if (*ipp == '-') {
++    if (*ipp == '-' && isalnum(ipp[1]))
++    {
+       ipp ++;
+-      if (_cups_isalpha(*ipp))
+-	*ptr++ = (char)toupper(*ipp++ & 255);
+-    } else
++      *ptr++ = (char)toupper(*ipp++ & 255);
++    }
++    else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || isalnum(*ipp))
++    {
+       *ptr++ = *ipp++;
++    }
++    else
++    {
++      ipp ++;
++    }
+   }
+ 
+   *ptr = '\0';
+@@ -4497,4 +4549,39 @@ pwg_ppdize_resolution(
+       snprintf(name, namesize, "%dx%ddpi", *xres, *yres);
+   }
+ }
++
++
++/*
++ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
++ */
++
++static void
++ppd_put_string(cups_file_t  *fp,	/* I - PPD file */
++               cups_lang_t  *lang,	/* I - Language */
++	       const char   *ppd_option,/* I - PPD option */
++	       const char   *ppd_choice,/* I - PPD choice */
++	       const char   *text)	/* I - Localized text */
++{
++  if (!text)
++    return;
++
++  // Add the first line of localized text...
++#if CUPS_VERSION_MAJOR > 2
++  cupsFilePrintf(fp, "*%s.%s %s/", cupsLangGetName(lang), ppd_option, ppd_choice);
++#else
++  cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
++#endif // CUPS_VERSION_MAJOR > 2
++
++  while (*text && *text != '\n')
++  {
++    // Escape ":" and "<"...
++    if (*text == ':' || *text == '<')
++      cupsFilePrintf(fp, "<%02X>", *text);
++    else
++      cupsFilePutChar(fp, *text);
++
++    text ++;
++  }
++  cupsFilePuts(fp, ": \"\"\n");
++}
+ #endif /* HAVE_CUPS_1_6 */
+-- 
+2.43.0
+

backport-CVE-2024-47176.patch

@@ -0,0 +1,31 @@
+From 1debe6b140c37e0aa928559add4abcc95ce54aa2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 Sep 2024 23:03:32 +0200
+Subject: [PATCH] Default BrowseRemoteProtocols should not include "cups"
+ protocol
+
+Works around CVE-2024-47176, the fix will be complete removal of CUPS
+Browsing functionality
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 32f9a4e..65c0d01 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -402,9 +402,9 @@ AC_SUBST(GIO_UNIX_CFLAGS)
+ AC_SUBST(GIO_UNIX_LIBS)
+ 
+ AC_ARG_WITH([browseremoteprotocols],
+-	[AS_HELP_STRING([--with-browseremoteprotocols=value], [Set which protocols to listen for in cups-browsed (default: dnssd cups)])],
++	[AS_HELP_STRING([--with-browseremoteprotocols=value], [Set which protocols to listen for in cups-browsed (default: dnssd)])],
+ 	[with_browseremoteprotocols="$withval"],
+-	[with_browseremoteprotocols="dnssd cups"]
++	[with_browseremoteprotocols="dnssd"]
+ )
+ BROWSEREMOTEPROTOCOLS="$with_browseremoteprotocols"
+ AC_SUBST(BROWSEREMOTEPROTOCOLS)
+-- 
+2.43.0
+

cups-filters.spec

@@ -1,12 +1,18 @@
 %global _service cups-browsed.service
 Summary: OpenPrinting CUPS filters, backends, and cups-browsed
 Name:    cups-filters
-Version: 1.28.9
-Release: 1
+Version: 1.28.15
+Release: 4
 License: GPLv2 and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2+ and MIT and BSD with advertising
 Url:     http://www.linuxfoundation.org/collaborate/workgroups/openprinting/cups-filters
 Source0: http://www.openprinting.org/download/cups-filters/cups-filters-%{version}.tar.xz
 
+Patch6000: backport-CVE-2023-24805.patch
+Patch6001: backport-CVE-2024-47175.patch
+Patch6002: backport-CVE-2024-47076.patch
+Patch6003: backport-CVE-2024-47176.patch
+Patch6004: backport-CVE-2024-47850.patch
+
 BuildRequires: pkgconf-pkg-config pkgconfig(libqpdf) pkgconfig(libpng) pkgconfig(dbus-1)
 BuildRequires: poppler-cpp-devel libtiff-devel avahi-devel libjpeg-turbo-devel pkgconfig(zlib)
 BuildRequires: pkgconfig(ijs) pkgconfig(freetype2) pkgconfig(lcms2) pkgconfig(poppler)
@@ -68,7 +74,8 @@ install -d %{buildroot}%{_pkgdocdir}/fontembed/
 cp -p fontembed/README %{buildroot}%{_pkgdocdir}/fontembed/
 install -d  %{buildroot}%{_unitdir}
 install -p -m 644 utils/%{_service} %{buildroot}%{_unitdir}
-cp -a %{_cups_serverbin}/filter/foomatic-rip %{buildroot}%{_bindir}/foomatic-rip
+ln -sf %{_cups_serverbin}/filter/foomatic-rip %{buildroot}%{_bindir}/foomatic-rip
+
 sed -i '/urftopdf/d' %{buildroot}%{_datadir}/cups/mime/cupsfilters.convs
 
 %check
@@ -157,6 +164,21 @@ fi
 %{_mandir}/man8/cups-browsed.8.gz
 
 %changelog
+* Wed Oct 9 2024 yanglu <yanglu72@h-partners.com> - 1.28.15-4
+- fix CVE-2024-47850
+
+* Sun Sep 29 2024 zhangxianting <zhangxianting@uniontech.com> - 1.28.15-3
+- fix CVE-2024-47175 CVE-2024-47076 CVE-2024-47176
+
+* Fri May 26 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1.28.15-2
+- fix CVE-2023-24805
+
+* Wed Aug 31 2022 tianlijing <tianlijing@kylinos.cn> - 1.28.15-1
+- update to 1.28.15
+
+* Sun Jan 10 2021 hanhui <hanhui15@huawei.com> - 1.28.9-2
+- fix build err,can not find foomatic-rip
+
 * Fri Jul 30 2021 yushaogui <yusahogui@huawei.com> - 1.28.9-1
 - update cups-filtres package to 1.28.9