diff mbox series

[6/6,wrynose] cups: fix CVE-2026-39316

Message ID 20260601195801.4008899-7-Abhishek.Bachiphale@windriver.com
State New
Series cups: fix multiple CVEs

Commit Message

Abhishek Bachiphale June 1, 2026, 7:58 p.m. UTC
In CUPS versions 2.4.16 and prior, a use-after-free
vulnerability exists in the scheduler when temporary
printers are automatically deleted. The function
cupsdDeleteTemporaryPrinters() in scheduler/printers.c
calls cupsdDeletePrinter() without first expiring
subscriptions that reference the printer, leaving
cupsd_subscription_t.dest as a dangling pointer to freed
heap memory. The dangling pointer is subsequently
dereferenced at multiple code sites, causing a crash
(denial of service) of the cupsd daemon. With heap
grooming, this issue can be leveraged for code execution.

Apply upstream fix to expire subscriptions before
deleting printers, preventing dangling pointers and
use-after-free conditions.

Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
---
 meta/recipes-extended/cups/cups.inc           |  1 +
 .../cups/cups/CVE-2026-39316.patch            | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch

Patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index a12965bb6e..194b9c2638 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,6 +20,7 @@  SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
            file://CVE-2026-34980.patch \
            file://CVE-2026-34990.patch \
            file://CVE-2026-39314.patch \
+           file://CVE-2026-39316.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
new file mode 100644
index 0000000000..c8d7e10ac2
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
@@ -0,0 +1,42 @@ 
+From 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 11:33:23 -0400
+Subject: [PATCH] Expire per-printer subscriptions before deleting.
+
+OpenPrinting CUPS is an open source printing system for Linux and other
+Unix-like operating systems. In versions 2.4.16 and prior, a
+use-after-free vulnerability exists in the CUPS scheduler (cupsd) when
+temporary printers are automatically deleted.
+cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls
+cupsdDeletePrinter() without first expiring subscriptions that reference
+the printer, leaving cupsd_subscription_t.dest as a dangling pointer to
+freed heap memory. The dangling pointer is subsequently dereferenced at
+multiple code sites, causing a crash (denial of service) of the cupsd
+daemon. With heap grooming, this can be leveraged for code execution.
+
+CVE: CVE-2026-39316
+
+Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f ]
+
+Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
+---
+ scheduler/printers.c | 6 ++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 4aba6241c..50778b89a 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -644,6 +644,12 @@ cupsdDeletePrinter(
+                      update ? "Job stopped due to printer being deleted." :
+ 		              "Job stopped.");
+ 
++ /*
++  * Expire subscriptions on the printer...
++  */
++
++  cupsdExpireSubscriptions(p, /*job*/NULL);
++
+  /*
+   * Remove the printer from the list...
+   */
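
Review bot: the embedded patch's diffstat contradicts itself, with "scheduler/printers.c | 6 ++++++" on one line and "1 file changed, 7 insertions(+)" on the next, while the inner hunk header "@@ -644,6 +644,12 @@" and the hunk body both show six added lines. That summary looks hand-edited; regenerate the backport with git format-patch so it reads 6 insertions and matches the hunk. Separately, the description names cupsdDeleteTemporaryPrinters() as the caller that skips expiry, but the added cupsdExpireSubscriptions(p, /*job*/NULL) call sits inside cupsdDeletePrinter(), so every path that deletes a printer now expires its subscriptions first. A sentence saying so in the patch description would make it clear to anyone auditing other callers that they are covered by the same change.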