Your message dated Sat, 4 Apr 2026 22:56:45 +0000 (UTC)
with message-id <[email protected]>
and subject line Re: Bug#1132729: Security fixes for CVE-2026-34980 and
CVE-2026-34990
has caused the Debian Bug report #1132729,
regarding Security fixes for CVE-2026-34980 and CVE-2026-34990
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132729
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cups
Version: 2.4.16-1.1 (Modified)
Severity: grave
Tags: security patch
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
Hi security team,
I have backported and verified the fixes for CVE-2026-34980 and CVE-2026-34990
in CUPS 2.4.16.
These patches address two security issues:
1. CVE-2026-34980: Prevents newline injection in the 'page-border' attribute
which could lead to malicious PPD modification.
2. CVE-2026-34990: Blocks unauthorized file-uri schemes in
CUPS-Create-Local-Printer.. preventing local privilege escalation (LPE).
Testing:
- Verified CVE-2026-34990 fix: Attempted file-uri bypass now returns
IPP_STATUS_ERROR_FORBIDDEN.
- Verified CVE-2026-34980 fix: Injected attributes are correctly sanitized,
returning IPP_STATUS_ERROR_BAD_REQUEST and preventing PPD poisoning.
The attached patch is in the standard debian/patches format.
--
The proofs of concept (PoCs) are available on GHSA:
https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf
/
https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.10+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=es_CL.UTF-8, LC_CTYPE=es_CL.UTF-8 (charmap=UTF-8),
LANGUAGE=es_CL:es
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups depends on:
hi cups-client 2.4.16-1.1
hi cups-common 2.4.16-1.1
ii cups-core-drivers 2.4.16-1.1
hi cups-daemon 2.4.16-1.1
ii cups-filters 1.28.17-7
ii cups-ppdc 2.4.16-1.1
ii cups-server-common 2.4.16-1.1
ii debconf [debconf-2.0] 1.5.92
ii ghostscript 10.07.0~dfsg-2
ii libavahi-client3 0.8-18
ii libavahi-common3 0.8-18
ii libc6 2.42-14
hi libcups2t64 2.4.16-1.1
ii libgcc-s1 16-20260322-1
ii libstdc++6 16-20260322-1
ii libusb-1.0-0 2:1.0.29-2+b1
ii poppler-utils 25.03.0-11.1+b1
ii procps 2:4.0.4-9+b1
Versions of packages cups recommends:
ii avahi-daemon 0.8-18
ii colord 1.4.8-3
Versions of packages cups suggests:
ii cups-bsd 2.4.16-1.1
pn cups-pdf <none>
pn foomatic-db-compressed-ppds | foomatic-db <none>
pn smbclient <none>
ii udev 260.1-1
-- debconf information:
cupsys/backend: lpd, socket, usb, snmp, dnssd
cupsys/raw-print: true
Description: Fix PPD injection (CVE-2026-34980) and LPE via file-uri bypass
This patch prevents command injection via the page-border attribute
and blocks unauthorized file overwrites as root via CUPS-Create-Local-Printer.
Author: Benjamin Alonso Leon Dubos <[email protected]>
Origin: vendor
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-34980 and
https://security-tracker.debian.org/tracker/CVE-2026-34990
Forwarded: no
Last-Update: 2026-04-04
--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
@@ -1208,6 +1208,28 @@
return (NULL);
}
+/*
+ * CVE-2026-34980: Sanitize page-border attribute to prevent newline
injection
+ */
+
+ if ((attr = ippFindAttribute(con->request, "page-border", IPP_TAG_TEXT)) !=
NULL)
+ {
+ const char *val = ippGetString(attr, 0, NULL);
+ if (val)
+ {
+ const char *p;
+ for (p = val; *p; p++)
+ {
+ if (*p < ' ' || *p == 0x7f)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "[Job ?] Invalid characters in
page-border attribute.");
+ send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Invalid
page-border value."));
+ return (NULL);
+ }
+ }
+ }
+ }
+
/*
* Check policy...
*/
@@ -5686,6 +5708,20 @@
return;
}
+ /*
+ * CVE-2026: Security lock for file:/// schemes
+ * Prevents a local user from using CUPS to write to system files (such as
/etc/sudoers).
+ */
+
+if (!strncmp(ptr, "file:", 5) &&
+ strcmp(ptr, "file:/dev/null") &&
+ !FileDevice)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Denying CUPS-Create-Local-Printer with
file: URI (%s).", ptr);
+ send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Direct file printing
is disabled (FileDevice)."));
+ return;
+ }
+
printer_geo_location = ippFindAttribute(con->request,
"printer-geo-location", IPP_TAG_URI);
printer_info = ippFindAttribute(con->request, "printer-info",
IPP_TAG_TEXT);
printer_location = ippFindAttribute(con->request, "printer-location",
IPP_TAG_TEXT);
--- End Message ---
--- Begin Message ---
Hi Benjamin,
thanks for trying to contribute. A severity of grave seems a bit
exaggerated for issues with only a medium CVSS score.
On Sat, 4 Apr 2026, Benjamin Leon Dubos wrote:
I have backported and verified the fixes for CVE-2026-34980 and CVE-2026-34990
in CUPS 2.4.16.
Anyway, the entries for each CUPS CVE in the Debian security tracker
contain the upstream commits to fix these issues. Your suggested patch
does not bear any resemblance to them. How were you able to verify that
your patch really fixes the issues?
Is there a reason why you ignored the other three CVEs?
The attached patch is in the standard debian/patches format.
I would like to object here. Other debian/patches acknowledge the author
of the original work.
I am closing this bug again.
Thorsten
--- End Message ---
