diff mbox series

[wrynose,09/21] cups: fix CVE-2026-39316

Message ID edbd628efd14cbc829d3176e908f1bb97f213e81.1781132051.git.yoann.congal@smile.fr
State New
Headers show
Series [wrynose,01/21] libpcap: fix error message on 32-bit integer overflow | expand

Commit Message

Yoann Congal June 10, 2026, 10:55 p.m. UTC 
From: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>

In CUPS versions 2.4.16 and prior, a use-after-free
vulnerability exists in the scheduler when temporary
printers are automatically deleted. The function
cupsdDeleteTemporaryPrinters() in scheduler/printers.c
calls cupsdDeletePrinter() without first expiring
subscriptions that reference the printer, leaving
cupsd_subscription_t.dest as a dangling pointer to freed
heap memory. The dangling pointer is subsequently
dereferenced at multiple code sites, causing a crash
(denial of service) of the cupsd daemon. With heap
grooming, this issue can be leveraged for code execution.

Apply upstream fix to expire subscriptions before
deleting printers, preventing dangling pointers and
use-after-free conditions.

Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-extended/cups/cups.inc           |  1 +
 .../cups/cups/CVE-2026-39316.patch            | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch
diff mbox series

Patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index a12965bb6e5..194b9c2638f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,6 +20,7 @@  SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
            file://CVE-2026-34980.patch \
            file://CVE-2026-34990.patch \
            file://CVE-2026-39314.patch \
+           file://CVE-2026-39316.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
new file mode 100644
index 00000000000..c8d7e10ac2e
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
@@ -0,0 +1,42 @@ 
+From 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 11:33:23 -0400
+Subject: [PATCH] Expire per-printer subscriptions before deleting.
+
+OpenPrinting CUPS is an open source printing system for Linux and other
+Unix-like operating systems. In versions 2.4.16 and prior, a
+use-after-free vulnerability exists in the CUPS scheduler (cupsd) when
+temporary printers are automatically deleted.
+cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls
+cupsdDeletePrinter() without first expiring subscriptions that reference
+the printer, leaving cupsd_subscription_t.dest as a dangling pointer to
+freed heap memory. The dangling pointer is subsequently dereferenced at
+multiple code sites, causing a crash (denial of service) of the cupsd
+daemon. With heap grooming, this can be leveraged for code execution.
+
+CVE: CVE-2026-39316
+
+Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f ]
+
+Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
+---
+ scheduler/printers.c | 6 ++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 4aba6241c..50778b89a 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -644,6 +644,12 @@ cupsdDeletePrinter(
+                      update ? "Job stopped due to printer being deleted." :
+ 		              "Job stopped.");
+ 
++ /*
++  * Expire subscriptions on the printer...
++  */
++
++  cupsdExpireSubscriptions(p, /*job*/NULL);
++
+  /*
+   * Remove the printer from the list...
+   */