From patchwork Tue Jun 23 11:30:25 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 90699
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447
Date: Tue, 23 Jun 2026 04:30:25 -0700
Message-ID: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239355

From: Anil Dongare

Pick the upstream backport [1] for CVE-2026-27447 as mentioned in [2], where
the scheduler treated local user and group names as case-insensitive.

Also include the two upstream regression fixes that followed the CVE fix:

- CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the
  referenced user does not exist on the server. This regression was reported
  in OpenPrinting/cups Issue [5].

- CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print policies
  for non-local accounts. This regression was reported in OpenPrinting/cups
  Issue [6].

[1] https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
[2] https://security-tracker.debian.org/tracker/CVE-2026-27447
[3] https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
[4] https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
[5] https://github.com/OpenPrinting/cups/issues/1555
[6] https://github.com/OpenPrinting/cups/issues/1557
Signed-off-by: Anil Dongare --- meta/recipes-extended/cups/cups.inc | 3 + .../cups/CVE-2026-27447-regression_p1.patch | 48 +++++++ .../cups/CVE-2026-27447-regression_p2.patch | 46 +++++++ .../cups/cups/CVE-2026-27447.patch | 120 ++++++++++++++++++ 4 files changed, 217 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index c7475d2b81..ec9392b73d 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -20,6 +20,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2025-58436.patch \ file://CVE-2025-61915.patch \ file://0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch \ + file://CVE-2026-27447.patch \ + file://CVE-2026-27447-regression_p1.patch \ + file://CVE-2026-27447-regression_p2.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch new file mode 100644 index 0000000000..85aadfde00 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch 
@@ -0,0 +1,48 @@ +From 6d97ee39fedf12a7a5429a74f4156ef9bb67f562 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Wed, 22 Apr 2026 12:40:14 +0200 +Subject: [PATCH] Fix cupsd crash if user does not exist on server + +CVE: CVE-2026-27447 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562] + +Backport Changes: +- Adapt the upstream CHANGES.md section for CUPS v2.4.18 to the + downstream CUPS v2.4.11 changelog. + +(cherry picked from commit 6d97ee39fedf12a7a5429a74f4156ef9bb67f562) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 1 + + scheduler/auth.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 0da2c55..59c131e 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -6,6 +6,7 @@ Changes in CUPS v2.4.10 (2024-06-18) + + - CVE-2026-27447: The scheduler treated local user and group names as case- + insensitive. ++- Fixed cupsd crash if user does not exist (Issue #1555) + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 1678a29..4798e86 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -1810,7 +1810,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + name; + name = (char *)cupsArrayNext(best->names)) + { +- if (!_cups_strcasecmp(name, "@OWNER") && owner && ++ if (!_cups_strcasecmp(name, "@OWNER") && owner && pw && + !strcmp(pw->pw_name, ownername)) + return (HTTP_OK); + else if (!_cups_strcasecmp(name, "@SYSTEM")) +-- +2.43.7 + + diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch new file mode 100644 index 0000000000..1d44306be0 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch 
@@ -0,0 +1,46 @@ +From 849fba7d7a1144e48d45c5e6ba2504765912ece0 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Fri, 24 Apr 2026 14:06:06 -0400 +Subject: [PATCH] Fix unauthenticated print policies (Issue #1557) + +CVE: CVE-2026-27447 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0] + +Backport Changes: +- Drop the upstream CHANGES.md section for CUPS v2.4.19. + +(cherry picked from commit 849fba7d7a1144e48d45c5e6ba2504765912ece0) +Signed-off-by: Anil Dongare +--- + scheduler/auth.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 4798e86..1dd520d 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -1810,8 +1810,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + name; + name = (char *)cupsArrayNext(best->names)) + { +- if (!_cups_strcasecmp(name, "@OWNER") && owner && pw && +- !strcmp(pw->pw_name, ownername)) ++ if (!_cups_strcasecmp(name, "@OWNER") && owner && ++ ((pw && !strcmp(pw->pw_name, ownername)) || ++ (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername)))) + return (HTTP_OK); + else if (!_cups_strcasecmp(name, "@SYSTEM")) + { +@@ -1825,6 +1826,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + } + else if (pw && !strcmp(pw->pw_name, name)) + return (HTTP_OK); ++ else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name)) ++ return (HTTP_STATUS_OK); + } + + for (name = (char *)cupsArrayFirst(best->names); +-- +2.43.7 + + diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch new file mode 100644 index 0000000000..77a26dae64 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch 
@@ -0,0 +1,120 @@ +From 37b8a4387864eded1a15a45db8950a23e5c610d2 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:04:21 -0400 +Subject: [PATCH] CVE-2026-27447: The scheduler treated local user and group + names as case-insensitive. + +CVE: CVE-2026-27447 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb] + +Backport Changes: +- Rebase CHANGES.md and scheduler/auth.c context to the CUPS 2.4.11 source + carried by this recipe. + +(cherry picked from commit a0c62c1e69604ff061089b750073199fab5a1beb) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 2 ++ + scheduler/auth.c | 31 +++++++++++++++---------------- + 2 files changed, 17 insertions(+), 16 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 4a2e25d..0da2c55 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18) + Changes in CUPS v2.4.10 (2024-06-18) + ----------------------------- + ++- CVE-2026-27447: The scheduler treated local user and group names as case- ++ insensitive. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/scheduler/auth.c b/scheduler/auth.c +index d0430b4..1678a29 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -1,7 +1,7 @@ + /* + * Authorization routines for the CUPS scheduler. + * +- * Copyright © 2020-2024 by OpenPrinting. ++ * Copyright © 2020-2026 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. + * +@@ -1159,7 +1159,7 @@ cupsdCheckGroup( + group = getgrnam(groupname); + endgrent(); + +- if (group != NULL) ++ if (user && group) + { + /* + * Group exists, check it... +@@ -1173,7 +1173,7 @@ cupsdCheckGroup( + * User appears in the group membership... 
+ */ + +- if (!_cups_strcasecmp(username, group->gr_mem[i])) ++ if (!strcmp(user->pw_name, group->gr_mem[i])) + return (1); + } + +@@ -1184,25 +1184,24 @@ cupsdCheckGroup( + * belongs to... + */ + +- if (user) +- { +- int ngroups; /* Number of groups */ ++ int ngroups; /* Number of groups */ + # ifdef __APPLE__ +- int groups[2048]; /* Groups that user belongs to */ ++ int groups[2048]; /* Groups that user belongs to */ + # else +- gid_t groups[2048]; /* Groups that user belongs to */ ++ gid_t groups[2048]; /* Groups that user belongs to */ + # endif /* __APPLE__ */ + +- ngroups = (int)(sizeof(groups) / sizeof(groups[0])); ++ ngroups = (int)(sizeof(groups) / sizeof(groups[0])); + # ifdef __APPLE__ +- getgrouplist(username, (int)user->pw_gid, groups, &ngroups); ++ getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups); + # else +- getgrouplist(username, user->pw_gid, groups, &ngroups); ++ getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups); + #endif /* __APPLE__ */ + +- for (i = 0; i < ngroups; i ++) +- if ((int)groupid == (int)groups[i]) +- return (1); ++ for (i = 0; i < ngroups; i ++) ++ { ++ if ((int)groupid == (int)groups[i]) ++ return (1); + } + #endif /* HAVE_GETGROUPLIST */ + } +@@ -1812,7 +1811,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + name = (char *)cupsArrayNext(best->names)) + { + if (!_cups_strcasecmp(name, "@OWNER") && owner && +- !_cups_strcasecmp(username, ownername)) ++ !strcmp(pw->pw_name, ownername)) + return (HTTP_OK); + else if (!_cups_strcasecmp(name, "@SYSTEM")) + { +@@ -1824,7 +1823,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ + if (cupsdCheckGroup(username, pw, name + 1)) + return (HTTP_OK); + } +- else if (!_cups_strcasecmp(username, name)) ++ else if (pw && !strcmp(pw->pw_name, name)) + return (HTTP_OK); + } + +-- +2.43.7
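Review bot: the three new `file://` entries in the cups.inc hunk must stay in this order (CVE-2026-27447.patch, then regression_p1, then regression_p2): the inner `index` lines of the three patch files chain d0430b4..1678a29, 1678a29..4798e86 and 4798e86..1dd520d on scheduler/auth.c, so the two regression patches only apply on top of the CVE fix. A short comment in cups.inc, or a sentence in the commit message, would protect that ordering from a later alphabetical reshuffle of SRC_URI.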
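Review bot: the CHANGES.md hunk in CVE-2026-27447.patch (and the one in regression_p1) inserts the new entries under the `Changes in CUPS v2.4.10 (2024-06-18)` heading, while the Backport Changes note says the context was rebased to the CUPS 2.4.11 source this recipe carries; the CHANGES.md hunk of the CVE-2026-34978 patch later in this series shows a `Changes in CUPS v2.4.11 (2024-09-30)` section sitting directly above. Either move the entries into the 2.4.11 section or reword the Backport Changes note so it describes where the entries actually land.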
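Review bot: in the `@@ -1812,7 +1811,7 @@ cupsdIsAuthorized` hunk of CVE-2026-27447.patch the new `!strcmp(pw->pw_name, ownername)` dereferences `pw` without the `pw &&` guard that the `@@ -1824,7 +1823,7 @@` hunk adds on its own branch (`else if (pw && !strcmp(pw->pw_name, name))`); that is the null dereference regression_p1 repairs by changing the condition to `owner && pw &&`. Say in the commit message that the CVE patch on its own crashes cupsd for any policy naming an unknown user, so regression_p1 is not dropped when this series is cherry-picked elsewhere.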
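Review bot: the `@@ -1159,7 +1159,7 @@ cupsdCheckGroup` hunk turns `if (group != NULL)` into `if (user && group)`, so a username with no passwd entry no longer matches a group's `gr_mem` list at all (the old `_cups_strcasecmp(username, group->gr_mem[i])` path is gone, and the new `strcmp(user->pw_name, ...)` needs `user`), and regression_p2 only restores matching for `@OWNER` and literal user names, not for `@groupname` policies. That behaviour change for non-local accounts in group-based policies should be stated in the commit message so downstream users know it is intended.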
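Review bot: in the regression_p2 hunk at `@@ -1825,6 +1826,8 @@` the added branch returns `HTTP_STATUS_OK` while every neighbouring branch in the same function returns `HTTP_OK`; both names exist in the CUPS 2.x headers, but please normalise to one spelling in the backport. Note also that the restored `_cups_strcasecmp(username, ...)` comparisons are deliberately limited to `!pw && type == CUPSD_AUTH_NONE`, i.e. names with no passwd entry under unauthenticated policies; a line in the Backport Changes recording that this is upstream's intended scope for Issue #1557 would stop a later reader from removing the case-insensitive compare again.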
From patchwork Tue Jun 23 11:30:26 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 90696
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978
Date: Tue, 23 Jun 2026 04:30:26 -0700
Message-ID: <20260623113037.28968-2-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239349

From: Anil Dongare

Pick the upstream patch [1] as mentioned in [2].

[1] https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568
[2] https://security-tracker.debian.org/tracker/CVE-2026-34978

Signed-off-by: Anil Dongare
---
 meta/recipes-extended/cups/cups.inc | 1 +
 .../cups/cups/CVE-2026-34978.patch | 102 ++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34978.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index ec9392b73d..e06bbc0a2a 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -23,6 +23,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-27447.patch \ file://CVE-2026-27447-regression_p1.patch \ file://CVE-2026-27447-regression_p2.patch \ + file://CVE-2026-34978.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch new file mode 100644 index 0000000000..d05bc85588 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch 
@@ -0,0 +1,102 @@ +From ab6ab965de6890aed4df39c97f7cd708fd5cb00c Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:18:26 -0400 +Subject: [PATCH] Fix RSS notifier. + +CVE: CVE-2026-34978 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568] + +Backport Changes: +- Rebase CHANGES.md placement and scheduler/ipp.c subscription context to the + CUPS 2.4.11 source carried by this recipe. + +(cherry picked from commit 730347c5bbd5e1271149c6739aa858c0c83a7568) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 2 ++ + notifier/rss.c | 20 ++++++++++++++------ + scheduler/ipp.c | 12 ++++++++++++ + 3 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 7a5e8813f..429ee874f 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30) + Changes in CUPS v2.4.10 (2024-06-18) + ------------------------------------ + + - CVE-2026-27447: The scheduler treated local user and group names as case- + insensitive. +- Fixed cupsd crash if user does not exist (Issue #1555) ++- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS ++ directory. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/notifier/rss.c b/notifier/rss.c +index f17e1494c..250ad877e 100644 +--- a/notifier/rss.c ++++ b/notifier/rss.c +@@ -1,11 +1,12 @@ + /* + * RSS notifier for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. +- * Copyright 2007-2015 by Apple Inc. +- * Copyright 2007 by Easy Software Products. ++ * Copyright © 2020-2026 by OpenPrinting. ++ * Copyright © 2007-2015 by Apple Inc. ++ * Copyright © 2007 by Easy Software Products. + * +- * Licensed under Apache License v2.0. See the file "LICENSE" for more information. ++ * Licensed under Apache License v2.0. See the file "LICENSE" for more ++ * information. 
+ */ + + /* +@@ -80,6 +81,7 @@ main(int argc, /* I - Number of command-line arguments */ + http_status_t status; /* HTTP GET/PUT status code */ + char filename[1024], /* Local filename */ + newname[1024]; /* filename.N */ ++ struct stat fileinfo; /* Local file information */ + cups_lang_t *language; /* Language information */ + ipp_attribute_t *printer_up_time, /* Timestamp on event */ + *notify_sequence_number,/* Sequence number */ +@@ -111,9 +113,9 @@ main(int argc, /* I - Number of command-line arguments */ + + if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[1], scheme, sizeof(scheme), + username, sizeof(username), host, sizeof(host), &port, +- resource, sizeof(resource)) < HTTP_URI_OK) ++ resource, sizeof(resource)) < HTTP_URI_OK || strstr(resource, "../") != NULL) + { +- fprintf(stderr, "ERROR: Bad RSS URI \"%s\"!\n", argv[1]); ++ fprintf(stderr, "ERROR: Bad RSS URI \"%s\".\n", argv[1]); + return (1); + } + +@@ -209,6 +211,12 @@ main(int argc, /* I - Number of command-line arguments */ + snprintf(filename, sizeof(filename), "%s/rss%s", cachedir, resource); + snprintf(newname, sizeof(newname), "%s.N", filename); + ++ if (!lstat(filename, &fileinfo) && !S_ISREG(fileinfo.st_mode)) ++ { ++ fprintf(stderr, "ERROR: Local RSS path \"%s\" is not a file.\n", filename); ++ return (1); ++ } ++ + httpAssembleURIf(HTTP_URI_CODING_ALL, baseurl, sizeof(baseurl), "http", + NULL, server_name, atoi(server_port), "/rss%s", resource); + } +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index 2d80a960e..2dc7376c1 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -1985,6 +1985,12 @@ add_job_subscriptions( + "notify-status-code", IPP_ATTRIBUTES); + return; + } ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
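Review bot: in the CHANGES.md hunk of CVE-2026-34978.patch the line `- Fixed cupsd crash if user does not exist (Issue #1555)` appears without the inner leading space its neighbours carry (`+ - CVE-2026-27447: ...`, `+ - Fixed error handling ...`), so it reads as a deletion, yet the `@@ -21,9 +21,11 @@` header counts nine old and eleven new lines, which only adds up if that line is context. If this is the patch file and not the archive rendering, `git am` or `patch` will reject the hunk; please re-check the hand-rebased CHANGES.md hunk before the series is merged.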
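Review bot: the new `lstat(filename, &fileinfo)` check in the `@@ -209,6 +211,12 @@` hunk of notifier/rss.c only fires when the path already exists (`!lstat(...) && !S_ISREG(...)`), so for a feed file that has not been created yet the notifier's only traversal guard is the `strstr(resource, "../")` test added at `@@ -111,9 +113,9 @@`; the scheduler-side check in the `add_job_subscriptions` hunk is therefore the gate that matters, since it rejects the subscription before any notifier is spawned. Using `lstat` rather than `stat` is the right call: a symlink planted at `filename` fails `S_ISREG` instead of being followed. Separately, as rendered in this mail the ipp.c hunk stops after the `ippAddInteger(...)` line although its header promises six added lines; confirm the patch file in the series is complete.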
From patchwork Tue Jun 23 11:30:27 2026
X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 90702
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980
Date: Tue, 23 Jun 2026 04:30:27 -0700
Message-ID: <20260623113037.28968-3-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239350

From: Anil Dongare

Pick the upstream fix [1] for CVE-2026-34980 as mentioned in [2], where the
scheduler did not filter control characters from option values.

Also include the upstream regression fixes that followed the CVE fix:

- CVE-2026-34980-regression_p1.patch [3] fixes filter PPD keyword processing.
  The CVE fix parsed PPD keywords into a temporary array, but the loop did not
  advance the keyword pointer. This regression was reported in
  OpenPrinting/cups Issue [4].

- CVE-2026-34980-regression_p2.patch [5] fixes a get_options() regression
  where the option-value parser did not advance the input pointer for
  whitespace/control-character paths.

[1] https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3
[2] https://security-tracker.debian.org/tracker/CVE-2026-34980
[3] https://github.com/OpenPrinting/cups/commit/3f2bdc293243bca938c6de23ba50e6d783189629
[4] https://github.com/OpenPrinting/cups/issues/1562
[5] https://github.com/OpenPrinting/cups/commit/52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af

Signed-off-by: Anil Dongare
---
 meta/recipes-extended/cups/cups.inc | 3 +
 .../cups/CVE-2026-34980-regression_p1.patch | 31 ++++++
 .../cups/CVE-2026-34980-regression_p2.patch | 75 ++++++++++++++
 .../cups/cups/CVE-2026-34980.patch | 97 +++++++++++++++++++
 4 files changed, 206 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index e06bbc0a2a..dc5b971195 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -24,6 +24,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-27447-regression_p1.patch \ file://CVE-2026-27447-regression_p2.patch \ file://CVE-2026-34978.patch \ + file://CVE-2026-34980.patch \ + file://CVE-2026-34980-regression_p1.patch \ + file://CVE-2026-34980-regression_p2.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch new file mode 100644 index 0000000000..9290a0e637 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch @@ -0,0 +1,31 @@ +From 3f2bdc293243bca938c6de23ba50e6d783189629 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 28 Apr 2026 17:42:41 -0400 +Subject: [PATCH] Fix filter PPD keyword processing (Issue #1562) + +CVE: CVE-2026-34980 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/3f2bdc293243bca938c6de23ba50e6d783189629] + +(cherry picked from commit 3f2bdc293243bca938c6de23ba50e6d783189629) +Signed-off-by: Anil Dongare +--- + scheduler/job.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index 895b2d9..915ba94 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -5419,7 +5419,7 @@ update_job(cupsd_job_t *job) /* I - Job to check */ + keywords = NULL; + num_keywords = cupsParseOptions(message, 0, &keywords); + +- for (i = 0, keyword = keywords; i < num_keywords; i ++) ++ for (i = 0, keyword = keywords; i < num_keywords; i ++, keyword ++) + { + /* + * Filter out "special" PPD keywords... +-- +2.43.7 + + diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch new file mode 100644 index 0000000000..73846cb8a3 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch 
@@ -0,0 +1,75 @@ +From 52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Wed, 8 Apr 2026 16:42:48 -0400 +Subject: [PATCH] Fix get_options regression (Issue #1532) + +CVE: CVE-2026-34980 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af] + +(cherry picked from commit 52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af) +Signed-off-by: Anil Dongare +--- + scheduler/job.c | 4 ++-- + test/5.5-lp.sh | 10 +++++----- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index 6b9d366..cf019e1 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -4144,7 +4144,7 @@ get_options(cupsd_job_t *job, /* I - Job */ + case IPP_TAG_CHARSET : + case IPP_TAG_LANGUAGE : + case IPP_TAG_URI : +- for (valptr = attr->values[i].string.text; *valptr;) ++ for (valptr = attr->values[i].string.text; *valptr; valptr ++) + { + /* + * Convert tabs and newlines to spaces, filter out control chars, +@@ -4159,7 +4159,7 @@ get_options(cupsd_job_t *job, /* I - Job */ + { + if (strchr("\\\'\"", *valptr)) + *optptr++ = '\\'; +- *optptr++ = *valptr++; ++ *optptr++ = *valptr; + } + } + +diff --git a/test/5.5-lp.sh b/test/5.5-lp.sh +index 25e9d65..fe60890 100644 +--- a/test/5.5-lp.sh ++++ b/test/5.5-lp.sh +@@ -2,7 +2,7 @@ + # + # Test the lp command. + # +-# Copyright © 2020-2024 by OpenPrinting. ++# Copyright © 2020-2026 by OpenPrinting. + # Copyright © 2007-2019 by Apple Inc. + # Copyright © 1997-2005 by Easy Software Products, all rights reserved. 
+ # +@@ -72,8 +72,8 @@ echo "" + + echo "LP Flood Test ($1 times in parallel)" + echo "" +-echo " lp -d Test1 testfile.jpg" +-echo " lp -d Test2 testfile.jpg" ++echo " lp -d Test1 -t 'Flood Test N' testfile.jpg" ++echo " lp -d Test2 -t 'Flood Test N' testfile.jpg" + i=0 + pids="" + while test $i -lt $1; do +@@ -83,9 +83,9 @@ while test $i -lt $1; do + j=`expr $j + 1` + done + +- $runcups $VALGRIND ../systemv/lp -d Test1 ../examples/testfile.jpg 2>&1 & ++ $runcups $VALGRIND ../systemv/lp -d Test1 -t "Flood Test $j" ../examples/testfile.jpg 2>&1 & + pids="$pids $!" +- $runcups $VALGRIND ../systemv/lp -d Test2 ../examples/testfile.jpg 2>&1 & ++ $runcups $VALGRIND ../systemv/lp -d Test2 -t "Flood Test $j" ../examples/testfile.jpg 2>&1 & + pids="$pids $!" + + i=`expr $i + 1` +-- +2.43.7 diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch new file mode 100644 index 0000000000..286e9cd517 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch 
@@ -0,0 +1,97 @@ +From e206c7643a7574cab2e9457eac4c9f755dbf44ff Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:45:13 -0400 +Subject: [PATCH] Filter out control characters from option values. + +CVE: CVE-2026-34980 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3] + +Backport Changes: +- Rebase CHANGES.md placement and scheduler/job.c option-handling context to + the CUPS 2.4.11 source carried by this recipe. + +(cherry picked from commit 8d0f51cac24cb5bf949c5b6a221e51a150d982e3) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 2 ++ + scheduler/job.c | 41 +++++++++++++++++++++++++++++++++++------ + 2 files changed, 37 insertions(+), 6 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 7e24840..9863c17 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -9,6 +9,8 @@ Changes in CUPS v2.4.10 (2024-06-18) + - Fixed cupsd crash if user does not exist (Issue #1555) + - CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS + directory. ++- CVE-2026-34980: The scheduler did not filter control characters from option ++ values. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/scheduler/job.c b/scheduler/job.c +index 822a247..895b2d9 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -4121,9 +4121,21 @@ get_options(cupsd_job_t *job, /* I - Job */ + case IPP_TAG_URI : + for (valptr = attr->values[i].string.text; *valptr;) + { +- if (strchr(" \t\n\\\'\"", *valptr)) +- *optptr++ = '\\'; +- *optptr++ = *valptr++; ++ /* ++ * Convert tabs and newlines to spaces, filter out control chars, ++ * and escape \, ', and ". 
++ */ ++ ++ if (isspace(*valptr & 255)) ++ { ++ *optptr++ = ' '; ++ } ++ else if ((*valptr & 255) >= ' ' && *valptr != 0x7f) ++ { ++ if (strchr("\\\'\"", *valptr)) ++ *optptr++ = '\\'; ++ *optptr++ = *valptr++; ++ } + } + + *optptr = '\0'; +@@ -5394,13 +5409,30 @@ update_job(cupsd_job_t *job) /* I - Job to check */ + else if (loglevel == CUPSD_LOG_PPD) + { + /* +- * Set attribute(s)... ++ * Set PPD keyword(s)/value(s)... + */ + ++ int i, /* Looping var */ ++ num_keywords; /* Number of keywords */ ++ cups_option_t *keywords, /* Keywords */ ++ *keyword; /* Current keyword */ ++ + cupsdLogJob(job, CUPSD_LOG_DEBUG, "PPD: %s", message); + +- job->num_keywords = cupsParseOptions(message, job->num_keywords, +- &job->keywords); ++ keywords = NULL; ++ num_keywords = cupsParseOptions(message, 0, &keywords); ++ ++ for (i = 0, keyword = keywords; i < num_keywords; i ++) ++ { ++ /* ++ * Filter out "special" PPD keywords... ++ */ ++ ++ if (strcmp(keyword->name, "cupsFilter") && strcmp(keyword->name, "cupsFilter2") && strcmp(keyword->name, "cupsFinishingTemplate") && strcmp(keyword->name, "cupsIPPFinishings") && strcmp(keyword->name, "cupsIPPReason") && strcmp(keyword->name, "cupsMarkerName") && strcmp(keyword->name, "cupsMaxSize") && strncmp(keyword->name, "cupsMediaQualifier", 18) && strcmp(keyword->name, "cupsMinSize") && strcmp(keyword->name, "cupsPageSizeCategory") && strcmp(keyword->name, "cupsPortMonitor") && strcmp(keyword->name, "cupsPreFilter") && strcmp(keyword->name, "cupsPrintQuality") && strcmp(keyword->name, "APPrinterPreset")) ++ job->num_keywords = cupsAddOption(keyword->name, keyword->value, job->num_keywords, &job->keywords); ++ } ++ ++ cupsFreeOptions(num_keywords, keywords); + } + else + { +-- +2.43.7 From patchwork Tue Jun 23 11:30:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 90697 Return-Path: 
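Review bot: in the cups.inc SRC_URI hunk (@@ -24,6 +24,9 @@) the regression patches are ordered p1 (3f2bdc29, dated 28 Apr) before p2 (52cfb02, dated 8 Apr), the reverse of upstream chronology, and p2's job.c index line (6b9d366..cf019e1) does not chain from p1's post-image 915ba94 the way CVE-2026-34979.patch's index (915ba94..880c25f) does, so the two look cherry-picked from different upstream branches. The hunks touch different functions and apply in either order, but a sentence in the commit message saying where each came from, or numbering them by upstream date, would spare the next rebaser the same archaeology.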
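Review bot: the CHANGES.md hunk of CVE-2026-34980.patch files the new entry under the "Changes in CUPS v2.4.10 (2024-06-18)" heading, while the Backport Changes block says the patch was rebased onto the CUPS 2.4.11 source carried by the recipe; the CVE-2026-34979 and CVE-2026-34990 patches later in this series do the same. Either the entries belong under the 2.4.11 section or, simpler for a distro backport, drop the CHANGES.md hunks entirely: nothing builds them and each one is a likely reject on the next version bump.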
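Review bot: as carried here, the get_options() loop in CVE-2026-34980.patch (@@ -4121,9 +4121,21 @@) does not terminate on whitespace or control characters: "for (valptr = ...; *valptr;)" only advances valptr in the printable branch ("*optptr++ = *valptr++;"), so a space emits ' ' forever and a bare control character spins without writing, and nothing bounds optptr, so the first case overruns the options buffer. The recipe applies CVE-2026-34980-regression_p2.patch right after, which moves the increment into the for header, so the built tree is fine, but please say so in the patch header (or squash p2 into this patch) so nobody reorders or drops it on a later rebase. A separate question to confirm with upstream: the removed line escaped " \t\n\\\'\"" with a backslash, whereas the new whitespace branch writes an unescaped ' '; ipp_length() describes the options string as space-separated, so a text value such as the 'Flood Test N' job name from the 5.5-lp.sh test now reaches the filters as three tokens instead of one escaped value unless the value is quoted somewhere not shown here.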
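Review bot: the same missing increment is in the update_job() hunk of CVE-2026-34980.patch (@@ -5394,13 +5409,30 @@): "for (i = 0, keyword = keywords; i < num_keywords; i ++)" never moves keyword, so on its own the hunk adds keywords[0] num_keywords times and drops the rest (Issue #1562, fixed by regression_p1, which the recipe applies next); worth a line in the header for the same reason. On the filtering itself, this strcmp chain is the boundary that stops a filter's "PPD:" log messages from setting cupsFilter, cupsFilter2, cupsPreFilter, cupsPortMonitor and the other special keywords on the job. A static const table of names walked in a loop would be easier to audit and extend than one long expression, and the lone strncmp(keyword->name, "cupsMediaQualifier", 18) deserves a comment saying why it is a prefix match when everything else is an exact match.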
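The regression the commit message above describes (the option-value parser "did not advance the input pointer for whitespace/control-character paths") is easier to see with both loops side by side. The following is an added example written for this page, not CUPS code: it re-implements the get_options() escaping logic once in the state left by CVE-2026-34980.patch alone and once in the state after regression_p2, with an explicit buffer size so the first version fails observably instead of overrunning the heap. The function names, the return codes and the iteration cap are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not CUPS code: the option-value escaping loop of
 * scheduler/job.c get_options(), in the state left by CVE-2026-34980.patch
 * alone and in the state after regression_p2. Both take a buffer size so
 * the broken version fails visibly instead of overrunning the heap; names,
 * return codes and the step cap are assumptions of this example.
 */

/* Bytes the escaper emits for `c`: 0 = dropped, 2 = backslash-escaped. */
static size_t bytes_needed(char c)
{
  if (isspace(c & 255))
    return 1;
  if ((c & 255) >= ' ' && c != 0x7f)
    return strchr("\\\'\"", c) ? 2 : 1;
  return 0;
}

/*
 * After CVE-2026-34980.patch alone: only the printable branch advances the
 * input pointer. Returns 0 on success, -1 when the next write would pass the
 * end of `out` (the real loop just keeps writing), -2 when no progress is
 * made at all (a lone control character makes the real loop spin forever).
 */
int escape_value_regressed(const char *in, char *out, size_t outlen)
{
  const char *valptr = in;
  char *optptr = out, *end = out + outlen;
  size_t steps = 0;

  if (outlen == 0) return -1;

  while (*valptr)
  {
    size_t need = bytes_needed(*valptr);

    if (++steps > outlen)            /* cap so the demonstration terminates */
      { *optptr = '\0'; return -2; }
    if (optptr + need >= end)        /* no room for `need` bytes plus NUL */
      { *optptr = '\0'; return -1; }
    if (need == 0)
      continue;                      /* BUG: valptr not advanced, spins */
    if (isspace(*valptr & 255))
    {
      *optptr++ = ' ';               /* BUG: valptr not advanced, repeats */
      continue;
    }
    if (need == 2)
      *optptr++ = '\\';
    *optptr++ = *valptr++;           /* the only branch that consumes input */
  }

  *optptr = '\0';
  return 0;
}

/*
 * After CVE-2026-34980-regression_p2.patch: the increment is in the for
 * header, so each input byte is consumed once. Whitespace becomes a space,
 * other control characters and DEL are dropped, and \ ' " are escaped. The
 * output never exceeds 2 * strlen(in) + 1 bytes, which is what the caller
 * must size `out` for (compare ipp_length() in CVE-2026-34979.patch).
 */
int escape_value_fixed(const char *in, char *out, size_t outlen)
{
  const char *valptr;
  char *optptr = out, *end = out + outlen;

  if (outlen == 0) return -1;

  for (valptr = in; *valptr; valptr++)
  {
    size_t need = bytes_needed(*valptr);

    if (need == 0)
      continue;                      /* control character: dropped */
    if (optptr + need >= end)
      { *out = '\0'; return -1; }    /* buffer smaller than 2 * len + 1 */
    if (isspace(*valptr & 255))
      *optptr++ = ' ';
    else
    {
      if (need == 2)
        *optptr++ = '\\';
      *optptr++ = *valptr;
    }
  }

  *optptr = '\0';
  return 0;
}
```

With a 32-byte buffer, escape_value_regressed("Flood Test 1", ...) copies "Flood", then writes spaces until the buffer is full and reports the overrun, and a lone 0x01 byte reports no progress; escape_value_fixed returns the value with whitespace collapsed to single spaces, control bytes dropped and backslash, single and double quote escaped. Whether those unescaped spaces are acceptable in a space-separated options string is a question for upstream; the example only reproduces the logic of the two patches.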
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979
Date: Tue, 23 Jun 2026 04:30:28 -0700
Message-ID: <20260623113037.28968-4-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239352

From: Anil Dongare

Pick the upstream patch [1] as mentioned in [2].

[1] https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214
[2] https://security-tracker.debian.org/tracker/CVE-2026-34979

Signed-off-by: Anil Dongare
---
 meta/recipes-extended/cups/cups.inc            |  1 +
 .../cups/cups/CVE-2026-34979.patch             | 73 +++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34979.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index dc5b971195..7dedb2daef 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -27,6 +27,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34980.patch \ file://CVE-2026-34980-regression_p1.patch \ file://CVE-2026-34980-regression_p2.patch \ + file://CVE-2026-34979.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34979.patch b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch new file mode 100644 index 0000000000..4adb6415b1 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch 
@@ -0,0 +1,73 @@ +From 471b4dc802455c7c59f9fd594fec8b6f3acb0db5 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 14:50:06 -0400 +Subject: [PATCH] Expand allocation of options string. + +CVE: CVE-2026-34979 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214] + +Backport Changes: +- Rebase CHANGES.md placement and scheduler/job.c IPP length context to the + CUPS 2.4.11 source carried by this recipe. + +(cherry picked from commit 0ff8897367c7341f2500770c3977038cdd7c0214) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 2 ++ + scheduler/job.c | 16 ++++------------ + 2 files changed, 6 insertions(+), 12 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 9863c17..f203e9a 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -11,6 +11,8 @@ Changes in CUPS v2.4.10 (2024-06-18) + directory. + - CVE-2026-34980: The scheduler did not filter control characters from option + values. ++- CVE-2026-34979: The scheduler did not always allocate enough memory for a ++ job's options string. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/scheduler/job.c b/scheduler/job.c +index 915ba94..880c25f 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -4195,18 +4195,6 @@ ipp_length(ipp_t *ipp) /* I - IPP request */ + + for (attr = ipp->attrs; attr != NULL; attr = attr->next) + { +- /* +- * Skip attributes that won't be sent to filters... +- */ +- +- if (attr->value_tag == IPP_TAG_NOVALUE || +- attr->value_tag == IPP_TAG_MIMETYPE || +- attr->value_tag == IPP_TAG_NAMELANG || +- attr->value_tag == IPP_TAG_TEXTLANG || +- attr->value_tag == IPP_TAG_URI || +- attr->value_tag == IPP_TAG_URISCHEME) +- continue; +- + /* + * Add space for a leading space and commas between each value. 
+ * For the first attribute, the leading space isn't used, so the +@@ -4282,10 +4270,14 @@ ipp_length(ipp_t *ipp) /* I - IPP request */ + + case IPP_TAG_TEXT : + case IPP_TAG_NAME : ++ case IPP_TAG_TEXTLANG : ++ case IPP_TAG_NAMELANG : ++ case IPP_TAG_MIMETYPE : + case IPP_TAG_KEYWORD : + case IPP_TAG_CHARSET : + case IPP_TAG_LANGUAGE : + case IPP_TAG_URI : ++ case IPP_TAG_URISCHEME : + /* + * Strings can contain characters that need quoting. We need + * at least 2 * len + 2 characters to cover the quotes and +-- +2.43.7 + From patchwork Tue Jun 23 11:30:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 90701 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE261CDB480 for ; Tue, 23 Jun 2026 11:31:03 +0000 (UTC) Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.18974.1782214253777311573 for ; Tue, 23 Jun 2026 04:30:53 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=JNtlsCfR; spf=pass (domain: cisco.com, ip: 173.37.86.72, mailfrom: adongare@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=14595; q=dns/txt; s=iport01; t=1782214253; x=1783423853; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=UxiZqKvI/Vy9JSClw1//6yztD4YNn7IyMiGJjzMkJ7U=; b=JNtlsCfRrDeAres/oPhRpnPqtteUo3+giYboYNjuXG2iUZSlWKy5J/1G oKoDFlXB2st3RjFF7iUU1eI2Lull9huL29fiX0mna7+xju8XJ3On9Orgn 9fbPO1TqVGtcUd2qBi4rOHyDSfEYyEx7duP84usR3KZDEYarWXxGOBFau 
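Review bot: the "From 471b4dc802455c7c59f9fd594fec8b6f3acb0db5" line of CVE-2026-34979.patch is the backport's local commit, while Upstream-Status names 0ff88973; CVE-2026-34980.patch (e206c764 against 8d0f51ca) and CVE-2026-34990.patch (48648896 against e052dc44) have the same mismatch, whereas the two regression patches carry the upstream hash in From. Pick one convention for the series; the upstream hash is the more useful one when someone later diffs the backport against the original commit.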
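Review bot: removing the "continue" in the ipp_length() hunk of CVE-2026-34979.patch (@@ -4195,18 +4195,6 @@) is the real fix, since get_options() (see the CVE-2026-34980 hunks) already wrote IPP_TAG_URI values that this function refused to count, but the removed skip list also covered IPP_TAG_NOVALUE and the second hunk adds no case for it. Please confirm that the switch below handles a value-less attribute in its default branch without reading a value that is not there; over-counting is harmless, but a crash on a crafted no-value attribute would turn a heap-overflow fix into a denial of service.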
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990
Date: Tue, 23 Jun 2026 04:30:29 -0700
Message-ID: <20260623113037.28968-5-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239351

From: Anil Dongare

Pick the upstream patch [1] as mentioned in [2].

[1] https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356
[2] https://security-tracker.debian.org/tracker/CVE-2026-34990

Signed-off-by: Anil Dongare
---
 meta/recipes-extended/cups/cups.inc            |   1 +
 .../cups/cups/CVE-2026-34990.patch             | 366 ++++++++++++++++++
 2 files changed, 367 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34990.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 7dedb2daef..2e6bf698e0 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -28,6 +28,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34980-regression_p1.patch \ file://CVE-2026-34980-regression_p2.patch \ file://CVE-2026-34979.patch \ + file://CVE-2026-34990.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch new file mode 100644 index 0000000000..e3d6e10a23 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch 
@@ -0,0 +1,366 @@ +From 48648896ca7faa8f105eee7b7a8d86c42e0fa796 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 31 Mar 2026 15:55:50 -0400 +Subject: [PATCH] Don't allow local certificates over the loopback + interface, drop support for writing to plain files. + +CVE: CVE-2026-34990 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356] + +Backport Changes: +- Preserve the existing CVE-2025-61915 PeerCred disable guard while changing + localhost checks to AF_LOCAL. +- Replace CHANGES.md CVE-2026-NNNNN placeholder with CVE-2026-34990. + +(cherry picked from commit e052dc44da9d12adfbebc51de4975fbadb2ce356) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 2 ++ + cups/auth.c | 30 ++++++-------------------- + scheduler/auth.c | 9 +++++---- + scheduler/client.c | 4 ++-- + scheduler/ipp.c | 12 ++++++++-- + scheduler/job.c | 46 ++++++++++++++++++++++------------------ + test/4.2-cups-printer-ops.test | 6 +++-- + test/5.1-lpadmin.sh | 14 +++++------ + 8 files changed, 60 insertions(+), 63 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index f203e9a..4eeebef 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -13,6 +13,8 @@ Changes in CUPS v2.4.10 (2024-06-18) + values. + - CVE-2026-34979: The scheduler did not always allocate enough memory for a + job's options string. ++- CVE-2026-34990: The scheduler incorrectly allowed local certificates over the ++ loopback interface. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/cups/auth.c b/cups/auth.c +index 5cb4194..14661c7 100644 +--- a/cups/auth.c ++++ b/cups/auth.c +@@ -1,7 +1,7 @@ + /* + * Authentication functions for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. ++ * Copyright © 2020-2026 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products. 
+ * +@@ -92,7 +92,6 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status, + # define cups_gss_printf(major, minor, message) + # endif /* DEBUG */ + #endif /* HAVE_GSSAPI */ +-static int cups_is_local_connection(http_t *http); + static int cups_local_auth(http_t *http); + + +@@ -948,14 +947,6 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */ + # endif /* DEBUG */ + #endif /* HAVE_GSSAPI */ + +-static int /* O - 0 if not a local connection */ +- /* 1 if local connection */ +-cups_is_local_connection(http_t *http) /* I - HTTP connection to server */ +-{ +- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) +- return 0; +- return 1; +-} + + /* + * 'cups_local_auth()' - Get the local authorization certificate if +@@ -967,13 +958,7 @@ static int /* O - 0 if available */ + /* -1 error */ + cups_local_auth(http_t *http) /* I - HTTP connection to server */ + { +-#if defined(_WIN32) || defined(__EMX__) +- /* +- * Currently _WIN32 and OS-2 do not support the CUPS server... +- */ +- +- return (1); +-#else ++#if !_WIN32 && !__EMX__ && defined(AF_LOCAL) + int pid; /* Current process ID */ + FILE *fp; /* Certificate file */ + char trc[16], /* Try Root Certificate parameter */ +@@ -998,7 +983,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + * See if we are accessing localhost... + */ + +- if (!cups_is_local_connection(http)) ++ if (httpAddrFamily(httpGetAddress(http)) != AF_LOCAL) + { + DEBUG_puts("8cups_local_auth: Not a local connection!"); + return (1); +@@ -1072,15 +1057,14 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + } + # endif /* HAVE_AUTHORIZATION_H */ + +-# if defined(SO_PEERCRED) && defined(AF_LOCAL) ++# ifdef SO_PEERCRED + /* + * See if we can authenticate using the peer credentials provided over a + * domain socket; if so, specify "PeerCred username" as the authentication + * information... 
+ */ + +- if (http->hostaddr->addr.sa_family == AF_LOCAL && +- !getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */ ++ if (!getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */ + cups_auth_find(www_auth, "PeerCred")) + { + /* +@@ -1104,7 +1088,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + return (0); + } + } +-# endif /* SO_PEERCRED && AF_LOCAL */ ++# endif /* SO_PEERCRED */ + + if ((schemedata = cups_auth_find(www_auth, "Local")) == NULL) + return (1); +@@ -1164,7 +1148,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ + return (0); + } + } ++#endif /* !_WIN32 && !__EMX__ && AF_LOCAL */ + + return (1); +-#endif /* _WIN32 || __EMX__ */ + } +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 1dd520d..56855fc 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -318,7 +318,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #ifdef HAVE_AUTHORIZATION_H + else if (!strncmp(authorization, "AuthRef ", 8) && +- httpAddrLocalhost(httpGetAddress(con->http))) ++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + OSStatus status; /* Status */ + char authdata[HTTP_MAX_VALUE]; +@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + #endif /* HAVE_AUTHORIZATION_H */ + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- else if (!strncmp(authorization, "PeerCred ", 9) && +- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) ++ else if (PeerCred != CUPSD_PEERCRED_OFF && ++ !strncmp(authorization, "PeerCred ", 9) && ++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL && con->best) + { + /* + * Use peer credentials from domain socket connection... 
+@@ -483,7 +483,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* SO_PEERCRED && AF_LOCAL */ + else if (!strncmp(authorization, "Local", 5) && +- httpAddrLocalhost(httpGetAddress(con->http))) ++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + /* + * Get Local certificate authentication data... +diff --git a/scheduler/client.c b/scheduler/client.c +index 779404c..dea9da0 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2173,7 +2173,7 @@ cupsdSendHeader( + strlcpy(auth_str, "Negotiate", sizeof(auth_str)); + } + +- if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) ++ if (con->best && !con->is_browser && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + /* + * Add a "trc" (try root certification) parameter for local +@@ -2193,7 +2193,7 @@ cupsdSendHeader( + auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str); + + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) ++ if (PeerCred != CUPSD_PEERCRED_OFF) + { + strlcpy(auth_key, ", PeerCred", auth_size); + auth_key += 10; +diff --git a/scheduler/ipp.c b/scheduler/ipp.c +index b0d1f5b..11dcd39 100644 +--- a/scheduler/ipp.c ++++ b/scheduler/ipp.c +@@ -5561,7 +5561,7 @@ create_local_printer( + * Require local access to create a local printer... 
+ */ + +- if (!httpAddrLocalhost(httpGetAddress(con->http))) ++ if (httpAddrFamily(httpGetAddress(con->http)) != AF_LOCAL) + { + send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer.")); + return; +@@ -5621,9 +5621,15 @@ create_local_printer( + + ptr = ippGetString(device_uri, 0, NULL); + +- if (!ptr || !ptr[0]) ++ if (!ptr || !ptr[0]) + { +- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri"); ++ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri"); + + return; + } ++ else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7)) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr); ++ ++ return; ++ } +diff --git a/scheduler/job.c b/scheduler/job.c +index 880c25f..6c033de 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -1164,35 +1164,39 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */ + } + else + { ++ char scheme[32], /* URI scheme */ ++ userpass[32], /* URI username:password */ ++ host[256], /* URI hostname */ ++ resource[1024]; /* URI resource path (filename) */ ++ int port; /* URI port number */ ++ ++ httpSeparateURI(HTTP_URI_CODING_ALL, job->printer->device_uri, scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource)); ++ + job->print_pipes[0] = -1; +- if (!strcmp(job->printer->device_uri, "file:/dev/null") || +- !strcmp(job->printer->device_uri, "file:///dev/null")) +- job->print_pipes[1] = -1; +- else ++ job->print_pipes[1] = -1; ++ ++ if (strcmp(resource, "/dev/null")) + { +- if (!strncmp(job->printer->device_uri, "file:/dev/", 10)) +- job->print_pipes[1] = open(job->printer->device_uri + 5, +- O_WRONLY | O_EXCL); +- else if (!strncmp(job->printer->device_uri, "file:///dev/", 12)) +- job->print_pipes[1] = open(job->printer->device_uri + 7, +- O_WRONLY | O_EXCL); +- else if 
(!strncmp(job->printer->device_uri, "file:///", 8)) +- job->print_pipes[1] = open(job->printer->device_uri + 7, +- O_WRONLY | O_CREAT | O_TRUNC, 0600); +- else +- job->print_pipes[1] = open(job->printer->device_uri + 5, +- O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ if (!FileDevice) ++ { ++ abort_message = "Stopping job because file: output is disabled."; + +- if (job->print_pipes[1] < 0) ++ goto abort_job; ++ } ++ else if ((job->print_pipes[1] = open(resource, O_WRONLY | O_EXCL)) < 0) + { +- abort_message = "Stopping job because the scheduler could not " +- "open the output file."; ++ abort_message = "Stopping job because the scheduler could not open the output file."; + + goto abort_job; + } ++ else ++ { ++ /* ++ * Close this file on execute... ++ */ + +- fcntl(job->print_pipes[1], F_SETFD, +- fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC); ++ fcntl(job->print_pipes[1], F_SETFD, fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC); ++ } + } + } + } +diff --git a/test/4.2-cups-printer-ops.test b/test/4.2-cups-printer-ops.test +index 1a011e0..945a9bb 100644 +--- a/test/4.2-cups-printer-ops.test ++++ b/test/4.2-cups-printer-ops.test +@@ -1,7 +1,7 @@ + # + # Verify that the CUPS printer operations work. + # +-# Copyright © 2020-2024 by OpenPrinting. ++# Copyright © 2020-2026 by OpenPrinting. + # Copyright © 2007-2019 by Apple Inc. + # Copyright © 2001-2006 by Easy Software Products. All rights reserved. 
+ # +@@ -180,7 +180,7 @@ + ATTR uri printer-uri $method://$hostname:$port/printers/Test2 + + GROUP printer +- ATTR uri device-uri file:/tmp/Test2 ++ ATTR uri device-uri file:///dev/null + ATTR enum printer-state 3 + ATTR boolean printer-is-accepting-jobs true + +@@ -206,7 +206,7 @@ + ATTR uri printer-uri $method://$hostname:$port/printers/Test1 + + GROUP printer +- ATTR uri device-uri file:/tmp/Test1 ++ ATTR uri device-uri file:///dev/null + ATTR enum printer-state 3 + ATTR boolean printer-is-accepting-jobs true + ATTR text printer-info "Test Printer 1" +diff --git a/test/5.1-lpadmin.sh b/test/5.1-lpadmin.sh +index aa39800..36f2822 100644 +--- a/test/5.1-lpadmin.sh ++++ b/test/5.1-lpadmin.sh +@@ -2,7 +2,7 @@ + # + # Test the lpadmin command. + # +-# Copyright © 2020-2024 by OpenPrinting. ++# Copyright © 2020-2026 by OpenPrinting. + # Copyright © 2007-2018 by Apple Inc. + # Copyright © 1997-2005 by Easy Software Products, all rights reserved. + # +@@ -12,8 +12,8 @@ + + echo "Add Printer Test" + echo "" +-echo " lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd" +-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1 ++echo " lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd" ++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1 + if test $? != 0; then + echo " FAILED" + exit 1 +@@ -29,8 +29,8 @@ echo "" + + echo "Modify Printer Test" + echo "" +-echo " lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4" +-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4 2>&1 ++echo " lpadmin -p Test3 -v file:///dev/null -o PageSize=A4" ++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -o PageSize=A4 2>&1 + if test $? 
!= 0; then + echo " FAILED" + exit 1 +@@ -65,8 +65,8 @@ echo "" + + echo "Add a printer for cupSNMP/IPPSupplies test" + echo "" +-echo " lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd" +-$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd 2>&1 ++echo " lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd" ++$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd 2>&1 + if test $? != 0; then + echo " FAILED" + exit 1 +-- +2.43.7
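Review bot: in the scheduler/job.c hunk, `open(resource, O_WRONLY | O_EXCL)` uses O_EXCL without O_CREAT, which POSIX leaves undefined; on Linux it is ignored for regular files and only requests exclusive access for block devices, so if the intent is to refuse anything but an existing device node, either say so in the comment or check the file type after the open. The same hunk drops the O_CREAT | O_TRUNC flags and the separate `file:///` (offset 7) and `file:/` (offset 5) prefix handling of the removed lines, and the new `FileDevice` gate aborts the job with "file: output is disabled"; that is a user-visible change for existing `file:` queues (the target must now already exist) and deserves a sentence in the patch description. `resource` and `FileDevice` are also not introduced anywhere in the visible part of the hunk, so please confirm the earlier part of this patch declares both against the 2.4.11 tree.

Review bot: the test hunks in test/4.2-cups-printer-ops.test and test/5.1-lpadmin.sh move every device-uri from `file:/tmp/TestN` or `file:/dev/null` to `file:///dev/null`, which is consistent with the scheduler no longer creating the output file; as a side effect the "Modify Printer Test" now re-applies the same `-v file:///dev/null` that "Add Printer Test" used, so the `-v` change is a no-op and that test only exercises `-o PageSize=A4`. If the intent was to verify that lpadmin can change the device-uri, point the modify step at a different existing device.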
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314
Date: Tue, 23 Jun 2026 04:30:30 -0700
Message-ID: <20260623113037.28968-6-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239356
From: Anil Dongare Pick the upstream patch [1] as mentioned in [2]. [1] https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4 [2] https://security-tracker.debian.org/tracker/CVE-2026-39314 Signed-off-by: Anil Dongare --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-39314.patch | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 2e6bf698e0..7bfa890b3d 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34980-regression_p2.patch \ file://CVE-2026-34979.patch \ file://CVE-2026-34990.patch \ + file://CVE-2026-39314.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39314.patch b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch new file mode 100644 index 0000000000..2ebefb3bc5 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch 
@@ -0,0 +1,56 @@ +From 65c463ada188915d6700d92ce48a9a14949ca413 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Sun, 5 Apr 2026 10:45:25 -0400 +Subject: [PATCH] Range check job-password-supported. + +CVE: CVE-2026-39314 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4] + +Backport Changes: +- Rebase CHANGES.md placement and cups/ppd-cache.c context to the CUPS 2.4.11 + source carried by this recipe. + +(cherry picked from commit 928a86b1b794f738f0a3dc87561b2e054bff7ce4) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 1 + + cups/ppd-cache.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index 4eeebef..082b9f7 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -15,6 +15,7 @@ Changes in CUPS v2.4.10 (2024-06-18) + job's options string. + - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the + loopback interface. ++- Fixed the range check for job password strings. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index e750fcc..08e0db8 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -1,7 +1,7 @@ + /* + * PPD cache implementation for CUPS. + * +- * Copyright © 2022-2024 by OpenPrinting. ++ * Copyright © 2022-2026 by OpenPrinting. + * Copyright © 2010-2021 by Apple Inc. + * + * Licensed under Apache License v2.0. See the file "LICENSE" for more +@@ -3432,7 +3432,7 @@ _ppdCreateFromIPP2( + * Password/PIN printing... 
+ */ + +- if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL) ++ if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL && ippGetInteger(attr, 0) > 0) + { + char pattern[33]; /* Password pattern */ + int maxlen = ippGetInteger(attr, 0); +-- +2.43.7 +
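Review bot: in the cups/ppd-cache.c hunk the added `ippGetInteger(attr, 0) > 0` only rejects non-positive values, while the `char pattern[33]` declared two lines later holds at most 32 characters plus the terminator; the lines that fill `pattern` from `maxlen` are outside the hunk, so either confirm that they clamp `maxlen` to 32 or extend the condition to `... > 0 && ippGetInteger(attr, 0) <= 32` so the range check is complete at the point where `maxlen` is set.

Review bot: the CHANGES.md entry "Fixed the range check for job password strings" omits the CVE identifier that the adjacent entries carry (e.g. `- CVE-2026-34990: ...`); prefix it with `CVE-2026-39314:` so the changelog matches the `CVE:` line of the patch header.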
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316
Date: Tue, 23 Jun 2026 04:30:31 -0700
Message-ID: <20260623113037.28968-7-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239353

From: Anil Dongare

Pick the upstream patch [1] as mentioned in [2].

[1] https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f
[2] https://security-tracker.debian.org/tracker/CVE-2026-39316
Signed-off-by: Anil Dongare --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-39316.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 7bfa890b3d..c2bf572bf5 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34979.patch \ file://CVE-2026-34990.patch \ file://CVE-2026-39314.patch \ + file://CVE-2026-39316.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch new file mode 100644 index 0000000000..4b43a7b41b --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch 
@@ -0,0 +1,51 @@ +From 7c4d7951d189e931563f21086196d5a55fb2fa15 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Sun, 5 Apr 2026 11:33:23 -0400 +Subject: [PATCH] Expire per-printer subscriptions before deleting. + +CVE: CVE-2026-39316 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f] + +Backport Changes: +- Rebase CHANGES.md placement and scheduler/printers.c delete-printer context + to the CUPS 2.4.11 source carried by this recipe. + +(cherry picked from commit 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f) +Signed-off-by: Anil Dongare +--- + CHANGES.md | 1 + + scheduler/printers.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/CHANGES.md b/CHANGES.md +index 082b9f7..cde280d 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -16,6 +16,7 @@ Changes in CUPS v2.4.10 (2024-06-18) + - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the + loopback interface. + - Fixed the range check for job password strings. ++- Fixed a printer subscription bug in the scheduler. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/scheduler/printers.c b/scheduler/printers.c +index bf493a3..ca983f9 100644 +--- a/scheduler/printers.c ++++ b/scheduler/printers.c +@@ -641,6 +641,12 @@ cupsdDeletePrinter( + update ? "Job stopped due to printer being deleted." : + "Job stopped."); + ++ /* ++ * Expire subscriptions on the printer... ++ */ ++ ++ cupsdExpireSubscriptions(p, /*job*/NULL); ++ + /* + * Remove the printer from the list... 
+ */ +-- +2.43.7 +
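Review bot: the CHANGES.md entry "Fixed a printer subscription bug in the scheduler" neither names CVE-2026-39316 nor says what the scheduler/printers.c hunk does (expire the printer's subscriptions before the printer is removed from the list); reword it along the lines of the patch subject and prefix it with the CVE identifier as the adjacent entries do.

Review bot: in the scheduler/printers.c hunk, `cupsdExpireSubscriptions(p, /*job*/NULL);` is inserted after the printer's jobs are stopped and before "Remove the printer from the list...", which is the right place for subscriptions that still refer to `p`; since the backport notes say this context was rebased onto 2.4.11, please confirm that `cupsdExpireSubscriptions` has the (printer, job) signature in that tree, because nothing in the hunk's context shows the prototype.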
From: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Anil Dongare
Subject: [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
Date: Tue, 23 Jun 2026 04:30:32 -0700
Message-ID: <20260623113037.28968-8-adongare@cisco.com>
In-Reply-To: <20260623113037.28968-1-adongare@cisco.com>
References: <20260623113037.28968-1-adongare@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239354

From: Anil Dongare

Pick the upstream patch [1] as mentioned in [2].

[1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
[2] https://security-tracker.debian.org/tracker/CVE-2026-41079

Signed-off-by: Anil Dongare --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-27447.patch | 4 +- .../cups/cups/CVE-2026-34978.patch | 25 +++++-- .../cups/CVE-2026-34980-regression_p2.patch | 8 +-- .../cups/cups/CVE-2026-34990.patch | 19 ++--- .../cups/cups/CVE-2026-41079.patch | 72 +++++++++++++++++++ 6 files changed, 106 insertions(+), 23 deletions(-) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index c2bf572bf5..64f71c9465 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34990.patch \ file://CVE-2026-39314.patch \ file://CVE-2026-39316.patch \ + file://CVE-2026-41079.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch index 77a26dae64..1884acfa9f 100644 --- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch @@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md index 4a2e25d..0da2c55 100644 --- a/CHANGES.md +++ b/CHANGES.md -@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18) +@@ -21,6 +21,8 @@ Changes in CUPS v2.4.10 (2024-06-18) - ----------------------------- + ------------------------------------ +- CVE-2026-27447: The scheduler treated local user and group names as case- + insensitive. diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch index d05bc85588..b4b83a41d0 100644 --- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch @@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md index 7a5e8813f..429ee874f 100644 --- a/CHANGES.md +++ b/CHANGES.md -@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30) - Changes in CUPS v2.4.10 (2024-06-18) - ------------------------------------ - +@@ -24,6 +24,8 @@ - CVE-2026-27447: The scheduler treated local user and group names as case- insensitive. -- Fixed cupsd crash if user does not exist (Issue #1555) + - Fixed cupsd crash if user does not exist (Issue #1555) +- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS + directory. - Fixed error handling when reading a mixed `1setOf` attribute. 
@@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644 + { + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); + ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES); ++ return; ++ } + } + else if (!strcmp(attr->name, "notify-pull-method") && + attr->value_tag == IPP_TAG_KEYWORD) +@@ -6010,6 +6016,12 @@ create_subscriptions( + "notify-status-code", IPP_ATTRIBUTES); + return; + } ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL) ++ { ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient); ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES); ++ return; ++ } + } + else if (!strcmp(attr->name, "notify-pull-method") && + attr->value_tag == IPP_TAG_KEYWORD) diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch index 73846cb8a3..0cf63b10af 100644 --- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch @@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644 # # Test the lp command. # --# Copyright © 2020-2024 by OpenPrinting. -+# Copyright © 2020-2026 by OpenPrinting. - # Copyright © 2007-2019 by Apple Inc. - # Copyright © 1997-2005 by Easy Software Products, all rights reserved. +-# Copyright © 2020-2024 by OpenPrinting. ++# Copyright © 2020-2026 by OpenPrinting. + # Copyright © 2007-2019 by Apple Inc. + # Copyright © 1997-2005 by Easy Software Products, all rights reserved. # @@ -72,8 +72,8 @@ echo "" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch index e3d6e10a23..916cdc09a3 100644 --- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch 
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch @@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644 { OSStatus status; /* Status */ char authdata[HTTP_MAX_VALUE]; -@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ +@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ #endif /* HAVE_AUTHORIZATION_H */ #if defined(SO_PEERCRED) && defined(AF_LOCAL) -- else if (!strncmp(authorization, "PeerCred ", 9) && +- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && - con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) + else if (PeerCred != CUPSD_PEERCRED_OFF && + !strncmp(authorization, "PeerCred ", 9) && @@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644 { send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer.")); return; -@@ -5621,9 +5621,15 @@ create_local_printer( - - ptr = ippGetString(device_uri, 0, NULL); - -- if (!ptr || !ptr[0]) -+ if (!ptr || !ptr[0]) - { -- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri"); -+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri"); +@@ -5634,6 +5634,12 @@ create_local_printer( return; } + else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7)) + { + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr); -+ ++ + return; + } + + printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI); + printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT); diff --git a/scheduler/job.c b/scheduler/job.c index 880c25f..6c033de 100644 --- a/scheduler/job.c diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch new file mode 100644 index 0000000000..f216c84e30 --- /dev/null 
+++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch 
@@ -0,0 +1,72 @@ +From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Mon, 13 Apr 2026 11:50:23 -0400 +Subject: [PATCH] Limit num_bytes for SNMP string values. + +CVE: CVE-2026-41079 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080] + +(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080) +Signed-off-by: Anil Dongare +--- + cups/snmp-private.h | 6 +++--- + cups/snmp.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/cups/snmp-private.h b/cups/snmp-private.h +index 52b8740..015f53e 100644 +--- a/cups/snmp-private.h ++++ b/cups/snmp-private.h +@@ -1,7 +1,7 @@ + /* + * Private SNMP definitions for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. ++ * Copyright © 2020-2026 by OpenPrinting. + * Copyright © 2007-2014 by Apple Inc. + * Copyright © 2006-2007 by Easy Software Products, all rights reserved. + * +@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/ + + typedef struct cups_snmp_string_s /**** String value ****/ + { +- unsigned char bytes[CUPS_SNMP_MAX_STRING]; +- /* Bytes in string */ + unsigned num_bytes; /* Number of bytes */ ++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1]; ++ /* Bytes in string */ + } cups_snmp_string_t; + + union cups_snmp_value_u /**** Object value ****/ +diff --git a/cups/snmp.c b/cups/snmp.c +index 54e348f..3222ff3 100644 +--- a/cups/snmp.c ++++ b/cups/snmp.c +@@ -1,7 +1,7 @@ + /* + * SNMP functions for CUPS. + * +- * Copyright © 2020-2024 by OpenPrinting. ++ * Copyright © 2020-2026 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 2006-2007 by Easy Software Products, all rights reserved. 
+ * +@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */ + case CUPS_ASN1_OCTET_STRING : + case CUPS_ASN1_BIT_STRING : + case CUPS_ASN1_HEX_STRING : +- packet->object_value.string.num_bytes = length; + asn1_get_string(&bufptr, bufend, length, + (char *)packet->object_value.string.bytes, + sizeof(packet->object_value.string.bytes)); ++ ++ if (length >= sizeof(packet->object_value.string.bytes)) ++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1; ++ else ++ packet->object_value.string.num_bytes = length; + break; + + case CUPS_ASN1_OID : +-- +2.43.7 +
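Review bot: this change edits four previously applied patch files (CVE-2026-27447.patch, CVE-2026-34978.patch, CVE-2026-34980-regression_p2.patch and CVE-2026-34990.patch) in addition to adding CVE-2026-41079.patch, but the commit message only says "Pick the upstream patch [1]"; those fixups are not part of the upstream commit and need their own description or their own commit. The CVE-2026-34978.patch hunk in particular is not a context rebase: it adds a `return;` and a closing `}` to the first `rss` check (so the request no longer continues after `send_ipp_status()` reports the bad notify-recipient-uri) and adds an entire new hunk at `create_subscriptions()` with the same `strstr(resource, "../")` check, i.e. it changes what the earlier CVE fix does.

Review bot: in the CVE-2026-34990.patch fixup, the removed line of the cupsdAuthorize() hunk becomes `- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&` and the header goes from `-399,7 +399,8` to `-399,6 +399,7`, so the 2.4.11 tree already carries the PeerCred gate on that line; the create_local_printer() part drops the whitespace-only `!ptr || !ptr[0]` and `send_ipp_status(...)` rewrites and a stray blank `+` line. Together with the leading-space fix in CVE-2026-34980-regression_p2.patch and the `@@ -21,6 +21,8 @@ Changes in CUPS v2.4.10 (2024-06-18)` header in CVE-2026-27447.patch these are apply-cleanly corrections; one sentence in the commit message saying so would save the next backporter from re-deriving it.

Review bot: in the cups/snmp.c hunk, `num_bytes` is now assigned after `asn1_get_string()` and clamped to `sizeof(packet->object_value.string.bytes) - 1` when `length >= sizeof(...)`, whereas the removed `packet->object_value.string.num_bytes = length;` stored the wire length even when `asn1_get_string()` had truncated the copy to the buffer size; together with the `bytes[CUPS_SNMP_MAX_STRING + 1]` growth in cups/snmp-private.h this keeps `num_bytes` within the stored data and leaves room for a terminator. Note that the snmp-private.h hunk also moves `num_bytes` ahead of `bytes`, which changes the layout of `cups_snmp_string_t` and `cups_snmp_value_u`; that is acceptable for a private header, but unlike patches 6/8 and 7/8 this one carries no CHANGES.md entry, so add a `CVE-2026-41079:` line there for consistency.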