[0/6,wrynose,wrynose] cups: fix multiple CVEs

Message ID	20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com
Headers	show Return-Path: <abhishek.bachiphale@windriver.com> ip: 205.220.178.238, mailfrom: prvs=06123b62e6=abhishek.bachiphale@windriver.com) From: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> To: openembedded-core@lists.openembedded.org Subject: [PATCH 0/6][wrynose][wrynose] cups: fix multiple CVEs Date: Tue, 2 Jun 2026 01:27:55 +0530 Message-Id: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0
Series	cups: fix multiple CVEs \| expand [0/6,wrynose,wrynose] cups: fix multiple CVEs [1/6,wrynose] cups: fix CVE-2026-34978 [2/6,wrynose] cups: fix CVE-2026-34979 [3/6,wrynose] cups: fix CVE-2026-34980 [4/6,wrynose] cups: fix CVE-2026-34990 [5/6,wrynose] cups: fix CVE-2026-39314 [6/6,wrynose] cups: fix CVE-2026-39316

Message ID

20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com

Headers

From: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 0/6][wrynose][wrynose] cups: fix multiple CVEs
Date: Tue,  2 Jun 2026 01:27:55 +0530
Message-Id: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 ND3Bl/5MApWfGHYiDQP7P5OXA8H9XFddaxnsMNjkFaecDAHUMTE0kX1l9gvBcvyJlfS4GjLNI03dR7FYFsqwJXwtkZ48kjMOWgowE81ZYmOpCFPtQdZXtTBa3PdtxWV5tzHOHoi64WUQHcixB8XFtwv2Uqx4PmlQoiHW2m7IuE9UKvGVKc7sVuU3YX6ES8oqQX+c5aM3YWyv7V+3tZiTu5iOl4YNXTeDQ0byFcmsyG3AMZ2otMUyjP7xYj0bJQ84eiVvWuj/D7Edmtcczg95PEe3Vy/C9cPe6iYMDpFIpfzl0PjaC9leYWMjZp25dgO1GVa9N62+aQTRZgnuufkf5MjCShVN5STcoTTnkWP/OaLZcRYbS2NF3mEAzyfyxNhy0bvDxxM6Yeo8gBP3Ux8bh/Nt25q8yZSwu83ZIVvGjCw70YMaVI6dDE7EaXE9/lwQepDN4bGuaGk6VQuLZWsjSUz/zr2JQo5D4YhAk/ZpqQSFy14VCS8J2rzR+bb0f0kQJi9fVMS6YoqvdG0BpLfTyJGmNDm1gW4y/SWn6WD5q18FWB+L65YVEZqQZmCQblPDubqoXjn/mlsk4sbELQl8RAxygHgA5bYaXNwe9t0+uFBfN3xAIki8xRB+cPoI4OE94REPx3AcxDtwdzSVO7gsde/r02h/C6XyPopBttUpG92ZYjyhBaYbVt6pwVOolqlDU2WOmV8yWZ8VsV8mDLLU4T6uDoQZ/OxMllFitJfKRvoPiw9/ujJgbuGpfav+aww2Bak/kYpjMSsqTdhJ0H/yzlequqjbBQBNKD8WLyilUABYtoELIFhSssdYExDiAhPy3xgqbvHyzCJkYt5bqVUnd0kri0vzu71oJcjG0+jb/Divg8lwcJuILsItjhr58O0mvOb5/nXyV7hHyl3ima9HHFxBIbYVI9h3jXruUiGp8CDwPdga1tTZIi6kFpPcsMhKUiE7uIkvLfjfwq/XLS94DBBT/luGDwqgiF34xifs2n1u2hb+RpjN3Dn6Pr1JI3mnNuYdgBZ3X71cGYYYEw5tlbwyw2J4WSQKIsHuxtQ5RVv62uEyB5hlqVbr6l1yzrGFZ6PottDwhVC6wsQZhpSFrswCVqGqwGa0NOw9ALItEFvVgjXwfxjNYWlDk72j+ZYHNVIEFwDbxl/UuVS1x4UZfCKdtNpAKvXB+3ezZJ8kWtYXXiCbRR7k/0uqext5N9uEEikZXO3bQuqqA3dqpYu9LbPnosOp9rJBGwalb8biIY5Rjbcsz4SlT1rL0Vxnf31/gvoiUOkWVEVpnt9C6ju/wWgi+zclpvJJoRfwdaSFloL95EsXXgELO3nKxbqFa3byc9sklDtNRU2yFbeOyAwsdmINgjWHZClcRN0YfGcaGZTkuBHcxao7Z3OeqgH4BoTkWJCReQHGskRSsNXkE2y51Z5ObKyo7aLrVxjZrtKLZHV1QoYn6mt8LwKgptVSFQDJnpNGNLhI+I5EvT53LXibEFdfg4Deu3e56AoEbOvsdU224iQRUJrGsBHuiAEidREevzhCRK7+2WyNx6C/4skZqWf7Lr6v0Aw7DdjFE7mWKB4TISmH8NWjQqIhOg8ChfZgXGNQguPJYqzMkMCHJQzlDOpfHaSzoO8PWrcPCMeQdDYruM2OmC5nqd4beY5/eL5UdzBInie8W7x/wjTuYTl1XghggwA6BlnwgA/f0r1h5581qHAlMsO7uLuoleFV2GGk6R76IafODxj32sfvUaPtzBkwjjMzIGDYF4qv6OKNV0Epoi8W1ONHaGHc/b/DNJmb
X-Exchange-RoutingPolicyChecked: 
	opkhlYDz5ZCPPXZxdisZHQPY9CKqC9nyoBYs3qmyuQE1AGhhbK83eawNe/r3Chf0vZ/m0PfsYmsCzgk+nGonH3ris5VtGEYtNAphg1niCqGqNklaFUqUDZTtLW9/2ff2VHBR7J4HJzX02zrF+VgWgix7nHVLsXd+AQPMK+3xoaSzwR1f40obJxqPycFtJ1Zo0yZh+nEw6E7IWCnlJsfHBYV+zSU29hfd9AcRlFtt6B9hYaqjx1/rdTJoVPbS1B8vtoV7F1SpJvsas8LOEo3nxFWt4Cm0fB+TrCL6dtFLcwxu6LHneeZgwTj0PxmwA6b3Xm3HQrDzIx41JE2ACgYkmA==
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 459b9322-d8d0-4c43-4615-08dec01844c3
X-MS-Exchange-CrossTenant-AuthSource: IA0PR11MB8399.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jun 2026 19:59:20.1827
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 6ws7xAZO3w/Tbsc0YdZXyQbUF0FAofUwOp+V6rs9v94q7N+XxeEPLc4uj6DjbpolzKdMiEllQeeE4Bmwidcaz45/nzzxupYnEEimNb2BaSUYnh0QEvwAGTO2gVcPedmC
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB5278
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNjAxMDE5NCBTYWx0ZWRfX+yYZV4deeO35
 JxwHN1RZ6TuXjUahTUvPm3eA0mWgA4JVuCMdsXJJTHrdWLh19aPCQRV1Zw45kdkQIaDnO7k5qai
 38Ham91T+dqGlCPogYbGOuPHIHdwahzDwcXCCTrrD+km+rRNTArmeCgWvRpWYVvFmKGHFQaHj8n
 CFV8aPdIgOusV5vjeZnGAXqAx3Is/N1bFxvxPXoOTgCeeRRtyMFrSS290Wuo4HmBqCwzX0bT3+Q
 U/scO4p0Wo0LNvTGI37kSJHubGwMrjtch8u4QW3ouC9VxdrkfoO5o1vDwc0fF5h8Z2FXXloWOag
 px1HxZBLo08/VygFeYdisql6do+/11vhw4R6Bair9i3RC/3Vx56sx7BMZ8+45NBfZstYxt0VwmZ
 majz/ojBrlV0qxTSB/XOxMdo2aDnudEhtozdcolzLQrhY8IRegcRMyyXgu8bB2/psvzxzIC1HoK
 L5wxW+eSPWBVzZxBmHg==
X-Authority-Analysis: v=2.4 cv=Opt/DS/t c=1 sm=1 tr=0 ts=6a1de49b cx=c_pps
 a=ISb/o6YKWqc6zLqDT+CYOg==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19
 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19
 a=xqWC_Br6kY4A:10 a=FelO9ux0wxsA:10 a=VkNPw1HP01LnGYTKEx00:22
 a=bi6dqmuHe4P4UrxVR6um:22 a=fTW__CHxibyLmBMfj2wP:22 a=-RnzOER2bHOHE0ycucQA:9
X-Proofpoint-GUID: qM0LXicvNQr3KjWLD1Bo2sITvpIj1tQs
X-Proofpoint-ORIG-GUID: qM0LXicvNQr3KjWLD1Bo2sITvpIj1tQs
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49
 definitions=2026-06-01_05,2026-05-28_03,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 suspectscore=0 spamscore=0 priorityscore=1501 bulkscore=0 impostorscore=0
 malwarescore=0 lowpriorityscore=0 phishscore=0 clxscore=1015 adultscore=0
 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0
 reason=mlx scancount=1 engine=8.22.0-2605210000 definitions=main-2606010194
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 01 Jun 2026 19:59:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/237988

Series

cups: fix multiple CVEs | expand

Message

Abhishek Bachiphale June 1, 2026, 7:57 p.m. UTC

This series fixes multiple security vulnerabilities in cups:

- CVE-2026-34978
- CVE-2026-34979
- CVE-2026-34980
- CVE-2026-34990
- CVE-2026-39314
- CVE-2026-39316

The fixes are backported from upstream commits where available
and adapted to apply cleanly to the version currently used in
oe-core.

Changes include:
- Importing upstream patches
- Updating cups.inc to apply the patches

Tested:
- Build tested successfully
- No regressions observed during basic runtime validation

---

Abhishek Bachiphale (6):
  cups: fix CVE-2026-34978
  cups: fix CVE-2026-34979
  cups: fix CVE-2026-34980
  cups: fix CVE-2026-34990
  cups: fix CVE-2026-39314
  cups: fix CVE-2026-39316

 meta/recipes-extended/cups/cups.inc           |   6 +
 .../cups/cups/CVE-2026-34978.patch            | 120 ++++++
 .../cups/cups/CVE-2026-34979.patch            |  57 +++
 .../cups/cups/CVE-2026-34980.patch            |  88 +++++
 .../cups/cups/CVE-2026-34990.patch            | 348 ++++++++++++++++++
 .../cups/cups/CVE-2026-39314.patch            |  47 +++
 .../cups/cups/CVE-2026-39316.patch            |  42 +++
 7 files changed, 708 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34978.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34979.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34990.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch