In CUPS versions 2.4.16 and prior, an integer underflow exists in _ppdCreateFromIPP() (cups/ppd-cache.c). A local unprivileged user can supply a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
Apply upstream fix to validate negative values and prevent integer underflow in _ppdCreateFromIPP(). Signed-off-by: Abhishek Bachiphale <[email protected]> --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-39314.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39314.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 42107774e4..a12965bb6e 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34979.patch \ file://CVE-2026-34980.patch \ file://CVE-2026-34990.patch \ + file://CVE-2026-39314.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39314.patch b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch new file mode 100644 index 0000000000..8d25a1c2e3 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-39314.patch 
@@ -0,0 +1,47 @@ +From 928a86b1b794f738f0a3dc87561b2e054bff7ce4 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <[email protected]> +Date: Sun, 5 Apr 2026 10:45:25 -0400 +Subject: [PATCH] Range check job-password-supported. + +OpenPrinting CUPS is an open source printing system for Linux and other +Unix-like operating systems. In versions 2.4.16 and prior, an integer +underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows +any unprivileged local user to crash the cupsd root process by supplying +a negative job-password-supported IPP attribute. The bounds check only +caps the upper bound, so a negative value passes validation, is cast to +size_t (wrapping to ~2^64), and is used as the length argument to +memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in +the cupsd root process. Combined with systemd's Restart=on-failure, an +attacker can repeat the crash for sustained denial of service. + +CVE: CVE-2026-39314 + +Upstream-Status: Backport [ https://github.com/OpenPrinting/cups/commit/928a86b1b794f738f0a3dc87561b2e054bff7ce4 ] + +Signed-off-by: Abhishek Bachiphale <[email protected]> +--- + cups/ppd-cache.c | 4 ++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c +index f5386532ca..ef6caa28a7 100644 +--- a/cups/ppd-cache.c ++++ b/cups/ppd-cache.c +@@ -1,7 +1,7 @@ + /* + * PPD cache implementation for CUPS. + * +- * Copyright © 2022-2025 by OpenPrinting. ++ * Copyright © 2022-2026 by OpenPrinting. + * Copyright © 2010-2021 by Apple Inc. + * + * Licensed under Apache License v2.0. See the file "LICENSE" for more +@@ -3530,7 +3530,7 @@ _ppdCreateFromIPP2( + * Password/PIN printing... 
+ */ + +- if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL) ++ if ((attr = ippFindAttribute(supported, "job-password-supported", IPP_TAG_INTEGER)) != NULL && ippGetInteger(attr, 0) > 0) + { + char pattern[33]; /* Password pattern */ + int maxlen = ippGetInteger(attr, 0); -- 2.40.0
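Review bot: the diffstat in the header of CVE-2026-39314.patch does not match the hunks that follow it. It reads `cups/ppd-cache.c | 4 ++--` and "1 file changed, 3 insertions(+), 2 deletions(-)", but the two hunks for cups/ppd-cache.c add two lines and remove two. If a hunk of the upstream commit was dropped for the backport, say so under the Upstream-Status line; otherwise regenerate the stat so the header matches the content.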
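Review bot: the copyright-year hunk at the top of cups/ppd-cache.c (2022-2025 to 2022-2026) is not part of the fix and makes the backport fragile. If any of the CVE patches listed before it in SRC_URI already changes that line, this hunk will fail to apply. Consider dropping it and keeping only the job-password-supported hunk.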
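Review bot: in the job-password-supported hunk, the new lower-bound test `ippGetInteger(attr, 0) > 0` sits in the if condition while the same value is fetched again as `int maxlen = ippGetInteger(attr, 0);` inside the block, so the lower bound is enforced away from the variable that is later used as the length. Reading the value once and range-checking maxlen next to the upper cap mentioned in the description would keep both bounds in one place; since this is a backport, that is a suggestion for upstream and not a change to make here. The description also names _ppdCreateFromIPP() while the hunk context is _ppdCreateFromIPP2(, which deserves a word in the commit message.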
