From: Anil Dongare <[email protected]> Pick the upstream patch [1] as mentioned in [2].
[1] https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f [2] https://security-tracker.debian.org/tracker/CVE-2026-39316 Signed-off-by: Anil Dongare <[email protected]> --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2026-39316.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-39316.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 7bfa890b3d..c2bf572bf5 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -30,6 +30,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2026-34979.patch \ file://CVE-2026-34990.patch \ file://CVE-2026-39314.patch \ + file://CVE-2026-39316.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"; diff --git a/meta/recipes-extended/cups/cups/CVE-2026-39316.patch b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch new file mode 100644 index 0000000000..4b43a7b41b --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2026-39316.patch @@ -0,0 +1,51 @@ +From 7c4d7951d189e931563f21086196d5a55fb2fa15 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <[email protected]> +Date: Sun, 5 Apr 2026 11:33:23 -0400 +Subject: [PATCH] Expire per-printer subscriptions before deleting. + +CVE: CVE-2026-39316 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f] + +Backport Changes: +- Rebase CHANGES.md placement and scheduler/printers.c delete-printer context + to the CUPS 2.4.11 source carried by this recipe. + +(cherry picked from commit 0142eeb58e0d718b7d2e1f0d5dd214bd2192cc7f) +Signed-off-by: Anil Dongare <[email protected]> +--- + CHANGES.md | 1 + + scheduler/printers.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/CHANGES.md b/CHANGES.md +index 082b9f7..cde280d 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -16,6 +16,7 @@ Changes in CUPS v2.4.10 (2024-06-18) + - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the + loopback interface. + - Fixed the range check for job password strings. ++- Fixed a printer subscription bug in the scheduler. + - Fixed error handling when reading a mixed `1setOf` attribute. + - Fixed scheduler start if there is only domain socket to listen on (Issue #985) + +diff --git a/scheduler/printers.c b/scheduler/printers.c +index bf493a3..ca983f9 100644 +--- a/scheduler/printers.c ++++ b/scheduler/printers.c +@@ -641,6 +641,12 @@ cupsdDeletePrinter( + update ? "Job stopped due to printer being deleted." : + "Job stopped."); + ++ /* ++ * Expire subscriptions on the printer... ++ */ ++ ++ cupsdExpireSubscriptions(p, /*job*/NULL); ++ + /* + * Remove the printer from the list... + */ +-- +2.43.7 + -- 2.44.4
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239353): https://lists.openembedded.org/g/openembedded-core/message/239353 Mute This Topic: https://lists.openembedded.org/mt/119938947/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
