Re: [OE-core] [scarthgap] [PATCH 1/8] cups: Fix CVE-2026-27447

Sun, 28 Jun 2026 14:48:57 -0700 

On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> Pick the upstream backport [1] for CVE-2026-27447 as mentioned in [2], where
> the scheduler treated local user and group names as case-insensitive.
>
> Also include the two upstream regression fixes that followed the CVE
> fix:
> - CVE-2026-27447-regression_p1.patch [3] fixes a cupsd crash when the
>   referenced user does not exist on the server. This regression was
>   reported in OpenPrinting/cups Issue [5].
> - CVE-2026-27447-regression_p2.patch [4] fixes unauthenticated print
>   policies for non-local accounts. This regression was reported in
>   OpenPrinting/cups Issue [6].
>
> [1] 
> https://github.com/OpenPrinting/cups/commit/a0c62c1e69604ff061089b750073199fab5a1beb
> [2] https://security-tracker.debian.org/tracker/CVE-2026-27447
> [3] 
> https://github.com/OpenPrinting/cups/commit/6d97ee39fedf12a7a5429a74f4156ef9bb67f562
> [4] 
> https://github.com/OpenPrinting/cups/commit/849fba7d7a1144e48d45c5e6ba2504765912ece0
> [5] https://github.com/OpenPrinting/cups/issues/1555
> [6] https://github.com/OpenPrinting/cups/issues/1557
>
> Signed-off-by: Anil Dongare <[email protected]>
> ---
>  meta/recipes-extended/cups/cups.inc           |   3 +
>  .../cups/CVE-2026-27447-regression_p1.patch   |  48 +++++++
>  .../cups/CVE-2026-27447-regression_p2.patch   |  46 +++++++
>  .../cups/cups/CVE-2026-27447.patch            | 120 ++++++++++++++++++
>  4 files changed, 217 insertions(+)
>  create mode 100644 
> meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p1.patch
>  create mode 100644 
> meta/recipes-extended/cups/cups/CVE-2026-27447-regression_p2.patch
>  create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-27447.patch

Hello,

As far as I can tell this fix is needed for wrynose:
CVE impacts "up to 2.4.16 including" as per NVD but wrynose is 2.4.16.

Can you send a fix for wrynose so I can take this one for scarthgap?

Thanks!
-- 
Yoann Congal
Smile ECS


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239716): 
https://lists.openembedded.org/g/openembedded-core/message/239716
Mute This Topic: https://lists.openembedded.org/mt/119938949/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
  • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
      • ... Yoann Congal via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org

Reply via email to