summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVijay Anusuri <vanusuri@mvista.com>2025-09-17 08:17:00 +0530
committerSteve Sakoman <steve@sakoman.com>2025-09-19 07:03:31 -0700
commit9e8df15269a759420d19048f8abde6d80b52fc92 (patch)
treef23b2d5bfe2b06cf5fe1c9d6f4b37df4ac0e67e2
parent6d64cdb02bea36656df82691c93494ee8246937c (diff)
downloadpoky-9e8df15269a759420d19048f8abde6d80b52fc92.tar.gz
cups: Fix for CVE-2025-58060 and CVE-2025-58364
import patch from debian to fix CVE-2025-58060 CVE-2025-58364 Upstream-Status: Backport [import from debian cups 2.4.2-3+deb12u9 Upstream commit https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221 & https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d] (From OE-Core rev: 88585645a041c3c2ee7b39bf5f72885ed7c8775f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-extended/cups/cups.inc2
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2025-58060.patch76
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2025-58364.patch63
3 files changed, 141 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index b87f9dee13..cba4406720 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -25,6 +25,8 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
25 file://CVE-2024-47175-3.patch \ 25 file://CVE-2024-47175-3.patch \
26 file://CVE-2024-47175-4.patch \ 26 file://CVE-2024-47175-4.patch \
27 file://CVE-2024-47175-5.patch \ 27 file://CVE-2024-47175-5.patch \
28 file://CVE-2025-58060.patch \
29 file://CVE-2025-58364.patch \
28 " 30 "
29 31
30UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases" 32UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58060.patch b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
new file mode 100644
index 0000000000..0aea12a9ea
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
@@ -0,0 +1,76 @@
1From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
2From: Zdenek Dohnal <zdohnal@redhat.com>
3Date: Thu, 11 Sep 2025 14:44:59 +0200
4Subject: [PATCH] cupsd: Block authentication using alternate method
5
6Fixes: CVE-2025-58060
7
8Upstream-Status: Backport [import from debian 2.4.2-3+deb12u9
9Upstream commit https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
10CVE: CVE-2025-58060
11Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
12---
13 scheduler/auth.c | 26 ++++++++++++++++++++------
14 1 file changed, 20 insertions(+), 6 deletions(-)
15
16diff --git a/scheduler/auth.c b/scheduler/auth.c
17index aa773f9..55f8912 100644
18--- a/scheduler/auth.c
19+++ b/scheduler/auth.c
20@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
21 int userlen; /* Username:password length */
22
23
24+ /*
25+ * Only allow Basic if enabled...
26+ */
27+
28+ if (type != CUPSD_AUTH_BASIC)
29+ {
30+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
31+ return;
32+ }
33+
34 authorization += 5;
35 while (isspace(*authorization & 255))
36 authorization ++;
37@@ -558,10 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
38 * Validate the username and password...
39 */
40
41- switch (type)
42- {
43- default :
44- case CUPSD_AUTH_BASIC :
45 {
46 #if HAVE_LIBPAM
47 /*
48@@ -715,8 +721,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
49 }
50
51 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
52- break;
53- }
54
55 con->type = type;
56 }
57@@ -733,6 +737,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
58 /* Output token for username */
59 gss_name_t client_name; /* Client name */
60
61+ /*
62+ * Only allow Kerberos if enabled...
63+ */
64+
65+ if (type != CUPSD_AUTH_NEGOTIATE)
66+ {
67+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
68+ return;
69+ }
70+
71 # ifdef __APPLE__
72 /*
73 * If the weak-linked GSSAPI/Kerberos library is not present, don't try
74--
752.25.1
76
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58364.patch b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
new file mode 100644
index 0000000000..89c6f7bcb3
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
@@ -0,0 +1,63 @@
1From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001
2From: Zdenek Dohnal <zdohnal@redhat.com>
3Date: Thu, 11 Sep 2025 14:53:49 +0200
4Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()`
5
6Fixes: CVE-2025-58364
7
8Upstream-Status: Backport [import from debian 2.4.2-3+deb12u9
9Upstream commit https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d]
10CVE: CVE-2025-58364
11Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
12---
13 cups/ipp.c | 27 +--------------------------
14 1 file changed, 1 insertion(+), 26 deletions(-)
15
16diff --git a/cups/ipp.c b/cups/ipp.c
17index 42cf2fc..4b9dc4e 100644
18--- a/cups/ipp.c
19+++ b/cups/ipp.c
20@@ -2949,32 +2949,6 @@ ippReadIO(void *src, /* I - Data source */
21 */
22
23 tag = (ipp_tag_t)buffer[0];
24- if (tag == IPP_TAG_EXTENSION)
25- {
26- /*
27- * Read 32-bit "extension" tag...
28- */
29-
30- if ((*cb)(src, buffer, 4) < 4)
31- {
32- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
33- goto rollback;
34- }
35-
36- tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) |
37- buffer[2]) << 8) | buffer[3]);
38-
39- if (tag & IPP_TAG_CUPS_CONST)
40- {
41- /*
42- * Fail if the high bit is set in the tag...
43- */
44-
45- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
46- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
47- goto rollback;
48- }
49- }
50
51 if (tag == IPP_TAG_END)
52 {
53@@ -3323,6 +3297,7 @@ ippReadIO(void *src, /* I - Data source */
54 {
55 if ((*cb)(src, buffer, (size_t)n) < n)
56 {
57+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
58 DEBUG_puts("1ippReadIO: unable to read string value.");
59 goto rollback;
60 }
61--
622.25.1
63