@@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://cups-volatiles.conf \
file://CVE-2025-58060.patch \
file://CVE-2025-58364.patch \
+ file://CVE-2025-58436.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
new file mode 100644
@@ -0,0 +1,634 @@
+From d8707cbc36ce3daf03a8bc683b347359e058b9f6 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 13 Oct 2025 10:16:48 +0200
+Subject: [PATCH] Fix unresponsive cupsd process caused by a slow client
+
+If client is very slow, it will slow cupsd process for other clients.
+The fix is the best effort without turning scheduler cupsd into
+multithreaded process which would be too complex and error-prone when
+backporting to 2.4.x series.
+
+The fix for unencrypted communication is to follow up on communication
+only if there is the whole line on input, and the waiting time is
+guarded by timeout.
+
+Encrypted communication now starts after we have the whole client hello
+packet, which conflicts with optional upgrade support to HTTPS via
+methods other than method OPTIONS, so this optional support defined in
+RFC 2817, section 3.1 is removed. Too slow or incomplete requests are
+handled by connection timeout.
+
+Fixes CVE-2025-58436
+
+CVE: CVE-2025-58436
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/5d414f1f91bd]
+
+(cherry picked from commit 5d414f1f91bdca118413301b148f0b188eb1cdc6)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ cups/http-private.h | 7 +-
+ cups/http.c | 80 +++++++++++++-------
+ cups/tls-openssl.c | 15 +++-
+ scheduler/client.c | 178 ++++++++++++++++++++++++++++----------------
+ scheduler/client.h | 3 +
+ scheduler/select.c | 12 +++
+ 6 files changed, 198 insertions(+), 97 deletions(-)
+
+diff --git a/cups/http-private.h b/cups/http-private.h
+index 5f77b8ef0..b8e200bf6 100644
+--- a/cups/http-private.h
++++ b/cups/http-private.h
+@@ -121,6 +121,7 @@ extern "C" {
+ * Constants...
+ */
+
++# define _HTTP_MAX_BUFFER 32768 /* Size of read buffer */
+ # define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
+ # define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
+ # define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
+@@ -232,8 +233,8 @@ struct _http_s /**** HTTP connection structure ****/
+ http_encoding_t data_encoding; /* Chunked or not */
+ int _data_remaining;/* Number of bytes left (deprecated) */
+ int used; /* Number of bytes used in buffer */
+- char buffer[HTTP_MAX_BUFFER];
+- /* Buffer for incoming data */
++ char _buffer[HTTP_MAX_BUFFER];
++ /* Old read buffer (deprecated) */
+ int _auth_type; /* Authentication in use (deprecated) */
+ unsigned char _md5_state[88]; /* MD5 state (deprecated) */
+ char nonce[HTTP_MAX_VALUE];
+@@ -307,6 +308,8 @@ struct _http_s /**** HTTP connection structure ****/
+ /* Allocated field values */
+ *default_fields[HTTP_FIELD_MAX];
+ /* Default field values, if any */
++ char buffer[_HTTP_MAX_BUFFER];
++ /* Read buffer */
+ };
+ # endif /* !_HTTP_NO_PRIVATE */
+
+diff --git a/cups/http.c b/cups/http.c
+index 31a8be361..599703c7b 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -53,7 +53,7 @@ static http_t *http_create(const char *host, int port,
+ static void http_debug_hex(const char *prefix, const char *buffer,
+ int bytes);
+ #endif /* DEBUG */
+-static ssize_t http_read(http_t *http, char *buffer, size_t length);
++static ssize_t http_read(http_t *http, char *buffer, size_t length, int timeout);
+ static ssize_t http_read_buffered(http_t *http, char *buffer, size_t length);
+ static ssize_t http_read_chunk(http_t *http, char *buffer, size_t length);
+ static int http_send(http_t *http, http_state_t request,
+@@ -1200,7 +1200,7 @@ httpGets(char *line, /* I - Line to read into */
+ return (NULL);
+ }
+
+- bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used));
++ bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value);
+
+ DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes));
+
+@@ -1720,24 +1720,13 @@ httpPeek(http_t *http, /* I - HTTP connection */
+
+ ssize_t buflen; /* Length of read for buffer */
+
+- if (!http->blocking)
+- {
+- while (!httpWait(http, http->wait_value))
+- {
+- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
+- continue;
+-
+- return (0);
+- }
+- }
+-
+ if ((size_t)http->data_remaining > sizeof(http->buffer))
+ buflen = sizeof(http->buffer);
+ else
+ buflen = (ssize_t)http->data_remaining;
+
+ DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen));
+- bytes = http_read(http, http->buffer, (size_t)buflen);
++ bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value);
+
+ DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.",
+ CUPS_LLCAST bytes));
+@@ -1758,9 +1747,9 @@ httpPeek(http_t *http, /* I - HTTP connection */
+ int zerr; /* Decompressor error */
+ z_stream stream; /* Copy of decompressor stream */
+
+- if (http->used > 0 && ((z_stream *)http->stream)->avail_in < HTTP_MAX_BUFFER)
++ if (http->used > 0 && ((z_stream *)http->stream)->avail_in < _HTTP_MAX_BUFFER)
+ {
+- size_t buflen = HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
++ size_t buflen = _HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
+ /* Number of bytes to copy */
+
+ if (((z_stream *)http->stream)->avail_in > 0 &&
+@@ -2018,7 +2007,7 @@ httpRead2(http_t *http, /* I - HTTP connection */
+
+ if (bytes == 0)
+ {
+- ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
++ ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
+ /* Additional bytes for buffer */
+
+ if (buflen > 0)
+@@ -2768,7 +2757,7 @@ int /* O - 1 to continue, 0 to stop */
+ _httpUpdate(http_t *http, /* I - HTTP connection */
+ http_status_t *status) /* O - Current HTTP status */
+ {
+- char line[32768], /* Line from connection... */
++ char line[_HTTP_MAX_BUFFER], /* Line from connection... */
+ *value; /* Pointer to value on line */
+ http_field_t field; /* Field index */
+ int major, minor; /* HTTP version numbers */
+@@ -2776,12 +2765,46 @@ _httpUpdate(http_t *http, /* I - HTTP connection */
+
+ DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state)));
+
++ /* When doing non-blocking I/O, make sure we have a whole line... */
++ if (!http->blocking)
++ {
++ ssize_t bytes; /* Bytes "peeked" from connection */
++
++ /* See whether our read buffer is full... */
++ DEBUG_printf(("2_httpUpdate: used=%d", http->used));
++
++ if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
++ {
++ /* No, try filling in more data... */
++ if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
++ {
++ DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes));
++ http->used += (int)bytes;
++ }
++ }
++
++ /* Peek at the incoming data... */
++ if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used))
++ {
++ /* Don't have a full line, tell the reader to try again when there is more data... */
++ DEBUG_puts("1_htttpUpdate: No newline in buffer yet.");
++ if ((size_t)http->used == sizeof(http->buffer))
++ *status = HTTP_STATUS_ERROR;
++ else
++ *status = HTTP_STATUS_CONTINUE;
++ return (0);
++ }
++
++ DEBUG_puts("2_httpUpdate: Found newline in buffer.");
++ }
++
+ /*
+ * Grab a single line from the connection...
+ */
+
+ if (!httpGets(line, sizeof(line), http))
+ {
++ DEBUG_puts("1_httpUpdate: Error reading request line.");
+ *status = HTTP_STATUS_ERROR;
+ return (0);
+ }
+@@ -4134,7 +4157,8 @@ http_debug_hex(const char *prefix, /* I - Prefix for line */
+ static ssize_t /* O - Number of bytes read or -1 on error */
+ http_read(http_t *http, /* I - HTTP connection */
+ char *buffer, /* I - Buffer */
+- size_t length) /* I - Maximum bytes to read */
++ size_t length, /* I - Maximum bytes to read */
++ int timeout) /* I - Wait timeout */
+ {
+ ssize_t bytes; /* Bytes read */
+
+@@ -4143,7 +4167,7 @@ http_read(http_t *http, /* I - HTTP connection */
+
+ if (!http->blocking || http->timeout_value > 0.0)
+ {
+- while (!httpWait(http, http->wait_value))
++ while (!_httpWait(http, timeout, 1))
+ {
+ if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
+ continue;
+@@ -4246,7 +4270,7 @@ http_read_buffered(http_t *http, /* I - HTTP connection */
+ else
+ bytes = (ssize_t)length;
+
+- DEBUG_printf(("8http_read: Grabbing %d bytes from input buffer.",
++ DEBUG_printf(("8http_read_buffered: Grabbing %d bytes from input buffer.",
+ (int)bytes));
+
+ memcpy(buffer, http->buffer, (size_t)bytes);
+@@ -4256,7 +4280,7 @@ http_read_buffered(http_t *http, /* I - HTTP connection */
+ memmove(http->buffer, http->buffer + bytes, (size_t)http->used);
+ }
+ else
+- bytes = http_read(http, buffer, length);
++ bytes = http_read(http, buffer, length, http->wait_value);
+
+ return (bytes);
+ }
+@@ -4597,15 +4621,15 @@ http_set_timeout(int fd, /* I - File descriptor */
+ static void
+ http_set_wait(http_t *http) /* I - HTTP connection */
+ {
+- if (http->blocking)
+- {
+- http->wait_value = (int)(http->timeout_value * 1000);
++ http->wait_value = (int)(http->timeout_value * 1000);
+
+- if (http->wait_value <= 0)
++ if (http->wait_value <= 0)
++ {
++ if (http->blocking)
+ http->wait_value = 60000;
++ else
++ http->wait_value = 1000;
+ }
+- else
+- http->wait_value = 10000;
+ }
+
+
+diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
+index 9fcbe0af3..f746f4cba 100644
+--- a/cups/tls-openssl.c
++++ b/cups/tls-openssl.c
+@@ -215,12 +215,14 @@ cupsMakeServerCredentials(
+ // Save them...
+ if ((bio = BIO_new_file(keyfile, "wb")) == NULL)
+ {
++ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file '%s': %s", keyfile, strerror(errno)));
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
+ goto done;
+ }
+
+ if (!PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL))
+ {
++ DEBUG_puts("1cupsMakeServerCredentials: PEM_write_bio_PrivateKey failed.");
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to write private key."), 1);
+ BIO_free(bio);
+ goto done;
+@@ -230,12 +232,14 @@ cupsMakeServerCredentials(
+
+ if ((bio = BIO_new_file(crtfile, "wb")) == NULL)
+ {
++ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create certificate file '%s': %s", crtfile, strerror(errno)));
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
+ goto done;
+ }
+
+ if (!PEM_write_bio_X509(bio, cert))
+ {
++ DEBUG_puts("1cupsMakeServerCredentials: PEM_write_bio_X509 failed.");
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to write X.509 certificate."), 1);
+ BIO_free(bio);
+ goto done;
+@@ -1082,10 +1086,10 @@ _httpTLSStart(http_t *http) // I - Connection to server
+
+ if (!cupsMakeServerCredentials(tls_keypath, cn, 0, NULL, time(NULL) + 3650 * 86400))
+ {
+- DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
++ DEBUG_printf(("4_httpTLSStart: cupsMakeServerCredentials failed: %s", cupsLastErrorString()));
+ http->error = errno = EINVAL;
+ http->status = HTTP_STATUS_ERROR;
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
++// _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
+ SSL_CTX_free(context);
+ _cupsMutexUnlock(&tls_mutex);
+
+@@ -1346,14 +1350,17 @@ http_bio_read(BIO *h, // I - BIO data
+
+ http = (http_t *)BIO_get_data(h);
+
+- if (!http->blocking)
++ if (!http->blocking || http->timeout_value > 0.0)
+ {
+ /*
+ * Make sure we have data before we read...
+ */
+
+- if (!_httpWait(http, 10000, 0))
++ while (!_httpWait(http, http->wait_value, 0))
+ {
++ if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
++ continue;
++
+ #ifdef WIN32
+ http->error = WSAETIMEDOUT;
+ #else
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 233f9017d..d495d9a75 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -34,11 +34,11 @@
+
+ static int check_if_modified(cupsd_client_t *con,
+ struct stat *filestats);
+-static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
+- void *data);
+ #ifdef HAVE_TLS
+-static int cupsd_start_tls(cupsd_client_t *con, http_encryption_t e);
++static int check_start_tls(cupsd_client_t *con);
+ #endif /* HAVE_TLS */
++static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
++ void *data);
+ static char *get_file(cupsd_client_t *con, struct stat *filestats,
+ char *filename, size_t len);
+ static http_status_t install_cupsd_conf(cupsd_client_t *con);
+@@ -360,14 +360,20 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ if (lis->encryption == HTTP_ENCRYPTION_ALWAYS)
+ {
+ /*
+- * https connection; go secure...
++ * HTTPS connection, force TLS negotiation...
+ */
+
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
+- cupsdCloseClient(con);
++ con->tls_start = time(NULL);
++ con->encryption = HTTP_ENCRYPTION_ALWAYS;
+ }
+ else
++ {
++ /*
++ * HTTP connection, but check for HTTPS negotiation on first data...
++ */
++
+ con->auto_ssl = 1;
++ }
+ #endif /* HAVE_TLS */
+ }
+
+@@ -606,17 +612,46 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+
+ con->auto_ssl = 0;
+
+- if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 &&
+- (!buf[0] || !strchr("DGHOPT", buf[0])))
++ if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2])
+ {
+ /*
+- * Encrypt this connection...
++ * Client hello record, encrypt this connection...
+ */
+
+- cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255);
++ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session.");
++ con->tls_start = time(NULL);
++ con->encryption = HTTP_ENCRYPTION_ALWAYS;
++ }
++ }
+
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
+- cupsdCloseClient(con);
++ if (con->tls_start)
++ {
++ /*
++ * Try negotiating TLS...
++ */
++
++ int tls_status = check_start_tls(con);
++
++ if (tls_status < 0)
++ {
++ /*
++ * TLS negotiation failed, close the connection.
++ */
++
++ cupsdCloseClient(con);
++ return;
++ }
++ else if (tls_status == 0)
++ {
++ /*
++ * Nothing to do yet...
++ */
++
++ if ((time(NULL) - con->tls_start) > 5)
++ {
++ // Timeout, close the connection...
++ cupsdCloseClient(con);
++ }
+
+ return;
+ }
+@@ -780,9 +815,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ * Parse incoming parameters until the status changes...
+ */
+
+- while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE)
+- if (!httpGetReady(con->http))
+- break;
++ status = httpUpdate(con->http);
+
+ if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE)
+ {
+@@ -944,11 +977,10 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ return;
+ }
+
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
+- {
+- cupsdCloseClient(con);
+- return;
+- }
++ con->tls_start = time(NULL);
++ con->tls_upgrade = 1;
++ con->encryption = HTTP_ENCRYPTION_REQUIRED;
++ return;
+ #else
+ if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
+ {
+@@ -987,32 +1019,11 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
+ "Upgrade") && !httpIsEncrypted(con->http))
+ {
+-#ifdef HAVE_TLS
+- /*
+- * Do encryption stuff...
+- */
+-
+- httpClearFields(con->http);
+-
+- if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL,
+- CUPSD_AUTH_NONE))
+- {
+- cupsdCloseClient(con);
+- return;
+- }
+-
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
+- {
+- cupsdCloseClient(con);
+- return;
+- }
+-#else
+ if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
+ {
+ cupsdCloseClient(con);
+ return;
+ }
+-#endif /* HAVE_TLS */
+ }
+
+ if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK)
+@@ -2685,6 +2696,69 @@ check_if_modified(
+ }
+
+
++#ifdef HAVE_TLS
++/*
++ * 'check_start_tls()' - Start encryption on a connection.
++ */
++
++static int /* O - 0 to continue, 1 on success, -1 on error */
++check_start_tls(cupsd_client_t *con) /* I - Client connection */
++{
++ unsigned char chello[4096]; /* Client hello record */
++ ssize_t chello_bytes; /* Bytes read/peeked */
++ int chello_len; /* Length of record */
++
++
++ /*
++ * See if we have a good and complete client hello record...
++ */
++
++ if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5)
++ return (0); /* Not enough bytes (yet) */
++
++ if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0)
++ return (-1); /* Not a TLS Client Hello record */
++
++ chello_len = (chello[3] << 8) | chello[4];
++
++ if ((chello_len + 5) > chello_bytes)
++ return (0); /* Not enough bytes yet */
++
++ /*
++ * OK, we do, try negotiating...
++ */
++
++ con->tls_start = 0;
++
++ if (httpEncryption(con->http, con->encryption))
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString());
++ return (-1);
++ }
++
++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
++
++ if (con->tls_upgrade)
++ {
++ // Respond to the original OPTIONS command...
++ con->tls_upgrade = 0;
++
++ httpClearFields(con->http);
++ httpClearCookie(con->http);
++ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
++
++ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
++ {
++ cupsdCloseClient(con);
++ return (-1);
++ }
++ }
++
++ return (1);
++}
++#endif /* HAVE_TLS */
++
++
+ /*
+ * 'compare_clients()' - Compare two client connections.
+ */
+@@ -2705,28 +2779,6 @@ compare_clients(cupsd_client_t *a, /* I - First client */
+ }
+
+
+-#ifdef HAVE_TLS
+-/*
+- * 'cupsd_start_tls()' - Start encryption on a connection.
+- */
+-
+-static int /* O - 0 on success, -1 on error */
+-cupsd_start_tls(cupsd_client_t *con, /* I - Client connection */
+- http_encryption_t e) /* I - Encryption mode */
+-{
+- if (httpEncryption(con->http, e))
+- {
+- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s",
+- cupsLastErrorString());
+- return (-1);
+- }
+-
+- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
+- return (0);
+-}
+-#endif /* HAVE_TLS */
+-
+-
+ /*
+ * 'get_file()' - Get a filename and state info.
+ */
+diff --git a/scheduler/client.h b/scheduler/client.h
+index 9fe4e2ea6..2939ce997 100644
+--- a/scheduler/client.h
++++ b/scheduler/client.h
+@@ -53,6 +53,9 @@ struct cupsd_client_s
+ cups_lang_t *language; /* Language to use */
+ #ifdef HAVE_TLS
+ int auto_ssl; /* Automatic test for SSL/TLS */
++ time_t tls_start; /* Do TLS negotiation? */
++ int tls_upgrade; /* Doing TLS upgrade via OPTIONS? */
++ http_encryption_t encryption; /* Type of TLS negotiation */
+ #endif /* HAVE_TLS */
+ http_addr_t clientaddr; /* Client's server address */
+ char clientname[256];/* Client's server name for connection */
+diff --git a/scheduler/select.c b/scheduler/select.c
+index 2e64f2a7e..ac6205c51 100644
+--- a/scheduler/select.c
++++ b/scheduler/select.c
+@@ -408,6 +408,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+
+ cupsd_in_select = 1;
+
++ // Prevent 100% CPU by releasing control before the kevent call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ {
+ ktimeout.tv_sec = timeout;
+@@ -452,6 +455,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ struct epoll_event *event; /* Current event */
+
+
++ // Prevent 100% CPU by releasing control before the epoll_wait call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs,
+ timeout * 1000);
+@@ -544,6 +550,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ }
+ }
+
++ // Prevent 100% CPU by releasing control before the poll call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000);
+ else
+@@ -597,6 +606,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ cupsd_current_input = cupsd_global_input;
+ cupsd_current_output = cupsd_global_output;
+
++ // Prevent 100% CPU by releasing control before the select call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ {
+ stimeout.tv_sec = timeout;
+--
+2.44.1