* [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447
@ 2026-06-23 11:30 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (7 more replies)
0 siblings, 8 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream backport [1] for CVE-2026-27447 as mentioned in [2], where
the scheduler treated local user and group names as case-insensitive.
Also include the two upstream regression fixes that followed the CVE
fix:
- CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the
referenced user does not exist on the server. This regression was
reported in OpenPrinting/cups Issue [5].
- CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print
policies for non-local accounts. This regression was reported in
OpenPrinting/cups Issue [6].
[1] https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
[2] https://security-tracker.debian.org/tracker/CVE-2026-27447
[3] https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
[4] https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
[5] https://github.com/OpenPrinting/cups/issues/1555
[6] https://github.com/OpenPrinting/cups/issues/1557
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 3 +
.../cups/CVE-2026-27447-regression_p1.patch | 48 +++++++
.../cups/CVE-2026-27447-regression_p2.patch | 46 +++++++
.../cups/cups/CVE-2026-27447.patch | 120 ++++++++++++++++++
4 files changed, 217 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index c7475d2b81..ec9392b73d 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,6 +20,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2025-58436.patch \
file://CVE-2025-61915.patch \
file://0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch \
+ file://CVE-2026-27447.patch \
+ file://CVE-2026-27447-regression_p1.patch \
+ file://CVE-2026-27447-regression_p2.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
new file mode 100644
index 0000000000..85aadfde00
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
@@ -0,0 +1,48 @@
+From 6d97ee39fedf12a7a5429a74f4156ef9bb67f562 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 22 Apr 2026 12:40:14 +0200
+Subject: [PATCH] Fix cupsd crash if user does not exist on server
+
+CVE: CVE-2026-27447
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562]
+
+Backport Changes:
+- Adapt the upstream CHANGES.md section for CUPS v2.4.18 to the
+ downstream CUPS v2.4.11 changelog.
+
+(cherry picked from commit 6d97ee39fedf12a7a5429a74f4156ef9bb67f562)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 0da2c55..59c131e 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -6,6 +6,7 @@ Changes in CUPS v2.4.10 (2024-06-18)
+
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
++- Fixed cupsd crash if user does not exist (Issue #1555)
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 1678a29..4798e86 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1810,7 +1810,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+--
+2.43.7
+
+
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
new file mode 100644
index 0000000000..1d44306be0
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
@@ -0,0 +1,46 @@
+From 849fba7d7a1144e48d45c5e6ba2504765912ece0 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Fri, 24 Apr 2026 14:06:06 -0400
+Subject: [PATCH] Fix unauthenticated print policies (Issue #1557)
+
+CVE: CVE-2026-27447
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0]
+
+Backport Changes:
+- Drop the upstream CHANGES.md section for CUPS v2.4.19.
+
+(cherry picked from commit 849fba7d7a1144e48d45c5e6ba2504765912ece0)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ scheduler/auth.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 4798e86..1dd520d 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1810,8 +1810,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name;
+ name = (char *)cupsArrayNext(best->names))
+ {
+- if (!_cups_strcasecmp(name, "@OWNER") && owner && pw &&
+- !strcmp(pw->pw_name, ownername))
++ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
++ ((pw && !strcmp(pw->pw_name, ownername)) ||
++ (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername))))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1825,6 +1826,8 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ }
+ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
++ else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name))
++ return (HTTP_STATUS_OK);
+ }
+
+ for (name = (char *)cupsArrayFirst(best->names);
+--
+2.43.7
+
+
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
new file mode 100644
index 0000000000..77a26dae64
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
@@ -0,0 +1,120 @@
+From 37b8a4387864eded1a15a45db8950a23e5c610d2 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:04:21 -0400
+Subject: [PATCH] CVE-2026-27447: The scheduler treated local user and group
+ names as case-insensitive.
+
+CVE: CVE-2026-27447
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb]
+
+Backport Changes:
+- Rebase CHANGES.md and scheduler/auth.c context to the CUPS 2.4.11 source
+ carried by this recipe.
+
+(cherry picked from commit a0c62c1e69604ff061089b750073199fab5a1beb)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/auth.c | 31 +++++++++++++++----------------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 4a2e25d..0da2c55 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
+ Changes in CUPS v2.4.10 (2024-06-18)
+ -----------------------------
+
++- CVE-2026-27447: The scheduler treated local user and group names as case-
++ insensitive.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index d0430b4..1678a29 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -1,7 +1,7 @@
+ /*
+ * Authorization routines for the CUPS scheduler.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1159,7 +1159,7 @@ cupsdCheckGroup(
+ group = getgrnam(groupname);
+ endgrent();
+
+- if (group != NULL)
++ if (user && group)
+ {
+ /*
+ * Group exists, check it...
+@@ -1173,7 +1173,7 @@ cupsdCheckGroup(
+ * User appears in the group membership...
+ */
+
+- if (!_cups_strcasecmp(username, group->gr_mem[i]))
++ if (!strcmp(user->pw_name, group->gr_mem[i]))
+ return (1);
+ }
+
+@@ -1184,25 +1184,24 @@ cupsdCheckGroup(
+ * belongs to...
+ */
+
+- if (user)
+- {
+- int ngroups; /* Number of groups */
++ int ngroups; /* Number of groups */
+ # ifdef __APPLE__
+- int groups[2048]; /* Groups that user belongs to */
++ int groups[2048]; /* Groups that user belongs to */
+ # else
+- gid_t groups[2048]; /* Groups that user belongs to */
++ gid_t groups[2048]; /* Groups that user belongs to */
+ # endif /* __APPLE__ */
+
+- ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
++ ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+ # ifdef __APPLE__
+- getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups);
+ # else
+- getgrouplist(username, user->pw_gid, groups, &ngroups);
++ getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
+ #endif /* __APPLE__ */
+
+- for (i = 0; i < ngroups; i ++)
+- if ((int)groupid == (int)groups[i])
+- return (1);
++ for (i = 0; i < ngroups; i ++)
++ {
++ if ((int)groupid == (int)groups[i])
++ return (1);
+ }
+ #endif /* HAVE_GETGROUPLIST */
+ }
+@@ -1812,7 +1811,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ name = (char *)cupsArrayNext(best->names))
+ {
+ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+- !_cups_strcasecmp(username, ownername))
++ !strcmp(pw->pw_name, ownername))
+ return (HTTP_OK);
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
+ {
+@@ -1824,7 +1823,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
+ if (cupsdCheckGroup(username, pw, name + 1))
+ return (HTTP_OK);
+ }
+- else if (!_cups_strcasecmp(username, name))
++ else if (pw && !strcmp(pw->pw_name, name))
+ return (HTTP_OK);
+ }
+
+--
+2.43.7
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (6 subsequent siblings)
7 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568
[2] https://security-tracker.debian.org/tracker/CVE-2026-34978
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-34978.patch | 102 ++++++++++++++++++
2 files changed, 103 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34978.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index ec9392b73d..e06bbc0a2a 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -23,6 +23,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-27447.patch \
file://CVE-2026-27447-regression_p1.patch \
file://CVE-2026-27447-regression_p2.patch \
+ file://CVE-2026-34978.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
new file mode 100644
index 0000000000..d05bc85588
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
@@ -0,0 +1,102 @@
+From ab6ab965de6890aed4df39c97f7cd708fd5cb00c Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:18:26 -0400
+Subject: [PATCH] Fix RSS notifier.
+
+CVE: CVE-2026-34978
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/ipp.c subscription context to the
+ CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 730347c5bbd5e1271149c6739aa858c0c83a7568)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ notifier/rss.c | 20 ++++++++++++++------
+ scheduler/ipp.c | 12 ++++++++++++
+ 3 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 7a5e8813f..429ee874f 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
+ Changes in CUPS v2.4.10 (2024-06-18)
+ ------------------------------------
+
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
+- Fixed cupsd crash if user does not exist (Issue #1555)
++- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
++ directory.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/notifier/rss.c b/notifier/rss.c
+index f17e1494c..250ad877e 100644
+--- a/notifier/rss.c
++++ b/notifier/rss.c
+@@ -1,11 +1,12 @@
+ /*
+ * RSS notifier for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
+- * Copyright 2007-2015 by Apple Inc.
+- * Copyright 2007 by Easy Software Products.
++ * Copyright © 2020-2026 by OpenPrinting.
++ * Copyright © 2007-2015 by Apple Inc.
++ * Copyright © 2007 by Easy Software Products.
+ *
+- * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
++ * Licensed under Apache License v2.0. See the file "LICENSE" for more
++ * information.
+ */
+
+ /*
+@@ -80,6 +81,7 @@ main(int argc, /* I - Number of command-line arguments */
+ http_status_t status; /* HTTP GET/PUT status code */
+ char filename[1024], /* Local filename */
+ newname[1024]; /* filename.N */
++ struct stat fileinfo; /* Local file information */
+ cups_lang_t *language; /* Language information */
+ ipp_attribute_t *printer_up_time, /* Timestamp on event */
+ *notify_sequence_number,/* Sequence number */
+@@ -111,9 +113,9 @@ main(int argc, /* I - Number of command-line arguments */
+
+ if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[1], scheme, sizeof(scheme),
+ username, sizeof(username), host, sizeof(host), &port,
+- resource, sizeof(resource)) < HTTP_URI_OK)
++ resource, sizeof(resource)) < HTTP_URI_OK || strstr(resource, "../") != NULL)
+ {
+- fprintf(stderr, "ERROR: Bad RSS URI \"%s\"!\n", argv[1]);
++ fprintf(stderr, "ERROR: Bad RSS URI \"%s\".\n", argv[1]);
+ return (1);
+ }
+
+@@ -209,6 +211,12 @@ main(int argc, /* I - Number of command-line arguments */
+ snprintf(filename, sizeof(filename), "%s/rss%s", cachedir, resource);
+ snprintf(newname, sizeof(newname), "%s.N", filename);
+
++ if (!lstat(filename, &fileinfo) && !S_ISREG(fileinfo.st_mode))
++ {
++ fprintf(stderr, "ERROR: Local RSS path \"%s\" is not a file.\n", filename);
++ return (1);
++ }
++
+ httpAssembleURIf(HTTP_URI_CODING_ALL, baseurl, sizeof(baseurl), "http",
+ NULL, server_name, atoi(server_port), "/rss%s", resource);
+ }
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 2d80a960e..2dc7376c1 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -1985,6 +1985,12 @@ add_job_subscriptions(
+ "notify-status-code", IPP_ATTRIBUTES);
+ return;
+ }
++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (5 subsequent siblings)
7 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream fix [1] for CVE-2026-34980 as mentioned in [2], where
the scheduler did not filter control characters from option values.
Also include the upstream regression fixes that followed the CVE fix:
- CVE-2026-34980-regression_p1.patch [3] fixes filter PPD keyword
processing. The CVE fix parsed PPD keywords into a temporary array,
but the loop did not advance the keyword pointer. This regression was
reported in OpenPrinting/cups Issue [4].
- CVE-2026-34980-regression_p2.patch [5] fixes a get_options() regression
where the option-value parser did not advance the input pointer for
whitespace/control-character paths.
[1] https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3
[2] https://security-tracker.debian.org/tracker/CVE-2026-34980
[3] https://github.com/OpenPrinting/cups/commit/3f2bdc293243bca938c6de23ba50e6d783189629
[4] https://github.com/OpenPrinting/cups/issues/1562
[5] https://github.com/OpenPrinting/cups/commit/52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 3 +
.../cups/CVE-2026-34980-regression_p1.patch | 31 ++++++
.../cups/CVE-2026-34980-regression_p2.patch | 75 ++++++++++++++
.../cups/cups/CVE-2026-34980.patch | 97 +++++++++++++++++++
4 files changed, 206 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index e06bbc0a2a..dc5b971195 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -24,6 +24,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-27447-regression_p1.patch \
file://CVE-2026-27447-regression_p2.patch \
file://CVE-2026-34978.patch \
+ file://CVE-2026-34980.patch \
+ file://CVE-2026-34980-regression_p1.patch \
+ file://CVE-2026-34980-regression_p2.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
new file mode 100644
index 0000000000..9290a0e637
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
@@ -0,0 +1,31 @@
+From 3f2bdc293243bca938c6de23ba50e6d783189629 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 28 Apr 2026 17:42:41 -0400
+Subject: [PATCH] Fix filter PPD keyword processing (Issue #1562)
+
+CVE: CVE-2026-34980
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/3f2bdc293243bca938c6de23ba50e6d783189629]
+
+(cherry picked from commit 3f2bdc293243bca938c6de23ba50e6d783189629)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ scheduler/job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 895b2d9..915ba94 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -5419,7 +5419,7 @@ update_job(cupsd_job_t *job) /* I - Job to check */
+ keywords = NULL;
+ num_keywords = cupsParseOptions(message, 0, &keywords);
+
+- for (i = 0, keyword = keywords; i < num_keywords; i ++)
++ for (i = 0, keyword = keywords; i < num_keywords; i ++, keyword ++)
+ {
+ /*
+ * Filter out "special" PPD keywords...
+--
+2.43.7
+
+
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
new file mode 100644
index 0000000000..73846cb8a3
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
@@ -0,0 +1,75 @@
+From 52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Wed, 8 Apr 2026 16:42:48 -0400
+Subject: [PATCH] Fix get_options regression (Issue #1532)
+
+CVE: CVE-2026-34980
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af]
+
+(cherry picked from commit 52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ scheduler/job.c | 4 ++--
+ test/5.5-lp.sh | 10 +++++-----
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 6b9d366..cf019e1 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4144,7 +4144,7 @@ get_options(cupsd_job_t *job, /* I - Job */
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_URI :
+- for (valptr = attr->values[i].string.text; *valptr;)
++ for (valptr = attr->values[i].string.text; *valptr; valptr ++)
+ {
+ /*
+ * Convert tabs and newlines to spaces, filter out control chars,
+@@ -4159,7 +4159,7 @@ get_options(cupsd_job_t *job, /* I - Job */
+ {
+ if (strchr("\\\'\"", *valptr))
+ *optptr++ = '\\';
+- *optptr++ = *valptr++;
++ *optptr++ = *valptr;
+ }
+ }
+
+diff --git a/test/5.5-lp.sh b/test/5.5-lp.sh
+index 25e9d65..fe60890 100644
+--- a/test/5.5-lp.sh
++++ b/test/5.5-lp.sh
+@@ -2,7 +2,7 @@
+ #
+ # Test the lp command.
+ #
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+ #
+@@ -72,8 +72,8 @@ echo ""
+
+ echo "LP Flood Test ($1 times in parallel)"
+ echo ""
+-echo " lp -d Test1 testfile.jpg"
+-echo " lp -d Test2 testfile.jpg"
++echo " lp -d Test1 -t 'Flood Test N' testfile.jpg"
++echo " lp -d Test2 -t 'Flood Test N' testfile.jpg"
+ i=0
+ pids=""
+ while test $i -lt $1; do
+@@ -83,9 +83,9 @@ while test $i -lt $1; do
+ j=`expr $j + 1`
+ done
+
+- $runcups $VALGRIND ../systemv/lp -d Test1 ../examples/testfile.jpg 2>&1 &
++ $runcups $VALGRIND ../systemv/lp -d Test1 -t "Flood Test $j" ../examples/testfile.jpg 2>&1 &
+ pids="$pids $!"
+- $runcups $VALGRIND ../systemv/lp -d Test2 ../examples/testfile.jpg 2>&1 &
++ $runcups $VALGRIND ../systemv/lp -d Test2 -t "Flood Test $j" ../examples/testfile.jpg 2>&1 &
+ pids="$pids $!"
+
+ i=`expr $i + 1`
+--
+2.43.7
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch
new file mode 100644
index 0000000000..286e9cd517
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch
@@ -0,0 +1,97 @@
+From e206c7643a7574cab2e9457eac4c9f755dbf44ff Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:45:13 -0400
+Subject: [PATCH] Filter out control characters from option values.
+
+CVE: CVE-2026-34980
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/job.c option-handling context to
+ the CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 8d0f51cac24cb5bf949c5b6a221e51a150d982e3)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/job.c | 41 +++++++++++++++++++++++++++++++++++------
+ 2 files changed, 37 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 7e24840..9863c17 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -9,6 +9,8 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ - Fixed cupsd crash if user does not exist (Issue #1555)
+ - CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
+ directory.
++- CVE-2026-34980: The scheduler did not filter control characters from option
++ values.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 822a247..895b2d9 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4121,9 +4121,21 @@ get_options(cupsd_job_t *job, /* I - Job */
+ case IPP_TAG_URI :
+ for (valptr = attr->values[i].string.text; *valptr;)
+ {
+- if (strchr(" \t\n\\\'\"", *valptr))
+- *optptr++ = '\\';
+- *optptr++ = *valptr++;
++ /*
++ * Convert tabs and newlines to spaces, filter out control chars,
++ * and escape \, ', and ".
++ */
++
++ if (isspace(*valptr & 255))
++ {
++ *optptr++ = ' ';
++ }
++ else if ((*valptr & 255) >= ' ' && *valptr != 0x7f)
++ {
++ if (strchr("\\\'\"", *valptr))
++ *optptr++ = '\\';
++ *optptr++ = *valptr++;
++ }
+ }
+
+ *optptr = '\0';
+@@ -5394,13 +5409,30 @@ update_job(cupsd_job_t *job) /* I - Job to check */
+ else if (loglevel == CUPSD_LOG_PPD)
+ {
+ /*
+- * Set attribute(s)...
++ * Set PPD keyword(s)/value(s)...
+ */
+
++ int i, /* Looping var */
++ num_keywords; /* Number of keywords */
++ cups_option_t *keywords, /* Keywords */
++ *keyword; /* Current keyword */
++
+ cupsdLogJob(job, CUPSD_LOG_DEBUG, "PPD: %s", message);
+
+- job->num_keywords = cupsParseOptions(message, job->num_keywords,
+- &job->keywords);
++ keywords = NULL;
++ num_keywords = cupsParseOptions(message, 0, &keywords);
++
++ for (i = 0, keyword = keywords; i < num_keywords; i ++)
++ {
++ /*
++ * Filter out "special" PPD keywords...
++ */
++
++ if (strcmp(keyword->name, "cupsFilter") && strcmp(keyword->name, "cupsFilter2") && strcmp(keyword->name, "cupsFinishingTemplate") && strcmp(keyword->name, "cupsIPPFinishings") && strcmp(keyword->name, "cupsIPPReason") && strcmp(keyword->name, "cupsMarkerName") && strcmp(keyword->name, "cupsMaxSize") && strncmp(keyword->name, "cupsMediaQualifier", 18) && strcmp(keyword->name, "cupsMinSize") && strcmp(keyword->name, "cupsPageSizeCategory") && strcmp(keyword->name, "cupsPortMonitor") && strcmp(keyword->name, "cupsPreFilter") && strcmp(keyword->name, "cupsPrintQuality") && strcmp(keyword->name, "APPrinterPreset"))
++ job->num_keywords = cupsAddOption(keyword->name, keyword->value, job->num_keywords, &job->keywords);
++ }
++
++ cupsFreeOptions(num_keywords, keywords);
+ }
+ else
+ {
+--
+2.43.7
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (4 subsequent siblings)
7 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214
[2] https://security-tracker.debian.org/tracker/CVE-2026-34979
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-34979.patch | 73 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34979.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index dc5b971195..7dedb2daef 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -27,6 +27,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34980.patch \
file://CVE-2026-34980-regression_p1.patch \
file://CVE-2026-34980-regression_p2.patch \
+ file://CVE-2026-34979.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34979.patch b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch
new file mode 100644
index 0000000000..4adb6415b1
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch
@@ -0,0 +1,73 @@
+From 471b4dc802455c7c59f9fd594fec8b6f3acb0db5 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:50:06 -0400
+Subject: [PATCH] Expand allocation of options string.
+
+CVE: CVE-2026-34979
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/job.c IPP length context to the
+ CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 0ff8897367c7341f2500770c3977038cdd7c0214)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/job.c | 16 ++++------------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 9863c17..f203e9a 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -11,6 +11,8 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ directory.
+ - CVE-2026-34980: The scheduler did not filter control characters from option
+ values.
++- CVE-2026-34979: The scheduler did not always allocate enough memory for a
++ job's options string.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 915ba94..880c25f 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4195,18 +4195,6 @@ ipp_length(ipp_t *ipp) /* I - IPP request */
+
+ for (attr = ipp->attrs; attr != NULL; attr = attr->next)
+ {
+- /*
+- * Skip attributes that won't be sent to filters...
+- */
+-
+- if (attr->value_tag == IPP_TAG_NOVALUE ||
+- attr->value_tag == IPP_TAG_MIMETYPE ||
+- attr->value_tag == IPP_TAG_NAMELANG ||
+- attr->value_tag == IPP_TAG_TEXTLANG ||
+- attr->value_tag == IPP_TAG_URI ||
+- attr->value_tag == IPP_TAG_URISCHEME)
+- continue;
+-
+ /*
+ * Add space for a leading space and commas between each value.
+ * For the first attribute, the leading space isn't used, so the
+@@ -4282,10 +4270,14 @@ ipp_length(ipp_t *ipp) /* I - IPP request */
+
+ case IPP_TAG_TEXT :
+ case IPP_TAG_NAME :
++ case IPP_TAG_TEXTLANG :
++ case IPP_TAG_NAMELANG :
++ case IPP_TAG_MIMETYPE :
+ case IPP_TAG_KEYWORD :
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_URI :
++ case IPP_TAG_URISCHEME :
+ /*
+ * Strings can contain characters that need quoting. We need
+ * at least 2 * len + 2 characters to cover the quotes and
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 subsequent siblings)
7 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356
[2] https://security-tracker.debian.org/tracker/CVE-2026-34990
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-34990.patch | 366 ++++++++++++++++++
2 files changed, 367 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34990.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 7dedb2daef..2e6bf698e0 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -28,6 +28,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34980-regression_p1.patch \
file://CVE-2026-34980-regression_p2.patch \
file://CVE-2026-34979.patch \
+ file://CVE-2026-34990.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
new file mode 100644
index 0000000000..e3d6e10a23
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
@@ -0,0 +1,366 @@
+From 48648896ca7faa8f105eee7b7a8d86c42e0fa796 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 15:55:50 -0400
+Subject: [PATCH] Don't allow local certificates over the loopback
+ interface, drop support for writing to plain files.
+
+CVE: CVE-2026-34990
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356]
+
+Backport Changes:
+- Preserve the existing CVE-2025-61915 PeerCred disable guard while changing
+ localhost checks to AF_LOCAL.
+- Replace CHANGES.md CVE-2026-NNNNN placeholder with CVE-2026-34990.
+
+(cherry picked from commit e052dc44da9d12adfbebc51de4975fbadb2ce356)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ cups/auth.c | 30 ++++++--------------------
+ scheduler/auth.c | 9 +++++----
+ scheduler/client.c | 4 ++--
+ scheduler/ipp.c | 12 ++++++++--
+ scheduler/job.c | 46 ++++++++++++++++++++++------------------
+ test/4.2-cups-printer-ops.test | 6 +++--
+ test/5.1-lpadmin.sh | 14 +++++------
+ 8 files changed, 60 insertions(+), 63 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index f203e9a..4eeebef 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -13,6 +13,8 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ values.
+ - CVE-2026-34979: The scheduler did not always allocate enough memory for a
+ job's options string.
++- CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
++ loopback interface.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/cups/auth.c b/cups/auth.c
+index 5cb4194..14661c7 100644
+--- a/cups/auth.c
++++ b/cups/auth.c
+@@ -1,7 +1,7 @@
+ /*
+ * Authentication functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products.
+ *
+@@ -92,7 +92,6 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
+ # define cups_gss_printf(major, minor, message)
+ # endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
+-static int cups_is_local_connection(http_t *http);
+ static int cups_local_auth(http_t *http);
+
+
+@@ -948,14 +947,6 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
+ # endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
+
+-static int /* O - 0 if not a local connection */
+- /* 1 if local connection */
+-cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
+-{
+- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+- return 0;
+- return 1;
+-}
+
+ /*
+ * 'cups_local_auth()' - Get the local authorization certificate if
+@@ -967,13 +958,7 @@ static int /* O - 0 if available */
+ /* -1 error */
+ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ {
+-#if defined(_WIN32) || defined(__EMX__)
+- /*
+- * Currently _WIN32 and OS-2 do not support the CUPS server...
+- */
+-
+- return (1);
+-#else
++#if !_WIN32 && !__EMX__ && defined(AF_LOCAL)
+ int pid; /* Current process ID */
+ FILE *fp; /* Certificate file */
+ char trc[16], /* Try Root Certificate parameter */
+@@ -998,7 +983,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ * See if we are accessing localhost...
+ */
+
+- if (!cups_is_local_connection(http))
++ if (httpAddrFamily(httpGetAddress(http)) != AF_LOCAL)
+ {
+ DEBUG_puts("8cups_local_auth: Not a local connection!");
+ return (1);
+@@ -1072,15 +1057,14 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ }
+ # endif /* HAVE_AUTHORIZATION_H */
+
+-# if defined(SO_PEERCRED) && defined(AF_LOCAL)
++# ifdef SO_PEERCRED
+ /*
+ * See if we can authenticate using the peer credentials provided over a
+ * domain socket; if so, specify "PeerCred username" as the authentication
+ * information...
+ */
+
+- if (http->hostaddr->addr.sa_family == AF_LOCAL &&
+- !getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */
++ if (!getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */
+ cups_auth_find(www_auth, "PeerCred"))
+ {
+ /*
+@@ -1104,7 +1088,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ return (0);
+ }
+ }
+-# endif /* SO_PEERCRED && AF_LOCAL */
++# endif /* SO_PEERCRED */
+
+ if ((schemedata = cups_auth_find(www_auth, "Local")) == NULL)
+ return (1);
+@@ -1164,7 +1148,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ return (0);
+ }
+ }
++#endif /* !_WIN32 && !__EMX__ && AF_LOCAL */
+
+ return (1);
+-#endif /* _WIN32 || __EMX__ */
+ }
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 1dd520d..56855fc 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -318,7 +318,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ }
+ #ifdef HAVE_AUTHORIZATION_H
+ else if (!strncmp(authorization, "AuthRef ", 8) &&
+- httpAddrLocalhost(httpGetAddress(con->http)))
++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ OSStatus status; /* Status */
+ char authdata[HTTP_MAX_VALUE];
+@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ #endif /* HAVE_AUTHORIZATION_H */
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- else if (!strncmp(authorization, "PeerCred ", 9) &&
+- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
++ else if (PeerCred != CUPSD_PEERCRED_OFF &&
++ !strncmp(authorization, "PeerCred ", 9) &&
++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL && con->best)
+ {
+ /*
+ * Use peer credentials from domain socket connection...
+@@ -483,7 +483,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ }
+ #endif /* SO_PEERCRED && AF_LOCAL */
+ else if (!strncmp(authorization, "Local", 5) &&
+- httpAddrLocalhost(httpGetAddress(con->http)))
++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ /*
+ * Get Local certificate authentication data...
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 779404c..dea9da0 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -2173,7 +2173,7 @@ cupsdSendHeader(
+ strlcpy(auth_str, "Negotiate", sizeof(auth_str));
+ }
+
+- if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
++ if (con->best && !con->is_browser && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ /*
+ * Add a "trc" (try root certification) parameter for local
+@@ -2193,7 +2193,7 @@ cupsdSendHeader(
+ auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str);
+
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
++ if (PeerCred != CUPSD_PEERCRED_OFF)
+ {
+ strlcpy(auth_key, ", PeerCred", auth_size);
+ auth_key += 10;
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index b0d1f5b..11dcd39 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -5561,7 +5561,7 @@ create_local_printer(
+ * Require local access to create a local printer...
+ */
+
+- if (!httpAddrLocalhost(httpGetAddress(con->http)))
++ if (httpAddrFamily(httpGetAddress(con->http)) != AF_LOCAL)
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
+ return;
+@@ -5621,9 +5621,15 @@ create_local_printer(
+
+ ptr = ippGetString(device_uri, 0, NULL);
+
+- if (!ptr || !ptr[0])
++ if (!ptr || !ptr[0])
+ {
+- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
++ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
+
+ return;
+ }
++ else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
++
++ return;
++ }
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 880c25f..6c033de 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -1164,35 +1164,39 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */
+ }
+ else
+ {
++ char scheme[32], /* URI scheme */
++ userpass[32], /* URI username:password */
++ host[256], /* URI hostname */
++ resource[1024]; /* URI resource path (filename) */
++ int port; /* URI port number */
++
++ httpSeparateURI(HTTP_URI_CODING_ALL, job->printer->device_uri, scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource));
++
+ job->print_pipes[0] = -1;
+- if (!strcmp(job->printer->device_uri, "file:/dev/null") ||
+- !strcmp(job->printer->device_uri, "file:///dev/null"))
+- job->print_pipes[1] = -1;
+- else
++ job->print_pipes[1] = -1;
++
++ if (strcmp(resource, "/dev/null"))
+ {
+- if (!strncmp(job->printer->device_uri, "file:/dev/", 10))
+- job->print_pipes[1] = open(job->printer->device_uri + 5,
+- O_WRONLY | O_EXCL);
+- else if (!strncmp(job->printer->device_uri, "file:///dev/", 12))
+- job->print_pipes[1] = open(job->printer->device_uri + 7,
+- O_WRONLY | O_EXCL);
+- else if (!strncmp(job->printer->device_uri, "file:///", 8))
+- job->print_pipes[1] = open(job->printer->device_uri + 7,
+- O_WRONLY | O_CREAT | O_TRUNC, 0600);
+- else
+- job->print_pipes[1] = open(job->printer->device_uri + 5,
+- O_WRONLY | O_CREAT | O_TRUNC, 0600);
++ if (!FileDevice)
++ {
++ abort_message = "Stopping job because file: output is disabled.";
+
+- if (job->print_pipes[1] < 0)
++ goto abort_job;
++ }
++ else if ((job->print_pipes[1] = open(resource, O_WRONLY | O_EXCL)) < 0)
+ {
+- abort_message = "Stopping job because the scheduler could not "
+- "open the output file.";
++ abort_message = "Stopping job because the scheduler could not open the output file.";
+
+ goto abort_job;
+ }
++ else
++ {
++ /*
++ * Close this file on execute...
++ */
+
+- fcntl(job->print_pipes[1], F_SETFD,
+- fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC);
++ fcntl(job->print_pipes[1], F_SETFD, fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC);
++ }
+ }
+ }
+ }
+diff --git a/test/4.2-cups-printer-ops.test b/test/4.2-cups-printer-ops.test
+index 1a011e0..945a9bb 100644
+--- a/test/4.2-cups-printer-ops.test
++++ b/test/4.2-cups-printer-ops.test
+@@ -1,7 +1,7 @@
+ #
+ # Verify that the CUPS printer operations work.
+ #
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 2001-2006 by Easy Software Products. All rights reserved.
+ #
+@@ -180,7 +180,7 @@
+ ATTR uri printer-uri $method://$hostname:$port/printers/Test2
+
+ GROUP printer
+- ATTR uri device-uri file:/tmp/Test2
++ ATTR uri device-uri file:///dev/null
+ ATTR enum printer-state 3
+ ATTR boolean printer-is-accepting-jobs true
+
+@@ -206,7 +206,7 @@
+ ATTR uri printer-uri $method://$hostname:$port/printers/Test1
+
+ GROUP printer
+- ATTR uri device-uri file:/tmp/Test1
++ ATTR uri device-uri file:///dev/null
+ ATTR enum printer-state 3
+ ATTR boolean printer-is-accepting-jobs true
+ ATTR text printer-info "Test Printer 1"
+diff --git a/test/5.1-lpadmin.sh b/test/5.1-lpadmin.sh
+index aa39800..36f2822 100644
+--- a/test/5.1-lpadmin.sh
++++ b/test/5.1-lpadmin.sh
+@@ -2,7 +2,7 @@
+ #
+ # Test the lpadmin command.
+ #
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2018 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+ #
+@@ -12,8 +12,8 @@
+
+ echo "Add Printer Test"
+ echo ""
+-echo " lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd"
+-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1
++echo " lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd"
++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1
+ if test $? != 0; then
+ echo " FAILED"
+ exit 1
+@@ -29,8 +29,8 @@ echo ""
+
+ echo "Modify Printer Test"
+ echo ""
+-echo " lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4"
+-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4 2>&1
++echo " lpadmin -p Test3 -v file:///dev/null -o PageSize=A4"
++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -o PageSize=A4 2>&1
+ if test $? != 0; then
+ echo " FAILED"
+ exit 1
+@@ -65,8 +65,8 @@ echo ""
+
+ echo "Add a printer for cupSNMP/IPPSupplies test"
+ echo ""
+-echo " lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd"
+-$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd 2>&1
++echo " lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd"
++$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd 2>&1
+ if test $? != 0; then
+ echo " FAILED"
+ exit 1
+--
+2.43.7
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 subsequent siblings)
7 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4
[2] https://security-tracker.debian.org/tracker/CVE-2026-39314
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-39314.patch | 56 +++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 2e6bf698e0..7bfa890b3d 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34980-regression_p2.patch \
file://CVE-2026-34979.patch \
file://CVE-2026-34990.patch \
+ file://CVE-2026-39314.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39314.patch b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch
new file mode 100644
index 0000000000..2ebefb3bc5
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch
@@ -0,0 +1,56 @@
+From 65c463ada188915d6700d92ce48a9a14949ca413 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 10:45:25 -0400
+Subject: [PATCH] Range check job-password-supported.
+
+CVE: CVE-2026-39314
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4]
+
+Backport Changes:
+- Rebase CHANGES.md placement and cups/ppd-cache.c context to the CUPS 2.4.11
+ source carried by this recipe.
+
+(cherry picked from commit 928a86b1b794f738f0a3dc87561b2e054bff7ce4)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ cups/ppd-cache.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 4eeebef..082b9f7 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -15,6 +15,7 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ job's options string.
+ - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
+ loopback interface.
++- Fixed the range check for job password strings.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index e750fcc..08e0db8 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -1,7 +1,7 @@
+ /*
+ * PPD cache implementation for CUPS.
+ *
+- * Copyright © 2022-2024 by OpenPrinting.
++ * Copyright © 2022-2026 by OpenPrinting.
+ * Copyright © 2010-2021 by Apple Inc.
+ *
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more
+@@ -3432,7 +3432,7 @@ _ppdCreateFromIPP2(
+ * Password/PIN printing...
+ */
+
+- if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL)
++ if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL && ippGetInteger(attr, 0) > 0)
+ {
+ char pattern[33]; /* Password pattern */
+ int maxlen = ippGetInteger(attr, 0);
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (4 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
7 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f
[2] https://security-tracker.debian.org/tracker/CVE-2026-39316
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-39316.patch | 51 +++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 7bfa890b3d..c2bf572bf5 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34979.patch \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
+ file://CVE-2026-39316.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
new file mode 100644
index 0000000000..4b43a7b41b
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
@@ -0,0 +1,51 @@
+From 7c4d7951d189e931563f21086196d5a55fb2fa15 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 11:33:23 -0400
+Subject: [PATCH] Expire per-printer subscriptions before deleting.
+
+CVE: CVE-2026-39316
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/printers.c delete-printer context
+ to the CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/printers.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 082b9f7..cde280d 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -16,6 +16,7 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
+ loopback interface.
+ - Fixed the range check for job password strings.
++- Fixed a printer subscription bug in the scheduler.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index bf493a3..ca983f9 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -641,6 +641,12 @@ cupsdDeletePrinter(
+ update ? "Job stopped due to printer being deleted." :
+ "Job stopped.");
+
++ /*
++ * Expire subscriptions on the printer...
++ */
++
++ cupsdExpireSubscriptions(p, /*job*/NULL);
++
+ /*
+ * Remove the printer from the list...
+ */
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (5 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:57 ` Yoann Congal
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
7 siblings, 1 reply; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
[2] https://security-tracker.debian.org/tracker/CVE-2026-41079
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-27447.patch | 4 +-
.../cups/cups/CVE-2026-34978.patch | 25 +++++--
.../cups/CVE-2026-34980-regression_p2.patch | 8 +--
.../cups/cups/CVE-2026-34990.patch | 19 ++---
.../cups/cups/CVE-2026-41079.patch | 72 +++++++++++++++++++
6 files changed, 106 insertions(+), 23 deletions(-)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index c2bf572bf5..64f71c9465 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
file://CVE-2026-39316.patch \
+ file://CVE-2026-41079.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
index 77a26dae64..1884acfa9f 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
@@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
index 4a2e25d..0da2c55 100644
--- a/CHANGES.md
+++ b/CHANGES.md
-@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
+@@ -21,6 +21,8 @@
Changes in CUPS v2.4.10 (2024-06-18)
- -----------------------------
+ ------------------------------------
+- CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
index d05bc85588..b4b83a41d0 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
@@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
index 7a5e8813f..429ee874f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
-@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
- Changes in CUPS v2.4.10 (2024-06-18)
- ------------------------------------
-
+@@ -24,6 +24,8 @@
- CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive.
-- Fixed cupsd crash if user does not exist (Issue #1555)
+ - Fixed cupsd crash if user does not exist (Issue #1555)
+- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
+ directory.
- Fixed error handling when reading a mixed `1setOf` attribute.
@@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
+ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
++ return;
++ }
+ }
+ else if (!strcmp(attr->name, "notify-pull-method") &&
+ attr->value_tag == IPP_TAG_KEYWORD)
+@@ -6010,6 +6016,12 @@ create_subscriptions(
+ "notify-status-code", IPP_ATTRIBUTES);
+ return;
+ }
++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
++ return;
++ }
+ }
+ else if (!strcmp(attr->name, "notify-pull-method") &&
+ attr->value_tag == IPP_TAG_KEYWORD)
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
index 73846cb8a3..0cf63b10af 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
@@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
#
# Test the lp command.
#
--# Copyright © 2020-2024 by OpenPrinting.
-+# Copyright © 2020-2026 by OpenPrinting.
- # Copyright © 2007-2019 by Apple Inc.
- # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
#
@@ -72,8 +72,8 @@ echo ""
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
index e3d6e10a23..916cdc09a3 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
@@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
{
OSStatus status; /* Status */
char authdata[HTTP_MAX_VALUE];
-@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
-- else if (!strncmp(authorization, "PeerCred ", 9) &&
+- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
+ else if (PeerCred != CUPSD_PEERCRED_OFF &&
+ !strncmp(authorization, "PeerCred ", 9) &&
@@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
{
send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
return;
-@@ -5621,9 +5621,15 @@ create_local_printer(
-
- ptr = ippGetString(device_uri, 0, NULL);
-
-- if (!ptr || !ptr[0])
-+ if (!ptr || !ptr[0])
- {
-- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
-+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
+@@ -5634,6 +5634,12 @@ create_local_printer(
return;
}
+ else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
-+
++
+ return;
+ }
+
+ printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
+ printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
diff --git a/scheduler/job.c b/scheduler/job.c
index 880c25f..6c033de 100644
--- a/scheduler/job.c
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
new file mode 100644
index 0000000000..f216c84e30
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
@@ -0,0 +1,72 @@
+From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 13 Apr 2026 11:50:23 -0400
+Subject: [PATCH] Limit num_bytes for SNMP string values.
+
+CVE: CVE-2026-41079
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
+
+(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ cups/snmp-private.h | 6 +++---
+ cups/snmp.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/cups/snmp-private.h b/cups/snmp-private.h
+index 52b8740..015f53e 100644
+--- a/cups/snmp-private.h
++++ b/cups/snmp-private.h
+@@ -1,7 +1,7 @@
+ /*
+ * Private SNMP definitions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2014 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
+
+ typedef struct cups_snmp_string_s /**** String value ****/
+ {
+- unsigned char bytes[CUPS_SNMP_MAX_STRING];
+- /* Bytes in string */
+ unsigned num_bytes; /* Number of bytes */
++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
++ /* Bytes in string */
+ } cups_snmp_string_t;
+
+ union cups_snmp_value_u /**** Object value ****/
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 54e348f..3222ff3 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1,7 +1,7 @@
+ /*
+ * SNMP functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
+ case CUPS_ASN1_OCTET_STRING :
+ case CUPS_ASN1_BIT_STRING :
+ case CUPS_ASN1_HEX_STRING :
+- packet->object_value.string.num_bytes = length;
+ asn1_get_string(&bufptr, bufend, length,
+ (char *)packet->object_value.string.bytes,
+ sizeof(packet->object_value.string.bytes));
++
++ if (length >= sizeof(packet->object_value.string.bytes))
++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
++ else
++ packet->object_value.string.num_bytes = length;
+ break;
+
+ case CUPS_ASN1_OID :
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (6 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-28 21:41 ` Yoann Congal
2026-07-15 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
7 siblings, 1 reply; 12+ messages in thread
From: Yoann Congal @ 2026-06-28 21:41 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external, to
On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream backport [1] for CVE-2026-27447 as mentioned in [2], where
> the scheduler treated local user and group names as case-insensitive.
>
> Also include the two upstream regression fixes that followed the CVE
> fix:
> - CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the
> referenced user does not exist on the server. This regression was
> reported in OpenPrinting/cups Issue [5].
> - CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print
> policies for non-local accounts. This regression was reported in
> OpenPrinting/cups Issue [6].
>
> [1] https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
> [2] https://security-tracker.debian.org/tracker/CVE-2026-27447
> [3] https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
> [4] https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
> [5] https://github.com/OpenPrinting/cups/issues/1555
> [6] https://github.com/OpenPrinting/cups/issues/1557
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> meta/recipes-extended/cups/cups.inc | 3 +
> .../cups/CVE-2026-27447-regression_p1.patch | 48 +++++++
> .../cups/CVE-2026-27447-regression_p2.patch | 46 +++++++
> .../cups/cups/CVE-2026-27447.patch | 120 ++++++++++++++++++
> 4 files changed, 217 insertions(+)
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch
Hello,
As far as I can tell this fix is needed for wrynose:
CVE impacts "up to 2.4.16 including" as per NVD but wrynose is 2.4.16.
Can you send a fix for wrynose so I can take this one for scarthgap?
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-28 21:57 ` Yoann Congal
2026-07-15 13:25 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 1 reply; 12+ messages in thread
From: Yoann Congal @ 2026-06-28 21:57 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external, to
On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream patch [1] as mentioned in [2].
>
> [1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
> [2] https://security-tracker.debian.org/tracker/CVE-2026-41079
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
As far as I know, this fix is also needed on wrynose:
CVE-2026-41079 impacts "up to 2.4.17 excluding" per NVD and wrynose has 2.4.16.
Can you send a fix for wrynose so I can take this one for scarthgap?
> ---
> meta/recipes-extended/cups/cups.inc | 1 +
> .../cups/cups/CVE-2026-27447.patch | 4 +-
> .../cups/cups/CVE-2026-34978.patch | 25 +++++--
> .../cups/CVE-2026-34980-regression_p2.patch | 8 +--
> .../cups/cups/CVE-2026-34990.patch | 19 ++---
> .../cups/cups/CVE-2026-41079.patch | 72 +++++++++++++++++++
This patch touches a lot of patches added previously in the series. I
think this is a mistake and those changes should either be dropped or
squashed in the proper commit.
Can you send a v2 of the whole series with this cleaned up?
Please split CVE-2026-41079 and CVE-2026-27447 into another series as
those need a wrynose fix.
Thanks!
> 6 files changed, 106 insertions(+), 23 deletions(-)
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
>
> diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
> index c2bf572bf5..64f71c9465 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
> file://CVE-2026-34990.patch \
> file://CVE-2026-39314.patch \
> file://CVE-2026-39316.patch \
> + file://CVE-2026-41079.patch \
> "
>
> GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> index 77a26dae64..1884acfa9f 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> @@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
> index 4a2e25d..0da2c55 100644
> --- a/CHANGES.md
> +++ b/CHANGES.md
> -@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
> +@@ -21,6 +21,8 @@
> Changes in CUPS v2.4.10 (2024-06-18)
> - -----------------------------
> + ------------------------------------
>
> +- CVE-2026-27447: The scheduler treated local user and group names as case-
> + insensitive.
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> index d05bc85588..b4b83a41d0 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> @@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
> index 7a5e8813f..429ee874f 100644
> --- a/CHANGES.md
> +++ b/CHANGES.md
> -@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
> - Changes in CUPS v2.4.10 (2024-06-18)
> - ------------------------------------
> -
> +@@ -24,6 +24,8 @@
> - CVE-2026-27447: The scheduler treated local user and group names as case-
> insensitive.
> -- Fixed cupsd crash if user does not exist (Issue #1555)
> + - Fixed cupsd crash if user does not exist (Issue #1555)
> +- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
> + directory.
> - Fixed error handling when reading a mixed `1setOf` attribute.
> @@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
> + {
> + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> + ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++ return;
> ++ }
> + }
> + else if (!strcmp(attr->name, "notify-pull-method") &&
> + attr->value_tag == IPP_TAG_KEYWORD)
> +@@ -6010,6 +6016,12 @@ create_subscriptions(
> + "notify-status-code", IPP_ATTRIBUTES);
> + return;
> + }
> ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
> ++ {
> ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++ return;
> ++ }
> + }
> + else if (!strcmp(attr->name, "notify-pull-method") &&
> + attr->value_tag == IPP_TAG_KEYWORD)
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> index 73846cb8a3..0cf63b10af 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> @@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
> #
> # Test the lp command.
> #
> --# Copyright © 2020-2024 by OpenPrinting.
> -+# Copyright © 2020-2026 by OpenPrinting.
> - # Copyright © 2007-2019 by Apple Inc.
> - # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> +-# Copyright © 2020-2024 by OpenPrinting.
> ++# Copyright © 2020-2026 by OpenPrinting.
> + # Copyright © 2007-2019 by Apple Inc.
> + # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> #
> @@ -72,8 +72,8 @@ echo ""
>
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> index e3d6e10a23..916cdc09a3 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> @@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
> {
> OSStatus status; /* Status */
> char authdata[HTTP_MAX_VALUE];
> -@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
> +@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
> #endif /* HAVE_AUTHORIZATION_H */
> #if defined(SO_PEERCRED) && defined(AF_LOCAL)
> -- else if (!strncmp(authorization, "PeerCred ", 9) &&
> +- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
> - con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
> + else if (PeerCred != CUPSD_PEERCRED_OFF &&
> + !strncmp(authorization, "PeerCred ", 9) &&
> @@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
> {
> send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
> return;
> -@@ -5621,9 +5621,15 @@ create_local_printer(
> -
> - ptr = ippGetString(device_uri, 0, NULL);
> -
> -- if (!ptr || !ptr[0])
> -+ if (!ptr || !ptr[0])
> - {
> -- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> -+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> +@@ -5634,6 +5634,12 @@ create_local_printer(
>
> return;
> }
> + else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
> + {
> + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
> -+
> ++
> + return;
> + }
> +
> + printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
> + printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
> diff --git a/scheduler/job.c b/scheduler/job.c
> index 880c25f..6c033de 100644
> --- a/scheduler/job.c
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> new file mode 100644
> index 0000000000..f216c84e30
> --- /dev/null
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> @@ -0,0 +1,72 @@
> +From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
> +From: Michael R Sweet <msweet@msweet.org>
> +Date: Mon, 13 Apr 2026 11:50:23 -0400
> +Subject: [PATCH] Limit num_bytes for SNMP string values.
> +
> +CVE: CVE-2026-41079
> +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
> +
> +(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + cups/snmp-private.h | 6 +++---
> + cups/snmp.c | 8 ++++++--
> + 2 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/cups/snmp-private.h b/cups/snmp-private.h
> +index 52b8740..015f53e 100644
> +--- a/cups/snmp-private.h
> ++++ b/cups/snmp-private.h
> +@@ -1,7 +1,7 @@
> + /*
> + * Private SNMP definitions for CUPS.
> + *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> + * Copyright © 2007-2014 by Apple Inc.
> + * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> + *
> +@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
> +
> + typedef struct cups_snmp_string_s /**** String value ****/
> + {
> +- unsigned char bytes[CUPS_SNMP_MAX_STRING];
> +- /* Bytes in string */
> + unsigned num_bytes; /* Number of bytes */
> ++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
> ++ /* Bytes in string */
> + } cups_snmp_string_t;
> +
> + union cups_snmp_value_u /**** Object value ****/
> +diff --git a/cups/snmp.c b/cups/snmp.c
> +index 54e348f..3222ff3 100644
> +--- a/cups/snmp.c
> ++++ b/cups/snmp.c
> +@@ -1,7 +1,7 @@
> + /*
> + * SNMP functions for CUPS.
> + *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> + * Copyright © 2007-2019 by Apple Inc.
> + * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> + *
> +@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
> + case CUPS_ASN1_OCTET_STRING :
> + case CUPS_ASN1_BIT_STRING :
> + case CUPS_ASN1_HEX_STRING :
> +- packet->object_value.string.num_bytes = length;
> + asn1_get_string(&bufptr, bufend, length,
> + (char *)packet->object_value.string.bytes,
> + sizeof(packet->object_value.string.bytes));
> ++
> ++ if (length >= sizeof(packet->object_value.string.bytes))
> ++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
> ++ else
> ++ packet->object_value.string.num_bytes = length;
> + break;
> +
> + case CUPS_ASN1_OID :
> +--
> +2.43.7
> +
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
@ 2026-07-15 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-07-15 11:30 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 305 bytes --]
Hello Yoann,
Thanks for checking.
The fix for wrynose has already been merged, so wrynose should be covered now.
Could you please review this patch series for scarthgap? This one is intended for the scarthgap branch.
Please let me know if you still see any gap on wrynose.
Thanks,
Anil Dongare
[-- Attachment #2: Type: text/html, Size: 367 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
2026-06-28 21:57 ` Yoann Congal
@ 2026-07-15 13:25 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
0 siblings, 0 replies; 12+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-07-15 13:25 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 534 bytes --]
Thanks Yoann.
Yes, I will send a cleaned v2.
The wrynose fixes for CVE-2026-27447 and CVE-2026-41079 are now merged, so wrynose is covered.
For scarthgap v2, I will split the series as requested:
- one series for the remaining CUPS CVEs
- a separate series for CVE-2026-27447 and CVE-2026-41079
I will also clean the CVE-2026-41079 patch so it only adds CVE-2026-41079.patch and updates cups.inc. The unrelated changes to earlier CVE patch files will be moved into the proper commits or dropped.
Thanks,
Anil Dongare
[-- Attachment #2: Type: text/html, Size: 2666 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2026-07-15 13:25 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:57 ` Yoann Congal
2026-07-15 13:25 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
2026-07-15 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox