Package: cups
Version: 2.4.16-1.1 (Modified)
Severity: grave
Tags: security patch
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi security team,

I have backported and verified the fixes for CVE-2026-34980 and
CVE-2026-34990 in CUPS 2.4.16. These patches address two security issues:

1. CVE-2026-34980: Prevents newline injection in the 'page-border'
   attribute which could lead to malicious PPD modification.
2. CVE-2026-34990: Blocks unauthorized file-uri schemes in
   CUPS-Create-Local-Printer, preventing local privilege escalation (LPE).

Testing:
- Verified CVE-2026-34990 fix: Attempted file-uri bypass now returns
  IPP_STATUS_ERROR_FORBIDDEN.
- Verified CVE-2026-34980 fix: Injected attributes are correctly sanitized,
  returning IPP_STATUS_ERROR_BAD_REQUEST and preventing PPD poisoning.

The attached patch is in the standard debian/patches format.

-- The proofs of concept (PoCs) are available on GHSA:
https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf
https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.19.10+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=es_CL.UTF-8, LC_CTYPE=es_CL.UTF-8 (charmap=UTF-8), LANGUAGE=es_CL:es
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
hi  cups-client            2.4.16-1.1
hi  cups-common            2.4.16-1.1
ii  cups-core-drivers      2.4.16-1.1
hi  cups-daemon            2.4.16-1.1
ii  cups-filters           1.28.17-7
ii  cups-ppdc              2.4.16-1.1
ii  cups-server-common     2.4.16-1.1
ii  debconf [debconf-2.0]  1.5.92
ii  ghostscript            10.07.0~dfsg-2
ii  libavahi-client3       0.8-18
ii  libavahi-common3       0.8-18
ii  libc6                  2.42-14
hi  libcups2t64            2.4.16-1.1
ii  libgcc-s1              16-20260322-1
ii  libstdc++6             16-20260322-1
ii  libusb-1.0-0           2:1.0.29-2+b1
ii  poppler-utils          25.03.0-11.1+b1
ii  procps                 2:4.0.4-9+b1

Versions of packages cups recommends:
ii  avahi-daemon  0.8-18
ii  colord        1.4.8-3

Versions of packages cups suggests:
ii  cups-bsd                                   2.4.16-1.1
pn  cups-pdf                                   <none>
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
pn  smbclient                                  <none>
ii  udev                                       260.1-1

-- debconf information:
  cupsys/backend: lpd, socket, usb, snmp, dnssd
  cupsys/raw-print: true

Description: Fix PPD injection (CVE-2026-34980) and LPE via file-uri bypass This patch prevents command injection via the page-border attribute and blocks unauthorized file overwrites as root via CUPS-Create-Local-Printer. Author: Benjamin Alonso Leon Dubos <[email protected]> Origin: vendor Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-34980 and https://security-tracker.debian.org/tracker/CVE-2026-34990 Forwarded: no Last-Update: 2026-04-04 --- a/scheduler/ipp.c +++ b/scheduler/ipp.c @@ -1208,6 +1208,28 @@ return (NULL); } +/* + * CVE-2026-34980: Sanitize page-border attribute to prevent newline injection + */ + + if ((attr = ippFindAttribute(con->request, "page-border", IPP_TAG_TEXT)) != NULL) + { + const char *val = ippGetString(attr, 0, NULL); + if (val) + { + const char *p; + for (p = val; *p; p++) + { + if (*p < ' ' || *p == 0x7f) + { + cupsdLogMessage(CUPSD_LOG_ERROR, "[Job ?] Invalid characters in page-border attribute."); + send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Invalid page-border value.")); + return (NULL); + } + } + } + } + /* * Check policy... */ @@ -5686,6 +5708,20 @@ return; } + /* + * CVE-2026: Security lock for file:/// schemes + * Prevents a local user from using CUPS to write to system files (such as /etc/sudoers). + */ + +if (!strncmp(ptr, "file:", 5) && + strcmp(ptr, "file:/dev/null") && + !FileDevice) + { + cupsdLogMessage(CUPSD_LOG_ERROR, "Denying CUPS-Create-Local-Printer with file: URI (%s).", ptr); + send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Direct file printing is disabled (FileDevice).")); + return; + } + printer_geo_location = ippFindAttribute(con->request, "printer-geo-location", IPP_TAG_URI); printer_info = ippFindAttribute(con->request, "printer-info", IPP_TAG_TEXT); printer_location = ippFindAttribute(con->request, "printer-location", IPP_TAG_TEXT);
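
Review bot: In the first hunk (scheduler/ipp.c, @@ -1208), the loop only inspects value 0 of page-border via `ippGetString(attr, 0, NULL)`, so a multi-valued attribute is validated on its first value only; iterate over every index up to `ippGetCount(attr)` and reject the request if any value contains a control character. Two further points on the same hunk: the lookup uses `ippFindAttribute(con->request, "page-border", IPP_TAG_TEXT)`, so a page-border that arrives with a value tag other than text is never found and the check is skipped, which a lookup with IPP_TAG_ZERO followed by validation of each string value would cover; and `*p < ' '` is evaluated on plain `char`, which is signed on amd64, so every byte of a non-ASCII UTF-8 value compares below space and is rejected, whereas a cast to `unsigned char` would limit the test to the control range and 0x7f. The log message also carries a literal "[Job ?]" placeholder that could be dropped or replaced with real context.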
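
Review bot: In the second hunk (scheduler/ipp.c, @@ -5686), `!strncmp(ptr, "file:", 5)` is a case-sensitive prefix match on the raw string in `ptr`, while URI schemes are case-insensitive, so the test should be made on a parsed and normalized scheme, for example the scheme returned by `httpSeparateURI()` compared case-insensitively, with the `file:/dev/null` exception applied to the parsed resource rather than to one exact spelling. The comment block reads "CVE-2026:" without the full identifier; the patch description ties this change to CVE-2026-34990 and the comment should name it. The added `if` starts in column 0 while the lines around it are indented, so it should be aligned with the surrounding block.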

