2 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index b8761df0d5..aa55d41b84 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
           file://0004-cups-fix-multilib-install-file-conflicts.patch \
           file://volatiles.99_cups \
           file://cups-volatiles.conf \
+           file://CVE-2025-58060.patch \
           "
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58060.patch b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
new file mode 100644
index 0000000000..adb1f10a05
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
@@ -0,0 +1,60 @@
+From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 11 Sep 2025 14:44:59 +0200
+Subject: [PATCH] cupsd: Block authentication using alternate method
+Fixes: CVE-2025-58060
+CVE: CVE-2025-58060
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 5fa53644d..3c9aa72aa 100644
+--- a/scheduler/auth.c
+++ b/scheduler/auth.c
+@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con)        /* I - Client connection */
+     int        userlen;                        /* Username:password length */
+ 
+ 
+   /*
+    * Only allow Basic if enabled...
+    */
+
+    if (type != CUPSD_AUTH_BASIC)
+    {
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
+      return;
+    }
+
+     authorization += 5;
+     while (isspace(*authorization & 255))
+       authorization ++;
+@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+     * Validate the username and password...
+     */
+ 
+-    if (type == CUPSD_AUTH_BASIC)
+     {
+ #if HAVE_LIBPAM
+      /*
+@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con)        /* I - Client connection */
+                                        /* Output token for username */
+     gss_name_t         client_name;    /* Client name */
+ 
+   /*
+    * Only allow Kerberos if enabled...
+    */
+
+    if (type != CUPSD_AUTH_NEGOTIATE)
+    {
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
+      return;
+    }
+
+ #  ifdef __APPLE__
+    /*
+     * If the weak-linked GSSAPI/Kerberos library is not present, don't try

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index b8761df0d5..aa55d41b84 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
15	file://0004-cups-fix-multilib-install-file-conflicts.patch \	15	file://0004-cups-fix-multilib-install-file-conflicts.patch \
16	file://volatiles.99_cups \	16	file://volatiles.99_cups \
17	file://cups-volatiles.conf \	17	file://cups-volatiles.conf \
		18	file://CVE-2025-58060.patch \
18	"	19	"
19		20
20	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"	21	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"


diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58060.patch b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch new file mode 100644 index 0000000000..adb1f10a05 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch
@@ -0,0 +1,60 @@
		1	From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
		2	From: Zdenek Dohnal <zdohnal@redhat.com>
		3	Date: Thu, 11 Sep 2025 14:44:59 +0200
		4	Subject: [PATCH] cupsd: Block authentication using alternate method
		5
		6	Fixes: CVE-2025-58060
		7
		8	CVE: CVE-2025-58060
		9	Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	scheduler/auth.c \| 21 ++++++++++++++++++++-
		13	1 file changed, 20 insertions(+), 1 deletion(-)
		14
		15	diff --git a/scheduler/auth.c b/scheduler/auth.c
		16	index 5fa53644d..3c9aa72aa 100644
		17	--- a/scheduler/auth.c
		18	+++ b/scheduler/auth.c
		19	@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t con) / I - Client connection */
		20	int userlen; /* Username:password length */
		21
		22
		23	+ /*
		24	+ * Only allow Basic if enabled...
		25	+ */
		26	+
		27	+ if (type != CUPSD_AUTH_BASIC)
		28	+ {
		29	+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
		30	+ return;
		31	+ }
		32	+
		33	authorization += 5;
		34	while (isspace(*authorization & 255))
		35	authorization ++;
		36	@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t con) / I - Client connection */
		37	* Validate the username and password...
		38	*/
		39
		40	- if (type == CUPSD_AUTH_BASIC)
		41	{
		42	#if HAVE_LIBPAM
		43	/*
		44	@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t con) / I - Client connection */
		45	/* Output token for username */
		46	gss_name_t client_name; /* Client name */
		47
		48	+ /*
		49	+ * Only allow Kerberos if enabled...
		50	+ */
		51	+
		52	+ if (type != CUPSD_AUTH_NEGOTIATE)
		53	+ {
		54	+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
		55	+ return;
		56	+ }
		57	+
		58	# ifdef __APPLE__
		59	/*
		60	* If the weak-linked GSSAPI/Kerberos library is not present, don't try