diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 2724ce72fb..e3562c10dd 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ + file://CVE-2026-27447.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch new file mode 100644 index 0000000000..a4d444078b --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch @@ -0,0 +1,102 @@ +From 99750490becf1ce88a280451e056d09fe765c5c3 Mon Sep 17 00:00:00 2001 +From: Abhishek Bachiphale +Date: Fri, 24 Apr 2026 11:22:22 +0000 +Subject: [PATCH] CVE-2026-27447: The scheduler treated local user and group + names as case-insensitive. + +CVE: CVE-2026-27447 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/88516bf6d9e34cef7a64a704b856b837f70cd220 ] + +Signed-off-by: Abhishek Bachiphale +--- + scheduler/auth.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +diff --git a/scheduler/auth.c b/scheduler/auth.c +index bd0d28a..c05b1b8 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -1,7 +1,7 @@ + /* + * Authorization routines for the CUPS scheduler. + * +- * Copyright © 2020-2024 by OpenPrinting. ++ * Copyright © 2020-2026 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. + * +@@ -1184,7 +1184,7 @@ cupsdCheckGroup( + group = getgrnam(groupname); + endgrent(); + +- if (group != NULL) ++ if (user && group) + { + /* + * Group exists, check it... +@@ -1198,7 +1198,7 @@ cupsdCheckGroup( + * User appears in the group membership... + */ + +- if (!_cups_strcasecmp(username, group->gr_mem[i])) ++ if (!strcmp(user->pw_name, group->gr_mem[i])) + return (1); + } + +@@ -1209,25 +1209,24 @@ cupsdCheckGroup( + * belongs to... + */ + +- if (user) +- { +- int ngroups; /* Number of groups */ ++ int ngroups; /* Number of groups */ + # ifdef __APPLE__ +- int groups[2048]; /* Groups that user belongs to */ ++ int groups[2048]; /* Groups that user belongs to */ + # else +- gid_t groups[2048]; /* Groups that user belongs to */ ++ gid_t groups[2048]; /* Groups that user belongs to */ + # endif /* __APPLE__ */ + +- ngroups = (int)(sizeof(groups) / sizeof(groups[0])); ++ ngroups = (int)(sizeof(groups) / sizeof(groups[0])); + # ifdef __APPLE__ +- getgrouplist(username, (int)user->pw_gid, groups, &ngroups); ++ getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups); + # else +- getgrouplist(username, user->pw_gid, groups, &ngroups); ++ getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups); + #endif /* __APPLE__ */ + +- for (i = 0; i < ngroups; i ++) +- if ((int)groupid == (int)groups[i]) +- return (1); ++ for (i = 0; i < ngroups; i ++) ++ { ++ if ((int)groupid == (int)groups[i]) ++ return (1); + } + #endif /* HAVE_GETGROUPLIST */ + } +@@ -1836,8 +1835,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + name; + name = (char *)cupsArrayNext(best->names)) + { +- if (!_cups_strcasecmp(name, "@OWNER") && owner && +- !_cups_strcasecmp(username, ownername)) ++ if (!_cups_strcasecmp(name, "@OWNER") && owner && pw && ++ !strcmp(pw->pw_name, ownername)) + return (HTTP_OK); + else if (!_cups_strcasecmp(name, "@SYSTEM")) + { +@@ -1849,7 +1848,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + if (cupsdCheckGroup(username, pw, name + 1)) + return (HTTP_OK); + } +- else if (!_cups_strcasecmp(username, name)) ++ else if (pw && !strcmp(pw->pw_name, name)) + return (HTTP_OK); + } +