From patchwork Mon Jun 1 19:57:56 2026
X-Patchwork-Submitter: Abhishek Bachiphale
X-Patchwork-Id: 89105
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 1/6][wrynose] cups: fix CVE-2026-34978
Date: Tue, 2 Jun 2026 01:27:56 +0530
Message-Id: <20260601195801.4008899-2-Abhishek.Bachiphale@windriver.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237989

In CUPS versions 2.4.16 and prior, the RSS notifier allows path traversal in
notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client
write RSS XML bytes outside CacheDir/rss. Because CacheDir is group-writable by
default, the notifier (running as lp) can overwrite root-managed state files
via temp-file + rename(), leading to job cache corruption and loss of queued
jobs after restart.

Apply upstream fix to prevent path traversal in RSS notifier.

Reference: [ https://nvd.nist.gov/vuln/detail/CVE-2026-34978 ]

Signed-off-by: Abhishek Bachiphale
---
 meta/recipes-extended/cups/cups.inc            |   1 +
 .../cups/cups/CVE-2026-34978.patch             | 120 ++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34978.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 2724ce72fb..e739cfa579 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ + file://CVE-2026-34978.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch new file mode 100644 index 0000000000..043cab86ea --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch 
@@ -0,0 +1,120 @@ +From 730347c5bbd5e1271149c6739aa858c0c83a7568 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:18:26 -0400 +Subject: [PATCH] Fix RSS notifier. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, the RSS +notifier allows .. path traversal in notify-recipient-uri (e.g., +rss:///../job.cache), letting a remote IPP client write RSS XML bytes +outside CacheDir/rss (anywhere that is lp-writable). In particular, +because CacheDir is group-writable by default (typically root:lp and +mode 0770), the notifier (running as lp) can replace root-managed state +files via temp-file + rename(). This PoC clobbers CacheDir/job.cache +with RSS XML, and after restarting cupsd the scheduler fails to parse +the job cache and previously queued jobs disappear. + +CVE: CVE-2026-34978 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568 ] + +Signed-off-by: Abhishek Bachiphale + +--- + notifier/rss.c | 20 ++++++++++++++------ + scheduler/ipp.c | 14 +++++++++++++- + 3 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/notifier/rss.c b/notifier/rss.c +index f17e1494c6..250ad877e7 100644 +--- a/notifier/rss.c ++++ b/notifier/rss.c +@@ -1,11 +1,12 @@ + /* + * RSS notifier for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. +- * Copyright 2007-2015 by Apple Inc. +- * Copyright 2007 by Easy Software Products. ++ * Copyright © 2020-2026 by OpenPrinting. ++ * Copyright © 2007-2015 by Apple Inc. ++ * Copyright © 2007 by Easy Software Products. + * +- * Licensed under Apache License v2.0. See the file "LICENSE" for more information. ++ * Licensed under Apache License v2.0. See the file "LICENSE" for more ++ * information. 
+ */ + + /* +@@ -80,6 +81,7 @@ main(int argc, /* I - Number of command-line arguments */ + http_status_t status; /* HTTP GET/PUT status code */ + char filename[1024], /* Local filename */ + newname[1024]; /* filename.N */ ++ struct stat fileinfo; /* Local file information */ + cups_lang_t *language; /* Language information */ + ipp_attribute_t *printer_up_time, /* Timestamp on event */ + *notify_sequence_number,/* Sequence number */ +@@ -111,9 +113,9 @@ main(int argc, /* I - Number of command-line arguments */ + + if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[1], scheme, sizeof(scheme), + username, sizeof(username), host, sizeof(host), &port, +- resource, sizeof(resource)) < HTTP_URI_OK) ++ resource, sizeof(resource)) < HTTP_URI_OK || strstr(resource, "../") != NULL) + { +- fprintf(stderr, "ERROR: Bad RSS URI \"%s\"!\n", argv[1]); ++ fprintf(stderr, "ERROR: Bad RSS URI \"%s\".\n", argv[1]); + return (1); + } + +@@ -209,6 +211,12 @@ main(int argc, /* I - Number of command-line arguments */ + snprintf(filename, sizeof(filename), "%s/rss%s", cachedir, resource); + snprintf(newname, sizeof(newname), "%s.N", filename); + ++ if (!lstat(filename, &fileinfo) && !S_ISREG(fileinfo.st_mode)) ++ { ++ fprintf(stderr, "ERROR: Local RSS path \"%s\" is not a file.\n", filename); ++ return (1); ++ } ++ + httpAssembleURIf(HTTP_URI_CODING_ALL, baseurl, sizeof(baseurl), "http", + NULL, server_name, atoi(server_port), "/rss%s", resource); + } +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index 174871741b..cb228b87c8 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1,7 +1,7 @@ + /* + * IPP routines for the CUPS scheduler. + * +- * Copyright © 2020-2025 by OpenPrinting ++ * Copyright © 2020-2026 by OpenPrinting + * Copyright © 2007-2021 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. 
+ * +@@ -1997,6 +1997,12 @@ add_job_subscriptions( + "notify-status-code", IPP_ATTRIBUTES); + return; + } ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES); ++ return; ++ } + } + else if (!strcmp(attr->name, "notify-pull-method") && + attr->value_tag == IPP_TAG_KEYWORD) +@@ -6067,6 +6073,12 @@ create_subscriptions( + "notify-status-code", IPP_ATTRIBUTES); + return; + } ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES); ++ return; ++ } + } + else if (!strcmp(attr->name, "notify-pull-method") && + attr->value_tag == IPP_TAG_KEYWORD)
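Review bot: the diffstat inside the backported patch header (the `@@ -0,0 +1,120 @@` region) says `3 files changed, 29 insertions(+), 7 deletions(-)`, but only two files follow, `notifier/rss.c` (20 changed lines) and `scheduler/ipp.c` (14), so the stat is left over from the upstream commit with a file dropped; regenerate it or drop the stat lines so the header matches the content. The `Upstream-Status: Backport [ https://... ]` line also carries spaces inside the brackets, while the usual OE form is `Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568]`.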
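Review bot: in the `notifier/rss.c` URI check, `strstr(resource, "../") != NULL` only matches a dot-dot segment that is followed by a slash, so a resource whose final segment is `..` passes this test and is refused only later, by the new `lstat()`/`S_ISREG()` check, which sees a directory. Rejecting any `..` path segment here (for example by also testing for a trailing `/..`) would make the refusal happen at the URI check with the clearer "Bad RSS URI" message, and keep the notifier and the scheduler rule identical. The `lstat()` rather than `stat()` choice in the second hunk is the right one, since a symlink planted at the feed path is then judged by itself rather than by its target.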
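Review bot: in both `add_job_subscriptions` and `create_subscriptions` (`scheduler/ipp.c`), the new rss branch reports `IPP_STATUS_ERROR_NOT_POSSIBLE` to the client via `send_ipp_status` but records `IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES` in `notify-status-code`; a malformed `notify-recipient-uri` is an attribute-value error, so using `IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES` in both calls would make the request status and the per-subscription status agree. The six lines are also repeated verbatim in the two functions; a small shared helper would keep the rss rule in one place when it is next tightened.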
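As an added illustration of the check the patch above backports, and not code from CUPS or from this patch: a small C validator that walks a URI resource path segment by segment and refuses any `..` segment (including a trailing one, which a plain `"../"` substring search does not match), builds the cache path the way the notifier does (`<cachedir>/rss<resource>`), and, like the `rss.c` hunk, refuses a target that already exists but is not a regular file. The function names, the `/tmp/cachedir` directory and the sample resources are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not CUPS code): return 1 when no '/'-separated
 * segment of an absolute resource path is "..".  Walking segments catches
 * "/../x", "/x/../y" and a trailing "/x/..", whereas a bare
 * strstr(resource, "../") misses the last of these. */
int resource_is_safe(const char *resource)
{
  const char *p;

  if (!resource || resource[0] != '/')
    return (0);                         /* must be an absolute resource path */

  for (p = resource; *p; )
  {
    const char *seg = p;

    while (*p && *p != '/')
      p ++;

    if ((p - seg) == 2 && seg[0] == '.' && seg[1] == '.')
      return (0);                       /* ".." segment: traversal attempt */

    if (*p == '/')
      p ++;
  }

  return (1);
}

/* Hypothetical helper: the notifier's lstat()/S_ISREG() rule.  A path that
 * does not exist yet is fine (the feed file will be created); one that exists
 * as a directory, symlink, device, etc. is refused.  lstat() rather than
 * stat() so that a symlink is judged by itself, not by its target. */
int path_is_regular_or_absent(const char *path)
{
  struct stat fileinfo;

  if (lstat(path, &fileinfo) != 0)
    return (1);

  return (S_ISREG(fileinfo.st_mode) ? 1 : 0);
}

/* Hypothetical helper: build "<cachedir>/rss<resource>" into out and apply
 * both rules.  Returns 0 when the path is acceptable and -1 when rejected
 * (bad resource, truncated path, or an existing non-regular file). */
int build_rss_filename(const char *cachedir, const char *resource,
                       char *out, size_t outlen)
{
  int n;

  if (!resource_is_safe(resource))
    return (-1);

  n = snprintf(out, outlen, "%s/rss%s", cachedir, resource);
  if (n < 0 || (size_t)n >= outlen)
    return (-1);                        /* truncated: never use a cut-off path */

  return (path_is_regular_or_absent(out) ? 0 : -1);
}

int main(void)
{
  /* Constructed sample resources; /tmp/cachedir is an assumed cache directory. */
  static const char *samples[] = { "/feed.rss", "/../job.cache", "/feed/..", "/a/../b" };
  char  filename[1024];
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i ++)
  {
    if (build_rss_filename("/tmp/cachedir", samples[i], filename, sizeof(filename)) == 0)
      printf("accept %-14s -> %s\n", samples[i], filename);
    else
      printf("reject %s\n", samples[i]);
  }

  return (0);
}
```

The segment walk is deliberately stricter than a substring search: nothing a legitimate RSS feed name needs contains a bare `..` segment, so rejecting it outright costs nothing, and the truncation check on `snprintf` ensures a resource long enough to overflow the buffer is never silently shortened into a different path.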