cups: Fix for CVE-2025-58060 and CVE-2025-58364

Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221 & https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d (From OE-Core rev: 6f3b7e6efdf14d080b74a48d8cdc445255e9025f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-09-17 16:56:13 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-09-22 13:17:52 -0700
commit: c0775e49999088784dff543d02a1cb48d35f724c (patch)
tree: fa5f183cf9da6f2d3b85e98d0240f626212bdef7
parent: d4f27582ea22a5a702b215b9bcad95a80227037d (diff)
download: poky-c0775e49999088784dff543d02a1cb48d35f724c.tar.gz
3 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 50db18d42a..0a26a9b6de 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
           file://0004-cups-fix-multilib-install-file-conflicts.patch \
           file://volatiles.99_cups \
           file://cups-volatiles.conf \
+           file://CVE-2025-58060.patch \
+           file://CVE-2025-58364.patch \
           "
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58060.patch b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
new file mode 100644
index 0000000000..4162fa2c27
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
@@ -0,0 +1,60 @@
+From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 11 Sep 2025 14:44:59 +0200
+Subject: [PATCH] cupsd: Block authentication using alternate method
+Fixes: CVE-2025-58060
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
+CVE: CVE-2025-58060
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 5fa53644d..3c9aa72aa 100644
+--- a/scheduler/auth.c
+++ b/scheduler/auth.c
+@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con)        /* I - Client connection */
+     int        userlen;                        /* Username:password length */
+ 
+ 
+   /*
+    * Only allow Basic if enabled...
+    */
+
+    if (type != CUPSD_AUTH_BASIC)
+    {
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
+      return;
+    }
+
+     authorization += 5;
+     while (isspace(*authorization & 255))
+       authorization ++;
+@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+     * Validate the username and password...
+     */
+ 
+-    if (type == CUPSD_AUTH_BASIC)
+     {
+ #if HAVE_LIBPAM
+      /*
+@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con)        /* I - Client connection */
+                                        /* Output token for username */
+     gss_name_t         client_name;    /* Client name */
+ 
+   /*
+    * Only allow Kerberos if enabled...
+    */
+
+    if (type != CUPSD_AUTH_NEGOTIATE)
+    {
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
+      return;
+    }
+
+ #  ifdef __APPLE__
+    /*
+     * If the weak-linked GSSAPI/Kerberos library is not present, don't try
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58364.patch b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
new file mode 100644
index 0000000000..2be36e3b7a
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
@@ -0,0 +1,61 @@
+From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 11 Sep 2025 14:53:49 +0200
+Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()`
+Fixes: CVE-2025-58364
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d]
+CVE: CVE-2025-58364
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 47ba9fa..9b7bf3f 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2949,31 +2949,6 @@ ippReadIO(void       *src,               /* I - Data source */
+          */
+ 
+           tag = (ipp_tag_t)buffer[0];
+-          if (tag == IPP_TAG_EXTENSION)
+-          {
+-           /*
+-            * Read 32-bit "extension" tag...
+-            */
+-
+-           if ((*cb)(src, buffer, 4) < 4)
+-           {
+-             DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+-             goto rollback;
+-           }
+-
+-           tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
+-
+-            if (tag & IPP_TAG_CUPS_CONST)
+-            {
+-             /*
+-              * Fail if the high bit is set in the tag...
+-              */
+-
+-             _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+-             DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+-             goto rollback;
+-            }
+-          }
+ 
+          if (tag == IPP_TAG_END)
+          {
+@@ -3196,6 +3171,7 @@ ippReadIO(void       *src,                /* I - Data source */
+ 
+            if ((*cb)(src, buffer, (size_t)n) < n)
+            {
+                _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+              DEBUG_puts("1ippReadIO: unable to read name.");
+              goto rollback;
+            }
+-- 
+2.25.1
author	Vijay Anusuri <vanusuri@mvista.com>	2025-09-17 16:56:13 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-09-22 13:17:52 -0700
commit	c0775e49999088784dff543d02a1cb48d35f724c (patch)
tree	fa5f183cf9da6f2d3b85e98d0240f626212bdef7
parent	d4f27582ea22a5a702b215b9bcad95a80227037d (diff)
download	poky-c0775e49999088784dff543d02a1cb48d35f724c.tar.gz

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 50db18d42a..0a26a9b6de 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
15	file://0004-cups-fix-multilib-install-file-conflicts.patch \	15	file://0004-cups-fix-multilib-install-file-conflicts.patch \
16	file://volatiles.99_cups \	16	file://volatiles.99_cups \
17	file://cups-volatiles.conf \	17	file://cups-volatiles.conf \
		18	file://CVE-2025-58060.patch \
		19	file://CVE-2025-58364.patch \
18	"	20	"
19		21
20	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"	22	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"


diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58060.patch b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch new file mode 100644 index 0000000000..4162fa2c27 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
@@ -0,0 +1,60 @@
		1	From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Thu, 11 Sep 2025 14:44:59 +0200
		4	Subject: [PATCH] cupsd: Block authentication using alternate method
		5
		6	Fixes: CVE-2025-58060
		7
		8	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
		9	CVE: CVE-2025-58060
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	scheduler/auth.c \| 21 ++++++++++++++++++++-
		13	1 file changed, 20 insertions(+), 1 deletion(-)
		14
		15	diff --git a/scheduler/auth.c b/scheduler/auth.c
		16	index 5fa53644d..3c9aa72aa 100644
		17	--- a/scheduler/auth.c
		18	+++ b/scheduler/auth.c
		19	@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t con) / I - Client connection */
		20	int userlen; /* Username:password length */
		21
		22
		23	+ /*
		24	+ * Only allow Basic if enabled...
		25	+ */
		26	+
		27	+ if (type != CUPSD_AUTH_BASIC)
		28	+ {
		29	+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
		30	+ return;
		31	+ }
		32	+
		33	authorization += 5;
		34	while (isspace(*authorization & 255))
		35	authorization ++;
		36	@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t con) / I - Client connection */
		37	* Validate the username and password...
		38	*/
		39
		40	- if (type == CUPSD_AUTH_BASIC)
		41	{
		42	#if HAVE_LIBPAM
		43	/*
		44	@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t con) / I - Client connection */
		45	/* Output token for username */
		46	gss_name_t client_name; /* Client name */
		47
		48	+ /*
		49	+ * Only allow Kerberos if enabled...
		50	+ */
		51	+
		52	+ if (type != CUPSD_AUTH_NEGOTIATE)
		53	+ {
		54	+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
		55	+ return;
		56	+ }
		57	+
		58	# ifdef __APPLE__
		59	/*
		60	* If the weak-linked GSSAPI/Kerberos library is not present, don't try


diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58364.patch b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch new file mode 100644 index 0000000000..2be36e3b7a --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
@@ -0,0 +1,61 @@
		1	From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Thu, 11 Sep 2025 14:53:49 +0200
		4	Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()`
		5
		6	Fixes: CVE-2025-58364
		7
		8	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d]
		9	CVE: CVE-2025-58364
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	cups/ipp.c \| 26 +-------------------------
		13	1 file changed, 1 insertion(+), 25 deletions(-)
		14
		15	diff --git a/cups/ipp.c b/cups/ipp.c
		16	index 47ba9fa..9b7bf3f 100644
		17	--- a/cups/ipp.c
		18	+++ b/cups/ipp.c
		19	@@ -2949,31 +2949,6 @@ ippReadIO(void src, / I - Data source */
		20	*/
		21
		22	tag = (ipp_tag_t)buffer[0];
		23	- if (tag == IPP_TAG_EXTENSION)
		24	- {
		25	- /*
		26	- * Read 32-bit "extension" tag...
		27	- */
		28	-
		29	- if ((*cb)(src, buffer, 4) < 4)
		30	- {
		31	- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
		32	- goto rollback;
		33	- }
		34	-
		35	- tag = (ipp_tag_t)((buffer[0] << 24) \| (buffer[1] << 16) \| (buffer[2] << 8) \| buffer[3]);
		36	-
		37	- if (tag & IPP_TAG_CUPS_CONST)
		38	- {
		39	- /*
		40	- * Fail if the high bit is set in the tag...
		41	- */
		42	-
		43	- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
		44	- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
		45	- goto rollback;
		46	- }
		47	- }
		48
		49	if (tag == IPP_TAG_END)
		50	{
		51	@@ -3196,6 +3171,7 @@ ippReadIO(void src, / I - Data source */
		52
		53	if ((*cb)(src, buffer, (size_t)n) < n)
		54	{
		55	+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
		56	DEBUG_puts("1ippReadIO: unable to read name.");
		57	goto rollback;
		58	}
		59	--
		60	2.25.1
		61