* [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (6 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568
[2] https://security-tracker.debian.org/tracker/CVE-2026-34978
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-34978.patch | 102 ++++++++++++++++++
2 files changed, 103 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34978.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index ec9392b73d..e06bbc0a2a 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -23,6 +23,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-27447.patch \
file://CVE-2026-27447-regression_p1.patch \
file://CVE-2026-27447-regression_p2.patch \
+ file://CVE-2026-34978.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
new file mode 100644
index 0000000000..d05bc85588
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
@@ -0,0 +1,102 @@
+From ab6ab965de6890aed4df39c97f7cd708fd5cb00c Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:18:26 -0400
+Subject: [PATCH] Fix RSS notifier.
+
+CVE: CVE-2026-34978
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/730347c5bbd5e1271149c6739aa858c0c83a7568]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/ipp.c subscription context to the
+ CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 730347c5bbd5e1271149c6739aa858c0c83a7568)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ notifier/rss.c | 20 ++++++++++++++------
+ scheduler/ipp.c | 12 ++++++++++++
+ 3 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 7a5e8813f..429ee874f 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
+ Changes in CUPS v2.4.10 (2024-06-18)
+ ------------------------------------
+
+ - CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
+- Fixed cupsd crash if user does not exist (Issue #1555)
++- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
++ directory.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/notifier/rss.c b/notifier/rss.c
+index f17e1494c..250ad877e 100644
+--- a/notifier/rss.c
++++ b/notifier/rss.c
+@@ -1,11 +1,12 @@
+ /*
+ * RSS notifier for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
+- * Copyright 2007-2015 by Apple Inc.
+- * Copyright 2007 by Easy Software Products.
++ * Copyright © 2020-2026 by OpenPrinting.
++ * Copyright © 2007-2015 by Apple Inc.
++ * Copyright © 2007 by Easy Software Products.
+ *
+- * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
++ * Licensed under Apache License v2.0. See the file "LICENSE" for more
++ * information.
+ */
+
+ /*
+@@ -80,6 +81,7 @@ main(int argc, /* I - Number of command-line arguments */
+ http_status_t status; /* HTTP GET/PUT status code */
+ char filename[1024], /* Local filename */
+ newname[1024]; /* filename.N */
++ struct stat fileinfo; /* Local file information */
+ cups_lang_t *language; /* Language information */
+ ipp_attribute_t *printer_up_time, /* Timestamp on event */
+ *notify_sequence_number,/* Sequence number */
+@@ -111,9 +113,9 @@ main(int argc, /* I - Number of command-line arguments */
+
+ if (httpSeparateURI(HTTP_URI_CODING_ALL, argv[1], scheme, sizeof(scheme),
+ username, sizeof(username), host, sizeof(host), &port,
+- resource, sizeof(resource)) < HTTP_URI_OK)
++ resource, sizeof(resource)) < HTTP_URI_OK || strstr(resource, "../") != NULL)
+ {
+- fprintf(stderr, "ERROR: Bad RSS URI \"%s\"!\n", argv[1]);
++ fprintf(stderr, "ERROR: Bad RSS URI \"%s\".\n", argv[1]);
+ return (1);
+ }
+
+@@ -209,6 +211,12 @@ main(int argc, /* I - Number of command-line arguments */
+ snprintf(filename, sizeof(filename), "%s/rss%s", cachedir, resource);
+ snprintf(newname, sizeof(newname), "%s.N", filename);
+
++ if (!lstat(filename, &fileinfo) && !S_ISREG(fileinfo.st_mode))
++ {
++ fprintf(stderr, "ERROR: Local RSS path \"%s\" is not a file.\n", filename);
++ return (1);
++ }
++
+ httpAssembleURIf(HTTP_URI_CODING_ALL, baseurl, sizeof(baseurl), "http",
+ NULL, server_name, atoi(server_port), "/rss%s", resource);
+ }
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 2d80a960e..2dc7376c1 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -1985,6 +1985,12 @@ add_job_subscriptions(
+ "notify-status-code", IPP_ATTRIBUTES);
+ return;
+ }
++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (5 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream fix [1] for CVE-2026-34980 as mentioned in [2], where
the scheduler did not filter control characters from option values.
Also include the upstream regression fixes that followed the CVE fix:
- CVE-2026-34980-regression_p1.patch [3] fixes filter PPD keyword
processing. The CVE fix parsed PPD keywords into a temporary array,
but the loop did not advance the keyword pointer. This regression was
reported in OpenPrinting/cups Issue [4].
- CVE-2026-34980-regression_p2.patch [5] fixes a get_options() regression
where the option-value parser did not advance the input pointer for
whitespace/control-character paths.
[1] https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3
[2] https://security-tracker.debian.org/tracker/CVE-2026-34980
[3] https://github.com/OpenPrinting/cups/commit/3f2bdc293243bca938c6de23ba50e6d783189629
[4] https://github.com/OpenPrinting/cups/issues/1562
[5] https://github.com/OpenPrinting/cups/commit/52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 3 +
.../cups/CVE-2026-34980-regression_p1.patch | 31 ++++++
.../cups/CVE-2026-34980-regression_p2.patch | 75 ++++++++++++++
.../cups/cups/CVE-2026-34980.patch | 97 +++++++++++++++++++
4 files changed, 206 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index e06bbc0a2a..dc5b971195 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -24,6 +24,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-27447-regression_p1.patch \
file://CVE-2026-27447-regression_p2.patch \
file://CVE-2026-34978.patch \
+ file://CVE-2026-34980.patch \
+ file://CVE-2026-34980-regression_p1.patch \
+ file://CVE-2026-34980-regression_p2.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
new file mode 100644
index 0000000000..9290a0e637
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p1.patch
@@ -0,0 +1,31 @@
+From 3f2bdc293243bca938c6de23ba50e6d783189629 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 28 Apr 2026 17:42:41 -0400
+Subject: [PATCH] Fix filter PPD keyword processing (Issue #1562)
+
+CVE: CVE-2026-34980
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/3f2bdc293243bca938c6de23ba50e6d783189629]
+
+(cherry picked from commit 3f2bdc293243bca938c6de23ba50e6d783189629)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ scheduler/job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 895b2d9..915ba94 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -5419,7 +5419,7 @@ update_job(cupsd_job_t *job) /* I - Job to check */
+ keywords = NULL;
+ num_keywords = cupsParseOptions(message, 0, &keywords);
+
+- for (i = 0, keyword = keywords; i < num_keywords; i ++)
++ for (i = 0, keyword = keywords; i < num_keywords; i ++, keyword ++)
+ {
+ /*
+ * Filter out "special" PPD keywords...
+--
+2.43.7
+
+
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
new file mode 100644
index 0000000000..73846cb8a3
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
@@ -0,0 +1,75 @@
+From 52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Wed, 8 Apr 2026 16:42:48 -0400
+Subject: [PATCH] Fix get_options regression (Issue #1532)
+
+CVE: CVE-2026-34980
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af]
+
+(cherry picked from commit 52cfb028dc211a0fd9ba6fe6eba6d482ccc6c9af)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ scheduler/job.c | 4 ++--
+ test/5.5-lp.sh | 10 +++++-----
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 6b9d366..cf019e1 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4144,7 +4144,7 @@ get_options(cupsd_job_t *job, /* I - Job */
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_URI :
+- for (valptr = attr->values[i].string.text; *valptr;)
++ for (valptr = attr->values[i].string.text; *valptr; valptr ++)
+ {
+ /*
+ * Convert tabs and newlines to spaces, filter out control chars,
+@@ -4159,7 +4159,7 @@ get_options(cupsd_job_t *job, /* I - Job */
+ {
+ if (strchr("\\\'\"", *valptr))
+ *optptr++ = '\\';
+- *optptr++ = *valptr++;
++ *optptr++ = *valptr;
+ }
+ }
+
+diff --git a/test/5.5-lp.sh b/test/5.5-lp.sh
+index 25e9d65..fe60890 100644
+--- a/test/5.5-lp.sh
++++ b/test/5.5-lp.sh
+@@ -2,7 +2,7 @@
+ #
+ # Test the lp command.
+ #
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+ #
+@@ -72,8 +72,8 @@ echo ""
+
+ echo "LP Flood Test ($1 times in parallel)"
+ echo ""
+-echo " lp -d Test1 testfile.jpg"
+-echo " lp -d Test2 testfile.jpg"
++echo " lp -d Test1 -t 'Flood Test N' testfile.jpg"
++echo " lp -d Test2 -t 'Flood Test N' testfile.jpg"
+ i=0
+ pids=""
+ while test $i -lt $1; do
+@@ -83,9 +83,9 @@ while test $i -lt $1; do
+ j=`expr $j + 1`
+ done
+
+- $runcups $VALGRIND ../systemv/lp -d Test1 ../examples/testfile.jpg 2>&1 &
++ $runcups $VALGRIND ../systemv/lp -d Test1 -t "Flood Test $j" ../examples/testfile.jpg 2>&1 &
+ pids="$pids $!"
+- $runcups $VALGRIND ../systemv/lp -d Test2 ../examples/testfile.jpg 2>&1 &
++ $runcups $VALGRIND ../systemv/lp -d Test2 -t "Flood Test $j" ../examples/testfile.jpg 2>&1 &
+ pids="$pids $!"
+
+ i=`expr $i + 1`
+--
+2.43.7
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch
new file mode 100644
index 0000000000..286e9cd517
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch
@@ -0,0 +1,97 @@
+From e206c7643a7574cab2e9457eac4c9f755dbf44ff Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:45:13 -0400
+Subject: [PATCH] Filter out control characters from option values.
+
+CVE: CVE-2026-34980
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/job.c option-handling context to
+ the CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 8d0f51cac24cb5bf949c5b6a221e51a150d982e3)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/job.c | 41 +++++++++++++++++++++++++++++++++++------
+ 2 files changed, 37 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 7e24840..9863c17 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -9,6 +9,8 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ - Fixed cupsd crash if user does not exist (Issue #1555)
+ - CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
+ directory.
++- CVE-2026-34980: The scheduler did not filter control characters from option
++ values.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 822a247..895b2d9 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4121,9 +4121,21 @@ get_options(cupsd_job_t *job, /* I - Job */
+ case IPP_TAG_URI :
+ for (valptr = attr->values[i].string.text; *valptr;)
+ {
+- if (strchr(" \t\n\\\'\"", *valptr))
+- *optptr++ = '\\';
+- *optptr++ = *valptr++;
++ /*
++ * Convert tabs and newlines to spaces, filter out control chars,
++ * and escape \, ', and ".
++ */
++
++ if (isspace(*valptr & 255))
++ {
++ *optptr++ = ' ';
++ }
++ else if ((*valptr & 255) >= ' ' && *valptr != 0x7f)
++ {
++ if (strchr("\\\'\"", *valptr))
++ *optptr++ = '\\';
++ *optptr++ = *valptr++;
++ }
+ }
+
+ *optptr = '\0';
+@@ -5394,13 +5409,30 @@ update_job(cupsd_job_t *job) /* I - Job to check */
+ else if (loglevel == CUPSD_LOG_PPD)
+ {
+ /*
+- * Set attribute(s)...
++ * Set PPD keyword(s)/value(s)...
+ */
+
++ int i, /* Looping var */
++ num_keywords; /* Number of keywords */
++ cups_option_t *keywords, /* Keywords */
++ *keyword; /* Current keyword */
++
+ cupsdLogJob(job, CUPSD_LOG_DEBUG, "PPD: %s", message);
+
+- job->num_keywords = cupsParseOptions(message, job->num_keywords,
+- &job->keywords);
++ keywords = NULL;
++ num_keywords = cupsParseOptions(message, 0, &keywords);
++
++ for (i = 0, keyword = keywords; i < num_keywords; i ++)
++ {
++ /*
++ * Filter out "special" PPD keywords...
++ */
++
++ if (strcmp(keyword->name, "cupsFilter") && strcmp(keyword->name, "cupsFilter2") && strcmp(keyword->name, "cupsFinishingTemplate") && strcmp(keyword->name, "cupsIPPFinishings") && strcmp(keyword->name, "cupsIPPReason") && strcmp(keyword->name, "cupsMarkerName") && strcmp(keyword->name, "cupsMaxSize") && strncmp(keyword->name, "cupsMediaQualifier", 18) && strcmp(keyword->name, "cupsMinSize") && strcmp(keyword->name, "cupsPageSizeCategory") && strcmp(keyword->name, "cupsPortMonitor") && strcmp(keyword->name, "cupsPreFilter") && strcmp(keyword->name, "cupsPrintQuality") && strcmp(keyword->name, "APPrinterPreset"))
++ job->num_keywords = cupsAddOption(keyword->name, keyword->value, job->num_keywords, &job->keywords);
++ }
++
++ cupsFreeOptions(num_keywords, keywords);
+ }
+ else
+ {
+--
+2.43.7
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 2/8] cups: Fix CVE-2026-34978 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 3/8] cups: Fix CVE-2026-34980 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (4 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214
[2] https://security-tracker.debian.org/tracker/CVE-2026-34979
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-34979.patch | 73 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34979.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index dc5b971195..7dedb2daef 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -27,6 +27,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34980.patch \
file://CVE-2026-34980-regression_p1.patch \
file://CVE-2026-34980-regression_p2.patch \
+ file://CVE-2026-34979.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34979.patch b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch
new file mode 100644
index 0000000000..4adb6415b1
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34979.patch
@@ -0,0 +1,73 @@
+From 471b4dc802455c7c59f9fd594fec8b6f3acb0db5 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 14:50:06 -0400
+Subject: [PATCH] Expand allocation of options string.
+
+CVE: CVE-2026-34979
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0ff8897367c7341f2500770c3977038cdd7c0214]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/job.c IPP length context to the
+ CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 0ff8897367c7341f2500770c3977038cdd7c0214)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ scheduler/job.c | 16 ++++------------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 9863c17..f203e9a 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -11,6 +11,8 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ directory.
+ - CVE-2026-34980: The scheduler did not filter control characters from option
+ values.
++- CVE-2026-34979: The scheduler did not always allocate enough memory for a
++ job's options string.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 915ba94..880c25f 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -4195,18 +4195,6 @@ ipp_length(ipp_t *ipp) /* I - IPP request */
+
+ for (attr = ipp->attrs; attr != NULL; attr = attr->next)
+ {
+- /*
+- * Skip attributes that won't be sent to filters...
+- */
+-
+- if (attr->value_tag == IPP_TAG_NOVALUE ||
+- attr->value_tag == IPP_TAG_MIMETYPE ||
+- attr->value_tag == IPP_TAG_NAMELANG ||
+- attr->value_tag == IPP_TAG_TEXTLANG ||
+- attr->value_tag == IPP_TAG_URI ||
+- attr->value_tag == IPP_TAG_URISCHEME)
+- continue;
+-
+ /*
+ * Add space for a leading space and commas between each value.
+ * For the first attribute, the leading space isn't used, so the
+@@ -4282,10 +4270,14 @@ ipp_length(ipp_t *ipp) /* I - IPP request */
+
+ case IPP_TAG_TEXT :
+ case IPP_TAG_NAME :
++ case IPP_TAG_TEXTLANG :
++ case IPP_TAG_NAMELANG :
++ case IPP_TAG_MIMETYPE :
+ case IPP_TAG_KEYWORD :
+ case IPP_TAG_CHARSET :
+ case IPP_TAG_LANGUAGE :
+ case IPP_TAG_URI :
++ case IPP_TAG_URISCHEME :
+ /*
+ * Strings can contain characters that need quoting. We need
+ * at least 2 * len + 2 characters to cover the quotes and
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 4/8] cups: Fix CVE-2026-34979 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356
[2] https://security-tracker.debian.org/tracker/CVE-2026-34990
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-34990.patch | 366 ++++++++++++++++++
2 files changed, 367 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34990.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 7dedb2daef..2e6bf698e0 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -28,6 +28,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34980-regression_p1.patch \
file://CVE-2026-34980-regression_p2.patch \
file://CVE-2026-34979.patch \
+ file://CVE-2026-34990.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
new file mode 100644
index 0000000000..e3d6e10a23
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
@@ -0,0 +1,366 @@
+From 48648896ca7faa8f105eee7b7a8d86c42e0fa796 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 31 Mar 2026 15:55:50 -0400
+Subject: [PATCH] Don't allow local certificates over the loopback
+ interface, drop support for writing to plain files.
+
+CVE: CVE-2026-34990
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356]
+
+Backport Changes:
+- Preserve the existing CVE-2025-61915 PeerCred disable guard while changing
+ localhost checks to AF_LOCAL.
+- Replace CHANGES.md CVE-2026-NNNNN placeholder with CVE-2026-34990.
+
+(cherry picked from commit e052dc44da9d12adfbebc51de4975fbadb2ce356)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 2 ++
+ cups/auth.c | 30 ++++++--------------------
+ scheduler/auth.c | 9 +++++----
+ scheduler/client.c | 4 ++--
+ scheduler/ipp.c | 12 ++++++++--
+ scheduler/job.c | 46 ++++++++++++++++++++++------------------
+ test/4.2-cups-printer-ops.test | 6 +++--
+ test/5.1-lpadmin.sh | 14 +++++------
+ 8 files changed, 60 insertions(+), 63 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index f203e9a..4eeebef 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -13,6 +13,8 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ values.
+ - CVE-2026-34979: The scheduler did not always allocate enough memory for a
+ job's options string.
++- CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
++ loopback interface.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/cups/auth.c b/cups/auth.c
+index 5cb4194..14661c7 100644
+--- a/cups/auth.c
++++ b/cups/auth.c
+@@ -1,7 +1,7 @@
+ /*
+ * Authentication functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products.
+ *
+@@ -92,7 +92,6 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
+ # define cups_gss_printf(major, minor, message)
+ # endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
+-static int cups_is_local_connection(http_t *http);
+ static int cups_local_auth(http_t *http);
+
+
+@@ -948,14 +947,6 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */
+ # endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
+
+-static int /* O - 0 if not a local connection */
+- /* 1 if local connection */
+-cups_is_local_connection(http_t *http) /* I - HTTP connection to server */
+-{
+- if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+- return 0;
+- return 1;
+-}
+
+ /*
+ * 'cups_local_auth()' - Get the local authorization certificate if
+@@ -967,13 +958,7 @@ static int /* O - 0 if available */
+ /* -1 error */
+ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ {
+-#if defined(_WIN32) || defined(__EMX__)
+- /*
+- * Currently _WIN32 and OS-2 do not support the CUPS server...
+- */
+-
+- return (1);
+-#else
++#if !_WIN32 && !__EMX__ && defined(AF_LOCAL)
+ int pid; /* Current process ID */
+ FILE *fp; /* Certificate file */
+ char trc[16], /* Try Root Certificate parameter */
+@@ -998,7 +983,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ * See if we are accessing localhost...
+ */
+
+- if (!cups_is_local_connection(http))
++ if (httpAddrFamily(httpGetAddress(http)) != AF_LOCAL)
+ {
+ DEBUG_puts("8cups_local_auth: Not a local connection!");
+ return (1);
+@@ -1072,15 +1057,14 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ }
+ # endif /* HAVE_AUTHORIZATION_H */
+
+-# if defined(SO_PEERCRED) && defined(AF_LOCAL)
++# ifdef SO_PEERCRED
+ /*
+ * See if we can authenticate using the peer credentials provided over a
+ * domain socket; if so, specify "PeerCred username" as the authentication
+ * information...
+ */
+
+- if (http->hostaddr->addr.sa_family == AF_LOCAL &&
+- !getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */
++ if (!getenv("GATEWAY_INTERFACE") && /* Not via CGI programs... */
+ cups_auth_find(www_auth, "PeerCred"))
+ {
+ /*
+@@ -1104,7 +1088,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ return (0);
+ }
+ }
+-# endif /* SO_PEERCRED && AF_LOCAL */
++# endif /* SO_PEERCRED */
+
+ if ((schemedata = cups_auth_find(www_auth, "Local")) == NULL)
+ return (1);
+@@ -1164,7 +1148,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */
+ return (0);
+ }
+ }
++#endif /* !_WIN32 && !__EMX__ && AF_LOCAL */
+
+ return (1);
+-#endif /* _WIN32 || __EMX__ */
+ }
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 1dd520d..56855fc 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -318,7 +318,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ }
+ #ifdef HAVE_AUTHORIZATION_H
+ else if (!strncmp(authorization, "AuthRef ", 8) &&
+- httpAddrLocalhost(httpGetAddress(con->http)))
++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ OSStatus status; /* Status */
+ char authdata[HTTP_MAX_VALUE];
+@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ #endif /* HAVE_AUTHORIZATION_H */
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- else if (!strncmp(authorization, "PeerCred ", 9) &&
+- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
++ else if (PeerCred != CUPSD_PEERCRED_OFF &&
++ !strncmp(authorization, "PeerCred ", 9) &&
++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL && con->best)
+ {
+ /*
+ * Use peer credentials from domain socket connection...
+@@ -483,7 +483,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ }
+ #endif /* SO_PEERCRED && AF_LOCAL */
+ else if (!strncmp(authorization, "Local", 5) &&
+- httpAddrLocalhost(httpGetAddress(con->http)))
++ httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ /*
+ * Get Local certificate authentication data...
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 779404c..dea9da0 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -2173,7 +2173,7 @@ cupsdSendHeader(
+ strlcpy(auth_str, "Negotiate", sizeof(auth_str));
+ }
+
+- if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
++ if (con->best && !con->is_browser && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ /*
+ * Add a "trc" (try root certification) parameter for local
+@@ -2193,7 +2193,7 @@ cupsdSendHeader(
+ auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str);
+
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
++ if (PeerCred != CUPSD_PEERCRED_OFF)
+ {
+ strlcpy(auth_key, ", PeerCred", auth_size);
+ auth_key += 10;
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index b0d1f5b..11dcd39 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -5561,7 +5561,7 @@ create_local_printer(
+ * Require local access to create a local printer...
+ */
+
+- if (!httpAddrLocalhost(httpGetAddress(con->http)))
++ if (httpAddrFamily(httpGetAddress(con->http)) != AF_LOCAL)
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
+ return;
+@@ -5621,9 +5621,15 @@ create_local_printer(
+
+ ptr = ippGetString(device_uri, 0, NULL);
+
+- if (!ptr || !ptr[0])
++ if (!ptr || !ptr[0])
+ {
+- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
++ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
+
+ return;
+ }
++ else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
++
++ return;
++ }
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 880c25f..6c033de 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -1164,35 +1164,39 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */
+ }
+ else
+ {
++ char scheme[32], /* URI scheme */
++ userpass[32], /* URI username:password */
++ host[256], /* URI hostname */
++ resource[1024]; /* URI resource path (filename) */
++ int port; /* URI port number */
++
++ httpSeparateURI(HTTP_URI_CODING_ALL, job->printer->device_uri, scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource));
++
+ job->print_pipes[0] = -1;
+- if (!strcmp(job->printer->device_uri, "file:/dev/null") ||
+- !strcmp(job->printer->device_uri, "file:///dev/null"))
+- job->print_pipes[1] = -1;
+- else
++ job->print_pipes[1] = -1;
++
++ if (strcmp(resource, "/dev/null"))
+ {
+- if (!strncmp(job->printer->device_uri, "file:/dev/", 10))
+- job->print_pipes[1] = open(job->printer->device_uri + 5,
+- O_WRONLY | O_EXCL);
+- else if (!strncmp(job->printer->device_uri, "file:///dev/", 12))
+- job->print_pipes[1] = open(job->printer->device_uri + 7,
+- O_WRONLY | O_EXCL);
+- else if (!strncmp(job->printer->device_uri, "file:///", 8))
+- job->print_pipes[1] = open(job->printer->device_uri + 7,
+- O_WRONLY | O_CREAT | O_TRUNC, 0600);
+- else
+- job->print_pipes[1] = open(job->printer->device_uri + 5,
+- O_WRONLY | O_CREAT | O_TRUNC, 0600);
++ if (!FileDevice)
++ {
++ abort_message = "Stopping job because file: output is disabled.";
+
+- if (job->print_pipes[1] < 0)
++ goto abort_job;
++ }
++ else if ((job->print_pipes[1] = open(resource, O_WRONLY | O_EXCL)) < 0)
+ {
+- abort_message = "Stopping job because the scheduler could not "
+- "open the output file.";
++ abort_message = "Stopping job because the scheduler could not open the output file.";
+
+ goto abort_job;
+ }
++ else
++ {
++ /*
++ * Close this file on execute...
++ */
+
+- fcntl(job->print_pipes[1], F_SETFD,
+- fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC);
++ fcntl(job->print_pipes[1], F_SETFD, fcntl(job->print_pipes[1], F_GETFD) | FD_CLOEXEC);
++ }
+ }
+ }
+ }
+diff --git a/test/4.2-cups-printer-ops.test b/test/4.2-cups-printer-ops.test
+index 1a011e0..945a9bb 100644
+--- a/test/4.2-cups-printer-ops.test
++++ b/test/4.2-cups-printer-ops.test
+@@ -1,7 +1,7 @@
+ #
+ # Verify that the CUPS printer operations work.
+ #
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 2001-2006 by Easy Software Products. All rights reserved.
+ #
+@@ -180,7 +180,7 @@
+ ATTR uri printer-uri $method://$hostname:$port/printers/Test2
+
+ GROUP printer
+- ATTR uri device-uri file:/tmp/Test2
++ ATTR uri device-uri file:///dev/null
+ ATTR enum printer-state 3
+ ATTR boolean printer-is-accepting-jobs true
+
+@@ -206,7 +206,7 @@
+ ATTR uri printer-uri $method://$hostname:$port/printers/Test1
+
+ GROUP printer
+- ATTR uri device-uri file:/tmp/Test1
++ ATTR uri device-uri file:///dev/null
+ ATTR enum printer-state 3
+ ATTR boolean printer-is-accepting-jobs true
+ ATTR text printer-info "Test Printer 1"
+diff --git a/test/5.1-lpadmin.sh b/test/5.1-lpadmin.sh
+index aa39800..36f2822 100644
+--- a/test/5.1-lpadmin.sh
++++ b/test/5.1-lpadmin.sh
+@@ -2,7 +2,7 @@
+ #
+ # Test the lpadmin command.
+ #
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2018 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+ #
+@@ -12,8 +12,8 @@
+
+ echo "Add Printer Test"
+ echo ""
+-echo " lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd"
+-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1
++echo " lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd"
++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -E -m drv:///sample.drv/deskjet.ppd 2>&1
+ if test $? != 0; then
+ echo " FAILED"
+ exit 1
+@@ -29,8 +29,8 @@ echo ""
+
+ echo "Modify Printer Test"
+ echo ""
+-echo " lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4"
+-$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:/tmp/Test3 -o PageSize=A4 2>&1
++echo " lpadmin -p Test3 -v file:///dev/null -o PageSize=A4"
++$runcups $VALGRIND ../systemv/lpadmin -p Test3 -v file:///dev/null -o PageSize=A4 2>&1
+ if test $? != 0; then
+ echo " FAILED"
+ exit 1
+@@ -65,8 +65,8 @@ echo ""
+
+ echo "Add a printer for cupSNMP/IPPSupplies test"
+ echo ""
+-echo " lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd"
+-$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:/dev/null -m drv:///sample.drv/zebra.ppd 2>&1
++echo " lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd"
++$runcups $VALGRIND ../systemv/lpadmin -p Test4 -E -v file:///dev/null -m drv:///sample.drv/zebra.ppd 2>&1
+ if test $? != 0; then
+ echo " FAILED"
+ exit 1
+--
+2.43.7
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (3 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 5/8] cups: Fix CVE-2026-34990 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (2 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4
[2] https://security-tracker.debian.org/tracker/CVE-2026-39314
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-39314.patch | 56 +++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 2e6bf698e0..7bfa890b3d 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -29,6 +29,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34980-regression_p2.patch \
file://CVE-2026-34979.patch \
file://CVE-2026-34990.patch \
+ file://CVE-2026-39314.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39314.patch b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch
new file mode 100644
index 0000000000..2ebefb3bc5
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch
@@ -0,0 +1,56 @@
+From 65c463ada188915d6700d92ce48a9a14949ca413 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 10:45:25 -0400
+Subject: [PATCH] Range check job-password-supported.
+
+CVE: CVE-2026-39314
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4]
+
+Backport Changes:
+- Rebase CHANGES.md placement and cups/ppd-cache.c context to the CUPS 2.4.11
+ source carried by this recipe.
+
+(cherry picked from commit 928a86b1b794f738f0a3dc87561b2e054bff7ce4)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ cups/ppd-cache.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 4eeebef..082b9f7 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -15,6 +15,7 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ job's options string.
+ - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
+ loopback interface.
++- Fixed the range check for job password strings.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index e750fcc..08e0db8 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -1,7 +1,7 @@
+ /*
+ * PPD cache implementation for CUPS.
+ *
+- * Copyright © 2022-2024 by OpenPrinting.
++ * Copyright © 2022-2026 by OpenPrinting.
+ * Copyright © 2010-2021 by Apple Inc.
+ *
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more
+@@ -3432,7 +3432,7 @@ _ppdCreateFromIPP2(
+ * Password/PIN printing...
+ */
+
+- if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL)
++ if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL && ippGetInteger(attr, 0) > 0)
+ {
+ char pattern[33]; /* Password pattern */
+ int maxlen = ippGetInteger(attr, 0);
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (4 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 6/8] cups: Fix CVE-2026-39314 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
7 siblings, 0 replies; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f
[2] https://security-tracker.debian.org/tracker/CVE-2026-39316
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-39316.patch | 51 +++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 7bfa890b3d..c2bf572bf5 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34979.patch \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
+ file://CVE-2026-39316.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
new file mode 100644
index 0000000000..4b43a7b41b
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch
@@ -0,0 +1,51 @@
+From 7c4d7951d189e931563f21086196d5a55fb2fa15 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Sun, 5 Apr 2026 11:33:23 -0400
+Subject: [PATCH] Expire per-printer subscriptions before deleting.
+
+CVE: CVE-2026-39316
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f]
+
+Backport Changes:
+- Rebase CHANGES.md placement and scheduler/printers.c delete-printer context
+ to the CUPS 2.4.11 source carried by this recipe.
+
+(cherry picked from commit 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ CHANGES.md | 1 +
+ scheduler/printers.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index 082b9f7..cde280d 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -16,6 +16,7 @@ Changes in CUPS v2.4.10 (2024-06-18)
+ - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
+ loopback interface.
+ - Fixed the range check for job password strings.
++- Fixed a printer subscription bug in the scheduler.
+ - Fixed error handling when reading a mixed `1setOf` attribute.
+ - Fixed scheduler start if there is only domain socket to listen on (Issue #985)
+
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index bf493a3..ca983f9 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -641,6 +641,12 @@ cupsdDeletePrinter(
+ update ? "Job stopped due to printer being deleted." :
+ "Job stopped.");
+
++ /*
++ * Expire subscriptions on the printer...
++ */
++
++ cupsdExpireSubscriptions(p, /*job*/NULL);
++
+ /*
+ * Remove the printer from the list...
+ */
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (5 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 7/8] cups: Fix CVE-2026-39316 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-23 11:30 ` Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-06-28 21:57 ` Yoann Congal
2026-06-28 21:41 ` [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Yoann Congal
7 siblings, 1 reply; 10+ messages in thread
From: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-23 11:30 UTC (permalink / raw)
To: openembedded-core; +Cc: xe-linux-external, to, Anil Dongare
From: Anil Dongare <adongare@cisco.com>
Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
[2] https://security-tracker.debian.org/tracker/CVE-2026-41079
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2026-27447.patch | 4 +-
.../cups/cups/CVE-2026-34978.patch | 25 +++++--
.../cups/CVE-2026-34980-regression_p2.patch | 8 +--
.../cups/cups/CVE-2026-34990.patch | 19 ++---
.../cups/cups/CVE-2026-41079.patch | 72 +++++++++++++++++++
6 files changed, 106 insertions(+), 23 deletions(-)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index c2bf572bf5..64f71c9465 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2026-34990.patch \
file://CVE-2026-39314.patch \
file://CVE-2026-39316.patch \
+ file://CVE-2026-41079.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
index 77a26dae64..1884acfa9f 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
@@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
index 4a2e25d..0da2c55 100644
--- a/CHANGES.md
+++ b/CHANGES.md
-@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
+@@ -21,6 +21,8 @@
Changes in CUPS v2.4.10 (2024-06-18)
- -----------------------------
+ ------------------------------------
+- CVE-2026-27447: The scheduler treated local user and group names as case-
+ insensitive.
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
index d05bc85588..b4b83a41d0 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
@@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
index 7a5e8813f..429ee874f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
-@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
- Changes in CUPS v2.4.10 (2024-06-18)
- ------------------------------------
-
+@@ -24,6 +24,8 @@
- CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive.
-- Fixed cupsd crash if user does not exist (Issue #1555)
+ - Fixed cupsd crash if user does not exist (Issue #1555)
+- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
+ directory.
- Fixed error handling when reading a mixed `1setOf` attribute.
@@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
+ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
++ return;
++ }
+ }
+ else if (!strcmp(attr->name, "notify-pull-method") &&
+ attr->value_tag == IPP_TAG_KEYWORD)
+@@ -6010,6 +6016,12 @@ create_subscriptions(
+ "notify-status-code", IPP_ATTRIBUTES);
+ return;
+ }
++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
++ {
++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
++ return;
++ }
+ }
+ else if (!strcmp(attr->name, "notify-pull-method") &&
+ attr->value_tag == IPP_TAG_KEYWORD)
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
index 73846cb8a3..0cf63b10af 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
@@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
#
# Test the lp command.
#
--# Copyright © 2020-2024 by OpenPrinting.
-+# Copyright © 2020-2026 by OpenPrinting.
- # Copyright © 2007-2019 by Apple Inc.
- # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
+-# Copyright © 2020-2024 by OpenPrinting.
++# Copyright © 2020-2026 by OpenPrinting.
+ # Copyright © 2007-2019 by Apple Inc.
+ # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
#
@@ -72,8 +72,8 @@ echo ""
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
index e3d6e10a23..916cdc09a3 100644
--- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
+++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
@@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
{
OSStatus status; /* Status */
char authdata[HTTP_MAX_VALUE];
-@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
-- else if (!strncmp(authorization, "PeerCred ", 9) &&
+- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
- con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
+ else if (PeerCred != CUPSD_PEERCRED_OFF &&
+ !strncmp(authorization, "PeerCred ", 9) &&
@@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
{
send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
return;
-@@ -5621,9 +5621,15 @@ create_local_printer(
-
- ptr = ippGetString(device_uri, 0, NULL);
-
-- if (!ptr || !ptr[0])
-+ if (!ptr || !ptr[0])
- {
-- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
-+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
+@@ -5634,6 +5634,12 @@ create_local_printer(
return;
}
+ else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
+ {
+ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
-+
++
+ return;
+ }
+
+ printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
+ printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
diff --git a/scheduler/job.c b/scheduler/job.c
index 880c25f..6c033de 100644
--- a/scheduler/job.c
diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
new file mode 100644
index 0000000000..f216c84e30
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
@@ -0,0 +1,72 @@
+From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 13 Apr 2026 11:50:23 -0400
+Subject: [PATCH] Limit num_bytes for SNMP string values.
+
+CVE: CVE-2026-41079
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
+
+(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ cups/snmp-private.h | 6 +++---
+ cups/snmp.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/cups/snmp-private.h b/cups/snmp-private.h
+index 52b8740..015f53e 100644
+--- a/cups/snmp-private.h
++++ b/cups/snmp-private.h
+@@ -1,7 +1,7 @@
+ /*
+ * Private SNMP definitions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2014 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
+
+ typedef struct cups_snmp_string_s /**** String value ****/
+ {
+- unsigned char bytes[CUPS_SNMP_MAX_STRING];
+- /* Bytes in string */
+ unsigned num_bytes; /* Number of bytes */
++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
++ /* Bytes in string */
+ } cups_snmp_string_t;
+
+ union cups_snmp_value_u /**** Object value ****/
+diff --git a/cups/snmp.c b/cups/snmp.c
+index 54e348f..3222ff3 100644
+--- a/cups/snmp.c
++++ b/cups/snmp.c
+@@ -1,7 +1,7 @@
+ /*
+ * SNMP functions for CUPS.
+ *
+- * Copyright © 2020-2024 by OpenPrinting.
++ * Copyright © 2020-2026 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
+ *
+@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
+ case CUPS_ASN1_OCTET_STRING :
+ case CUPS_ASN1_BIT_STRING :
+ case CUPS_ASN1_HEX_STRING :
+- packet->object_value.string.num_bytes = length;
+ asn1_get_string(&bufptr, bufend, length,
+ (char *)packet->object_value.string.bytes,
+ sizeof(packet->object_value.string.bytes));
++
++ if (length >= sizeof(packet->object_value.string.bytes))
++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
++ else
++ packet->object_value.string.num_bytes = length;
+ break;
+
+ case CUPS_ASN1_OID :
+--
+2.43.7
+
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-28 21:57 ` Yoann Congal
0 siblings, 0 replies; 10+ messages in thread
From: Yoann Congal @ 2026-06-28 21:57 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external, to
On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream patch [1] as mentioned in [2].
>
> [1] https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
> [2] https://security-tracker.debian.org/tracker/CVE-2026-41079
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
As far as I know, this fix is also needed on wrynose:
CVE-2026-41079 impacts "up to 2.4.17 excluding" per NVD and wrynose has 2.4.16.
Can you send a fix for wrynose so I can take this one for scarthgap?
> ---
> meta/recipes-extended/cups/cups.inc | 1 +
> .../cups/cups/CVE-2026-27447.patch | 4 +-
> .../cups/cups/CVE-2026-34978.patch | 25 +++++--
> .../cups/CVE-2026-34980-regression_p2.patch | 8 +--
> .../cups/cups/CVE-2026-34990.patch | 19 ++---
> .../cups/cups/CVE-2026-41079.patch | 72 +++++++++++++++++++
This patch touches a lot of patches added previously in the series. I
think this is a mistake and those changes should either be dropped or
squashed in the proper commit.
Can you send a v2 of the whole series with this cleaned up?
Please split CVE-2026-41079 and CVE-2026-27447 into another series as
those need a wrynose fix.
Thanks!
> 6 files changed, 106 insertions(+), 23 deletions(-)
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch
>
> diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
> index c2bf572bf5..64f71c9465 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -31,6 +31,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
> file://CVE-2026-34990.patch \
> file://CVE-2026-39314.patch \
> file://CVE-2026-39316.patch \
> + file://CVE-2026-41079.patch \
> "
>
> GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> index 77a26dae64..1884acfa9f 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> @@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
> index 4a2e25d..0da2c55 100644
> --- a/CHANGES.md
> +++ b/CHANGES.md
> -@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
> +@@ -21,6 +21,8 @@
> Changes in CUPS v2.4.10 (2024-06-18)
> - -----------------------------
> + ------------------------------------
>
> +- CVE-2026-27447: The scheduler treated local user and group names as case-
> + insensitive.
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> index d05bc85588..b4b83a41d0 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> @@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
> index 7a5e8813f..429ee874f 100644
> --- a/CHANGES.md
> +++ b/CHANGES.md
> -@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
> - Changes in CUPS v2.4.10 (2024-06-18)
> - ------------------------------------
> -
> +@@ -24,6 +24,8 @@
> - CVE-2026-27447: The scheduler treated local user and group names as case-
> insensitive.
> -- Fixed cupsd crash if user does not exist (Issue #1555)
> + - Fixed cupsd crash if user does not exist (Issue #1555)
> +- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
> + directory.
> - Fixed error handling when reading a mixed `1setOf` attribute.
> @@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
> + {
> + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> + ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++ return;
> ++ }
> + }
> + else if (!strcmp(attr->name, "notify-pull-method") &&
> + attr->value_tag == IPP_TAG_KEYWORD)
> +@@ -6010,6 +6016,12 @@ create_subscriptions(
> + "notify-status-code", IPP_ATTRIBUTES);
> + return;
> + }
> ++ else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
> ++ {
> ++ send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad notify-recipient-uri URI \"%s\"."), recipient);
> ++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++ return;
> ++ }
> + }
> + else if (!strcmp(attr->name, "notify-pull-method") &&
> + attr->value_tag == IPP_TAG_KEYWORD)
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> index 73846cb8a3..0cf63b10af 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> @@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
> #
> # Test the lp command.
> #
> --# Copyright © 2020-2024 by OpenPrinting.
> -+# Copyright © 2020-2026 by OpenPrinting.
> - # Copyright © 2007-2019 by Apple Inc.
> - # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> +-# Copyright © 2020-2024 by OpenPrinting.
> ++# Copyright © 2020-2026 by OpenPrinting.
> + # Copyright © 2007-2019 by Apple Inc.
> + # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> #
> @@ -72,8 +72,8 @@ echo ""
>
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> index e3d6e10a23..916cdc09a3 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> @@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
> {
> OSStatus status; /* Status */
> char authdata[HTTP_MAX_VALUE];
> -@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
> +@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
> #endif /* HAVE_AUTHORIZATION_H */
> #if defined(SO_PEERCRED) && defined(AF_LOCAL)
> -- else if (!strncmp(authorization, "PeerCred ", 9) &&
> +- else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
> - con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
> + else if (PeerCred != CUPSD_PEERCRED_OFF &&
> + !strncmp(authorization, "PeerCred ", 9) &&
> @@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
> {
> send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users can create a local printer."));
> return;
> -@@ -5621,9 +5621,15 @@ create_local_printer(
> -
> - ptr = ippGetString(device_uri, 0, NULL);
> -
> -- if (!ptr || !ptr[0])
> -+ if (!ptr || !ptr[0])
> - {
> -- send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> -+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" has empty value."), "device-uri");
> +@@ -5634,6 +5634,12 @@ create_local_printer(
>
> return;
> }
> + else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
> + {
> + send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri \"%s\"."), ptr);
> -+
> ++
> + return;
> + }
> +
> + printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI);
> + printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT);
> diff --git a/scheduler/job.c b/scheduler/job.c
> index 880c25f..6c033de 100644
> --- a/scheduler/job.c
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> new file mode 100644
> index 0000000000..f216c84e30
> --- /dev/null
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> @@ -0,0 +1,72 @@
> +From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
> +From: Michael R Sweet <msweet@msweet.org>
> +Date: Mon, 13 Apr 2026 11:50:23 -0400
> +Subject: [PATCH] Limit num_bytes for SNMP string values.
> +
> +CVE: CVE-2026-41079
> +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
> +
> +(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
> +Signed-off-by: Anil Dongare <adongare@cisco.com>
> +---
> + cups/snmp-private.h | 6 +++---
> + cups/snmp.c | 8 ++++++--
> + 2 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/cups/snmp-private.h b/cups/snmp-private.h
> +index 52b8740..015f53e 100644
> +--- a/cups/snmp-private.h
> ++++ b/cups/snmp-private.h
> +@@ -1,7 +1,7 @@
> + /*
> + * Private SNMP definitions for CUPS.
> + *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> + * Copyright © 2007-2014 by Apple Inc.
> + * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> + *
> +@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t; /**** ASN1 request/object types ****/
> +
> + typedef struct cups_snmp_string_s /**** String value ****/
> + {
> +- unsigned char bytes[CUPS_SNMP_MAX_STRING];
> +- /* Bytes in string */
> + unsigned num_bytes; /* Number of bytes */
> ++ unsigned char bytes[CUPS_SNMP_MAX_STRING + 1];
> ++ /* Bytes in string */
> + } cups_snmp_string_t;
> +
> + union cups_snmp_value_u /**** Object value ****/
> +diff --git a/cups/snmp.c b/cups/snmp.c
> +index 54e348f..3222ff3 100644
> +--- a/cups/snmp.c
> ++++ b/cups/snmp.c
> +@@ -1,7 +1,7 @@
> + /*
> + * SNMP functions for CUPS.
> + *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> + * Copyright © 2007-2019 by Apple Inc.
> + * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> + *
> +@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer, /* I - Buffer */
> + case CUPS_ASN1_OCTET_STRING :
> + case CUPS_ASN1_BIT_STRING :
> + case CUPS_ASN1_HEX_STRING :
> +- packet->object_value.string.num_bytes = length;
> + asn1_get_string(&bufptr, bufend, length,
> + (char *)packet->object_value.string.bytes,
> + sizeof(packet->object_value.string.bytes));
> ++
> ++ if (length >= sizeof(packet->object_value.string.bytes))
> ++ packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
> ++ else
> ++ packet->object_value.string.num_bytes = length;
> + break;
> +
> + case CUPS_ASN1_OID :
> +--
> +2.43.7
> +
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447
2026-06-23 11:30 [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
` (6 preceding siblings ...)
2026-06-23 11:30 ` [OE-core] [scarthgap] [PATCH 8/8] cups: Fix CVE-2026-41079 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-06-28 21:41 ` Yoann Congal
7 siblings, 0 replies; 10+ messages in thread
From: Yoann Congal @ 2026-06-28 21:41 UTC (permalink / raw)
To: adongare, openembedded-core; +Cc: xe-linux-external, to
On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Pick the upstream backport [1] for CVE-2026-27447 as mentioned in [2], where
> the scheduler treated local user and group names as case-insensitive.
>
> Also include the two upstream regression fixes that followed the CVE
> fix:
> - CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the
> referenced user does not exist on the server. This regression was
> reported in OpenPrinting/cups Issue [5].
> - CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print
> policies for non-local accounts. This regression was reported in
> OpenPrinting/cups Issue [6].
>
> [1] https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
> [2] https://security-tracker.debian.org/tracker/CVE-2026-27447
> [3] https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
> [4] https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
> [5] https://github.com/OpenPrinting/cups/issues/1555
> [6] https://github.com/OpenPrinting/cups/issues/1557
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> meta/recipes-extended/cups/cups.inc | 3 +
> .../cups/CVE-2026-27447-regression_p1.patch | 48 +++++++
> .../cups/CVE-2026-27447-regression_p2.patch | 46 +++++++
> .../cups/cups/CVE-2026-27447.patch | 120 ++++++++++++++++++
> 4 files changed, 217 insertions(+)
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch
Hello,
As far as I can tell this fix is needed for wrynose:
CVE impacts "up to 2.4.16 including" as per NVD but wrynose is 2.4.16.
Can you send a fix for wrynose so I can take this one for scarthgap?
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 10+ messages in thread