From 49f4908cbdc533f27c664b70c82797278f839d2c Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Fri, 12 Dec 2025 09:48:18 +0100 Subject: [PATCH] fix use-after-free reported by OSH Resolves: RHEL-129729 --- ...ssible-use_after_free-in-cupsdReadCl.patch | 29 +++++++++++++++++++ cups.spec | 10 ++++++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch diff --git a/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch b/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch new file mode 100644 index 0000000..3b84753 --- /dev/null +++ b/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch @@ -0,0 +1,29 @@ +From c1d2c631267f28131dd31df5b895b8bfb3005b0d Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 11 Dec 2025 15:12:55 +0100 +Subject: [PATCH] scheduler: Fix possible use_after_free in `cupsdReadClient()` + +If `cupsdSendHeader()` fails, we free the connection and return -1, but +in that case we try to free the connection again in `cupsdReadClient()`. +--- + scheduler/client.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index f6166091e..63844d531 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2761,10 +2761,7 @@ check_start_tls(cupsd_client_t *con) /* I - Client connection */ + httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0"); + + if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE)) +- { +- cupsdCloseClient(con); + return (-1); +- } + } + + return (1); +-- +2.52.0 + diff --git a/cups.spec b/cups.spec index 23f81d7..86b4385 100644 --- a/cups.spec +++ b/cups.spec @@ -22,7 +22,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.2.6 -Release: 65%{?dist} +Release: 66%{?dist} License: GPLv2+ and LGPLv2 with exceptions and AML Url: http://www.cups.org/ Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz @@ -209,6 +209,9 @@ Patch102: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch # 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch Patch103: 0001-Fix-various-issues-in-cupsd.patch Patch104: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch +# fix use-after-free reported by OSH +# https://github.com/OpenPrinting/cups/pull/1454 +Patch105: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch Patch1000: cups-lspp.patch @@ -549,6 +552,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results. # RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues %patch103 -p1 -b .config-issues %patch104 -p1 -b .ignore-unknown +# fix use-after-free reported by OSH +%patch105 -p1 -b .osh-use-after-free sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in @@ -976,6 +981,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Fri Dec 12 2025 Zdenek Dohnal - 1:2.2.6-66 +- fix use-after-free reported by OSH + * Tue Dec 09 2025 Zdenek Dohnal - 1:2.2.6-65 - RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack - RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues