CHANGES - 2.3.3 - 2020-04-24

Changes in CUPS v2.3.3

• CVE-2020-3898: The ppdOpen function did not handle invalid UI
  constraint. ppdcSource::get_resolution function did not handle
  invalid resolution strings.
• CVE-2019-8842: The ippReadIO function may under-read an extension

Changes in CUPS v2.3.2 (never tagged)

• Localization updates.

CUPS 2.3.1 is a general bug fix release, including a fix for CVE-2019-2228. Changes include:

• Documentation updates (Issue #5661, #5674, #5682)
• CVE-2019-2228: The ippSetValuetag function did not validate the default
  language value.
• Fixed a crash bug in the web interface (Issue #5621)
• The PPD cache code now looks up page sizes using their dimensions
  (Issue #5633)
• PPD files containing "custom" option keywords did not work (Issue #5639)
• Added a workaround for the scheduler's systemd support (Issue #5640)
• On Windows, TLS certificates generated on February 29 would likely fail
  (Issue #5643)
• Added a DigestOptions directive for the client.conf file to control whether
  MD5-based Digest authentication is allowed (Issue #5647)
• Fixed a bug in the handling of printer resource files (Issue #5652)
• The libusb-based USB backend now reports an error when the distribution
  permissions are wrong (Issue #5658)
• Added paint can labels to Dymo driver (Issue #5662)
• The ippeveprinter program now supports authentication (Issue #5665)
• The ippeveprinter program now advertises DNS-SD services on the correct
  interfaces, and provides a way to turn them off (Issue #5666)
• The --with-dbusdir option was ignored by the configure script (Issue #5671)
• Sandboxed applications were not able to get the default printer (Issue #5676)
• Log file access controls were not preserved by cupsctl (Issue #5677)
• Default printers set with lpoptions did not work in all cases (Issue #5681,
  Issue #5683, Issue #5684)
• Fixed an error in the jobs web interface template (Issue #5694)
• Fixed an off-by-one error in ippEnumString (Issue #5695)
• Fixed some new compiler warnings (Issue #5700)
• Fixed a few issues with the Apple Raster support (rdar:https://55301114)
• The IPP backend did not detect all cases where a job should be retried using
  a raster format (rdar:https://56021091)
• Fixed spelling of "fold-accordion".
• Fixed the default common name for TLS certificates used by ippeveprinter.
• Fixed the option names used for IPP Everywhere finishing options.
• Added support for the second roll of the DYMO Twin/DUO label printers.

Enjoy!

CUPS 2.2.13 is the last general bug fix release in the 2.2.x series and includes
a fix for CVE-2019-2228. Changes include:

• CVE-2019-2228: The ippSetValuetag function did not validate the default
  language value.
• Added a workaround for the scheduler's systemd support (Issue #5640)
• Fixed spelling of "fold-accordion".
• Fixed the default common name for TLS certificates used by ippserver.
• The libusb-based USB backend now reports an error when the distribution
  permissions are wrong (Issue #5658)
• Default printers set with lpoptions did not work in all cases (Issue #5681,
  Issue #5683, Issue #5684)
• Fixed an off-by-one error in ippEnumString (Issue #5695)
• Fixed some new compiler warnings (Issue #5700)
• Fixed a few issues with the Apple Raster support (rdar:https://55301114)
• The IPP backend did not detect all cases where a job should be retried using
  a raster format (rdar:https://56021091)

Enjoy!

CUPS 2.3.0 is now available for download, which adopts the new CUPS license, adds support for IPP presets and finishing templates, fixes a number of bugs and "polish" issues, and includes the new ippeveprinter utility. Changes include:

• CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar:https://51685251)
• Added a GPL2/LGPL2 exception to the new CUPS license terms.
• Documentation updates (Issue #5604)
• Localization updates (Issue #5637)
• Fixed a bug in the scheduler job cleanup code (Issue #5588)
• Fixed builds when there is no TLS library (Issue #5590)
• Eliminated some new GCC compiler warnings (Issue #5591)
• Removed dead code from the scheduler (Issue #5593)
• "make" failed with GZIP options (Issue #5595)
• Fixed potential excess logging from the scheduler when removing job files
  (Issue #5597)
• Fixed a NULL pointer dereference bug in httpGetSubField2 (Issue #5598)
• Added FIPS-140 workarounds for GNU TLS (Issue #5601, Issue #5622)
• The scheduler no longer provides a default value for the description
  (Issue #5603)
• The scheduler now logs jobs held for authentication using the error level so
  it is clear what happened (Issue #5604)
• The lpadmin command did not always update the PPD file for changes to the
  cupsIPPSupplies and cupsSNMPSupplies keywords (Issue #5610)
• The scheduler now uses both the group's membership list as well as the
  various OS-specific membership functions to determine whether a user belongs
  to a named group (Issue #5613)
• Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
• Fixed some PPD parser issues (Issue #5623, Issue #5624)
• The IPP parser no longer allows invalid member attributes in collections
  (Issue #5630)
• The configure script now treats the "wheel" group as a potential system
  group (Issue #5638)
• Fixed a USB printing issue on macOS (rdar:https://31433931)
• Fixed IPP buffer overflow (rdar:https://50035411)
• Fixed memory disclosure issue in the scheduler (rdar:https://51373853)
• Fixed DoS issues in the scheduler (rdar:https://51373929)
• Fixed an issue with unsupported "sides" values in the IPP backend
  (rdar:https://51775322)
• The scheduler would restart continuously when idle and printers were not
  shared (rdar:https://52561199)
• Fixed an issue with EXPECT !name WITH-VALUE ... tests.
• Fixed a command ordering issue in the Zebra ZPL driver.
• Fixed a memory leak in ppdOpen.

Enjoy!

CUPS 2.2.12 is now available and includes security, compatibility, and general bug fixes. Changes include:

• CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar:https://51685251)
• The cupsctl command now prevents setting "cups-files.conf" directives
  (Issue #5530)
• Updated the systemd service file for cupsd (Issue #5551)
• The cupsCheckDestSupported function did not check octetString values
  correctly (Issue #5557)
• The scheduler did not encode octetString values like "job-password" correctly
  for the print filters (Issue #5558)
• Restored minimal support for the Emulators keyword in PPD files to allow
  old Samsung printer drivers to continue to work (Issue #5562)
• Timed out job submission now yields an error (Issue #5570)
• The footer in the web interface covered some content on small displays
  (Issue #5574)
• The libusb-based USB backend now enforces read limits, improving print speed
  in many cases (Issue #5583)
• Fixed some compatibility issues with old releases of CUPS (Issue #5587)
• Fixed a bug in the scheduler job cleanup code (Issue #5588)
• "make" failed with GZIP options (Issue #5595)
• Added FIPS-140 workarounds for GNU TLS (Issue #5601, Issue #5622)
• The scheduler no longer provides a default value for the description
  (Issue #5603)
• The lpadmin command did not always update the PPD file for changes to the
  cupsIPPSupplies and cupsSNMPSupplies keywords (Issue #5610)
• The scheduler now uses both the group's membership list as well as the
  various OS-specific membership functions to determine whether a user belongs
  to a named group (Issue #5613)
• Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
• Fixed some PPD parser issues (Issue #5623, Issue #5624)
• The IPP parser no longer allows invalid member attributes in collections
  (Issue #5630)
• Fixed IPP buffer overflow (rdar:https://50035411)
• Fixed memory disclosure issue in the scheduler (rdar:https://51373853)
• Fixed DoS issues in the scheduler (rdar:https://51373929)
• The scheduler would restart continuously when idle and printers were not
  shared (rdar:https://52561199)
• Fixed a command ordering issue in the Zebra ZPL driver.
• Fixed a memory leak in ppdOpen.

Enjoy!

CUPS 2.3rc1 is now available for download. This is the first release candidate for CUPS 2.3.0 which adopts the new CUPS license, adds support for IPP presets and finishing templates, and fixes a number of bugs and "polish" issues. This beta also includes the new ippeveprinter utility. Changes include:

• The cups-config script no longer adds extra libraries when linking against
  shared libraries (Issue #5261)
• The supplied example print documents have been optimized for size
  (Issue #5529)
• The cupsctl command now prevents setting "cups-files.conf" directives
  (Issue #5530)
• The "forbidden" message in the web interface is now explained (Issue #5547)
• The footer in the web interface covered some content on small displays
  (Issue #5574)
• The libusb-based USB backend now enforces read limits, improving print speed
  in many cases (Issue #5583)
• The ippeveprinter command now looks for print commands in the "command"
  subdirectory.
• The ipptool command now supports $date-current and $date-start variables
  to insert the current and starting date and time values, as well as ISO-8601
  relative time values such as "PT30S" for 30 seconds in the future.

Enjoy!

CUPS 2.3b8 is now available for download. This is the eighth beta of the CUPS 2.3 series which adopts the new CUPS license, adds support for IPP presets and finishing templates, and fixes a number of bugs and "polish" issues. This beta also includes the new ippeveprinter utility. Changes include:

• Media size matching now uses a tolerance of 0.5mm (rdar:https://33822024)
• The lpadmin command would hang with a bad PPD file (rdar:https://41495016)
• Fixed a potential crash bug in cups-driverd (rdar:https://46625579)
• Fixed a performance regression with large PPDs (rdar:https://47040759)
• Fixed a memory reallocation bug in HTTP header value expansion
  (rdar:https://problem/50000749)
• Timed out job submission now yields an error (Issue #5570)
• Restored minimal support for the Emulators keyword in PPD files to allow
  old Samsung printer drivers to continue to work (Issue #5562)
• The scheduler did not encode octetString values like "job-password" correctly
  for the print filters (Issue #5558)
• The cupsCheckDestSupported function did not check octetString values
  correctly (Issue #5557)
• Added support for UserAgentTokens directive in "client.conf" (Issue #5555)
• Updated the systemd service file for cupsd (Issue #5551)
• The ippValidateAttribute function did not catch all instances of invalid
  UTF-8 strings (Issue #5509)
• Fixed an issue with the self-signed certificates generated by GNU TLS
  (Issue #5506)
• Fixed a potential memory leak when reading at the end of a file (Issue #5473)
• Fixed potential unaligned accesses in the string pool (Issue #5474)
• Fixed a potential memory leak when loading a PPD file (Issue #5475)
• Added a USB quirks rule for the Lexmark E120n (Issue #5478)
• Updated the USB quirks rule for Zebra label printers (Issue #5395)
• Fixed a compile error on Linux (Issue #5483)
• The lpadmin command, web interface, and scheduler all queried an IPP
  Everywhere printer differently, resulting in different PPDs for the same
  printer (Issue #5484)
• The web interface no longer provides access to the log files (Issue #5513)
• Non-Kerberized printing to Windows via IPP was broken (Issue #5515)
• Eliminated use of private headers and some deprecated macOS APIs (Issue #5516)
• The scheduler no longer stops a printer if an error occurs when a job is
  canceled or aborted (Issue #5517)
• Added a USB quirks rule for the DYMO 450 Turbo (Issue #5521)
• Added a USB quirks rule for Xerox printers (Issue #5523)
• The scheduler's self-signed certificate did not include all of the alternate
  names for the server when using GNU TLS (Issue #5525)
• Fixed compiler warnings with newer versions of GCC (Issue #5532, Issue #5533)
• Fixed some PPD caching and IPP Everywhere PPD accounting/password bugs
  (Issue #5535)
• Fixed PreserveJobHistory bug with time values (Issue #5538)
• The scheduler no longer advertises the HTTP methods it supports (Issue #5540)
• Localization updates (Issue #5461, Issues #5471, Issue #5481, Issue #5486,
  Issue #5489, Issue #5491, Issue #5492, Issue #5493, Issue #5494, Issue #5495,
  Issue #5497, Issue #5499, Issue #5500, Issue #5501, Issue #5504)
• The scheduler did not always idle exit as quickly as it could.
• Added a new ippeveprinter command based on the old ippserver sample code.

Enjoy!

CUPS 2.2.11 is a bug fix release that addresses issues in the scheduler,
IPP Everywhere support, CUPS library, and USB printer support. Changes include:

• Running ppdmerge with the same input and output filenames did not work as
  advertised (Issue #5455)
• Fixed a potential memory leak when reading at the end of a file (Issue #5473)
• Fixed potential unaligned accesses in the string pool (Issue #5474)
• Fixed a potential memory leak when loading a PPD file (Issue #5475)
• Added a USB quirks rule for the Lexmark E120n (Issue #5478)
• Updated the USB quirks rule for Zebra label printers (Issue #5395)
• Fixed a compile error on Linux (Issue #5483)
• The lpadmin command, web interface, and scheduler all queried an IPP
  Everywhere printer differently, resulting in different PPDs for the same
  printer (Issue #5484)
• Fixed an issue with the self-signed certificates generated by GNU TLS
  (Issue #5506)
• The ippValidateAttribute function did not catch all instances of invalid
  UTF-8 strings (Issue #5509)
• Non-Kerberized printing to Windows via IPP was broken (Issue #5515)
• The scheduler no longer stops a printer if an error occurs when a job is
  canceled or aborted (Issue #5517)
• Added a USB quirks rule for the DYMO 450 Turbo (Issue #5521)
• Added a USB quirks rule for Xerox printers (Issue #5523)
• The scheduler's self-signed certificate did not include all of the alternate
  names for the server when using GNU TLS (Issue #5525)
• Fixed compiler warnings with newer versions of GCC (Issue #5532, Issue #5533)
• Fixed some PPD caching and IPP Everywhere PPD accounting/password bugs
  (Issue #5535)
• Fixed PreserveJobHistory bug with time values (Issue #5538)
• Media size matching now uses a tolerance of 0.5mm (rdar:https://33822024)
• The lpadmin command would hang with a bad PPD file (rdar:https://41495016)
• Fixed a potential crash bug in cups-driverd (rdar:https://46625579)
• Fixed a performance regression with large PPDs (rdar:https://47040759)
• The scheduler did not always idle exit as quickly as it could.

Enjoy!

CUPS 2.3b7 is now available for download. This is the sixth beta of the CUPS 2.3 series which adopts the new CUPS license, adds support for IPP presets and finishing templates, and fixes a number of bugs and "polish" issues.

Changes include:

• Fixed some build failures (Issue #5451, Issue #5463)
• Running ppdmerge with the same input and output filenames did not work as
  advertised (Issue #5455)

Enjoy!

CUPS 2.2.10 is a bug fix release that addresses issues in the scheduler, IPP Everywhere support, CUPS library, and USB printer support. Changes include:

• CVE-2018-4300: Linux session cookies used a predictable random number seed.
• The lpoptions command now works with IPP Everywhere printers that have not yet been added as local queues (Issue #5045)
• Added USB quirk rules (Issue #5395, Issue #5443)
• The generated PPD files for IPP Everywhere printers did not contain the cupsManualCopies keyword (Issue #5433)
• Kerberos credentials might be truncated (Issue #5435)
• The handling of MaxJobTime 0 did not match the documentation (Issue #5438)
• Incorporated the page accounting changes from CUPS 2.3 (Issue #5439)
• Fixed a bug adding a queue with the -E option (Issue #5440)
• Fixed a crash bug when mapping PPD duplex options to IPP attributes (rdar:https://46183976)

Enjoy!