1 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
new file mode 100644
index 0000000000..1fa5a54c70
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+CVE: CVE-2022-26691
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444]
+Signed-off-by: Steve Sakoman
+---
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
+++ b/scheduler/cert.c
+@@ -434,5 +434,12 @@ ctcompare(const char *a,           /* I - First string */
+     b ++;
+   }
+ 
+-  return (result);
+ /*
+  * The while loop finishes when *a == '\0' or *b == '\0'
+  * so after the while loop either both *a and *b == '\0',
+  * or one points inside a string, so when we apply logical OR on *a,
+  * *b and result, we get a non-zero return value if the compared strings don't match.
+  */
+
+  return (result | *a | *b);
+ }

diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch new file mode 100644 index 0000000000..1fa5a54c70 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
	1	From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
	2	From: Zdenek Dohnal <zdohnal@redhat.com>
	3	Date: Thu, 26 May 2022 06:27:04 +0200
	4	Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
	5	CVE-2022-26691)
	6
	7	The previous algorithm didn't expect the strings can have a different
	8	length, so one string can be a substring of the other and such substring
	9	was reported as equal to the longer string.
	10
	11	CVE: CVE-2022-26691
	12	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444]
	13	Signed-off-by: Steve Sakoman
	14
	15	---
	16	diff --git a/scheduler/cert.c b/scheduler/cert.c
	17	index b268bf1b2..9b65b96c9 100644
	18	--- a/scheduler/cert.c
	19	+++ b/scheduler/cert.c
	20	@@ -434,5 +434,12 @@ ctcompare(const char a, / I - First string */
	21	b ++;
	22	}
	23
	24	- return (result);
	25	+ /*
	26	+ * The while loop finishes when a == '\0' or b == '\0'
	27	+ * so after the while loop either both a and b == '\0',
	28	+ * or one points inside a string, so when we apply logical OR on *a,
	29	+ * *b and result, we get a non-zero return value if the compared strings don't match.
	30	+ */
	31	+
	32	+ return (result \| a \| b);
	33	}