2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index aa55d41b84..dd035634c5 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
           file://volatiles.99_cups \
           file://cups-volatiles.conf \
           file://CVE-2025-58060.patch \
+           file://CVE-2025-58364.patch \
           "
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58364.patch b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
new file mode 100644
index 0000000000..0f155ee736
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
@@ -0,0 +1,58 @@
+From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 11 Sep 2025 14:53:49 +0200
+Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()`
+Fixes: CVE-2025-58364
+CVE: CVE-2025-58364
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 283e386b6..e1e361b2c 100644
+--- a/cups/ipp.c
+++ b/cups/ipp.c
+@@ -2949,31 +2949,6 @@ ippReadIO(void       *src,               /* I - Data source */
+          */
+ 
+           tag = (ipp_tag_t)buffer[0];
+-          if (tag == IPP_TAG_EXTENSION)
+-          {
+-           /*
+-            * Read 32-bit "extension" tag...
+-            */
+-
+-           if ((*cb)(src, buffer, 4) < 4)
+-           {
+-             DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+-             goto rollback;
+-           }
+-
+-           tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
+-
+-            if (tag & IPP_TAG_CUPS_CONST)
+-            {
+-             /*
+-              * Fail if the high bit is set in the tag...
+-              */
+-
+-             _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+-             DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+-             goto rollback;
+-            }
+-          }
+ 
+          if (tag == IPP_TAG_END)
+          {
+@@ -3196,6 +3171,7 @@ ippReadIO(void       *src,                /* I - Data source */
+ 
+            if ((*cb)(src, buffer, (size_t)n) < n)
+            {
+             _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+              DEBUG_puts("1ippReadIO: unable to read name.");
+              goto rollback;
+            }

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index aa55d41b84..dd035634c5 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
16	file://volatiles.99_cups \	16	file://volatiles.99_cups \
17	file://cups-volatiles.conf \	17	file://cups-volatiles.conf \
18	file://CVE-2025-58060.patch \	18	file://CVE-2025-58060.patch \
		19	file://CVE-2025-58364.patch \
19	"	20	"
20		21
21	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"	22	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"


diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58364.patch b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch new file mode 100644 index 0000000000..0f155ee736 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
@@ -0,0 +1,58 @@
		1	From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Thu, 11 Sep 2025 14:53:49 +0200
		4	Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()`
		5
		6	Fixes: CVE-2025-58364
		7
		8	CVE: CVE-2025-58364
		9	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d]
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	cups/ipp.c \| 26 +-------------------------
		13	1 file changed, 1 insertion(+), 25 deletions(-)
		14
		15	diff --git a/cups/ipp.c b/cups/ipp.c
		16	index 283e386b6..e1e361b2c 100644
		17	--- a/cups/ipp.c
		18	+++ b/cups/ipp.c
		19	@@ -2949,31 +2949,6 @@ ippReadIO(void src, / I - Data source */
		20	*/
		21
		22	tag = (ipp_tag_t)buffer[0];
		23	- if (tag == IPP_TAG_EXTENSION)
		24	- {
		25	- /*
		26	- * Read 32-bit "extension" tag...
		27	- */
		28	-
		29	- if ((*cb)(src, buffer, 4) < 4)
		30	- {
		31	- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
		32	- goto rollback;
		33	- }
		34	-
		35	- tag = (ipp_tag_t)((buffer[0] << 24) \| (buffer[1] << 16) \| (buffer[2] << 8) \| buffer[3]);
		36	-
		37	- if (tag & IPP_TAG_CUPS_CONST)
		38	- {
		39	- /*
		40	- * Fail if the high bit is set in the tag...
		41	- */
		42	-
		43	- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
		44	- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
		45	- goto rollback;
		46	- }
		47	- }
		48
		49	if (tag == IPP_TAG_END)
		50	{
		51	@@ -3196,6 +3171,7 @@ ippReadIO(void src, / I - Data source */
		52
		53	if ((*cb)(src, buffer, (size_t)n) < n)
		54	{
		55	+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
		56	DEBUG_puts("1ippReadIO: unable to read name.");
		57	goto rollback;
		58	}