diff --git a/SOURCES/0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch b/SOURCES/0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch new file mode 100644 index 0000000..a4bb8df --- /dev/null +++ b/SOURCES/0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch @@ -0,0 +1,26 @@ +From 2dc021f33a3ea358c9f5c5c54643adc4c46a84a1 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Wed, 3 Dec 2025 07:25:30 -0500 +Subject: [PATCH] Fix an infinite loop issue in GTK+ (Issue #1439) + +--- + CHANGES.md | 1 + + cups/http.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/cups/http.c b/cups/http.c +index 214e45158..31ed6ddc1 100644 +--- a/cups/http.c ++++ b/cups/http.c +@@ -2779,7 +2779,7 @@ _httpUpdate(http_t *http, /* I - HTTP connection */ + /* See whether our read buffer is full... */ + DEBUG_printf(("2_httpUpdate: used=%d", http->used)); + +- if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer)) ++ if (http->used < sizeof(http->buffer)) + { + /* No, try filling in more data... */ + if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0) +-- +2.52.0 + diff --git a/SOURCES/0001-Fix-various-issues-in-cupsd.patch b/SOURCES/0001-Fix-various-issues-in-cupsd.patch new file mode 100644 index 0000000..08850f0 --- /dev/null +++ b/SOURCES/0001-Fix-various-issues-in-cupsd.patch @@ -0,0 +1,283 @@ +diff -up cups-2.2.6/conf/cups-files.conf.in.config-issues cups-2.2.6/conf/cups-files.conf.in +--- cups-2.2.6/conf/cups-files.conf.in.config-issues 2025-12-10 09:55:08.849687904 +0100 ++++ cups-2.2.6/conf/cups-files.conf.in 2025-12-10 09:55:08.963762383 +0100 +@@ -19,6 +19,9 @@ + SystemGroup @CUPS_SYSTEM_GROUPS@ + @CUPS_SYSTEM_AUTHKEY@ + ++# Are Unix domain socket peer credentials used for authorization? ++PeerCred @CUPS_PEER_CRED@ ++ + # User that is substituted for unauthenticated (remote) root accesses... + #RemoteRoot remroot + +diff -up cups-2.2.6/config.h.in.config-issues cups-2.2.6/config.h.in +--- cups-2.2.6/config.h.in.config-issues 2025-12-10 09:55:08.852849134 +0100 ++++ cups-2.2.6/config.h.in 2025-12-10 09:56:38.680857561 +0100 +@@ -88,6 +88,13 @@ + + + /* ++ * Default PeerCred value... ++ */ ++ ++#define CUPS_DEFAULT_PEER_CRED "on" ++ ++ ++/* + * Default MaxCopies value... + */ + +diff -up cups-2.2.6/config-scripts/cups-defaults.m4.config-issues cups-2.2.6/config-scripts/cups-defaults.m4 +--- cups-2.2.6/config-scripts/cups-defaults.m4.config-issues 2025-12-10 09:55:08.913734163 +0100 ++++ cups-2.2.6/config-scripts/cups-defaults.m4 2025-12-10 09:55:57.696584490 +0100 +@@ -95,6 +95,15 @@ AC_ARG_WITH(log_level, [ --with-log-lev + AC_SUBST(CUPS_LOG_LEVEL) + AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LOG_LEVEL, "$CUPS_LOG_LEVEL") + ++dnl Default PeerCred ++AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [ ++ CUPS_PEER_CRED="$withval" ++], [ ++ CUPS_PEER_CRED="on" ++]) ++AC_SUBST([CUPS_PEER_CRED]) ++AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.]) ++ + dnl Default AccessLogLevel + AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none], + CUPS_ACCESS_LOG_LEVEL="$withval", +diff -up cups-2.2.6/doc/help/man-cups-files.conf.html.config-issues cups-2.2.6/doc/help/man-cups-files.conf.html +--- cups-2.2.6/doc/help/man-cups-files.conf.html.config-issues 2025-12-10 09:55:08.849902857 +0100 ++++ cups-2.2.6/doc/help/man-cups-files.conf.html 2025-12-10 09:57:25.160598126 +0100 +@@ -119,6 +119,13 @@ The server name may be included in filen + + + The default is "/var/log/cups/page_log". ++
PeerCred off ++
PeerCred on ++
PeerCred root-only ++
Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When on, the peer credentials of any user are accepted for authorization. ++The value off disables the use of peer credentials entirely, while the value root-only allows peer credentials only for the root user. ++Note: for security reasons, the on setting is reduced to root-only for authorization of PUT requests. +
RemoteRoot username +
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. + The default is "remroot". +diff -up cups-2.2.6/man/cups-files.conf.man.in.config-issues cups-2.2.6/man/cups-files.conf.man.in +--- cups-2.2.6/man/cups-files.conf.man.in.config-issues 2025-12-10 09:59:33.227883234 +0100 ++++ cups-2.2.6/man/cups-files.conf.man.in 2025-12-10 09:59:57.400174430 +0100 +@@ -162,6 +162,17 @@ The default is "/var/log/cups/page_log". + \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] + Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++.\"#PeerCred ++.TP 5 ++\fBPeerCred off\fR ++.TP 5 ++\fBPeerCred on\fR ++.TP 5 ++\fBPeerCred root-only\fR ++Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When \fBon\fR, the peer credentials of any user are accepted for authorization. ++The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user. ++Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests. + .\"#RemoteRoot + .TP 5 + \fBRemoteRoot \fIusername\fR +diff -up cups-2.2.6/scheduler/auth.c.config-issues cups-2.2.6/scheduler/auth.c +--- cups-2.2.6/scheduler/auth.c.config-issues 2025-12-10 09:55:08.953939209 +0100 ++++ cups-2.2.6/scheduler/auth.c 2025-12-10 09:55:08.965011783 +0100 +@@ -401,7 +401,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I + } + #endif /* HAVE_AUTHORIZATION_H */ + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- else if (!strncmp(authorization, "PeerCred ", 9) && ++ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && + con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) + { + /* +@@ -444,6 +444,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I + } + #endif /* HAVE_AUTHORIZATION_H */ + ++ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root")) ++ { ++ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9); ++ return; ++ } ++ + if ((pwd = getpwnam(authorization + 9)) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); +diff -up cups-2.2.6/scheduler/auth.h.config-issues cups-2.2.6/scheduler/auth.h +--- cups-2.2.6/scheduler/auth.h.config-issues 2017-11-01 15:57:53.000000000 +0100 ++++ cups-2.2.6/scheduler/auth.h 2025-12-10 10:00:29.472254041 +0100 +@@ -52,6 +52,10 @@ + #define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */ + #define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */ + ++#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */ ++#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */ ++#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */ ++ + #define IPP_ANY_OPERATION (ipp_op_t)0 + /* Any IPP operation */ + #define IPP_BAD_OPERATION (ipp_op_t)-1 +@@ -109,6 +113,9 @@ typedef struct cupsd_client_s cupsd_clie + + VAR cups_array_t *Locations VALUE(NULL); + /* Authorization locations */ ++VAR int PeerCred VALUE(CUPSD_PEERCRED_ON); ++ /* Allow PeerCred authorization? */ ++ + #ifdef HAVE_SSL + VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED); + /* Default encryption for authentication */ +diff -up cups-2.2.6/scheduler/client.c.config-issues cups-2.2.6/scheduler/client.c +diff -up cups-2.2.6/scheduler/conf.c.config-issues cups-2.2.6/scheduler/conf.c +--- cups-2.2.6/scheduler/conf.c.config-issues 2025-12-10 09:55:08.946765727 +0100 ++++ cups-2.2.6/scheduler/conf.c 2025-12-10 09:55:08.964315379 +0100 +@@ -52,6 +52,7 @@ typedef enum + { + CUPSD_VARTYPE_INTEGER, /* Integer option */ + CUPSD_VARTYPE_TIME, /* Time interval option */ ++ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */ + CUPSD_VARTYPE_STRING, /* String option */ + CUPSD_VARTYPE_BOOLEAN, /* Boolean option */ + CUPSD_VARTYPE_PATHNAME, /* File/directory name option */ +@@ -74,7 +75,7 @@ static const cupsd_var_t cupsd_vars[] = + { + { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN }, + #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI) +- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING }, ++ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING }, + #endif /* HAVE_DNSSD || HAVE_AVAHI */ + { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN }, + { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN }, +@@ -124,7 +125,7 @@ static const cupsd_var_t cupsd_vars[] = + { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER }, + { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER }, + { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME }, +- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING }, ++ { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_NULLSTRING }, + { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME }, + { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME }, + { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME }, +@@ -807,6 +808,13 @@ cupsdReadConfiguration(void) + IdleExitTimeout = 60; + #endif /* HAVE_ONDEMAND */ + ++ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off")) ++ PeerCred = CUPSD_PEERCRED_OFF; ++ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only")) ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ else ++ PeerCred = CUPSD_PEERCRED_ON; ++ + /* + * Setup environment variables... + */ +@@ -1837,7 +1845,7 @@ get_addr_and_mask(const char *value, /* + + family = AF_INET6; + +- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++) ++ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++) + { + if (*ptr == ']') + break; +@@ -1986,7 +1994,7 @@ get_addr_and_mask(const char *value, /* + #ifdef AF_INET6 + if (family == AF_INET6) + { +- if (i > 128) ++ if (i < 0 || i > 128) + return (0); + + i = 128 - i; +@@ -2020,7 +2028,7 @@ get_addr_and_mask(const char *value, /* + else + #endif /* AF_INET6 */ + { +- if (i > 32) ++ if (i < 0 || i > 32) + return (0); + + mask[0] = 0xffffffff; +@@ -2930,7 +2938,17 @@ parse_variable( + cupsdSetString((char **)var->ptr, temp); + break; + ++ case CUPSD_VARTYPE_NULLSTRING : ++ cupsdSetString((char **)var->ptr, value); ++ break; ++ + case CUPSD_VARTYPE_STRING : ++ if (!value) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename); ++ return (0); ++ } ++ + cupsdSetString((char **)var->ptr, value); + break; + } +@@ -3438,9 +3456,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - + line, value ? " " : "", value ? value : "", linenum, + ConfigurationFile, CupsFilesFile); + } +- else +- parse_variable(ConfigurationFile, linenum, line, value, +- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars); ++ else if (!parse_variable(ConfigurationFile, linenum, line, value, ++ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) && ++ (FatalErrors & CUPSD_FATAL_CONFIG)) ++ return (0); + } + + return (1); +@@ -3575,6 +3594,31 @@ read_cups_files_conf(cups_file_t *fp) /* + break; + } + } ++ else if (!_cups_strcasecmp(line, "PeerCred") && value) ++ { ++ /* ++ * PeerCred {off,on,root-only} ++ */ ++ ++ if (!_cups_strcasecmp(value, "off")) ++ { ++ PeerCred = CUPSD_PEERCRED_OFF; ++ } ++ else if (!_cups_strcasecmp(value, "on")) ++ { ++ PeerCred = CUPSD_PEERCRED_ON; ++ } ++ else if (!_cups_strcasecmp(value, "root-only")) ++ { ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ } ++ else ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile); ++ if (FatalErrors & CUPSD_FATAL_CONFIG) ++ return (0); ++ } ++ } + else if (!_cups_strcasecmp(line, "PrintcapFormat") && value) + { + /* +diff -up cups-2.2.6/test/run-stp-tests.sh.config-issues cups-2.2.6/test/run-stp-tests.sh +--- cups-2.2.6/test/run-stp-tests.sh.config-issues 2025-12-10 09:55:08.861374808 +0100 ++++ cups-2.2.6/test/run-stp-tests.sh 2025-12-10 09:55:08.964582228 +0100 +@@ -511,7 +511,7 @@ fi + + cat >$BASE/cups-files.conf < +Date: Tue, 20 Feb 2018 20:18:05 -0500 +Subject: [PATCH] Setting the timeout should also timeout the TLS negotiation + (rdar://34938533) + +--- + cups/http.c | 6 +++--- + cups/tls-darwin.c | 35 +++++++++++++++++++++++++++++++---- + cups/tls-gnutls.c | 35 ++++++++++++++++++++++++++++++++--- + cups/tls.c | 2 +- + 4 files changed, 67 insertions(+), 11 deletions(-) + +diff --git a/cups/http.c b/cups/http.c +index 9af77c1c5..4d0a2a78e 100644 +--- a/cups/http.c ++++ b/cups/http.c +@@ -4027,7 +4027,7 @@ http_read(http_t *http, /* I - HTTP connection */ + + DEBUG_printf(("http_read(http=%p, buffer=%p, length=" CUPS_LLFMT ")", (void *)http, (void *)buffer, CUPS_LLCAST length)); + +- if (!http->blocking) ++ if (!http->blocking || http->timeout_value > 0.0) + { + while (!httpWait(http, http->wait_value)) + { +@@ -4626,7 +4626,7 @@ http_write(http_t *http, /* I - HTTP connection */ + { + DEBUG_printf(("3http_write: About to write %d bytes.", (int)length)); + +- if (http->timeout_cb) ++ if (http->timeout_value > 0.0) + { + #ifdef HAVE_POLL + struct pollfd pfd; /* Polled file descriptor */ +@@ -4670,7 +4670,7 @@ http_write(http_t *http, /* I - HTTP connection */ + http->error = errno; + return (-1); + } +- else if (nfds == 0 && !(*http->timeout_cb)(http, http->timeout_data)) ++ else if (nfds == 0 && (!http->timeout_cb || !(*http->timeout_cb)(http, http->timeout_data))) + { + #ifdef WIN32 + http->error = WSAEWOULDBLOCK; +diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c +index 0f0cd0028..bc3cdd07d 100644 +--- a/cups/tls-gnutls.c ++++ b/cups/tls-gnutls.c +@@ -1087,7 +1087,7 @@ http_gnutls_read( + + http = (http_t *)ptr; + +- if (!http->blocking) ++ if (!http->blocking || http->timeout_value > 0.0) + { + /* + * Make sure we have data before we read... +@@ -1245,6 +1245,9 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ + char priority_string[2048]; + /* Priority string */ + int version; /* Current version */ ++ double old_timeout; /* Old timeout value */ ++ http_timeout_cb_t old_cb; /* Old timeout callback */ ++ void *old_data; /* Old timeout data */ + static const char * const versions[] =/* SSL/TLS versions */ + { + "VERS-SSL3.0", +@@ -1578,6 +1581,24 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ + #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */ + gnutls_transport_set_push_function(http->tls, http_gnutls_write); + ++ /* ++ * Enforce a minimum timeout of 10 seconds for the TLS handshake... ++ */ ++ ++ old_timeout = http->timeout_value; ++ old_cb = http->timeout_cb; ++ old_data = http->timeout_data; ++ ++ if (!old_cb || old_timeout < 10.0) ++ { ++ DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds."); ++ httpSetTimeout(http, 10.0, NULL, NULL); ++ } ++ ++ /* ++ * Do the TLS handshake... ++ */ ++ + while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS) + { + DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)", +@@ -1595,10 +1616,18 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ + free(credentials); + http->tls = NULL; + ++ httpSetTimeout(http, old_timeout, old_cb, old_data); ++ + return (-1); + } + } + ++ /* ++ * Restore the previous timeout settings... ++ */ ++ ++ httpSetTimeout(http, old_timeout, old_cb, old_data); ++ + http->tls_credentials = credentials; + + return (0); +diff --git a/cups/tls.c b/cups/tls.c +index e8874004f..278439db2 100644 +--- a/cups/tls.c ++++ b/cups/tls.c +@@ -30,7 +30,7 @@ + + + /* +- * Local functions... ++ * Include platform-specific TLS code... + */ + + #ifdef HAVE_SSL +-- +2.52.0 + diff --git a/SOURCES/0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch b/SOURCES/0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch new file mode 100644 index 0000000..d04ea90 --- /dev/null +++ b/SOURCES/0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch @@ -0,0 +1,12 @@ +diff -up cups-2.2.6/cups/http.c.use-usessl cups-2.2.6/cups/http.c +--- cups-2.2.6/cups/http.c.use-usessl 2025-12-09 14:59:32.677174678 +0100 ++++ cups-2.2.6/cups/http.c 2025-12-09 15:00:38.443279836 +0100 +@@ -3152,7 +3152,7 @@ _httpWait(http_t *http, /* I - HTTP co + */ + + #ifdef HAVE_SSL +- if (http->tls && _httpTLSPending(http)) ++ if (usessl && http->tls && _httpTLSPending(http)) + { + DEBUG_puts("5_httpWait: Return 1 since there is pending TLS data."); + return (1); diff --git a/SOURCES/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch b/SOURCES/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch new file mode 100644 index 0000000..2ca3534 --- /dev/null +++ b/SOURCES/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch @@ -0,0 +1,43 @@ +From 277d3b1c49895f070bbf4b73cada011d71fbf9f3 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 4 Dec 2025 09:04:37 +0100 +Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive + +Change the return value to do not trigger stopping the scheduler in case +of unknown directive, because stopping the scheduler on config errors +should only happen in case of syntax errors. +--- + scheduler/conf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 7d6da0252..0e7be0ef4 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -2708,16 +2708,16 @@ parse_variable( + { + /* + * Unknown directive! Output an error message and continue... ++ * ++ * Return value 1 is on purpose - we ignore unknown directives to log ++ * error, but do not stop the scheduler in case error in configuration ++ * is set to be fatal. + */ + +- if (!value) +- cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", +- line, linenum, filename); +- else +- cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.", +- line, linenum, filename); ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.", ++ line, linenum, filename); + +- return (0); ++ return (1); + } + + switch (var->type) +-- +2.52.0 + diff --git a/SOURCES/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch b/SOURCES/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch new file mode 100644 index 0000000..3b84753 --- /dev/null +++ b/SOURCES/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch @@ -0,0 +1,29 @@ +From c1d2c631267f28131dd31df5b895b8bfb3005b0d Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 11 Dec 2025 15:12:55 +0100 +Subject: [PATCH] scheduler: Fix possible use_after_free in `cupsdReadClient()` + +If `cupsdSendHeader()` fails, we free the connection and return -1, but +in that case we try to free the connection again in `cupsdReadClient()`. +--- + scheduler/client.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index f6166091e..63844d531 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2761,10 +2761,7 @@ check_start_tls(cupsd_client_t *con) /* I - Client connection */ + httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0"); + + if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE)) +- { +- cupsdCloseClient(con); + return (-1); +- } + } + + return (1); +-- +2.52.0 + diff --git a/SOURCES/cups-CVE-2025-58436.patch b/SOURCES/cups-CVE-2025-58436.patch new file mode 100644 index 0000000..6593369 --- /dev/null +++ b/SOURCES/cups-CVE-2025-58436.patch @@ -0,0 +1,524 @@ +diff -up cups-2.2.6/cups/http.c.slow-client cups-2.2.6/cups/http.c +--- cups-2.2.6/cups/http.c.slow-client 2025-12-09 15:13:08.505351097 +0100 ++++ cups-2.2.6/cups/http.c 2025-12-09 15:16:54.210443194 +0100 +@@ -52,7 +52,7 @@ static http_t *http_create(const char * + static void http_debug_hex(const char *prefix, const char *buffer, + int bytes); + #endif /* DEBUG */ +-static ssize_t http_read(http_t *http, char *buffer, size_t length); ++static ssize_t http_read(http_t *http, char *buffer, size_t length, int timeout); + static ssize_t http_read_buffered(http_t *http, char *buffer, size_t length); + static ssize_t http_read_chunk(http_t *http, char *buffer, size_t length); + static int http_send(http_t *http, http_state_t request, +@@ -1209,7 +1209,7 @@ httpGets(char *line, /* I - Line to + return (NULL); + } + +- bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used)); ++ bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value); + + DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes)); + +@@ -1724,24 +1724,13 @@ httpPeek(http_t *http, /* I - HTTP con + + ssize_t buflen; /* Length of read for buffer */ + +- if (!http->blocking) +- { +- while (!httpWait(http, http->wait_value)) +- { +- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) +- continue; +- +- return (0); +- } +- } +- + if ((size_t)http->data_remaining > sizeof(http->buffer)) + buflen = sizeof(http->buffer); + else + buflen = (ssize_t)http->data_remaining; + + DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen)); +- bytes = http_read(http, http->buffer, (size_t)buflen); ++ bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value); + + DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.", + CUPS_LLCAST bytes)); +@@ -1762,9 +1751,9 @@ httpPeek(http_t *http, /* I - HTTP con + int zerr; /* Decompressor error */ + z_stream stream; /* Copy of decompressor stream */ + +- if (http->used > 0 && http->stream.avail_in < HTTP_MAX_BUFFER) ++ if (http->used > 0 && http->stream.avail_in < _HTTP_MAX_BUFFER) + { +- size_t buflen = buflen = HTTP_MAX_BUFFER - http->stream.avail_in; ++ size_t buflen = buflen = _HTTP_MAX_BUFFER - http->stream.avail_in; + /* Number of bytes to copy */ + + if (http->stream.avail_in > 0 && +@@ -2022,7 +2011,7 @@ httpRead2(http_t *http, /* I - HTTP co + + if (bytes == 0) + { +- ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)http->stream.avail_in; ++ ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)http->stream.avail_in; + /* Additional bytes for buffer */ + + if (buflen > 0) +@@ -2893,7 +2882,7 @@ int /* O - 1 to continue, 0 to stop + _httpUpdate(http_t *http, /* I - HTTP connection */ + http_status_t *status) /* O - Current HTTP status */ + { +- char line[32768], /* Line from connection... */ ++ char line[_HTTP_MAX_BUFFER], /* Line from connection... */ + *value; /* Pointer to value on line */ + http_field_t field; /* Field index */ + int major, minor; /* HTTP version numbers */ +@@ -2901,12 +2890,46 @@ _httpUpdate(http_t *http, /* I - + + DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state))); + ++ /* When doing non-blocking I/O, make sure we have a whole line... */ ++ if (!http->blocking) ++ { ++ ssize_t bytes; /* Bytes "peeked" from connection */ ++ ++ /* See whether our read buffer is full... */ ++ DEBUG_printf(("2_httpUpdate: used=%d", http->used)); ++ ++ if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer)) ++ { ++ /* No, try filling in more data... */ ++ if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0) ++ { ++ DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes)); ++ http->used += (int)bytes; ++ } ++ } ++ ++ /* Peek at the incoming data... */ ++ if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used)) ++ { ++ /* Don't have a full line, tell the reader to try again when there is more data... */ ++ DEBUG_puts("1_htttpUpdate: No newline in buffer yet."); ++ if ((size_t)http->used == sizeof(http->buffer)) ++ *status = HTTP_STATUS_ERROR; ++ else ++ *status = HTTP_STATUS_CONTINUE; ++ return (0); ++ } ++ ++ DEBUG_puts("2_httpUpdate: Found newline in buffer."); ++ } ++ + /* + * Grab a single line from the connection... + */ + + if (!httpGets(line, sizeof(line), http)) + { ++ DEBUG_puts("1_httpUpdate: Error reading request line."); + *status = HTTP_STATUS_ERROR; + return (0); + } +@@ -4054,7 +4077,8 @@ http_debug_hex(const char *prefix, /* I + static ssize_t /* O - Number of bytes read or -1 on error */ + http_read(http_t *http, /* I - HTTP connection */ + char *buffer, /* I - Buffer */ +- size_t length) /* I - Maximum bytes to read */ ++ size_t length, /* I - Maximum bytes to read */ ++ int timeout) /* I - Wait timeout */ + { + ssize_t bytes; /* Bytes read */ + +@@ -4063,7 +4087,7 @@ http_read(http_t *http, /* I - HTTP co + + if (!http->blocking || http->timeout_value > 0.0) + { +- while (!httpWait(http, http->wait_value)) ++ while (!_httpWait(http, timeout, 1)) + { + if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) + continue; +@@ -4181,7 +4205,7 @@ http_read_buffered(http_t *http, /* I - + else + bytes = (ssize_t)length; + +- DEBUG_printf(("2http_read: Grabbing %d bytes from input buffer.", ++ DEBUG_printf(("2http_read_buffered: Grabbing %d bytes from input buffer.", + (int)bytes)); + + memcpy(buffer, http->buffer, (size_t)bytes); +@@ -4191,7 +4215,7 @@ http_read_buffered(http_t *http, /* I - + memmove(http->buffer, http->buffer + bytes, (size_t)http->used); + } + else +- bytes = http_read(http, buffer, length); ++ bytes = http_read(http, buffer, length, http->wait_value); + + return (bytes); + } +@@ -4536,15 +4560,15 @@ http_set_timeout(int fd, /* I - File + static void + http_set_wait(http_t *http) /* I - HTTP connection */ + { +- if (http->blocking) +- { +- http->wait_value = (int)(http->timeout_value * 1000); ++ http->wait_value = (int)(http->timeout_value * 1000); + +- if (http->wait_value <= 0) ++ if (http->wait_value <= 0) ++ { ++ if (http->blocking) + http->wait_value = 60000; ++ else ++ http->wait_value = 1000; + } +- else +- http->wait_value = 10000; + } + + +diff -up cups-2.2.6/cups/http-private.h.slow-client cups-2.2.6/cups/http-private.h +--- cups-2.2.6/cups/http-private.h.slow-client 2025-12-09 15:13:08.405517186 +0100 ++++ cups-2.2.6/cups/http-private.h 2025-12-09 15:14:41.466141368 +0100 +@@ -172,6 +172,7 @@ extern "C" { + * Constants... + */ + ++# define _HTTP_MAX_BUFFER 32768 /* Size of read buffer */ + # define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */ + # define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */ + # define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */ +@@ -298,8 +299,8 @@ struct _http_s /**** HTTP connection + http_encoding_t data_encoding; /* Chunked or not */ + int _data_remaining;/* Number of bytes left (deprecated) */ + int used; /* Number of bytes used in buffer */ +- char buffer[HTTP_MAX_BUFFER]; +- /* Buffer for incoming data */ ++ char _buffer[HTTP_MAX_BUFFER]; ++ /* Old read buffer (deprecated) */ + int _auth_type; /* Authentication in use (deprecated) */ + _cups_md5_state_t md5_state; /* MD5 state */ + char nonce[HTTP_MAX_VALUE]; +@@ -368,6 +369,8 @@ struct _http_s /**** HTTP connection + z_stream stream; /* (De)compression stream */ + Bytef *sbuffer; /* (De)compression buffer */ + # endif /* HAVE_LIBZ */ ++ char buffer[_HTTP_MAX_BUFFER]; ++ /* Read buffer */ + }; + # endif /* !_HTTP_NO_PRIVATE */ + +diff -up cups-2.2.6/scheduler/client.c.slow-client cups-2.2.6/scheduler/client.c +--- cups-2.2.6/scheduler/client.c.slow-client 2025-12-09 15:13:08.478315602 +0100 ++++ cups-2.2.6/scheduler/client.c 2025-12-09 15:23:26.936553480 +0100 +@@ -44,11 +44,11 @@ + + static int check_if_modified(cupsd_client_t *con, + struct stat *filestats); +-static int compare_clients(cupsd_client_t *a, cupsd_client_t *b, +- void *data); + #ifdef HAVE_SSL +-static int cupsd_start_tls(cupsd_client_t *con, http_encryption_t e); ++static int check_start_tls(cupsd_client_t *con); + #endif /* HAVE_SSL */ ++static int compare_clients(cupsd_client_t *a, cupsd_client_t *b, ++ void *data); + static char *get_file(cupsd_client_t *con, struct stat *filestats, + char *filename, size_t len); + static http_status_t install_cupsd_conf(cupsd_client_t *con); +@@ -423,14 +423,20 @@ cupsdAcceptClient(cupsd_listener_t *lis) + if (lis->encryption == HTTP_ENCRYPTION_ALWAYS) + { + /* +- * https connection; go secure... ++ * HTTPS connection, force TLS negotiation... + */ + +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS)) +- cupsdCloseClient(con); ++ con->tls_start = time(NULL); ++ con->encryption = HTTP_ENCRYPTION_ALWAYS; + } + else ++ { ++ /* ++ * HTTP connection, but check for HTTPS negotiation on first data... ++ */ ++ + con->auto_ssl = 1; ++ } + #endif /* HAVE_SSL */ + } + +@@ -673,17 +679,46 @@ cupsdReadClient(cupsd_client_t *con) /* + + con->auto_ssl = 0; + +- if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 && +- (!buf[0] || !strchr("DGHOPT", buf[0]))) ++ if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2]) + { + /* +- * Encrypt this connection... ++ * Client hello record, encrypt this connection... + */ + +- cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255); ++ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session."); ++ con->tls_start = time(NULL); ++ con->encryption = HTTP_ENCRYPTION_ALWAYS; ++ } ++ } + +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS)) +- cupsdCloseClient(con); ++ if (con->tls_start) ++ { ++ /* ++ * Try negotiating TLS... ++ */ ++ ++ int tls_status = check_start_tls(con); ++ ++ if (tls_status < 0) ++ { ++ /* ++ * TLS negotiation failed, close the connection. ++ */ ++ ++ cupsdCloseClient(con); ++ return; ++ } ++ else if (tls_status == 0) ++ { ++ /* ++ * Nothing to do yet... ++ */ ++ ++ if ((time(NULL) - con->tls_start) > 5) ++ { ++ // Timeout, close the connection... ++ cupsdCloseClient(con); ++ } + + return; + } +@@ -847,9 +882,7 @@ cupsdReadClient(cupsd_client_t *con) /* + * Parse incoming parameters until the status changes... + */ + +- while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE) +- if (!httpGetReady(con->http)) +- break; ++ status = httpUpdate(con->http); + + if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE) + { +@@ -999,11 +1032,10 @@ cupsdReadClient(cupsd_client_t *con) /* + return; + } + +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED)) +- { +- cupsdCloseClient(con); +- return; +- } ++ con->tls_start = time(NULL); ++ con->tls_upgrade = 1; ++ con->encryption = HTTP_ENCRYPTION_REQUIRED; ++ return; + #else + if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE)) + { +@@ -1042,32 +1074,11 @@ cupsdReadClient(cupsd_client_t *con) /* + if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION), + "Upgrade") && !httpIsEncrypted(con->http)) + { +-#ifdef HAVE_SSL +- /* +- * Do encryption stuff... +- */ +- +- httpClearFields(con->http); +- +- if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL, +- CUPSD_AUTH_NONE)) +- { +- cupsdCloseClient(con); +- return; +- } +- +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED)) +- { +- cupsdCloseClient(con); +- return; +- } +-#else + if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE)) + { + cupsdCloseClient(con); + return; + } +-#endif /* HAVE_SSL */ + } + + if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK) +@@ -3003,6 +3014,69 @@ check_if_modified( + } + + ++#ifdef HAVE_SSL ++/* ++ * 'check_start_tls()' - Start encryption on a connection. ++ */ ++ ++static int /* O - 0 to continue, 1 on success, -1 on error */ ++check_start_tls(cupsd_client_t *con) /* I - Client connection */ ++{ ++ unsigned char chello[4096]; /* Client hello record */ ++ ssize_t chello_bytes; /* Bytes read/peeked */ ++ int chello_len; /* Length of record */ ++ ++ ++ /* ++ * See if we have a good and complete client hello record... ++ */ ++ ++ if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5) ++ return (0); /* Not enough bytes (yet) */ ++ ++ if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0) ++ return (-1); /* Not a TLS Client Hello record */ ++ ++ chello_len = (chello[3] << 8) | chello[4]; ++ ++ if ((chello_len + 5) > chello_bytes) ++ return (0); /* Not enough bytes yet */ ++ ++ /* ++ * OK, we do, try negotiating... ++ */ ++ ++ con->tls_start = 0; ++ ++ if (httpEncryption(con->http, con->encryption)) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString()); ++ return (-1); ++ } ++ ++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted."); ++ ++ if (con->tls_upgrade) ++ { ++ // Respond to the original OPTIONS command... ++ con->tls_upgrade = 0; ++ ++ httpClearFields(con->http); ++ httpClearCookie(con->http); ++ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0"); ++ ++ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE)) ++ { ++ cupsdCloseClient(con); ++ return (-1); ++ } ++ } ++ ++ return (1); ++} ++#endif /* HAVE_SSL */ ++ ++ + /* + * 'compare_clients()' - Compare two client connections. + */ +@@ -3023,28 +3097,6 @@ compare_clients(cupsd_client_t *a, /* I + } + + +-#ifdef HAVE_SSL +-/* +- * 'cupsd_start_tls()' - Start encryption on a connection. +- */ +- +-static int /* O - 0 on success, -1 on error */ +-cupsd_start_tls(cupsd_client_t *con, /* I - Client connection */ +- http_encryption_t e) /* I - Encryption mode */ +-{ +- if (httpEncryption(con->http, e)) +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", +- cupsLastErrorString()); +- return (-1); +- } +- +- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted."); +- return (0); +-} +-#endif /* HAVE_SSL */ +- +- + /* + * 'get_file()' - Get a filename and state info. + */ +diff -up cups-2.2.6/scheduler/client.h.slow-client cups-2.2.6/scheduler/client.h +--- cups-2.2.6/scheduler/client.h.slow-client 2025-12-09 15:13:08.395814648 +0100 ++++ cups-2.2.6/scheduler/client.h 2025-12-09 15:36:24.758565531 +0100 +@@ -59,6 +59,9 @@ struct cupsd_client_s + cups_lang_t *language; /* Language to use */ + #ifdef HAVE_SSL + int auto_ssl; /* Automatic test for SSL/TLS */ ++ time_t tls_start; /* Do TLS negotiation? */ ++ int tls_upgrade; /* Doing TLS upgrade via OPTIONS? */ ++ http_encryption_t encryption; /* Type of TLS negotiation */ + #endif /* HAVE_SSL */ + http_addr_t clientaddr; /* Client's server address */ + char clientname[256];/* Client's server name for connection */ +diff -up cups-2.2.6/scheduler/select.c.slow-client cups-2.2.6/scheduler/select.c +--- cups-2.2.6/scheduler/select.c.slow-client 2017-11-01 15:57:53.000000000 +0100 ++++ cups-2.2.6/scheduler/select.c 2025-12-09 15:13:08.508485767 +0100 +@@ -412,6 +412,9 @@ cupsdDoSelect(long timeout) /* I - Time + + cupsd_in_select = 1; + ++ // Prevent 100% CPU by releasing control before the kevent call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + { + ktimeout.tv_sec = timeout; +@@ -458,6 +461,9 @@ cupsdDoSelect(long timeout) /* I - Time + struct epoll_event *event; /* Current event */ + + ++ // Prevent 100% CPU by releasing control before the epoll_wait call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs, + timeout * 1000); +@@ -550,6 +556,9 @@ cupsdDoSelect(long timeout) /* I - Time + } + } + ++ // Prevent 100% CPU by releasing control before the poll call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000); + else +@@ -603,6 +612,9 @@ cupsdDoSelect(long timeout) /* I - Time + cupsd_current_input = cupsd_global_input; + cupsd_current_output = cupsd_global_output; + ++ // Prevent 100% CPU by releasing control before the select call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + { + stimeout.tv_sec = timeout; diff --git a/SPECS/cups.spec b/SPECS/cups.spec index cbff363..86b4385 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -22,7 +22,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 64%{?dist} +Release: 66%{?dist} License: GPLv2+ and LGPLv2 with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -193,8 +193,25 @@ Patch95: 0001-ppdize-preset-and-template-names.patch Patch96: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch # RHEL-112424 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling Patch97: CVE-2025-58060.patch -# RHEL-122666 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS +# RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS Patch98: CVE-2025-58364.patch +# RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack +# 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch +# 0001-Setting-the-timeout-should-also-timeout-the-TLS-nego.patch +# cups-CVE-2025-58436.patch +# 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch +Patch99: 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch +Patch100: 0001-Setting-the-timeout-should-also-timeout-the-TLS-nego.patch +Patch101: cups-CVE-2025-58436.patch +Patch102: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch +# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues +# 0001-Fix-various-issues-in-cupsd.patch +# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch +Patch103: 0001-Fix-various-issues-in-cupsd.patch +Patch104: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch +# fix use-after-free reported by OSH +# https://github.com/OpenPrinting/cups/pull/1454 +Patch105: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch Patch1000: cups-lspp.patch @@ -525,8 +542,18 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch96 -p1 -b .make-model-trim # RHEL-112424 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling %patch97 -p1 -b .cve-2025-58060 -# RHEL-122666 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS +# RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS %patch98 -p1 -b .cve-2025-58364 +# RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack +%patch99 -p1 -b .use-usessl +%patch100 -p1 -b .timeout-tls +%patch101 -p1 -b .slow-client +%patch102 -p1 -b .gtk-infinite-loop +# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues +%patch103 -p1 -b .config-issues +%patch104 -p1 -b .ignore-unknown +# fix use-after-free reported by OSH +%patch105 -p1 -b .osh-use-after-free sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -954,8 +981,15 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Fri Dec 12 2025 Zdenek Dohnal - 1:2.2.6-66 +- fix use-after-free reported by OSH + +* Tue Dec 09 2025 Zdenek Dohnal - 1:2.2.6-65 +- RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack +- RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues + * Wed Oct 22 2025 Zdenek Dohnal - 1:2.2.6-64 -- RHEL-122666 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS +- RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS * Thu Sep 04 2025 Zdenek Dohnal - 1:2.2.6-63 - RHEL-112424 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling