From patchwork Mon Jun 1 19:57:56 2026
X-Patchwork-Submitter: Abhishek Bachiphale
X-Patchwork-Id: 89105
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 1/6][wrynose] cups: fix CVE-2026-34978
Date: Tue, 2 Jun 2026 01:27:56 +0530
Message-Id: <20260601195801.4008899-2-Abhishek.Bachiphale@windriver.com>
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237989

In CUPS versions 2.4.16 and prior, the RSS notifier allows path traversal in
notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client
write RSS XML bytes outside CacheDir/rss. Because CacheDir is group-writable by
default, the notifier (running as lp) can overwrite root-managed state files via
temp-file + rename(), leading to job cache corruption and loss of queued jobs
after restart.

Apply upstream fix to prevent path traversal in RSS notifier.

Reference: [ https://nvd.nist.gov/vuln/detail/CVE-2026-34978 ]

Signed-off-by: Abhishek Bachiphale
---
 meta/recipes-extended/cups/cups.inc       |   1 +
 .../cups/cups/CVE-2026-34978.patch        | 120 ++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34978.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 2724ce72fb..e739cfa579 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ + file://CVE-2026-34978.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch new file mode 100644 index 0000000000..043cab86ea --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch 
@@ -0,0 +1,120 @@ +From 730347c5bbd5e1271149c6739aa858c0c83a7568 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:18:26 -0400 +Subject: [PATCH] Fix RSS notifier. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, the RSS +notifier allows .. path traversal in notify-recipient-uri (e.g., +rss:///../job.cache), letting a remote IPP client write RSS XML bytes +outside CacheDir/rss (anywhere that is lp-writable). In particular, +because CacheDir is group-writable by default (typically root:lp and +mode 0770), the notifier (running as lp) can replace root-managed state +files via temp-file + rename(). This PoC clobbers CacheDir/job.cache +with RSS XML, and after restarting cupsd the scheduler fails to parse +the job cache and previously queued jobs disappear. + +CVE: CVE-2026-34978 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568 ] + +Signed-off-by: Abhishek Bachiphale + +--- + notifier/rss.c | 20 ++++++++++++++------ + scheduler/ipp.c | 14 +++++++++++++- + 3 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/notifier/rss.c b/notifier/rss.c +index f17e1494c6..250ad877e7 100644 +--- a/notifier/rss.c ++++ b/notifier/rss.c +@@ -1,11 +1,12 @@ + /* + * RSS notifier for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. +- * Copyright 2007-2015 by Apple Inc. +- * Copyright 2007 by Easy Software Products. ++ * Copyright © 2020-2026 by OpenPrinting. ++ * Copyright © 2007-2015 by Apple Inc. ++ * Copyright © 2007 by Easy Software Products. + * +- * Licensed under Apache License v2.0. See the file "LICENSE" for more information. ++ * Licensed under Apache License v2.0. See the file "LICENSE" for more ++ * information. 
+ */ + + /* +@@ -80,6 +81,7 @@ main(int argc, /* I - Number of command-line arguments */ + http_status_t status; /* HTTP GET/PUT status code */ + char filename[1024], /* Local filename */ + newname[1024]; /* filename.N */ ++ struct stat fileinfo; /* Local file information */ + cups_lang_t *language; /* Language information */ + ipp_attribute_t *printer_up_time, /* Timestamp on event */ + *notify_sequence_number,/* Sequence number */ +@@ -111,9 +113,9 @@ main(int argc, /* I - Number of command-line arguments */ + + if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[1], scheme, sizeof(scheme), + username, sizeof(username), host, sizeof(host), &port, +- resource, sizeof(resource)) < HTTP_URI_OK) ++ resource, sizeof(resource)) < HTTP_URI_OK || strstr(resource, "../") != NULL) + { +- fprintf(stderr, "ERROR: Bad RSS URI \"%s\"!\n", argv[1]); ++ fprintf(stderr, "ERROR: Bad RSS URI \"%s\".\n", argv[1]); + return (1); + } + +@@ -209,6 +211,12 @@ main(int argc, /* I - Number of command-line arguments */ + snprintf(filename, sizeof(filename), "%s/rss%s", cachedir, resource); + snprintf(newname, sizeof(newname), "%s.N", filename); + ++ if (!lstat(filename, &fileinfo) && !S_ISREG(fileinfo.st_mode)) ++ { ++ fprintf(stderr, "ERROR: Local RSS path \"%s\" is not a file.\n", filename); ++ return (1); ++ } ++ + httpAssembleURIf(HTTP_URI_CODING_ALL, baseurl, sizeof(baseurl), "http", + NULL, server_name, atoi(server_port), "/rss%s", resource); + } +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index 174871741b..cb228b87c8 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1,7 +1,7 @@ + /* + * IPP routines for the CUPS scheduler. + * +- * Copyright © 2020-2025 by OpenPrinting ++ * Copyright © 2020-2026 by OpenPrinting + * Copyright © 2007-2021 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. 
+ * +@@ -1997,6 +1997,12 @@ add_job_subscriptions( + "notify-status-code", IPP_ATTRIBUTES); + return; + } ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES); ++ return; ++ } + } + else if (!strcmp(attr->name, "notify-pull-method") && + attr->value_tag == IPP_TAG_KEYWORD) +@@ -6067,6 +6073,12 @@ create_subscriptions( + "notify-status-code", IPP_ATTRIBUTES); + return; + } ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES); ++ return; ++ } + } + else if (!strcmp(attr->name, "notify-pull-method") && + attr->value_tag == IPP_TAG_KEYWORD)
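Review bot: the diffstat inside CVE-2026-34978.patch lists two files (notifier/rss.c with 20 changes, scheduler/ipp.c with 14) but its summary line reads `3 files changed, 29 insertions(+), 7 deletions(-)`, which cannot be produced by those two entries (they sum to 27 insertions and 7 deletions across 2 files). It looks like one file from the upstream commit was dropped from the backport without regenerating the stat; `git am` ignores the stat, but please regenerate it so the recorded patch describes what it actually contains.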
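Review bot: the rss.c hunk at `@@ -111,9 +113,9 @@` adds `strstr(resource, "../") != NULL` to the URI validation in main(), which is a substring test rather than a path check; it leaves cases such as a final `..` component with no trailing slash to the later lstat()/S_ISREG guard, and the two together do reject the traversal, but a component-wise check (split the resource on `/` and refuse any `..` component) would make the intent explicit in one place and not rely on the second guard for completeness. The same line also changes the error text from `"!\n"` to `".\n"`, which is harmless but unrelated to the fix.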
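Review bot: the rss.c hunk at `@@ -209,6 +211,12 @@` rejects an existing target that is not a regular file, and using lstat() rather than stat() means a symlink at `filename` is refused as well, which is the right choice given the group-writable CacheDir the commit message describes. The check is still separate from the temp-file + rename() sequence that follows it, so it narrows rather than closes the window between check and write; if the notifier's write path is ever reworked, opening the final target with O_NOFOLLOW and checking the opened descriptor with fstat() would tie the check to the file actually written.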
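Review bot: the identical six-line `rss` block is added verbatim to both add_job_subscriptions() (`@@ -1997,6 +1997,12 @@`) and create_subscriptions() (`@@ -6067,6 +6073,12 @@`); factoring it, together with the scheme check just above it, into one helper would keep the two subscription paths from drifting apart the next time a scheme needs validating. Inside the block, `send_ipp_status()` reports IPP_STATUS_ERROR_NOT_POSSIBLE while `notify-status-code` is set to IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, whereas the existing branch immediately above sets the same attribute using the older spelling `IPP_ATTRIBUTES`; pick one spelling for consistency. The scheduler-side test also stops only the literal `../`, matching the notifier; keeping the two in lockstep is good, so if the notifier check is tightened this one should be tightened with it.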
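The commit message above describes the traversal (a notify-recipient-uri resource such as rss:///../job.cache escaping CacheDir/rss) that the patch blocks with a `strstr()` test plus an lstat() guard. The following C function is an added example, not CUPS code and not part of this patch: it shows the component-wise containment check a reviewer might ask for instead of a substring match. It normalises the resource path and rejects anything that climbs above, or lands on, the base directory, so it also covers forms such as a trailing `..` or `./..` that a search for the literal `../` does not see (in the patch, the lstat()/S_ISREG guard is what catches those). The function name, the base directory and the sample inputs are the example's own, and it assumes the resource has already been percent-decoded by the URI parser.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not CUPS code: confine a URI resource to a base directory by
 * normalising it component-wise instead of searching for the substring "../".
 * Assumes the resource was already percent-decoded by the caller's URI parser.
 *
 * Returns 1 and writes "<base>/<comp>/..." into out when the resource names a
 * file strictly inside base; returns 0 when it would climb above base, names
 * base itself, or does not fit in out.
 */
typedef struct { const char *s; size_t len; } comp_t;

int join_inside(const char *base, const char *resource, char *out, size_t outsize)
{
  comp_t     comps[256];              /* surviving components (views into resource) */
  size_t     ncomps = 0, i, used, len;
  const char *p = resource, *start;

  while (*p)
  {
    while (*p == '/')
      p++;                            /* skip separators; empty components vanish */
    if (!*p)
      break;
    start = p;
    while (*p && *p != '/')
      p++;
    len = (size_t)(p - start);

    if (len == 1 && start[0] == '.')
      continue;                       /* "." is a no-op */

    if (len == 2 && start[0] == '.' && start[1] == '.')
    {
      if (ncomps == 0)
        return (0);                   /* would leave base: reject outright */
      ncomps--;                       /* ".." cancels the previous component */
      continue;
    }

    if (ncomps >= sizeof(comps) / sizeof(comps[0]))
      return (0);
    comps[ncomps].s   = start;
    comps[ncomps].len = len;
    ncomps++;
  }

  if (ncomps == 0)
    return (0);                       /* resolves to base itself, not a file in it */

  /* Rebuild the path from the surviving components, bounds-checked. */
  used = strlen(base);
  if (used >= outsize)
    return (0);
  memcpy(out, base, used);

  for (i = 0; i < ncomps; i++)
  {
    if (used + 1 + comps[i].len >= outsize)
      return (0);
    out[used++] = '/';
    memcpy(out + used, comps[i].s, comps[i].len);
    used += comps[i].len;
  }
  out[used] = '\0';
  return (1);
}

int main(void)
{
  /* Constructed sample resources, not taken from any log. */
  static const char *samples[] =
  { "/feed.rss", "/../job.cache", "/sub/../feed.rss", "/sub/..", "/./..", "//feed.rss" };
  char   path[1024];
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
  {
    if (join_inside("/var/cache/cups/rss", samples[i], path, sizeof(path)))
      printf("%-20s -> %s\n", samples[i], path);
    else
      printf("%-20s -> rejected\n", samples[i]);
  }
  return (0);
}
```

The function works on the decoded resource string only; it deliberately does not consult the filesystem, so a separate regular-file check at the moment of writing (as the patch's lstat() guard does) still belongs in the caller.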
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 2/6][wrynose] cups: fix CVE-2026-34979
Date: Tue, 2 Jun 2026 01:27:57 +0530
Message-Id: <20260601195801.4008899-3-Abhishek.Bachiphale@windriver.com>
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237990

In CUPS versions 2.4.16 and prior, a heap-based buffer overflow exists in the
scheduler when building filter option strings from job attributes. A malicious
IPP client can trigger this overflow, potentially leading to memory corruption
and denial of service.

Apply upstream fix to ensure safe handling of filter option strings and prevent
buffer overflow.

Signed-off-by: Abhishek Bachiphale
---
 meta/recipes-extended/cups/cups.inc       |  1 +
 .../cups/cups/CVE-2026-34979.patch        | 57 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34979.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index e739cfa579..78e0495d1c 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://volatiles.99_cups \ file://cups-volatiles.conf \ file://CVE-2026-34978.patch \ + file://CVE-2026-34979.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34979.patch b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch new file mode 100644 index 0000000000..eefb2ed43b --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch 
@@ -0,0 +1,57 @@ +From 0ff8897367c7341f2500770c3977038cdd7c0214 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:50:06 -0400 +Subject: [PATCH] Expand allocation of options string. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, there is a +heap-based buffer overflow in the CUPS scheduler when building filter +option strings from job attribute + +CVE: CVE-2026-34979 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214 ] + +Signed-off-by: Abhishek Bachiphale +--- + scheduler/job.c | 16 ++++------------ + 1 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index af6390687..0494d7196 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -4192,18 +4192,6 @@ ipp_length(ipp_t *ipp) /* I - IPP request */ + + for (attr = ipp->attrs; attr != NULL; attr = attr->next) + { +- /* +- * Skip attributes that won't be sent to filters... +- */ +- +- if (attr->value_tag == IPP_TAG_NOVALUE || +- attr->value_tag == IPP_TAG_MIMETYPE || +- attr->value_tag == IPP_TAG_NAMELANG || +- attr->value_tag == IPP_TAG_TEXTLANG || +- attr->value_tag == IPP_TAG_URI || +- attr->value_tag == IPP_TAG_URISCHEME) +- continue; +- + /* + * Add space for a leading space and commas between each value. + * For the first attribute, the leading space isn't used, so the +@@ -4279,10 +4267,14 @@ ipp_length(ipp_t *ipp) /* I - IPP request */ + + case IPP_TAG_TEXT : + case IPP_TAG_NAME : ++ case IPP_TAG_TEXTLANG : ++ case IPP_TAG_NAMELANG : ++ case IPP_TAG_MIMETYPE : + case IPP_TAG_KEYWORD : + case IPP_TAG_CHARSET : + case IPP_TAG_LANGUAGE : + case IPP_TAG_URI : ++ case IPP_TAG_URISCHEME : + /* + * Strings can contain characters that need quoting. 
We need + * at least 2 * len + 2 characters to cover the quotes and
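Review bot: the cups.inc hunk is fine, but the OE commit message for this patch omits the `Reference:` NVD line that 1/6 carries; add the NVD link for CVE-2026-34979 so both patches in the series give reviewers and the CVE-check tooling the same trail.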
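Review bot: in the first job.c hunk (`@@ -4192,18 +4192,6 @@`) the early `continue` that skipped NOVALUE, MIMETYPE, NAMELANG, TEXTLANG, URI and URISCHEME attributes is removed from ipp_length(), and the second hunk (`@@ -4279,10 +4267,14 @@`) adds `case` labels for the five string tags so they are sized with the `2 * len + 2` quoting bound; IPP_TAG_NOVALUE, however, gets no new `case` in the visible lines, so please confirm the remaining arms of that switch (or its default) size it consistently with whatever the emitting code writes for it, since a length pass that disagrees with the emit pass is exactly the mismatch this CVE is about. Two smaller points: the embedded diffstat reads `1 files changed`, and this archive copy of the patch stops mid-comment at `to cover the quotes and`, so verify that the 57-line file applied matches upstream commit 0ff8897367c7341f2500770c3977038cdd7c0214 in full.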
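The commit message above attributes the overflow to the scheduler sizing a filter options string from a different view of the job attributes than the one it later writes, and the hunk fixes that by counting the previously skipped tags with the `2 * len + 2` quoting bound. The following C code is an added example, not CUPS code and not part of this patch: it shows the defensive structure a reviewer would want, a size pass and an emit pass that share one inclusion predicate so the computed bound can never be smaller than what gets written, with a fail-closed check in the emit pass in case the two ever diverge. The types, function names, quoting rule and sample attributes are the example's own and are simpler than the real scheduler's.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not CUPS code: build a filter options string in two passes
 * (size, then emit) that share ONE predicate deciding which attributes are
 * included, so the size pass cannot undercount what the emit pass writes.
 * Types, names and the sample attributes below are the example's own. */

typedef enum { TAG_INTEGER, TAG_NAME, TAG_URI, TAG_NOVALUE } tag_t;

typedef struct {
  const char *name;
  tag_t       tag;
  const char *value;                  /* textual value; NULL for TAG_NOVALUE */
} attr_t;

/* The single inclusion rule used by both passes. */
static int attr_is_emitted(const attr_t *a) {
  return a->tag != TAG_NOVALUE && strcmp(a->name, "job-printer-uri") != 0;
}

/* Bytes one attribute may need: separator, name, '=', and a quoted value in
 * which every byte might be escaped, plus two quotes (the patch's 2*len+2). */
static size_t attr_bound(const attr_t *a) {
  return 1 + strlen(a->name) + 1 + (2 * strlen(a->value) + 2);
}

/* Pass 1: upper bound on the whole string, including the terminating NUL. */
size_t options_length(const attr_t *attrs, size_t n) {
  size_t bytes = 1;
  for (size_t i = 0; i < n; i++)
    if (attr_is_emitted(&attrs[i]))
      bytes += attr_bound(&attrs[i]);
  return bytes;
}

/* Write value as "..." escaping quotes and backslashes; returns bytes written. */
static size_t emit_quoted(char *dst, const char *s) {
  size_t n = 0;
  dst[n++] = '"';
  for (; *s; s++) {
    if (*s == '"' || *s == '\\')
      dst[n++] = '\\';
    dst[n++] = *s;
  }
  dst[n++] = '"';
  return n;
}

/* Pass 2: allocate exactly options_length() bytes and fill them.
 * Returns a malloc'd string (caller frees) or NULL. */
char *options_build(const attr_t *attrs, size_t n) {
  size_t cap = options_length(attrs, n), used = 0;
  char  *buf = malloc(cap);
  if (!buf)
    return NULL;
  for (size_t i = 0; i < n; i++) {
    if (!attr_is_emitted(&attrs[i]))
      continue;
    /* Cannot fire while both passes use attr_is_emitted(); kept so a future
     * divergence between the passes fails closed instead of overflowing. */
    if (used + attr_bound(&attrs[i]) >= cap) {
      free(buf);
      return NULL;
    }
    if (used)
      buf[used++] = ' ';
    size_t nlen = strlen(attrs[i].name);
    memcpy(buf + used, attrs[i].name, nlen);
    used += nlen;
    buf[used++] = '=';
    used += emit_quoted(buf + used, attrs[i].value);
  }
  buf[used] = '\0';
  return buf;
}

/* Constructed sample job attributes (not captured from a real job). */
const attr_t sample_attrs[] = {
  { "copies",          TAG_INTEGER, "2" },
  { "job-name",        TAG_NAME,    "quarterly \"draft\"" },
  { "job-printer-uri", TAG_URI,     "ipp://localhost/printers/x" },
  { "document-uri",    TAG_URI,     "file:///tmp/a" },
  { "job-hold-until",  TAG_NOVALUE, NULL }
};
const size_t sample_count = sizeof(sample_attrs) / sizeof(sample_attrs[0]);

/* Builds the sample string and returns its length (0 on failure), so the
 * bound/actual relationship can be checked without keeping the buffer. */
size_t sample_built_length(void) {
  char  *s = options_build(sample_attrs, sample_count);
  size_t len = s ? strlen(s) : 0;
  free(s);
  return len;
}
```

The point of the structure is that any tag the emit pass writes is, by construction, a tag the size pass counted; the bug the patch fixes arose because the two passes in the scheduler kept separate skip lists that fell out of step.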
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 3/6][wrynose] cups: fix CVE-2026-34980
Date: Tue, 2 Jun 2026 01:27:58 +0530
Message-Id: <20260601195801.4008899-4-Abhishek.Bachiphale@windriver.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237991

In CUPS versions 2.4.16 and prior, a network-exposed cupsd with a shared target queue allows an unauthorized client to send a Print-Job without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD text as a trusted scheduler control record.
A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary (e.g., /usr/bin/vim) as lp. Apply upstream fix to prevent newline injection and unauthorized execution in shared PostScript queues. Signed-off-by: Abhishek Bachiphale --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-34980.patch | 88 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 78e0495d1c..f23411f44b 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://cups-volatiles.conf \ file://CVE-2026-34978.patch \ file://CVE-2026-34979.patch \ + file://CVE-2026-34980.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch new file mode 100644 index 0000000000..ebf7a3a353 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch 
@@ -0,0 +1,88 @@ +From 8d0f51cac24cb5bf949c5b6a221e51a150d982e3 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:45:13 -0400 +Subject: [PATCH] Filter out control characters from option values. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, in a +network-exposed cupsd with a shared target queue, an unauthorized client +can send a Print-Job to that shared PostScript queue without +authentication. The server accepts a page-border value supplied as +textWithoutLanguage, preserves an embedded newline through option +escaping and reparse, and then reparses the resulting second-line PPD: +text as a trusted scheduler control record. A follow-up raw print job +can therefore make the server execute an attacker-chosen existing binary +such as /usr/bin/vim as lp. + +CVE: CVE-2026-34980 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3 ] + +Signed-off-by: Abhishek Bachiphale +--- + scheduler/job.c | 41 +++++++++++++++++++++++++++++++++++------ + 1 file changed, 37 insertions(+), 6 deletions(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index 1fef9d0cd..af6390687 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -4118,9 +4118,21 @@ get_options(cupsd_job_t *job, /* I - Job */ + case IPP_TAG_URI : + for (valptr = attr->values[i].string.text; *valptr;) + { +- if (strchr(" \t\n\\\'\"", *valptr)) +- *optptr++ = '\\'; +- *optptr++ = *valptr++; ++ /* ++ * Convert tabs and newlines to spaces, filter out control chars, ++ * and escape \, ', and ". 
++ */ ++ ++ if (isspace(*valptr & 255)) ++ { ++ *optptr++ = ' '; ++ } ++ else if ((*valptr & 255) >= ' ' && *valptr != 0x7f) ++ { ++ if (strchr("\\\'\"", *valptr)) ++ *optptr++ = '\\'; ++ *optptr++ = *valptr++; ++ } + } + + *optptr = '\0'; +@@ -5395,13 +5407,30 @@ update_job(cupsd_job_t *job) /* I - Job to check */ + else if (loglevel == CUPSD_LOG_PPD) + { + /* +- * Set attribute(s)... ++ * Set PPD keyword(s)/value(s)... + */ + ++ int i, /* Looping var */ ++ num_keywords; /* Number of keywords */ ++ cups_option_t *keywords, /* Keywords */ ++ *keyword; /* Current keyword */ ++ + cupsdLogJob(job, CUPSD_LOG_DEBUG, "PPD: %s", message); + +- job->num_keywords = cupsParseOptions(message, job->num_keywords, +- &job->keywords); ++ keywords = NULL; ++ num_keywords = cupsParseOptions(message, 0, &keywords); ++ ++ for (i = 0, keyword = keywords; i < num_keywords; i ++) ++ { ++ /* ++ * Filter out "special" PPD keywords... ++ */ ++ ++ if (strcmp(keyword->name, "cupsFilter") && strcmp(keyword->name, "cupsFilter2") && strcmp(keyword->name, "cupsFinishingTemplate") && strcmp(keyword->name, "cupsIPPFinishings") && strcmp(keyword->name, "cupsIPPReason") && strcmp(keyword->name, "cupsMarkerName") && strcmp(keyword->name, "cupsMaxSize") && strncmp(keyword->name, "cupsMediaQualifier", 18) && strcmp(keyword->name, "cupsMinSize") && strcmp(keyword->name, "cupsPageSizeCategory") && strcmp(keyword->name, "cupsPortMonitor") && strcmp(keyword->name, "cupsPreFilter") && strcmp(keyword->name, "cupsPrintQuality") && strcmp(keyword->name, "APPrinterPreset")) ++ job->num_keywords = cupsAddOption(keyword->name, keyword->value, job->num_keywords, &job->keywords); ++ } ++ ++ cupsFreeOptions(num_keywords, keywords); + } + else + {
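Review bot: in the get_options() hunk the new whitespace branch writes a ' ' but never advances valptr, and bytes below ' ' or equal to 0x7f match neither branch, so the enclosing for (valptr = attr->values[i].string.text; *valptr;) loop, which has no increment of its own, never moves past a space, tab, newline or control byte: for a control byte it spins forever, and for whitespace it keeps appending ' ' and runs optptr off the end of the options buffer. Add valptr ++; to the whitespace branch and an else valptr ++; for the dropped control characters. Separately, the removed strchr(" \t\n\\\'\"", *valptr) check emitted an escaped space, while the new branch emits a bare space, so a text value containing a space is no longer protected from being split into two options by cupsParseOptions() downstream; confirm that this is intended for job-name style values or escape the substituted space as before.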
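Review bot: in the update_job() hunk the loop for (i = 0, keyword = keywords; i < num_keywords; i ++) never advances keyword, so only the first parsed keyword is examined (and re-added num_keywords times) and every other keyword on the PPD: line is silently dropped; the increment should read i ++, keyword ++. The single-line chain of fourteen strcmp()/strncmp() comparisons would also read better as a static const char *const table walked in a loop, and because it is a blocklist any cups* control keyword introduced later is admitted by default; rejecting every name that starts with "cups" (plus APPrinterPreset), or allowlisting the keywords the scheduler actually consumes from job->keywords, would fail safe instead.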
From patchwork Mon Jun 1 19:57:59 2026
X-Patchwork-Submitter: Abhishek Bachiphale
X-Patchwork-Id: 89108
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 4/6][wrynose] cups: fix CVE-2026-34990
Date: Tue, 2 Jun 2026 01:27:59 +0530
Message-Id: <20260601195801.4008899-5-Abhishek.Bachiphale@windriver.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237992

In CUPS versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local token. That token is sufficient to drive /admin/ requests on localhost. By combining CUPS-Create-Local-Printer with printer-is-shared=true, an attacker can persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue allows arbitrary root file overwrite. A proof-of-concept demonstrates dropping a sudoers fragment to achieve root command execution. Apply upstream fix to prevent misuse of Local authorization tokens and block unauthorized file:/// queues.
Signed-off-by: Abhishek Bachiphale --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-34990.patch | 348 ++++++++++++++++++ 2 files changed, 349 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34990.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index f23411f44b..42107774e4 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -18,6 +18,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34978.patch \ file://CVE-2026-34979.patch \ file://CVE-2026-34980.patch \ + file://CVE-2026-34990.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch new file mode 100644 index 0000000000..3f7781c19e --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch 
@@ -0,0 +1,348 @@ +From e052dc44da9d12adfbebc51de4975fbadb2ce356 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 15:55:50 -0400 +Subject: [PATCH] Don't allow local certificates over the loopback interface, + drop support for writing to plain files. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, a local +unprivileged user can coerce cupsd into authenticating to an +attacker-controlled localhost IPP service with a reusable Authorization: +Local ... token. That token is enough to drive /admin/ requests on +localhost, and the attacker can combine CUPS-Create-Local-Printer with +printer-is-shared=true to persist a file: ///... queue even though the +normal FileDevice policy rejects such URIs. Printing to that queue gives +an arbitrary root file overwrite; the PoC below uses that primitive to +drop a sudoers fragment and demonstrate root command execution. + +CVE: CVE-2026-34990 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356 ] + +Signed-off-by: Abhishek Bachiphale +--- + cups/auth.c | 30 ++++++---------------- + scheduler/auth.c | 6 ++--- + scheduler/client.c | 4 +-- + scheduler/ipp.c | 6 ++--- + scheduler/job.c | 46 ++++++++++++++++++---------------- + test/4.2-cups-printer-ops.test | 6 ++--- + test/5.1-lpadmin.sh | 14 +++++------ + 7 files changed, 52 insertions(+), 62 deletions(-) + +diff --git a/cups/auth.c b/cups/auth.c +index 5cb419458f..14661c7bef 100644 +--- a/cups/auth.c ++++ b/cups/auth.c +@@ -1,7 +1,7 @@ + /* + * Authentication functions for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. ++ * Copyright © 2020-2026 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products. 
+ * +@@ -92,7 +92,6 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status, + # define cups_gss_printf(major, minor, message) + # endif /* DEBUG */ + #endif /* HAVE_GSSAPI */ +-static int cups_is_local_connection(http_t *http); + static int cups_local_auth(http_t *http); + + +@@ -948,14 +947,6 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */ + # endif /* DEBUG */ + #endif /* HAVE_GSSAPI */ + +-static int /* O - 0 if not a local connection */ +- /* 1 if local connection */ +-cups_is_local_connection(http_t *http) /* I - HTTP connection to server */ +-{ +- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) +- return 0; +- return 1; +-} + + /* + * 'cups_local_auth()' - Get the local authorization certificate if +@@ -967,13 +958,7 @@ static int /* O - 0 if available */ + /* -1 error */ + cups_local_auth(http_t *http) /* I - HTTP connection to server */ + { +-#if defined(_WIN32) || defined(__EMX__) +- /* +- * Currently _WIN32 and OS-2 do not support the CUPS server... +- */ +- +- return (1); +-#else ++#if !_WIN32 && !__EMX__ && defined(AF_LOCAL) + int pid; /* Current process ID */ + FILE *fp; /* Certificate file */ + char trc[16], /* Try Root Certificate parameter */ +@@ -998,7 +983,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + * See if we are accessing localhost... + */ + +- if (!cups_is_local_connection(http)) ++ if (httpAddrFamily(httpGetAddress(http)) != AF_LOCAL) + { + DEBUG_puts("8cups_local_auth: Not a local connection!"); + return (1); +@@ -1072,15 +1057,14 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + } + # endif /* HAVE_AUTHORIZATION_H */ + +-# if defined(SO_PEERCRED) && defined(AF_LOCAL) ++# ifdef SO_PEERCRED + /* + * See if we can authenticate using the peer credentials provided over a + * domain socket; if so, specify "PeerCred username" as the authentication + * information... 
+ */ + +- if (http->hostaddr->addr.sa_family == AF_LOCAL && +- !getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */ ++ if (!getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */ + cups_auth_find(www_auth, "PeerCred")) + { + /* +@@ -1104,7 +1088,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + return (0); + } + } +-# endif /* SO_PEERCRED && AF_LOCAL */ ++# endif /* SO_PEERCRED */ + + if ((schemedata = cups_auth_find(www_auth, "Local")) == NULL) + return (1); +@@ -1164,7 +1148,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + return (0); + } + } ++#endif /* !_WIN32 && !__EMX__ && AF_LOCAL */ + + return (1); +-#endif /* _WIN32 || __EMX__ */ + } +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 471de0492f..3e7041e220 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -318,7 +318,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #ifdef HAVE_AUTHORIZATION_H + else if (!strncmp(authorization, "AuthRef ", 8) && +- httpAddrLocalhost(httpGetAddress(con->http))) ++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + OSStatus status; /* Status */ + char authdata[HTTP_MAX_VALUE]; +@@ -399,7 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + #endif /* HAVE_AUTHORIZATION_H */ + #if defined(SO_PEERCRED) && defined(AF_LOCAL) + else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && +- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) ++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL && con->best) + { + /* + * Use peer credentials from domain socket connection... +@@ -489,7 +489,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* SO_PEERCRED && AF_LOCAL */ + else if (!strncmp(authorization, "Local", 5) && +- httpAddrLocalhost(httpGetAddress(con->http))) ++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + /* + * Get Local certificate authentication data... 
+diff --git a/scheduler/client.c b/scheduler/client.c +index 51be34f448..ab35bb7566 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2188,7 +2188,7 @@ cupsdSendHeader( + strlcpy(auth_str, "Negotiate", sizeof(auth_str)); + } + +- if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) ++ if (con->best && !con->is_browser && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + /* + * Add a "trc" (try root certification) parameter for local +@@ -2208,7 +2208,7 @@ cupsdSendHeader( + auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str); + + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) ++ if (PeerCred != CUPSD_PEERCRED_OFF) + { + strlcpy(auth_key, ", PeerCred", auth_size); + auth_key += 10; +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index cb228b87c8..9a280e7525 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -5625,7 +5625,7 @@ create_local_printer( + * Require local access to create a local printer... 
+ */ + +- if (!httpAddrLocalhost(httpGetAddress(con->http))) ++ if (httpAddrFamily(httpGetAddress(con->http)) != AF_LOCAL) + { + send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer.")); + return; +@@ -5685,9 +5685,9 @@ create_local_printer( + + ptr = ippGetString(device_uri, 0, NULL); + +- if (!ptr || !ptr[0]) ++ if (!ptr || !ptr[0] || (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))) + { +- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri"); ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr); + + return; + } +diff --git a/scheduler/job.c b/scheduler/job.c +index 0494d7196d..6599bfcf48 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -1163,35 +1163,39 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */ + } + else + { ++ char scheme[32], /* URI scheme */ ++ userpass[32], /* URI username:password */ ++ host[256], /* URI hostname */ ++ resource[1024]; /* URI resource path (filename) */ ++ int port; /* URI port number */ ++ ++ httpSeparateURI(HTTP_URI_CODING_ALL, job->printer->device_uri, scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource)); ++ + job->print_pipes[0] = -1; +- if (!strcmp(job->printer->device_uri, "file:/dev/null") || +- !strcmp(job->printer->device_uri, "file:///dev/null")) +- job->print_pipes[1] = -1; +- else ++ job->print_pipes[1] = -1; ++ ++ if (strcmp(resource, "/dev/null")) + { +- if (!strncmp(job->printer->device_uri, "file:/dev/", 10)) +- job->print_pipes[1] = open(job->printer->device_uri + 5, +- O_WRONLY | O_EXCL); +- else if (!strncmp(job->printer->device_uri, "file:///dev/", 12)) +- job->print_pipes[1] = open(job->printer->device_uri + 7, +- O_WRONLY | O_EXCL); +- else if (!strncmp(job->printer->device_uri, "file:///", 8)) +- job->print_pipes[1] = open(job->printer->device_uri + 7, +- O_WRONLY | O_CREAT | O_TRUNC, 0600); +- else +- 
job->print_pipes[1] = open(job->printer->device_uri + 5, +- O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ if (!FileDevice) ++ { ++ abort_message = "Stopping job because file: output is disabled."; + +- if (job->print_pipes[1] < 0) ++ goto abort_job; ++ } ++ else if ((job->print_pipes[1] = open(resource, O_WRONLY | O_EXCL)) < 0) + { +- abort_message = "Stopping job because the scheduler could not " +- "open the output file."; ++ abort_message = "Stopping job because the scheduler could not open the output file."; + + goto abort_job; + } ++ else ++ { ++ /* ++ * Close this file on execute... ++ */ + +- fcntl(job->print_pipes[1], F_SETFD, +- fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC); ++ fcntl(job->print_pipes[1], F_SETFD, fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC); ++ } + } + } + } +diff --git a/test/4.2-cups-printer-ops.test b/test/4.2-cups-printer-ops.test +index 1a011e011a..945a9bbd71 100644 +--- a/test/4.2-cups-printer-ops.test ++++ b/test/4.2-cups-printer-ops.test +@@ -1,7 +1,7 @@ + # + # Verify that the CUPS printer operations work. + # +-# Copyright © 2020-2024 by OpenPrinting. ++# Copyright © 2020-2026 by OpenPrinting. + # Copyright © 2007-2019 by Apple Inc. + # Copyright © 2001-2006 by Easy Software Products. All rights reserved. 
+ # +@@ -180,7 +180,7 @@ + ATTR uri printer-uri $method://$hostname:$port/printers/Test2 + + GROUP printer +- ATTR uri device-uri file:/tmp/Test2 ++ ATTR uri device-uri file:///dev/null + ATTR enum printer-state 3 + ATTR boolean printer-is-accepting-jobs true + +@@ -206,7 +206,7 @@ + ATTR uri printer-uri $method://$hostname:$port/printers/Test1 + + GROUP printer +- ATTR uri device-uri file:/tmp/Test1 ++ ATTR uri device-uri file:///dev/null + ATTR enum printer-state 3 + ATTR boolean printer-is-accepting-jobs true + ATTR text printer-info "Test Printer 1" +diff --git a/test/5.1-lpadmin.sh b/test/5.1-lpadmin.sh +index aa398000a1..36f2822275 100644 +--- a/test/5.1-lpadmin.sh ++++ b/test/5.1-lpadmin.sh +@@ -2,7 +2,7 @@ + # + # Test the lpadmin command. + # +-# Copyright © 2020-2024 by OpenPrinting. ++# Copyright © 2020-2026 by OpenPrinting. + # Copyright © 2007-2018 by Apple Inc. + # Copyright © 1997-2005 by Easy Software Products, all rights reserved. + # +@@ -12,8 +12,8 @@ + + echo "Add Printer Test" + echo "" +-echo " lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd" +-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1 ++echo " lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd" ++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1 + if test $? != 0; then + echo " FAILED" + exit 1 +@@ -29,8 +29,8 @@ echo "" + + echo "Modify Printer Test" + echo "" +-echo " lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4" +-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4 2>&1 ++echo " lpadmin -p Test3 -v file:///dev/null -o PageSize=A4" ++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -o PageSize=A4 2>&1 + if test $? 
!= 0; then + echo " FAILED" + exit 1 +@@ -65,8 +65,8 @@ echo "" + + echo "Add a printer for cupSNMP/IPPSupplies test" + echo "" +-echo " lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd" +-$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd 2>&1 ++echo " lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd" ++$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd 2>&1 + if test $? != 0; then + echo " FAILED" + exit 1
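Review bot: the first scheduler/client.c hunk (cupsdSendHeader, the "trc" gate) changes who qualifies, not just how the test is written: the old `_cups_strcasecmp(httpGetHostname(...), "localhost")` also matched clients that reached cupsd over TCP to 127.0.0.1 or ::1, while `httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL` only matches the Unix domain socket, so loopback TCP clients stop receiving the "trc" parameter. Keying on the socket family is the stronger check, but the commit message should state the narrowing explicitly. Also note that `AF_LOCAL` is now used unconditionally here while the second hunk keeps it under `#if defined(SO_PEERCRED) && defined(AF_LOCAL)`; either the guard is unnecessary or this line needs the same protection.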
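Review bot: in the first scheduler/ipp.c hunk (create_local_printer) replacing `!httpAddrLocalhost(...)` with `httpAddrFamily(...) != AF_LOCAL` means Create-Local-Printer over localhost:631 now fails with client-error-forbidden, yet the message still says "Only local users can create a local printer.", which a user on the same host connecting via TCP will find misleading. Suggest wording such as "Only clients connected over the local domain socket can create a local printer." and a line in the commit message about the tightened requirement.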
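Review bot: the second scheduler/ipp.c hunk formats a NULL pointer on one of its own paths: the condition is `!ptr || !ptr[0] || (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))`, and the new `send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr)` passes `ptr` to `%s` even when it is NULL, which is undefined behaviour (glibc prints "(null)", other libcs may crash). Keep the previous "has empty value" message for the `!ptr || !ptr[0]` case, or pass `ptr ? ptr : ""`. Minor: the `strncmp` scheme test is case-sensitive, so "IPP://" is rejected; acceptable for an allow-list, but worth a comment.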
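Review bot: in the scheduler/job.c hunk (cupsdContinueJob) the return value of `httpSeparateURI()` is discarded, so a malformed device-uri falls straight through to `strcmp(resource, "/dev/null")` and `open(resource, O_WRONLY | O_EXCL)` with whatever the failed parse left in `resource`; check for a status below HTTP_URI_STATUS_OK and take the abort_job path. Two further points in the same hunk: `host` is parsed but never examined, so a URI like file://somehost/etc/whatever silently opens the local path, and every non-/dev/null target is now opened with `O_WRONLY | O_EXCL` and no `O_CREAT`, where the old code used `O_CREAT | O_TRUNC, 0600` for plain files. O_EXCL without O_CREAT is undefined in POSIX and on Linux only matters for block devices, so this is really "the file must already exist"; say so in the comment and in the commit message, since it is a behaviour change for existing file: queues.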
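Review bot: the test/4.2-cups-printer-ops.test and test/5.1-lpadmin.sh hunks replace file:/tmp/Test2, file:/tmp/Test1 and file:/tmp/Test3 with file:///dev/null, which is necessary because the job.c change no longer creates output files, but it leaves no test that exercises the FileDevice-enabled path for a regular file. Consider adding one case that pre-creates a file under /tmp and prints to it, so the new O_EXCL-only open is actually covered.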
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 5/6][wrynose] cups: fix CVE-2026-39314
Date: Tue, 2 Jun 2026 01:28:00 +0530
Message-Id: <20260601195801.4008899-6-Abhishek.Bachiphale@windriver.com>
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237993

In CUPS versions 2.4.16 and prior, an integer underflow exists in
_ppdCreateFromIPP() (cups/ppd-cache.c). A local unprivileged user can supply a
negative job-password-supported IPP attribute. The bounds check only caps the
upper bound, so a negative value passes validation, is cast to size_t (wrapping
to ~2^64), and is used as the length argument to memset() on a 33-byte stack
buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined
with systemd's Restart=on-failure, an attacker can repeat the crash for
sustained denial of service.

Apply upstream fix to validate negative values and prevent integer underflow in
_ppdCreateFromIPP().

Signed-off-by: Abhishek Bachiphale
---
 meta/recipes-extended/cups/cups.inc            |  1 +
 .../cups/cups/CVE-2026-39314.patch             | 47 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 42107774e4..a12965bb6e 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34979.patch \ file://CVE-2026-34980.patch \ file://CVE-2026-34990.patch \ + file://CVE-2026-39314.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39314.patch b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch new file mode 100644 index 0000000000..8d25a1c2e3 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch
@@ -0,0 +1,47 @@ +From 928a86b1b794f738f0a3dc87561b2e054bff7ce4 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Sun, 5 Apr 2026 10:45:25 -0400 +Subject: [PATCH] Range check job-password-supported. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, an integer +underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows +any unprivileged local user to crash the cupsd root process by supplying +a negative job-password-supported IPP attribute. The bounds check only +caps the upper bound, so a negative value passes validation, is cast to +size_t (wrapping to ~2^64), and is used as the length argument to +memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in +the cupsd root process. Combined with systemd's Restart=on-failure, an +attacker can repeat the crash for sustained denial of service. + +CVE: CVE-2026-39314 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4 ] + +Signed-off-by: Abhishek Bachiphale +--- + cups/ppd-cache.c | 4 ++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index f5386532ca..ef6caa28a7 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -1,7 +1,7 @@ + /* + * PPD cache implementation for CUPS. + * +- * Copyright © 2022-2025 by OpenPrinting. ++ * Copyright © 2022-2026 by OpenPrinting. + * Copyright © 2010-2021 by Apple Inc. + * + * Licensed under Apache License v2.0. See the file "LICENSE" for more +@@ -3530,7 +3530,7 @@ _ppdCreateFromIPP2( + * Password/PIN printing... 
+ */ + +- if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL) ++ if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL && ippGetInteger(attr, 0) > 0) + { + char pattern[33]; /* Password pattern */ + int maxlen = ippGetInteger(attr, 0);
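Review bot: the `&& ippGetInteger(attr, 0) > 0` added to the cups/ppd-cache.c hunk closes the negative path the description explains, but the visible context still declares `char pattern[33]` and takes `int maxlen = ippGetInteger(attr, 0)` unchanged, and the upper clamp the description mentions is outside this hunk; please confirm that clamp to 32 still runs before the memset(). Reading the attribute once into `maxlen` and testing `maxlen <= 0 || maxlen > 32` in one place would make the full range check visible at a glance instead of calling ippGetInteger() twice. Two nits: the hunk header is in `_ppdCreateFromIPP2(` while the message names `_ppdCreateFromIPP()`, and the diffstat says `3 insertions(+), 2 deletions(-)` for a hunk that changes two lines.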
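The integer-underflow pattern the message above describes, as an added C illustration that is not CUPS code: a signed attribute value clamped only from above, converted to size_t and handed to memset(), next to a check that rejects non-positive values before any conversion. PATTERN_SIZE, the function names and the sample values are this example's own; the real clamp in ppd-cache.c is not part of the hunk and is modelled here from the description only.

```c
/* Added illustration (not CUPS code) of the CVE-2026-39314 pattern:
 * an int length that is only capped from above wraps when cast to size_t.
 * PATTERN_SIZE and the function names are invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_SIZE 33          /* 33-byte stack buffer from the description */

/* Vulnerable shape: caps the upper bound only, then converts to size_t.
 * A negative maxlen survives the check and becomes a huge length. */
size_t vulnerable_pattern_len(int maxlen)
{
  if (maxlen > PATTERN_SIZE - 1)
    maxlen = PATTERN_SIZE - 1;

  return (size_t)maxlen;         /* -1 becomes SIZE_MAX */
}

/* Hardened shape: reject non-positive values before any conversion, then
 * clamp. Returns 0 and leaves *out untouched when the value is rejected. */
int hardened_pattern_len(int maxlen, size_t *out)
{
  if (maxlen <= 0)
    return 0;

  if (maxlen > PATTERN_SIZE - 1)
    maxlen = PATTERN_SIZE - 1;

  *out = (size_t)maxlen;
  return 1;
}

/* Fill a PATTERN_SIZE buffer with maxlen 'X' characters plus a NUL using
 * the hardened check. Returns the pattern length, or -1 if rejected. */
int build_password_pattern(int maxlen, char pattern[PATTERN_SIZE])
{
  size_t len;

  if (!hardened_pattern_len(maxlen, &len))
    return -1;

  memset(pattern, 'X', len);     /* len <= 32, so this always fits */
  pattern[len] = '\0';
  return (int)len;
}

int main(void)
{
  char   pattern[PATTERN_SIZE];
  int    values[] = { -1, 0, 8, 32, 1000 };   /* constructed sample inputs */
  size_t i;

  for (i = 0; i < sizeof(values) / sizeof(values[0]); i ++)
  {
    size_t bad = vulnerable_pattern_len(values[i]);
    int    n   = build_password_pattern(values[i], pattern);

    printf("job-password-supported=%5d  vulnerable memset length=%zu  hardened result=%d\n",
           values[i], bad, n);
  }

  return 0;
}
```

The vulnerable function never touches memory, it only returns the length the original code would have passed to memset(); for -1 that is SIZE_MAX, which is the wrap the description refers to. The hardened version makes the decision on the int before the cast, which is the only place a sign check can work.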
From: Abhishek Bachiphale
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 6/6][wrynose] cups: fix CVE-2026-39316
Date: Tue, 2 Jun 2026 01:28:01 +0530
Message-Id: <20260601195801.4008899-7-Abhishek.Bachiphale@windriver.com>
In-Reply-To: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
References: <20260601195801.4008899-1-Abhishek.Bachiphale@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237994

In CUPS versions 2.4.16 and prior, a use-after-free vulnerability exists in the
scheduler when temporary printers are automatically deleted. The function
cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls
cupsdDeletePrinter() without first expiring subscriptions that reference the
printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap
memory. The dangling pointer is subsequently dereferenced at multiple code
sites, causing a crash (denial of service) of the cupsd daemon. With heap
grooming, this issue can be leveraged for code execution.

Apply upstream fix to expire subscriptions before deleting printers, preventing
dangling pointers and use-after-free conditions.

Signed-off-by: Abhishek Bachiphale
---
 meta/recipes-extended/cups/cups.inc            |  1 +
 .../cups/cups/CVE-2026-39316.patch             | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index a12965bb6e..194b9c2638 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34980.patch \ file://CVE-2026-34990.patch \ file://CVE-2026-39314.patch \ + file://CVE-2026-39316.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch new file mode 100644 index 0000000000..c8d7e10ac2 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch 
@@ -0,0 +1,42 @@ +From 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Sun, 5 Apr 2026 11:33:23 -0400 +Subject: [PATCH] Expire per-printer subscriptions before deleting. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, a +use-after-free vulnerability exists in the CUPS scheduler (cupsd) when +temporary printers are automatically deleted. +cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls +cupsdDeletePrinter() without first expiring subscriptions that reference +the printer, leaving cupsd_subscription_t.dest as a dangling pointer to +freed heap memory. The dangling pointer is subsequently dereferenced at +multiple code sites, causing a crash (denial of service) of the cupsd +daemon. With heap grooming, this can be leveraged for code execution. + +CVE: CVE-2026-39316 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f ] + +Signed-off-by: Abhishek Bachiphale +--- + scheduler/printers.c | 6 ++++++ + 1 file changed, 7 insertions(+) + +diff --git a/scheduler/printers.c b/scheduler/printers.c +index 4aba6241c..50778b89a 100644 +--- a/scheduler/printers.c ++++ b/scheduler/printers.c +@@ -644,6 +644,12 @@ cupsdDeletePrinter( + update ? "Job stopped due to printer being deleted." : + "Job stopped."); + ++ /* ++ * Expire subscriptions on the printer... ++ */ ++ ++ cupsdExpireSubscriptions(p, /*job*/NULL); ++ + /* + * Remove the printer from the list... + */
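Review bot: putting `cupsdExpireSubscriptions(p, /*job*/NULL);` in cupsdDeletePrinter() rather than in cupsdDeleteTemporaryPrinters(), the caller the description names, is the right scope because it covers every path that frees a printer, but the hunk comment "Expire subscriptions on the printer..." should say that this is what prevents cupsd_subscription_t.dest from dangling, so the reason for the ordering (after the jobs are stopped, before the printer leaves the list) survives the next refactor. Worth checking in the same pass whether events already queued for this printer carry their own pointer to it and are drained before the free. Nit: the diffstat in the backported patch header reads `scheduler/printers.c | 6 ++++++` but `1 file changed, 7 insertions(+)`, while the `@@ -644,6 +644,12 @@` hunk adds six lines.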
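The use-after-free ordering the message above describes, as an added C illustration that is not CUPS code: a toy scheduler whose subscriptions keep a raw pointer to their printer, the way cupsd_subscription_t.dest does, with one delete routine that frees the printer first (the pre-patch ordering) and one that expires per-printer subscriptions first (the ordering the patch introduces). The type and function names are invented for this example; no freed memory is ever dereferenced, since dangling entries are detected by comparing addresses as integers.

```c
/* Added illustration (not CUPS code) of the CVE-2026-39316 ordering bug:
 * subscriptions keep a raw pointer to a printer; freeing the printer before
 * expiring them leaves dangling dest pointers. Names are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct printer_s { char name[32]; } printer_t;

typedef struct subscription_s
{
  printer_t             *dest;   /* raw pointer, like cupsd_subscription_t.dest */
  struct subscription_s *next;
} subscription_t;

typedef struct { subscription_t *subs; } scheduler_t;   /* subscription list */

printer_t *add_printer(const char *name)
{
  printer_t *p = calloc(1, sizeof(*p));
  if (!p) abort();
  strncpy(p->name, name, sizeof(p->name) - 1);
  return p;
}

void add_subscription(scheduler_t *s, printer_t *dest)
{
  subscription_t *sub = calloc(1, sizeof(*sub));
  if (!sub) abort();
  sub->dest = dest;
  sub->next = s->subs;
  s->subs   = sub;
}

/* Unlink and free every subscription whose dest is this printer (the role of
 * cupsdExpireSubscriptions(p, NULL) in the patch). Returns how many. */
int expire_subscriptions(scheduler_t *s, printer_t *dest)
{
  subscription_t **pp = &s->subs, *sub;
  int expired = 0;

  while ((sub = *pp) != NULL)
  {
    if (sub->dest == dest)
    {
      *pp = sub->next;
      free(sub);
      expired ++;
    }
    else
      pp = &sub->next;
  }
  return expired;
}

/* Count subscriptions whose dest equals addr. Comparing as an integer means
 * only the live subscription node is read, never the printer it names. */
int count_dangling(const scheduler_t *s, uintptr_t addr)
{
  int n = 0;
  for (const subscription_t *sub = s->subs; sub; sub = sub->next)
    if ((uintptr_t)sub->dest == addr)
      n ++;
  return n;
}

/* Pre-patch ordering: free the printer, leave its subscriptions in place.
 * Returns the number of subscriptions now pointing at freed memory. */
int delete_printer_unsafe(scheduler_t *s, printer_t *p)
{
  uintptr_t addr = (uintptr_t)p;
  free(p);
  return count_dangling(s, addr);
}

/* Patched ordering: expire per-printer subscriptions, then free. */
int delete_printer_safe(scheduler_t *s, printer_t *p)
{
  uintptr_t addr = (uintptr_t)p;
  expire_subscriptions(s, p);
  free(p);
  return count_dangling(s, addr);   /* always 0 */
}

/* Free leftover subscription nodes without touching their dest pointers. */
void free_subscriptions(scheduler_t *s)
{
  while (s->subs)
  {
    subscription_t *next = s->subs->next;
    free(s->subs);
    s->subs = next;
  }
}

int main(void)
{
  scheduler_t s = { NULL };
  printer_t   *p = add_printer("tmp-printer");   /* constructed sample data */

  add_subscription(&s, p);
  add_subscription(&s, p);
  printf("unsafe delete: %d dangling subscription(s)\n", delete_printer_unsafe(&s, p));
  free_subscriptions(&s);

  p = add_printer("tmp-printer");
  add_subscription(&s, p);
  add_subscription(&s, p);
  printf("safe delete:   %d dangling subscription(s)\n", delete_printer_safe(&s, p));
  return 0;
}
```

The unsafe path reports two dangling entries because nothing unlinked them; any later walk of the list that dereferences dest is the crash the description mentions. The safe path expires them before the free, so the list can no longer name the dead printer.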