@@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34979.patch \
file://CVE-2026-34980.patch \
file://CVE-2026-34990.patch \
+ file://CVE-2026-39314.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
new file mode 100644
@@ -0,0 +1,47 @@
+From 928a86b1b794f738f0a3dc87561b2e054bff7ce4 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 10:45:25 -0400
+Subject: [PATCH] Range check job-password-supported.
+
+OpenPrinting CUPS is an open source printing system for Linux and other
+Unix-like operating systems. In versions 2.4.16 and prior, an integer
+underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows
+any unprivileged local user to crash the cupsd root process by supplying
+a negative job-password-supported IPP attribute. The bounds check only
+caps the upper bound, so a negative value passes validation, is cast to
+size_t (wrapping to ~2^64), and is used as the length argument to
+memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in
+the cupsd root process. Combined with systemd's Restart=on-failure, an
+attacker can repeat the crash for sustained denial of service.
+
+CVE: CVE-2026-39314
+
+Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4 ]
+
+Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
+---
+ cups/ppd-cache.c | 4 ++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index f5386532ca..ef6caa28a7 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -1,7 +1,7 @@
+ /*
+ * PPD cache implementation for CUPS.
+ *
+- * Copyright © 2022-2025 by OpenPrinting.
++ * Copyright © 2022-2026 by OpenPrinting.
+ * Copyright © 2010-2021 by Apple Inc.
+ *
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more
+@@ -3530,7 +3530,7 @@ _ppdCreateFromIPP2(
+ * Password/PIN printing...
+ */
+
+- if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL)
++ if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL && ippGetInteger(attr, 0) > 0)
+ {
+ char pattern[33]; /* Password pattern */
+ int maxlen = ippGetInteger(attr, 0);
In CUPS versions 2.4.16 and prior, an integer underflow exists in _ppdCreateFromIPP() (cups/ppd-cache.c). A local unprivileged user can supply a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service. Apply upstream fix to validate negative values and prevent integer underflow in _ppdCreateFromIPP(). Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-39314.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch