From: "Yoann Congal" <yoann.congal@smile.fr>
To: <adongare@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>, <to@cisco.com>
Subject: Re: [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
Date: Sun, 28 Jun 2026 23:57:20 +0200 [thread overview]
Message-ID: <DJL0OIF53N7U.2AAPEB2LOEEDT@smile.fr> (raw)
In-Reply-To: <20260623113037.28968-8-adongare@cisco.com>
On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream patch [1] as mentioned in [2].
>
> [1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
> [2] https://security-tracker.debian.org/tracker/CVE-2026-41079
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
As far as I know, this fix is also needed on wrynose:
CVE-2026-41079 impacts "up to 2.4.17 excluding" per NVD and wrynose has 2.4.16.
Can you send a fix for wrynose so I can take this one for scarthgap?
> ---
> meta/recipes-extended/cups/cups.inc | 1 +
> .../cups/cups/CVE-2026-27447.patch | 4 +-
> .../cups/cups/CVE-2026-34978.patch | 25 +++++--
> .../cups/CVE-2026-34980-regression_p2.patch | 8 +--
> .../cups/cups/CVE-2026-34990.patch | 19 ++---
> .../cups/cups/CVE-2026-41079.patch | 72 +++++++++++++++++++
This patch touches a lot of patches added previously in the series. I
think this is a mistake and those changes should either be dropped or
squashed in the proper commit.
Can you send a v2 of the whole series with this cleaned up?
Please split CVE-2026-41079 and CVE-2026-27447 into another series as
those need a wrynose fix.
Thanks!
> 6 files changed, 106 insertions(+), 23 deletions(-)
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
>
> diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
> index c2bf572bf5..64f71c9465 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
> file://CVE-2026-34990.patch \
> file://CVE-2026-39314.patch \
> file://CVE-2026-39316.patch \
> + file://CVE-2026-41079.patch \
> "
>
> GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> index 77a26dae64..1884acfa9f 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> @@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
> index 4a2e25d..0da2c55 100644
> --- a/CHANGES.md
> +++ b/CHANGES.md
> -@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
> +@@ -21,6 +21,8 @@
> Changes in CUPS v2.4.10 (2024-06-18)
> - -----------------------------
> + ------------------------------------
>
> +- CVE-2026-27447: The scheduler treated local user and group names as case-
> + insensitive.
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> index d05bc85588..b4b83a41d0 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> @@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
> index 7a5e8813f..429ee874f 100644
> --- a/CHANGES.md
> +++ b/CHANGES.md
> -@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
> - Changes in CUPS v2.4.10 (2024-06-18)
> - ------------------------------------
> -
> +@@ -24,6 +24,8 @@
> - CVE-2026-27447: The scheduler treated local user and group names as case-
> insensitive.
> -- Fixed cupsd crash if user does not exist (Issue #1555)
> + - Fixed cupsd crash if user does not exist (Issue #1555)
> +- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
> + directory.
> - Fixed error handling when reading a mixed `1setOf` attribute.
> @@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
> + {
> + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> + ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++ return;
> ++ }
> + }
> + else if (!strcmp(attr->name, "notify-pull-method") &&
> + attr->value_tag == IPP_TAG_KEYWORD)
> +@@ -6010,6 +6016,12 @@ create_subscriptions(
> + "notify-status-code", IPP_ATTRIBUTES);
> + return;
> + }
> ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
> ++ {
> ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++ return;
> ++ }
> + }
> + else if (!strcmp(attr->name, "notify-pull-method") &&
> + attr->value_tag == IPP_TAG_KEYWORD)
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> index 73846cb8a3..0cf63b10af 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> @@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
> #
> # Test the lp command.
> #
> --# Copyright © 2020-2024 by OpenPrinting.
> -+# Copyright © 2020-2026 by OpenPrinting.
> - # Copyright © 2007-2019 by Apple Inc.
> - # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> +-# Copyright © 2020-2024 by OpenPrinting.
> ++# Copyright © 2020-2026 by OpenPrinting.
> + # Copyright © 2007-2019 by Apple Inc.
> + # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> #
> @@ -72,8 +72,8 @@ echo ""
>
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> index e3d6e10a23..916cdc09a3 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> @@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
> {
> OSStatus status; /* Status */
> char authdata[HTTP_MAX_VALUE];
> -@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
> +@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
> #endif /* HAVE_AUTHORIZATION_H */
> #if defined(SO_PEERCRED) && defined(AF_LOCAL)
> -- else if (!strncmp(authorization, "PeerCred ", 9) &&
> +- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
> - con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
> + else if (PeerCred != CUPSD_PEERCRED_OFF &&
> + !strncmp(authorization, "PeerCred ", 9) &&
> @@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
> {
> send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
> return;
> -@@ -5621,9 +5621,15 @@ create_local_printer(
> -
> - ptr = ippGetString(device_uri, 0, NULL);
> -
> -- if (!ptr || !ptr[0])
> -+ if (!ptr || !ptr[0])
> - {
> -- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> -+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> +@@ -5634,6 +5634,12 @@ create_local_printer(
>
> return;
> }
> + else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
> + {
> + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
> -+
> ++
> + return;
> + }
> +
> + printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
> + printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
> diff --git a/scheduler/job.c b/scheduler/job.c
> index 880c25f..6c033de 100644
> --- a/scheduler/job.c
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> new file mode 100644
> index 0000000000..f216c84e30
> --- /dev/null
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> @@ -0,0 +1,72 @@
> +From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
> +From: Michael R Sweet <msweet@msweet.org>
> +Date: Mon, 13 Apr 2026 11:50:23 -0400
> +Subject: [PATCH] Limit num_bytes for SNMP string values.
> +
> +CVE: CVE-2026-41079
> +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
> +
> +(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + cups/snmp-private.h | 6 +++---
> + cups/snmp.c | 8 ++++++--
> + 2 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/cups/snmp-private.h b/cups/snmp-private.h
> +index 52b8740..015f53e 100644
> +--- a/cups/snmp-private.h
> ++++ b/cups/snmp-private.h
> +@@ -1,7 +1,7 @@
> + /*
> + * Private SNMP definitions for CUPS.
> + *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> + * Copyright © 2007-2014 by Apple Inc.
> + * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> + *
> +@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
> +
> + typedef struct cups_snmp_string_s /**** String value ****/
> + {
> +- unsigned char bytes[CUPS_SNMP_MAX_STRING];
> +- /* Bytes in string */
> + unsigned num_bytes; /* Number of bytes */
> ++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
> ++ /* Bytes in string */
> + } cups_snmp_string_t;
> +
> + union cups_snmp_value_u /**** Object value ****/
> +diff --git a/cups/snmp.c b/cups/snmp.c
> +index 54e348f..3222ff3 100644
> +--- a/cups/snmp.c
> ++++ b/cups/snmp.c
> +@@ -1,7 +1,7 @@
> + /*
> + * SNMP functions for CUPS.
> + *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> + * Copyright © 2007-2019 by Apple Inc.
> + * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> + *
> +@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
> + case CUPS_ASN1_OCTET_STRING :
> + case CUPS_ASN1_BIT_STRING :
> + case CUPS_ASN1_HEX_STRING :
> +- packet->object_value.string.num_bytes = length;
> + asn1_get_string(&bufptr, bufend, length,
> + (char *)packet->object_value.string.bytes,
> + sizeof(packet->object_value.string.bytes));
> ++
> ++ if (length >= sizeof(packet->object_value.string.bytes))
> ++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
> ++ else
> ++ packet->object_value.string.num_bytes = length;
> + break;
> +
> + case CUPS_ASN1_OID :
> +--
> +2.43.7
> +
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-06-28 21:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:57 ` Yoann Congal [this message]
2026-07-15 13:25 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
2026-07-15 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJL0OIF53N7U.2AAPEB2LOEEDT@smile.fr \
--to=yoann.congal@smile.fr \
--cc=adongare@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=to@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.