@@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
file://CVE-2026-39316.patch \
+ file://CVE-2026-41079.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
@@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
index 4a2e25d..0da2c55 100644
--- a/CHANGES.md
+++ b/CHANGES.md
-@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
+@@ -21,6 +21,8 @@
Changes in CUPS v2.4.10 (2024-06-18)
- -----------------------------
+ ------------------------------------
+- CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
@@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
index 7a5e8813f..429ee874f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
-@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
- Changes in CUPS v2.4.10 (2024-06-18)
- ------------------------------------
-
+@@ -24,6 +24,8 @@
- CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive.
-- Fixed cupsd crash if user does not exist (Issue #1555)
+ - Fixed cupsd crash if user does not exist (Issue #1555)
+- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
+ directory.
- Fixed error handling when reading a mixed `1setOf` attribute.
@@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
+ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
++ return;
++ }
+ }
+ else if (!strcmp(attr->name, "notify-pull-method") &&
+ attr->value_tag == IPP_TAG_KEYWORD)
+@@ -6010,6 +6016,12 @@ create_subscriptions(
+ "notify-status-code", IPP_ATTRIBUTES);
+ return;
+ }
++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
++ return;
++ }
+ }
+ else if (!strcmp(attr->name, "notify-pull-method") &&
+ attr->value_tag == IPP_TAG_KEYWORD)
@@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
#
# Test the lp command.
#
--# Copyright © 2020-2024 by OpenPrinting.
-+# Copyright © 2020-2026 by OpenPrinting.
- # Copyright © 2007-2019 by Apple Inc.
- # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
#
@@ -72,8 +72,8 @@ echo ""
@@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
{
OSStatus status; /* Status */
char authdata[HTTP_MAX_VALUE];
-@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
-- else if (!strncmp(authorization, "PeerCred ", 9) &&
+- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
+ else if (PeerCred != CUPSD_PEERCRED_OFF &&
+ !strncmp(authorization, "PeerCred ", 9) &&
@@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
{
send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
return;
-@@ -5621,9 +5621,15 @@ create_local_printer(
-
- ptr = ippGetString(device_uri, 0, NULL);
-
-- if (!ptr || !ptr[0])
-+ if (!ptr || !ptr[0])
- {
-- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
-+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
+@@ -5634,6 +5634,12 @@ create_local_printer(
return;
}
+ else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
-+
++
+ return;
+ }
+
+ printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
+ printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
diff --git a/scheduler/job.c b/scheduler/job.c
index 880c25f..6c033de 100644
--- a/scheduler/job.c
new file mode 100644
@@ -0,0 +1,72 @@
+From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 13 Apr 2026 11:50:23 -0400
+Subject: [PATCH] Limit num_bytes for SNMP string values.
+
+CVE: CVE-2026-41079
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
+
+(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ cups/snmp-private.h | 6 +++---
+ cups/snmp.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/cups/snmp-private.h b/cups/snmp-private.h
+index 52b8740..015f53e 100644
+--- a/cups/snmp-private.h
++++ b/cups/snmp-private.h
+@@ -1,7 +1,7 @@
+ /*
+ * Private SNMP definitions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2014 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
+
+ typedef struct cups_snmp_string_s /**** String value ****/
+ {
+- unsigned char bytes[CUPS_SNMP_MAX_STRING];
+- /* Bytes in string */
+ unsigned num_bytes; /* Number of bytes */
++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
++ /* Bytes in string */
+ } cups_snmp_string_t;
+
+ union cups_snmp_value_u /**** Object value ****/
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 54e348f..3222ff3 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1,7 +1,7 @@
+ /*
+ * SNMP functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
+ case CUPS_ASN1_OCTET_STRING :
+ case CUPS_ASN1_BIT_STRING :
+ case CUPS_ASN1_HEX_STRING :
+- packet->object_value.string.num_bytes = length;
+ asn1_get_string(&bufptr, bufend, length,
+ (char *)packet->object_value.string.bytes,
+ sizeof(packet->object_value.string.bytes));
++
++ if (length >= sizeof(packet->object_value.string.bytes))
++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
++ else
++ packet->object_value.string.num_bytes = length;
+ break;
+
+ case CUPS_ASN1_OID :
+--
+2.43.7
+