In CUPS versions 2.4.16 and prior, a network-exposed cupsd with a shared target queue allows an unauthorized client to send a Print-Job without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary (e.g., /usr/bin/vim) as lp.
Apply upstream fix to prevent newline injection and unauthorized execution in shared PostScript queues. Signed-off-by: Abhishek Bachiphale <[email protected]> --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-34980.patch | 88 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-34980.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 78e0495d1c..f23411f44b 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://cups-volatiles.conf \ file://CVE-2026-34978.patch \ file://CVE-2026-34979.patch \ + file://CVE-2026-34980.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"; diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34980.patch b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch new file mode 100644 index 0000000000..ebf7a3a353 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980.patch @@ -0,0 +1,88 @@ +From 8d0f51cac24cb5bf949c5b6a221e51a150d982e3 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <[email protected]> +Date: Tue, 31 Mar 2026 14:45:13 -0400 +Subject: [PATCH] Filter out control characters from option values. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, in a +network-exposed cupsd with a shared target queue, an unauthorized client +can send a Print-Job to that shared PostScript queue without +authentication. The server accepts a page-border value supplied as +textWithoutLanguage, preserves an embedded newline through option +escaping and reparse, and then reparses the resulting second-line PPD: +text as a trusted scheduler control record. A follow-up raw print job +can therefore make the server execute an attacker-chosen existing binary +such as /usr/bin/vim as lp. + +CVE: CVE-2026-34980 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3 ] + +Signed-off-by: Abhishek Bachiphale <[email protected]> +--- + scheduler/job.c | 41 +++++++++++++++++++++++++++++++++++------ + 1 file changed, 37 insertions(+), 6 deletions(-) + +diff --git a/scheduler/job.c b/scheduler/job.c +index 1fef9d0cd..af6390687 100644 +--- a/scheduler/job.c ++++ b/scheduler/job.c +@@ -4118,9 +4118,21 @@ get_options(cupsd_job_t *job, /* I - Job */ + case IPP_TAG_URI : + for (valptr = attr->values[i].string.text; *valptr;) + { +- if (strchr(" \t\n\\\'\"", *valptr)) +- *optptr++ = '\\'; +- *optptr++ = *valptr++; ++ /* ++ * Convert tabs and newlines to spaces, filter out control chars, ++ * and escape \, ', and ". ++ */ ++ ++ if (isspace(*valptr & 255)) ++ { ++ *optptr++ = ' '; ++ } ++ else if ((*valptr & 255) >= ' ' && *valptr != 0x7f) ++ { ++ if (strchr("\\\'\"", *valptr)) ++ *optptr++ = '\\'; ++ *optptr++ = *valptr++; ++ } + } + + *optptr = '\0'; +@@ -5395,13 +5407,30 @@ update_job(cupsd_job_t *job) /* I - Job to check */ + else if (loglevel == CUPSD_LOG_PPD) + { + /* +- * Set attribute(s)... ++ * Set PPD keyword(s)/value(s)... + */ + ++ int i, /* Looping var */ ++ num_keywords; /* Number of keywords */ ++ cups_option_t *keywords, /* Keywords */ ++ *keyword; /* Current keyword */ ++ + cupsdLogJob(job, CUPSD_LOG_DEBUG, "PPD: %s", message); + +- job->num_keywords = cupsParseOptions(message, job->num_keywords, +- &job->keywords); ++ keywords = NULL; ++ num_keywords = cupsParseOptions(message, 0, &keywords); ++ ++ for (i = 0, keyword = keywords; i < num_keywords; i ++) ++ { ++ /* ++ * Filter out "special" PPD keywords... ++ */ ++ ++ if (strcmp(keyword->name, "cupsFilter") && strcmp(keyword->name, "cupsFilter2") && strcmp(keyword->name, "cupsFinishingTemplate") && strcmp(keyword->name, "cupsIPPFinishings") && strcmp(keyword->name, "cupsIPPReason") && strcmp(keyword->name, "cupsMarkerName") && strcmp(keyword->name, "cupsMaxSize") && strncmp(keyword->name, "cupsMediaQualifier", 18) && strcmp(keyword->name, "cupsMinSize") && strcmp(keyword->name, "cupsPageSizeCategory") && strcmp(keyword->name, "cupsPortMonitor") && strcmp(keyword->name, "cupsPreFilter") && strcmp(keyword->name, "cupsPrintQuality") && strcmp(keyword->name, "APPrinterPreset")) ++ job->num_keywords = cupsAddOption(keyword->name, keyword->value, job->num_keywords, &job->keywords); ++ } ++ ++ cupsFreeOptions(num_keywords, keywords); + } + else + { -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237991): https://lists.openembedded.org/g/openembedded-core/message/237991 Mute This Topic: https://lists.openembedded.org/mt/119600013/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
