@@ -20,6 +20,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2025-58436.patch \
file://CVE-2025-61915.patch \
file://0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch \
+ file://CVE-2026-27447.patch \
+ file://CVE-2026-27447-regression_p1.patch \
+ file://CVE-2026-27447-regression_p2.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
new file mode 100644
@@ -0,0 +1,48 @@
+From 6d97ee39fedf12a7a5429a74f4156ef9bb67f562 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 22 Apr 2026 12:40:14 +0200
+Subject: [PATCH] Fix cupsd crash if user does not exist on server
+
+CVE: CVE-2026-27447
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562]
+
+Backport Changes:
+- Adapt the upstream CHANGES.md section for CUPS v2.4.18 to the
+ downstream CUPS v2.4.11 changelog.
+
+(cherry picked from commit 6d97ee39fedf12a7a5429a74f4156ef9bb67f562)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 0da2c55..59c131e 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -6,6 +6,7 @@ Changes in CUPS v2.4.10 (2024-06-18)
+
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
++- Fixed cupsd crash if user does not exist (Issue #1555)
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 1678a29..4798e86 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1810,7 +1810,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+--
+2.43.7
+
+
new file mode 100644
@@ -0,0 +1,46 @@
+From 849fba7d7a1144e48d45c5e6ba2504765912ece0 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Fri, 24 Apr 2026 14:06:06 -0400
+Subject: [PATCH] Fix unauthenticated print policies (Issue #1557)
+
+CVE: CVE-2026-27447
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0]
+
+Backport Changes:
+- Drop the upstream CHANGES.md section for CUPS v2.4.19.
+
+(cherry picked from commit 849fba7d7a1144e48d45c5e6ba2504765912ece0)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ scheduler/auth.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 4798e86..1dd520d 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1810,8 +1810,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+- !strcmp(pw->pw_name, ownername))
++ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ ((pw && !strcmp(pw->pw_name, ownername)) ||
++ (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername))))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1825,6 +1826,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ }
+ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
++ else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name))
++ return (HTTP_STATUS_OK);
+ }
+
+ for (name = (char *)cupsArrayFirst(best->names);
+--
+2.43.7
+
+
new file mode 100644
@@ -0,0 +1,120 @@
+From 37b8a4387864eded1a15a45db8950a23e5c610d2 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:04:21 -0400
+Subject: [PATCH] CVE-2026-27447: The scheduler treated local user and group
+ names as case-insensitive.
+
+CVE: CVE-2026-27447
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb]
+
+Backport Changes:
+- Rebase CHANGES.md and scheduler/auth.c context to the CUPS 2.4.11 source
+ carried by this recipe.
+
+(cherry picked from commit a0c62c1e69604ff061089b750073199fab5a1beb)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/auth.c | 31 +++++++++++++++----------------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 4a2e25d..0da2c55 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
+ Changes in CUPS v2.4.10 (2024-06-18)
+ -----------------------------
+
++- CVE-2026-27447: The scheduler treated local user and group names as case-
++ insensitive.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index d0430b4..1678a29 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1,7 +1,7 @@
+ /*
+ * Authorization routines for the CUPS scheduler.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1159,7 +1159,7 @@ cupsdCheckGroup(
+ group = getgrnam(groupname);
+ endgrent();
+
+- if (group != NULL)
++ if (user && group)
+ {
+ /*
+ * Group exists, check it...
+@@ -1173,7 +1173,7 @@ cupsdCheckGroup(
+ * User appears in the group membership...
+ */
+
+- if (!_cups_strcasecmp(username, group->gr_mem[i]))
++ if (!strcmp(user->pw_name, group->gr_mem[i]))
+ return (1);
+ }
+
+@@ -1184,25 +1184,24 @@ cupsdCheckGroup(
+ * belongs to...
+ */
+
+- if (user)
+- {
+- int ngroups; /* Number of groups */
++ int ngroups; /* Number of groups */
+ # ifdef __APPLE__
+- int groups[2048]; /* Groups that user belongs to */
++ int groups[2048]; /* Groups that user belongs to */
+ # else
+- gid_t groups[2048]; /* Groups that user belongs to */
++ gid_t groups[2048]; /* Groups that user belongs to */
+ # endif /* __APPLE__ */
+
+- ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
++ ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+ # ifdef __APPLE__
+- getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups);
+ # else
+- getgrouplist(username, user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
+ #endif /* __APPLE__ */
+
+- for (i = 0; i < ngroups; i ++)
+- if ((int)groupid == (int)groups[i])
+- return (1);
++ for (i = 0; i < ngroups; i ++)
++ {
++ if ((int)groupid == (int)groups[i])
++ return (1);
+ }
+ #endif /* HAVE_GETGROUPLIST */
+ }
+@@ -1812,7 +1811,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name = (char *)cupsArrayNext(best->names))
+ {
+ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+- !_cups_strcasecmp(username, ownername))
++ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1824,7 +1823,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ if (cupsdCheckGroup(username, pw, name + 1))
+ return (HTTP_OK);
+ }
+- else if (!_cups_strcasecmp(username, name))
++ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
+ }
+
+--
+2.43.7