Commit 16caf123 authored by Thomas Gerbet's avatar Thomas Gerbet
Browse files

cups-filters: remove support for legacy CUPS browsing and for LDAP 

Fixes CVE-2024-47176 and CVE-2024-47850. NixOS is not affected by these security issues by
default because we do not ship the default configuration file so it fallbacks to `BrowseRemoteProtocols dnssd`.

631/udp is removed from the open firewall ports, it was by the CUPS
browsing protocol.
parent 5edc9a24

nixos/doc/manual/release-notes/rl-2411.section.md

+2 −0
Original line number Diff line number Diff line
@@ -494,6 +494,8 @@ 


- The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.



- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.



- The `services.trust-dns` module has been renamed to `services.hickory-dns`.



- The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since

nixos/modules/services/printing/cupsd.nix

+2 −3
Original line number Diff line number Diff line
@@ -184,8 +184,8 @@ in 
        type = types.bool;

        default = false;

        description = ''

          Whether to open the firewall for TCP/UDP ports specified in

          listenAdrresses option.

          Whether to open the firewall for TCP ports specified in

          listenAddresses option.

        '';

      };
@@ -493,7 +493,6 @@ in 
      listenPorts = parsePorts cfg.listenAddresses;

    in mkIf cfg.openFirewall {

      allowedTCPPorts = listenPorts;

      allowedUDPPorts = listenPorts;

    };



  };

pkgs/misc/cups/filters.nix

+7 −1
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ 
, liblouis

, libpng

, makeWrapper

, autoreconfHook

, mupdf

, perl

, pkg-config
@@ -53,9 +54,14 @@ stdenv.mkDerivation rec { 
      url = "https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018.patch";

      hash = "sha256-MXWllrdWt8n7zqvumQNg34dBgWMwMTwf9lrD+ZZP8Wk=";

    })

    (fetchpatch {

      name = "remove-cups-ldap-browse-protocols_CVE-2024-47176_CVE-2024-47850.patch";

      url = "https://github.com/OpenPrinting/cups-filters/commit/6fd2bdfbdce76149af531ce9fca9062304238451.patch";

      hash = "sha256-XS1ODy7i7ilgEjsKuEvOUiRN9pqsj+bOktKoshKcg8Q=";

    })

  ];



  nativeBuildInputs = [ pkg-config makeWrapper ];

  nativeBuildInputs = [ pkg-config makeWrapper autoreconfHook ];



  buildInputs = [

    cups