From 31a2504bea966251a391646380ca781ab15588ab Mon Sep 17 00:00:00 2001
From: Andre
Date: Sat, 28 Sep 2024 01:07:47 -0400
Subject: [PATCH] Security: disable cups-browsed due to CVE
---
 flake.lock | 12 ++++++------
 modules/ui/desktops/common.nix | 14 ++++++++++++--
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/flake.lock b/flake.lock
index 9be3d7b..39fdb77 100644
--- a/flake.lock
+++ b/flake.lock
@@ -252,11 +252,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1727040444, - "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", + "lastModified": 1727437159, + "narHash": "sha256-v4qLwEw5OmprgQZTT7KZMNU7JjXJzRypw8+Cw6++fWk=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", + "rev": "d830ad47cc992b4a46b342bbc79694cbd0e980b2", "type": "github" }, "original": {
@@ -300,11 +300,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1727122398, - "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=", + "lastModified": 1727348695, + "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093", + "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", "type": "github" }, "original": {
diff --git a/modules/ui/desktops/common.nix b/modules/ui/desktops/common.nix
index 1cfd294..81c943f 100644
--- a/modules/ui/desktops/common.nix
+++ b/modules/ui/desktops/common.nix
@@ -78,8 +78,18 @@ in
 # Enable touchpad support (enabled by default in most desktop managers, buuuut just in case).
 libinput.enable = true;
- # Enable printing support.
- printing.enable = true;
+ # Enable printing support, but disable browsed per .
+ printing = {
+ enable = true;
+ # FIXME: Once this option's available, uncomment it and remove the `systemd.services.cups-browsed` section below.
+ # browsed.enable = false;
+ };
+ };
+
+ # Disable broswed per https://discourse.nixos.org/t/cups-cups-filters-and-libppd-security-issues/52780
+ systemd.services.cups-browsed = {
+ enable = false;
+ unitConfig.Mask = true;
 };
 # Support for AppImage files
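Review bot: `unitConfig.Mask = true;` in the new `systemd.services.cups-browsed` block does nothing: `Mask` is not a `[Unit]` directive, and masking is a symlink of the unit to /dev/null, which NixOS already creates for a unit with `enable = false` (per that option's documentation). Drop the line so the mitigation reads as what it is, and after a rebuild confirm it with `systemctl is-enabled cups-browsed`, which should report `masked`. The two new comments also need repair: the first ends in `per .` with no reference and the second misspells the service, so I would write `# Disable cups-browsed per https://discourse.nixos.org/t/cups-cups-filters-and-libppd-security-issues/52780` in both places and name the CVE identifier(s) the subject line alludes to. The enclosing attribute sets open and close outside this hunk.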