On Tue Jun 23, 2026 at 1:30 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <[email protected]>
>
> Pick the upstream patch [1] as mentioned in [2].
>
> [1] 
> https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080
> [2] https://security-tracker.debian.org/tracker/CVE-2026-41079
>
> Signed-off-by: Anil Dongare <[email protected]>

As far as I know, this fix is also needed on wrynose:
CVE-2026-41079 impacts "up to 2.4.17 excluding" per NVD and wrynose has 2.4.16.

Can you send a fix for wrynose so I can take this one for scarthgap?

> ---
>  meta/recipes-extended/cups/cups.inc           |  1 +
>  .../cups/cups/CVE-2026-27447.patch            |  4 +-
>  .../cups/cups/CVE-2026-34978.patch            | 25 +++++--
>  .../cups/CVE-2026-34980-regression_p2.patch   |  8 +--
>  .../cups/cups/CVE-2026-34990.patch            | 19 ++---
>  .../cups/cups/CVE-2026-41079.patch            | 72 +++++++++++++++++++

This patch touches a lot of patches added previously in the series. I
think this is a mistake and those changes should either be dropped or
squashed in the proper commit.

Can you send a v2 of the whole series with this cleaned up?
Please split CVE-2026-41079 and CVE-2026-27447 into another series as
those need a wrynose fix.

Thanks!


>  6 files changed, 106 insertions(+), 23 deletions(-)
>  create mode 100644 meta/recipes-extended/cups/cups/CVE-2026-41079.patch


>
> diff --git a/meta/recipes-extended/cups/cups.inc 
> b/meta/recipes-extended/cups/cups.inc
> index c2bf572bf5..64f71c9465 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -31,6 +31,7 @@ SRC_URI = 
> "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
>             file://CVE-2026-34990.patch \
>             file://CVE-2026-39314.patch \
>             file://CVE-2026-39316.patch \
> +           file://CVE-2026-41079.patch \
>             "
>  
>  GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases";
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch 
> b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> index 77a26dae64..1884acfa9f 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-27447.patch
> @@ -22,9 +22,9 @@ diff --git a/CHANGES.md b/CHANGES.md
>  index 4a2e25d..0da2c55 100644
>  --- a/CHANGES.md
>  +++ b/CHANGES.md
> -@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.10 - (2024-06-18)
> +@@ -21,6 +21,8 @@
>   Changes in CUPS v2.4.10 (2024-06-18)
> - -----------------------------
> + ------------------------------------
>   
>  +- CVE-2026-27447: The scheduler treated local user and group names as case-
>  +  insensitive.
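
Review bot: this hunk only refreshes the CHANGES.md context inside CVE-2026-27447.patch (the nested header moves from `@@ -4,6 +4,8 @@` to `@@ -21,6 +21,8 @@` and the underline is lengthened to match `Changes in CUPS v2.4.10 (2024-06-18)`); it has nothing to do with CVE-2026-41079 and should be squashed into the commit that adds CVE-2026-27447.patch, so that earlier commit applies cleanly on its own.
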
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch 
> b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> index d05bc85588..b4b83a41d0 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34978.patch
> @@ -22,13 +22,10 @@ diff --git a/CHANGES.md b/CHANGES.md
>  index 7a5e8813f..429ee874f 100644
>  --- a/CHANGES.md
>  +++ b/CHANGES.md
> -@@ -21,9 +21,11 @@ Changes in CUPS v2.4.11 (2024-09-30)
> - Changes in CUPS v2.4.10 (2024-06-18)
> - ------------------------------------
> - 
> +@@ -24,6 +24,8 @@
>   - CVE-2026-27447: The scheduler treated local user and group names as case-
>     insensitive.
> -- Fixed cupsd crash if user does not exist (Issue #1555)
> + - Fixed cupsd crash if user does not exist (Issue #1555)
>  +- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
>  +  directory.
>   - Fixed error handling when reading a mixed `1setOf` attribute.
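
Review bot: the version of CVE-2026-34978.patch added earlier in the series appears to carry a malformed context line: the CHANGES.md bullet `- Fixed cupsd crash if user does not exist (Issue #1555)` was written as a removed line (`-- Fixed ...`) and is now re-emitted as context (`+ - Fixed ...`), with the nested header reduced from `@@ -21,9 +21,11 @@` to `@@ -24,6 +24,8 @@`. That is a correction to the earlier patch, not part of CVE-2026-41079; squash it into the CVE-2026-34978 commit.
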
> @@ -100,3 +97,21 @@ index 2d80a960e..2dc7376c1 100644
>  +    {
>  +      send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad 
> notify-recipient-uri URI \"%s\"."), recipient);
>  +      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, 
> "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++      return;
> ++    }
> +       }
> +       else if (!strcmp(attr->name, "notify-pull-method") &&
> +                attr->value_tag == IPP_TAG_KEYWORD)
> +@@ -6010,6 +6016,12 @@ create_subscriptions(
> +                     "notify-status-code", IPP_ATTRIBUTES);
> +       return;
> +     }
> ++    else if (!strcmp(scheme, "rss") && strstr(resource, "../") != NULL)
> ++    {
> ++      send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad 
> notify-recipient-uri URI \"%s\"."), recipient);
> ++      ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_ENUM, 
> "notify-status-code", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES);
> ++      return;
> ++    }
> +       }
> +       else if (!strcmp(attr->name, "notify-pull-method") &&
> +                attr->value_tag == IPP_TAG_KEYWORD)
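
Review bot: the first added lines here (`++      return;`, `++    }` and the following `}` / `else if (!strcmp(attr->name, "notify-pull-method") ...` context) complete a nested hunk that the earlier CVE-2026-34978.patch left truncated after the `ippAddInteger(...)` call, so the `rss` / `../` rejection in that earlier commit was never a closed block; the new nested hunk `@@ -6010,6 +6016,12 @@ create_subscriptions(` then adds the same rejection at a second site (6 context plus 6 added lines, and the +6 offset, are consistent with the first nested hunk). Both parts belong in the CVE-2026-34978 commit, not in this one.
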
> diff --git 
> a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch 
> b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> index 73846cb8a3..0cf63b10af 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34980-regression_p2.patch
> @@ -43,10 +43,10 @@ index 25e9d65..fe60890 100644
>   #
>   # Test the lp command.
>   #
> --# Copyright © 2020-2024 by OpenPrinting.
> -+# Copyright © 2020-2026 by OpenPrinting.
> - # Copyright © 2007-2019 by Apple Inc.
> - # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
> +-# Copyright © 2020-2024 by OpenPrinting.
> ++# Copyright © 2020-2026 by OpenPrinting.
> + # Copyright © 2007-2019 by Apple Inc.
> + # Copyright © 1997-2005 by Easy Software Products, all rights reserved.
>   #
>  @@ -72,8 +72,8 @@ echo ""
>   
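
Review bot: the four `-` lines and four `+` lines in this hunk are identical as rendered (`-# Copyright © 2020-2024 by OpenPrinting.` through `# Copyright © 1997-2005 by Easy Software Products, all rights reserved.`), so the only possible difference is trailing whitespace or line endings; drop it from this commit, or, if the earlier patch really has bad whitespace, fix it in the commit that adds CVE-2026-34980-regression_p2.patch.
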
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch 
> b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> index e3d6e10a23..916cdc09a3 100644
> --- a/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-34990.patch
> @@ -147,10 +147,10 @@ index 1dd520d..56855fc 100644
>     {
>       OSStatus                status;         /* Status */
>       char            authdata[HTTP_MAX_VALUE];
> -@@ -399,7 +399,8 @@ cupsdAuthorize(cupsd_client_t *con)      /* I - Client 
> connection */
> +@@ -399,6 +399,7 @@ cupsdAuthorize(cupsd_client_t *con)      /* I - Client 
> connection */
>   #endif /* HAVE_AUTHORIZATION_H */
>   #if defined(SO_PEERCRED) && defined(AF_LOCAL)
> --  else if (!strncmp(authorization, "PeerCred ", 9) &&
> +-  else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, 
> "PeerCred ", 9) &&
>  -           con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
>  +  else if (PeerCred != CUPSD_PEERCRED_OFF &&
>  +           !strncmp(authorization, "PeerCred ", 9) &&
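
Review bot: the nested `-` line changes from `else if (!strncmp(authorization, "PeerCred ", 9) &&` to `else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&`, i.e. CVE-2026-34990.patch now expects the `PeerCred != CUPSD_PEERCRED_OFF` check to already be present in cupsdAuthorize(), and its nested hunk becomes a reflow of that condition onto two lines. That makes the patch depend on whichever earlier patch in the series introduces the check; the refresh should live in the CVE-2026-34990 commit and the series order should make that dependency explicit.
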
> @@ -202,24 +202,19 @@ index b0d1f5b..11dcd39 100644
>     {
>       send_ipp_status(con, IPP_STATUS_ERROR_FORBIDDEN, _("Only local users 
> can create a local printer."));
>       return;
> -@@ -5621,9 +5621,15 @@ create_local_printer(
> - 
> -   ptr = ippGetString(device_uri, 0, NULL);
> - 
> --  if (!ptr || !ptr[0])
> -+  if (!ptr || !ptr[0])
> -  {
> --    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" 
> has empty value."), "device-uri");
> -+    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("Attribute \"%s\" 
> has empty value."), "device-uri");
> +@@ -5634,6 +5634,12 @@ create_local_printer(
>   
>       return;
>     }
>  +  else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))
>  +  {
>  +    send_ipp_status(con, IPP_STATUS_ERROR_NOT_POSSIBLE, _("Bad device-uri 
> \"%s\"."), ptr);
> -+ 
> ++
>  +    return;
>  +  }
> + 
> +   printer_geo_location = ippFindAttribute(con->request, 
> "printer-geo-location", IPP_TAG_URI);
> +   printer_info         = ippFindAttribute(con->request, "printer-info", 
> IPP_TAG_TEXT);
>  diff --git a/scheduler/job.c b/scheduler/job.c
>  index 880c25f..6c033de 100644
>  --- a/scheduler/job.c
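
Review bot: the dropped nested hunk `@@ -5621,9 +5621,15 @@ create_local_printer(` removed and re-added identical lines (`if (!ptr || !ptr[0])` and the `send_ipp_status(... "device-uri")` call), so it was whitespace noise in the earlier CVE-2026-34990.patch, and the `-+ ` blank line with a trailing space becomes `++`; the replacement `@@ -5634,6 +5634,12 @@` keeps just the real `else if (strncmp(ptr, "ipp://", 6) && strncmp(ptr, "ipps://", 7))` addition with consistent counts. Good cleanup, but it belongs in the CVE-2026-34990 commit, not here.
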
> diff --git a/meta/recipes-extended/cups/cups/CVE-2026-41079.patch 
> b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> new file mode 100644
> index 0000000000..f216c84e30
> --- /dev/null
> +++ b/meta/recipes-extended/cups/cups/CVE-2026-41079.patch
> @@ -0,0 +1,72 @@
> +From b8730b3e18852d203f7fa86a05ed0a8aa3a791e5 Mon Sep 17 00:00:00 2001
> +From: Michael R Sweet <[email protected]>
> +Date: Mon, 13 Apr 2026 11:50:23 -0400
> +Subject: [PATCH] Limit num_bytes for SNMP string values.
> +
> +CVE: CVE-2026-41079
> +Upstream-Status: Backport 
> [https://github.com/OpenPrinting/cups/commit/b7c2525a885f528d243c3a92197ca99609b3f080]
> +
> +(cherry picked from commit b7c2525a885f528d243c3a92197ca99609b3f080)
> +Signed-off-by: Anil Dongare <[email protected]>
> +---
> + cups/snmp-private.h | 6 +++---
> + cups/snmp.c         | 8 ++++++--
> + 2 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/cups/snmp-private.h b/cups/snmp-private.h
> +index 52b8740..015f53e 100644
> +--- a/cups/snmp-private.h
> ++++ b/cups/snmp-private.h
> +@@ -1,7 +1,7 @@
> + /*
> +  * Private SNMP definitions for CUPS.
> +  *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> +  * Copyright © 2007-2014 by Apple Inc.
> +  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> +  *
> +@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t;      /**** ASN1 
> request/object types ****/
> + 
> + typedef struct cups_snmp_string_s   /**** String value ****/
> + {
> +-  unsigned char     bytes[CUPS_SNMP_MAX_STRING];
> +-                                    /* Bytes in string */
> +   unsigned  num_bytes;              /* Number of bytes */
> ++  unsigned char     bytes[CUPS_SNMP_MAX_STRING + 1];
> ++                                    /* Bytes in string */
> + } cups_snmp_string_t;
> + 
> + union cups_snmp_value_u                     /**** Object value ****/
> +diff --git a/cups/snmp.c b/cups/snmp.c
> +index 54e348f..3222ff3 100644
> +--- a/cups/snmp.c
> ++++ b/cups/snmp.c
> +@@ -1,7 +1,7 @@
> + /*
> +  * SNMP functions for CUPS.
> +  *
> +- * Copyright © 2020-2024 by OpenPrinting.
> ++ * Copyright © 2020-2026 by OpenPrinting.
> +  * Copyright © 2007-2019 by Apple Inc.
> +  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
> +  *
> +@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer,      /* I - 
> Buffer */
> +             case CUPS_ASN1_OCTET_STRING :
> +             case CUPS_ASN1_BIT_STRING :
> +             case CUPS_ASN1_HEX_STRING :
> +-                packet->object_value.string.num_bytes = length;
> +                 asn1_get_string(&bufptr, bufend, length,
> +                                 (char *)packet->object_value.string.bytes,
> +                                 sizeof(packet->object_value.string.bytes));
> ++
> ++                if (length >= sizeof(packet->object_value.string.bytes))
> ++                  packet->object_value.string.num_bytes = 
> sizeof(packet->object_value.string.bytes) - 1;
> ++                else
> ++                  packet->object_value.string.num_bytes = length;
> +                 break;
> + 
> +             case CUPS_ASN1_OID :
> +-- 
> +2.43.7
> +
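
Review bot: the oe-core commit message ("Pick the upstream patch [1] as mentioned in [2]") and the backported subject ("Limit num_bytes for SNMP string values.") between them never say what is being fixed; please add a sentence describing the defect, namely that asn1_decode_snmp() stored the packet's raw `length` in `num_bytes` before asn1_get_string() truncated the copy to `sizeof(packet->object_value.string.bytes)`, so code trusting `num_bytes` could read past the stored string, and that the fix clamps `num_bytes` to `sizeof(...) - 1` and sizes `bytes[]` as `CUPS_SNMP_MAX_STRING + 1` to keep room for a terminator. Note that the snmp-private.h hunk also reorders the members of `cups_snmp_string_t`, so nothing compiled against the old private header may be mixed in (not a concern for a full recipe rebuild). Several long lines are wrapped as rendered here (e.g. `packet->object_value.string.num_bytes = ` continued as `sizeof(packet->object_value.string.bytes) - 1;` on the next line); confirm the posted patch applies unwrapped with `git am`.
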


-- 
Yoann Congal
Smile ECS
