* [OE-core] [wrynose] [PATCH 1/2] cups: fix CVE-2026-27447
@ 2026-07-01 4:52 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-01 4:52 ` [OE-core] [wrynose] [PATCH 2/2] cups: fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 1 reply; 2+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-07-01 4:52 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream fix [1] for CVE-2026-27447 as referenced by Debian [2].
Also include the two upstream regression fixes that followed the CVE fix:
- CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the referenced
user does not exist on the server. This regression was reported in
OpenPrinting/cups Issue [5].
- CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print policies for
non-local accounts. This regression was reported in OpenPrinting/cups Issue [6].
[1] https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
[2] https://security-tracker.debian.org/tracker/CVE-2026-27447
[3] https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
[4] https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
[5] https://github.com/OpenPrinting/cups/issues/1555
[6] https://github.com/OpenPrinting/cups/issues/1557
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 3 +
.../cups/CVE-2026-27447-regression_p1.patch | 46 +++++++
.../cups/CVE-2026-27447-regression_p2.patch | 58 +++++++++
.../cups/cups/CVE-2026-27447.patch | 120 ++++++++++++++++++
4 files changed, 227 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 194b9c2638..49b828506a 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -21,6 +21,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
file://CVE-2026-39316.patch \
+ file://CVE-2026-27447.patch \
+ file://CVE-2026-27447-regression_p1.patch \
+ file://CVE-2026-27447-regression_p2.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
new file mode 100644
index 0000000000..bbd44913d3
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
@@ -0,0 +1,46 @@
+From c4c0a46b266bd227fa3925ad08556a620da342ae Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 22 Apr 2026 12:40:14 +0200
+Subject: [PATCH] Fix cupsd crash if user does not exist on server
+
+CVE: CVE-2026-27447
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562]
+
+Backport Changes:
+- Rebase CHANGES.md context to the CUPS 2.4.16 changelog section.
+
+(cherry picked from commit 6d97ee39fedf12a7a5429a74f4156ef9bb67f562)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index d591ead..16e9527 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -7,6 +7,7 @@ Changes in CUPS v2.4.16 (2025-12-04)
+
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
++- Fixed cupsd crash if user does not exist (Issue #1555)
+ - `cupsUTF8ToCharset` didn't validate 2-byte UTF-8 sequences, potentially
+ reading past the end of the source string (Issue #1438)
+ - The web interface did not support domain usernames fully (Issue #1441)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 3e7041e..d5f564e 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1835,7 +1835,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+--
+2.43.7
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
new file mode 100644
index 0000000000..69b7ea962c
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
@@ -0,0 +1,58 @@
+From 6a712bd3b5236df3e1bd145e89ea1108fb860d8b Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Fri, 24 Apr 2026 14:06:06 -0400
+Subject: [PATCH] Fix unauthenticated print policies (Issue #1557)
+
+CVE: CVE-2026-27447
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0]
+
+Backport Changes:
+- Rebase CHANGES.md context to the CUPS 2.4.16 changelog section.
+
+(cherry picked from commit 849fba7d7a1144e48d45c5e6ba2504765912ece0)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/auth.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 16e9527..47b394b 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -8,6 +8,7 @@ Changes in CUPS v2.4.16 (2025-12-04)
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
+ - Fixed cupsd crash if user does not exist (Issue #1555)
++- Fixed a regression in shared printing from non-local accounts (Issue #1557)
+ - `cupsUTF8ToCharset` didn't validate 2-byte UTF-8 sequences, potentially
+ reading past the end of the source string (Issue #1438)
+ - The web interface did not support domain usernames fully (Issue #1441)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index d5f564e..7e211ff 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1835,8 +1835,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+- !strcmp(pw->pw_name, ownername))
++ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ ((pw && !strcmp(pw->pw_name, ownername)) ||
++ (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername))))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1850,6 +1851,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ }
+ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
++ else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name))
++ return (HTTP_STATUS_OK);
+ }
+
+ for (name = (char *)cupsArrayFirst(best->names);
+--
+2.43.7
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
new file mode 100644
index 0000000000..b73377ce4d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
@@ -0,0 +1,120 @@
+From f792687607462386ea3778fac5e0394da09c8a72 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:04:21 -0400
+Subject: [PATCH] CVE-2026-27447: The scheduler treated local user and group
+ names as case-insensitive.
+
+CVE: CVE-2026-27447
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb]
+
+Backport Changes:
+- Rebase CHANGES.md context to the CUPS 2.4.16 changelog section.
+
+(cherry picked from commit a0c62c1e69604ff061089b750073199fab5a1beb)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/auth.c | 31 +++++++++++++++----------------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 78a9a94..d591ead 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -5,6 +5,8 @@ CHANGES - OpenPrinting CUPS
+ Changes in CUPS v2.4.16 (2025-12-04)
+ ------------------------------------
+
++- CVE-2026-27447: The scheduler treated local user and group names as case-
++ insensitive.
+ - `cupsUTF8ToCharset` didn't validate 2-byte UTF-8 sequences, potentially
+ reading past the end of the source string (Issue #1438)
+ - The web interface did not support domain usernames fully (Issue #1441)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 18ac443..3e7041e 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1,7 +1,7 @@
+ /*
+ * Authorization routines for the CUPS scheduler.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1184,7 +1184,7 @@ cupsdCheckGroup(
+ group = getgrnam(groupname);
+ endgrent();
+
+- if (group != NULL)
++ if (user && group)
+ {
+ /*
+ * Group exists, check it...
+@@ -1198,7 +1198,7 @@ cupsdCheckGroup(
+ * User appears in the group membership...
+ */
+
+- if (!_cups_strcasecmp(username, group->gr_mem[i]))
++ if (!strcmp(user->pw_name, group->gr_mem[i]))
+ return (1);
+ }
+
+@@ -1209,25 +1209,24 @@ cupsdCheckGroup(
+ * belongs to...
+ */
+
+- if (user)
+- {
+- int ngroups; /* Number of groups */
++ int ngroups; /* Number of groups */
+ # ifdef __APPLE__
+- int groups[2048]; /* Groups that user belongs to */
++ int groups[2048]; /* Groups that user belongs to */
+ # else
+- gid_t groups[2048]; /* Groups that user belongs to */
++ gid_t groups[2048]; /* Groups that user belongs to */
+ # endif /* __APPLE__ */
+
+- ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
++ ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+ # ifdef __APPLE__
+- getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups);
+ # else
+- getgrouplist(username, user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
+ #endif /* __APPLE__ */
+
+- for (i = 0; i < ngroups; i ++)
+- if ((int)groupid == (int)groups[i])
+- return (1);
++ for (i = 0; i < ngroups; i ++)
++ {
++ if ((int)groupid == (int)groups[i])
++ return (1);
+ }
+ #endif /* HAVE_GETGROUPLIST */
+ }
+@@ -1837,7 +1836,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name = (char *)cupsArrayNext(best->names))
+ {
+ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+- !_cups_strcasecmp(username, ownername))
++ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1849,7 +1848,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ if (cupsdCheckGroup(username, pw, name + 1))
+ return (HTTP_OK);
+ }
+- else if (!_cups_strcasecmp(username, name))
++ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
+ }
+
+--
+2.43.7
--
2.44.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [OE-core] [wrynose] [PATCH 2/2] cups: fix CVE-2026-41079
2026-07-01 4:52 [OE-core] [wrynose] [PATCH 1/2] cups: fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-07-01 4:52 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 0 replies; 2+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-07-01 4:52 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream fix [1] for CVE-2026-41079 as referenced by Debian [2].
[1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
[2] https://security-tracker.debian.org/tracker/CVE-2026-41079
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-41079.patch | 73 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 49b828506a..9f5d5fe726 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -24,6 +24,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-27447.patch \
file://CVE-2026-27447-regression_p1.patch \
file://CVE-2026-27447-regression_p2.patch \
+ file://CVE-2026-41079.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
new file mode 100644
index 0000000000..2392a77311
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
@@ -0,0 +1,73 @@
+From a331e93e2f9baf411715ef69ae19b73827da23d7 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 13 Apr 2026 11:50:23 -0400
+Subject: [PATCH] Limit num_bytes for SNMP string values.
+
+CVE: CVE-2026-41079
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
+
+(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ cups/snmp-private.h | 6 +++---
+ cups/snmp.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/cups/snmp-private.h b/cups/snmp-private.h
+index 52b8740..015f53e 100644
+--- a/cups/snmp-private.h
++++ b/cups/snmp-private.h
+@@ -1,7 +1,7 @@
+ /*
+ * Private SNMP definitions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2014 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
+
+ typedef struct cups_snmp_string_s /**** String value ****/
+ {
+- unsigned char bytes[CUPS_SNMP_MAX_STRING];
+- /* Bytes in string */
+ unsigned num_bytes; /* Number of bytes */
++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
++ /* Bytes in string */
+ } cups_snmp_string_t;
+
+ union cups_snmp_value_u /**** Object value ****/
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 54e348f..2fcb38d 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1,7 +1,7 @@
+ /*
+ * SNMP functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
+ case CUPS_ASN1_OCTET_STRING :
+ case CUPS_ASN1_BIT_STRING :
+ case CUPS_ASN1_HEX_STRING :
+- packet->object_value.string.num_bytes = length;
+ asn1_get_string(&bufptr, bufend, length,
+ (char *)packet->object_value.string.bytes,
+ sizeof(packet->object_value.string.bytes));
++
++ if (length >= sizeof(packet->object_value.string.bytes))
++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
++ else
++ packet->object_value.string.num_bytes = length;
+ break;
+
+ case CUPS_ASN1_OID :
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-01 4:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 4:52 [OE-core] [wrynose] [PATCH 1/2] cups: fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-01 4:52 ` [OE-core] [wrynose] [PATCH 2/2] cups: fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox