Openembedded Core Discussions
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <adongare@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>, <to@cisco.com>
Subject: Re: [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
Date: Sun, 28 Jun 2026 23:57:20 +0200	[thread overview]
Message-ID: <DJL0OIF53N7U.2AAPEB2LOEEDT@smile.fr> (raw)
In-Reply-To: <20260623113037.28968-8-adongare@cisco.com>

On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream patch [1] as mentioned in [2].
>
> [1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
> [2] https://security-tracker.debian.org/tracker/CVE-2026-41079
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>

As far as I know, this fix is also needed on wrynose:
CVE-2026-41079 impacts "up to 2.4.17 excluding" per NVD and wrynose has 2.4.16.

Can you send a fix for wrynose so I can take this one for scarthgap?

> ---
>  meta/recipes-extended/cups/cups.inc           |  1 +
>  .../cups/cups/CVE-2026-27447.patch            |  4 +-
>  .../cups/cups/CVE-2026-34978.patch            | 25 +++++--
>  .../cups/CVE-2026-34980-regression_p2.patch   |  8 +--
>  .../cups/cups/CVE-2026-34990.patch            | 19 ++---
>  .../cups/cups/CVE-2026-41079.patch            | 72 +++++++++++++++++++

This patch touches a lot of patches added previously in the series. I
think this is a mistake and those changes should either be dropped or
squashed in the proper commit.

Can you send a v2 of the whole series with this cleaned up?
Please split CVE-2026-41079 and CVE-2026-27447 into another series as
those need a wrynose fix.

Thanks!


>  6 files changed, 106 insertions(+), 23 deletions(-)
>  create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch


>
> diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
> index c2bf572bf5..64f71c9465 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
>             file://CVE-2026-34990.patch \
>             file://CVE-2026-39314.patch \
>             file://CVE-2026-39316.patch \
> +           file://CVE-2026-41079.patch \
>             "
>  
>  GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> index 77a26dae64..1884acfa9f 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> @@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
>  index 4a2e25d..0da2c55 100644
>  --- a/CHANGES.md
>  +++ b/CHANGES.md
> -@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
> +@@ -21,6 +21,8 @@
>   Changes in CUPS v2.4.10 (2024-06-18)
> - -----------------------------
> + ------------------------------------
>   
>  +- CVE-2026-27447: The scheduler treated local user and group names as case-
>  +  insensitive.
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> index d05bc85588..b4b83a41d0 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> @@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
>  index 7a5e8813f..429ee874f 100644
>  --- a/CHANGES.md
>  +++ b/CHANGES.md
> -@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
> - Changes in CUPS v2.4.10 (2024-06-18)
> - ------------------------------------
> - 
> +@@ -24,6 +24,8 @@
>   - CVE-2026-27447: The scheduler treated local user and group names as case-
>     insensitive.
> -- Fixed cupsd crash if user does not exist (Issue #1555)
> + - Fixed cupsd crash if user does not exist (Issue #1555)
>  +- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
>  +  directory.
>   - Fixed error handling when reading a mixed `1setOf` attribute.
> @@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
>  +	{
>  +	  send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
>  +	  ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++	  return;
> ++	}
> +       }
> +       else if (!strcmp(attr->name, "notify-pull-method") &&
> +                attr->value_tag == IPP_TAG_KEYWORD)
> +@@ -6010,6 +6016,12 @@ create_subscriptions(
> + 	                "notify-status-code", IPP_ATTRIBUTES);
> + 	  return;
> + 	}
> ++	else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
> ++	{
> ++	  send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> ++	  ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++	  return;
> ++	}
> +       }
> +       else if (!strcmp(attr->name, "notify-pull-method") &&
> +                attr->value_tag == IPP_TAG_KEYWORD)
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> index 73846cb8a3..0cf63b10af 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> @@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
>   #
>   # Test the lp command.
>   #
> --# Copyright © 2020-2024 by OpenPrinting.
> -+# Copyright © 2020-2026 by OpenPrinting.
> - # Copyright © 2007-2019 by Apple Inc.
> - # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> +-# Copyright © 2020-2024 by OpenPrinting.
> ++# Copyright © 2020-2026 by OpenPrinting.
> + # Copyright © 2007-2019 by Apple Inc.
> + # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
>   #
>  @@ -72,8 +72,8 @@ echo ""
>   
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> index e3d6e10a23..916cdc09a3 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> @@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
>     {
>       OSStatus		status;		/* Status */
>       char		authdata[HTTP_MAX_VALUE];
> -@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
> +@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
>   #endif /* HAVE_AUTHORIZATION_H */
>   #if defined(SO_PEERCRED) && defined(AF_LOCAL)
> --  else if (!strncmp(authorization, "PeerCred ", 9) &&
> +-  else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
>  -           con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
>  +  else if (PeerCred != CUPSD_PEERCRED_OFF &&
>  +           !strncmp(authorization, "PeerCred ", 9) &&
> @@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
>     {
>       send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
>       return;
> -@@ -5621,9 +5621,15 @@ create_local_printer(
> - 
> -   ptr = ippGetString(device_uri, 0, NULL);
> - 
> --  if (!ptr || !ptr[0])
> -+  if (!ptr || !ptr[0])
> -  {
> --    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> -+    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> +@@ -5634,6 +5634,12 @@ create_local_printer(
>   
>       return;
>     }
>  +  else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
>  +  {
>  +    send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
> -+ 
> ++
>  +    return;
>  +  }
> + 
> +   printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
> +   printer_info         = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
>  diff --git a/scheduler/job.c b/scheduler/job.c
>  index 880c25f..6c033de 100644
>  --- a/scheduler/job.c
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> new file mode 100644
> index 0000000000..f216c84e30
> --- /dev/null
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> @@ -0,0 +1,72 @@
> +From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
> +From: Michael R Sweet <msweet@msweet.org>
> +Date: Mon, 13 Apr 2026 11:50:23 -0400
> +Subject: [PATCH] Limit num_bytes for SNMP string values.
> +
> +CVE: CVE-2026-41079
> +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
> +
> +(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + cups/snmp-private.h | 6 +++---
> + cups/snmp.c         | 8 ++++++--
> + 2 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/cups/snmp-private.h b/cups/snmp-private.h
> +index 52b8740..015f53e 100644
> +--- a/cups/snmp-private.h
> ++++ b/cups/snmp-private.h
> +@@ -1,7 +1,7 @@
> + /*
> +  * Private SNMP definitions for CUPS.
> +  *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> +  * Copyright © 2007-2014 by Apple Inc.
> +  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> +  *
> +@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t;	/**** ASN1 request/object types ****/
> + 
> + typedef struct cups_snmp_string_s	/**** String value ****/
> + {
> +-  unsigned char	bytes[CUPS_SNMP_MAX_STRING];
> +-					/* Bytes in string */
> +   unsigned	num_bytes;		/* Number of bytes */
> ++  unsigned char	bytes[CUPS_SNMP_MAX_STRING + 1];
> ++					/* Bytes in string */
> + } cups_snmp_string_t;
> + 
> + union cups_snmp_value_u			/**** Object value ****/
> +diff --git a/cups/snmp.c b/cups/snmp.c
> +index 54e348f..3222ff3 100644
> +--- a/cups/snmp.c
> ++++ b/cups/snmp.c
> +@@ -1,7 +1,7 @@
> + /*
> +  * SNMP functions for CUPS.
> +  *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> +  * Copyright © 2007-2019 by Apple Inc.
> +  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> +  *
> +@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer,	/* I - Buffer */
> + 	        case CUPS_ASN1_OCTET_STRING :
> + 	        case CUPS_ASN1_BIT_STRING :
> + 	        case CUPS_ASN1_HEX_STRING :
> +-		    packet->object_value.string.num_bytes = length;
> + 		    asn1_get_string(&bufptr, bufend, length,
> + 		                    (char *)packet->object_value.string.bytes,
> + 				    sizeof(packet->object_value.string.bytes));
> ++
> ++		    if (length >= sizeof(packet->object_value.string.bytes))
> ++		      packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
> ++		    else
> ++		      packet->object_value.string.num_bytes = length;
> + 	            break;
> + 
> + 	        case CUPS_ASN1_OID :
> +-- 
> +2.43.7
> +


-- 
Yoann Congal
Smile ECS



  reply	other threads:[~2026-06-28 21:57 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:57   ` Yoann Congal [this message]
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJL0OIF53N7U.2AAPEB2LOEEDT@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=adongare@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=to@cisco.com \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox