cups-filters: remove support for legacy CUPS browsing and for LDAP

Fixes CVE-2024-47176 and CVE-2024-47850. NixOS is not affected by these security issues by
default because we do not ship the default configuration file, so it falls back to `BrowseRemoteProtocols dnssd`.

631/udp is removed from the open firewall ports; it was only used by the CUPS
browsing protocol.
Thomas Gerbet 2024-10-07 22:26:24 +02:00
parent 5edc9a24b0
commit 16caf1231b
3 changed files with 11 additions and 4 deletions


@ -494,6 +494,8 @@
- The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.
- The `services.trust-dns` module has been renamed to `services.hickory-dns`.
- The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since


@ -184,8 +184,8 @@ in
type = types.bool;
default = false;
description = ''
Whether to open the firewall for TCP/UDP ports specified in
listenAdrresses option.
Whether to open the firewall for TCP ports specified in
listenAddresses option.
'';
};
@ -493,7 +493,6 @@ in
listenPorts = parsePorts cfg.listenAddresses;
in mkIf cfg.openFirewall {
allowedTCPPorts = listenPorts;
allowedUDPPorts = listenPorts;
};
};
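Review bot: The removal of `allowedUDPPorts = listenPorts;` in the second hunk changes what `openFirewall` does for existing users, but nothing in the module records why UDP is no longer opened; a future maintainer seeing only TCP opened for a service that historically used UDP/631 may "fix" it back. A one-line comment above `allowedTCPPorts = listenPorts;` would pin the reasoning: `# Only TCP is opened: UDP/631 was used solely by the legacy CUPS browsing protocol, which is no longer supported (CVE-2024-47176).` The updated option description in the first hunk is consistent with this, though it could also say explicitly that UDP is never opened so that users who still need it know to add the port themselves. The enclosing `networking.firewall` attribute set begins and the `let` binding of `parsePorts` lives outside the hunk.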


@ -18,6 +18,7 @@
, liblouis
, libpng
, makeWrapper
, autoreconfHook
, mupdf
, perl
, pkg-config
@ -53,9 +54,14 @@ stdenv.mkDerivation rec {
url = "https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018.patch";
hash = "sha256-MXWllrdWt8n7zqvumQNg34dBgWMwMTwf9lrD+ZZP8Wk=";
})
(fetchpatch {
name = "remove-cups-ldap-browse-protocols_CVE-2024-47176_CVE-2024-47850.patch";
url = "https://github.com/OpenPrinting/cups-filters/commit/6fd2bdfbdce76149af531ce9fca9062304238451.patch";
hash = "sha256-XS1ODy7i7ilgEjsKuEvOUiRN9pqsj+bOktKoshKcg8Q=";
})
];
nativeBuildInputs = [ pkg-config makeWrapper ];
nativeBuildInputs = [ pkg-config makeWrapper autoreconfHook ];
buildInputs = [
cups