rpms/cups
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI cups-2.3.3op2-34.el9_7.2

Browse Source
This commit is contained in:
eabdullin 2026-01-10 23:45:53 +00:00
parent 77b985f32d
commit 5f7d9c0015
7 changed files with 961 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
SOURCES/0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch Normal file
View File

@ -0,0 +1,26 @@
From 2dc021f33a3ea358c9f5c5c54643adc4c46a84a1 Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Wed, 3 Dec 2025 07:25:30 -0500
Subject: [PATCH] Fix an infinite loop issue in GTK+ (Issue #1439)
---
CHANGES.md | 1 +
cups/http.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/cups/http.c b/cups/http.c
index 214e45158..31ed6ddc1 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -2779,7 +2779,7 @@ _httpUpdate(http_t *http, /* I - HTTP connection */
/* See whether our read buffer is full... */
DEBUG_printf(("2_httpUpdate: used=%d", http->used));
- if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
+ if (http->used < sizeof(http->buffer))
{
/* No, try filling in more data... */
if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
--
2.52.0

294
SOURCES/0001-Fix-various-issues-in-cupsd.patch Normal file
View File

@ -0,0 +1,294 @@
diff -up cups-2.3.3op2/conf/cups-files.conf.in.config-issues cups-2.3.3op2/conf/cups-files.conf.in
--- cups-2.3.3op2/conf/cups-files.conf.in.config-issues 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/conf/cups-files.conf.in 2025-12-09 18:41:09.687817899 +0100
@@ -19,6 +19,9 @@
SystemGroup @CUPS_SYSTEM_GROUPS@
@CUPS_SYSTEM_AUTHKEY@
+# Are Unix domain socket peer credentials used for authorization?
+PeerCred @CUPS_PEER_CRED@
+
# User that is substituted for unauthenticated (remote) root accesses...
#RemoteRoot remroot
diff -up cups-2.3.3op2/config.h.in.config-issues cups-2.3.3op2/config.h.in
--- cups-2.3.3op2/config.h.in.config-issues 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/config.h.in 2025-12-09 18:41:09.688176411 +0100
@@ -95,6 +95,13 @@
/*
+ * Default PeerCred value...
+ */
+
+#define CUPS_DEFAULT_PEER_CRED "on"
+
+
+/*
* Default MaxCopies value...
*/
diff -up cups-2.3.3op2/config-scripts/cups-defaults.m4.config-issues cups-2.3.3op2/config-scripts/cups-defaults.m4
--- cups-2.3.3op2/config-scripts/cups-defaults.m4.config-issues 2025-12-09 18:41:09.634850790 +0100
+++ cups-2.3.3op2/config-scripts/cups-defaults.m4 2025-12-09 18:43:05.131232695 +0100
@@ -121,6 +121,15 @@ AC_ARG_WITH(log_level, [ --with-log-lev
AC_SUBST(CUPS_LOG_LEVEL)
AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LOG_LEVEL, "$CUPS_LOG_LEVEL")
+dnl Default PeerCred
+AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [
+ CUPS_PEER_CRED="$withval"
+], [
+ CUPS_PEER_CRED="on"
+])
+AC_SUBST([CUPS_PEER_CRED])
+AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.])
+
dnl Default AccessLogLevel
AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none],
CUPS_ACCESS_LOG_LEVEL="$withval",
diff -up cups-2.3.3op2/doc/help/man-cups-files.conf.html.config-issues cups-2.3.3op2/doc/help/man-cups-files.conf.html
--- cups-2.3.3op2/doc/help/man-cups-files.conf.html.config-issues 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/doc/help/man-cups-files.conf.html 2025-12-09 18:41:09.688311554 +0100
@@ -122,6 +122,13 @@ The default is "/var/log/cups/page_log".
<dt><a name="PassEnv"></a><b>PassEnv </b><i>variable </i>[ ... <i>variable </i>]
<dd style="margin-left: 5.0em">Passes the specified environment variable(s) to child processes.
Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+<dt><a name="PeerCred"></a><b>PeerCred off</b>
+<dd style="margin-left: 5.0em"><dt><b>PeerCred on</b>
+<dd style="margin-left: 5.0em"><dt><b>PeerCred root-only</b>
+<dd style="margin-left: 5.0em">Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
+When <b>on</b>, the peer credentials of any user are accepted for authorization.
+The value <b>off</b> disables the use of peer credentials entirely, while the value <b>root-only</b> allows peer credentials only for the root user.
+Note: for security reasons, the <b>on</b> setting is reduced to <b>root-only</b> for authorization of PUT requests.
<dt><a name="RemoteRoot"></a><b>RemoteRoot </b><i>username</i>
<dd style="margin-left: 5.0em">Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
The default is "remroot".
diff -up cups-2.3.3op2/man/cups-files.conf.5.config-issues cups-2.3.3op2/man/cups-files.conf.5
--- cups-2.3.3op2/man/cups-files.conf.5.config-issues 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/man/cups-files.conf.5 2025-12-09 18:41:09.688443001 +0100
@@ -166,6 +166,17 @@ The default is "/var/log/cups/page_log".
\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
Passes the specified environment variable(s) to child processes.
Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+.\"#PeerCred
+.TP 5
+\fBPeerCred off\fR
+.TP 5
+\fBPeerCred on\fR
+.TP 5
+\fBPeerCred root-only\fR
+Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
+When \fBon\fR, the peer credentials of any user are accepted for authorization.
+The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user.
+Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests.
.\"#RemoteRoot
.TP 5
\fBRemoteRoot \fIusername\fR
diff -up cups-2.3.3op2/scheduler/auth.c.config-issues cups-2.3.3op2/scheduler/auth.c
--- cups-2.3.3op2/scheduler/auth.c.config-issues 2025-12-09 18:41:09.679531444 +0100
+++ cups-2.3.3op2/scheduler/auth.c 2025-12-09 18:41:09.688567136 +0100
@@ -390,7 +390,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I
}
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
- else if (!strncmp(authorization, "PeerCred ", 9) &&
+ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
{
/*
@@ -433,6 +433,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I
}
#endif /* HAVE_AUTHORIZATION_H */
+ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root"))
+ {
+ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9);
+ return;
+ }
+
if ((pwd = getpwnam(authorization + 9)) == NULL)
{
cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
diff -up cups-2.3.3op2/scheduler/auth.h.config-issues cups-2.3.3op2/scheduler/auth.h
--- cups-2.3.3op2/scheduler/auth.h.config-issues 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/scheduler/auth.h 2025-12-09 18:44:14.355908987 +0100
@@ -48,6 +48,10 @@
#define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */
#define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */
+#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */
+#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */
+#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */
+
#define IPP_ANY_OPERATION (ipp_op_t)0
/* Any IPP operation */
#define IPP_BAD_OPERATION (ipp_op_t)-1
@@ -105,6 +109,9 @@ typedef struct cupsd_client_s cupsd_clie
VAR cups_array_t *Locations VALUE(NULL);
/* Authorization locations */
+VAR int PeerCred VALUE(CUPSD_PEERCRED_ON);
+ /* Allow PeerCred authorization? */
+
#ifdef HAVE_SSL
VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
/* Default encryption for authentication */
diff -up cups-2.3.3op2/scheduler/client.c.config-issues cups-2.3.3op2/scheduler/client.c
--- cups-2.3.3op2/scheduler/client.c.config-issues 2025-12-09 18:41:09.684930590 +0100
+++ cups-2.3.3op2/scheduler/client.c 2025-12-09 18:41:09.689126051 +0100
@@ -2141,7 +2141,7 @@ cupsdSendHeader(
auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str);
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
{
strlcpy(auth_key, ", PeerCred", auth_size);
auth_key += 10;
diff -up cups-2.3.3op2/scheduler/conf.c.config-issues cups-2.3.3op2/scheduler/conf.c
--- cups-2.3.3op2/scheduler/conf.c.config-issues 2025-12-09 18:41:09.677898084 +0100
+++ cups-2.3.3op2/scheduler/conf.c 2025-12-09 18:44:45.947226612 +0100
@@ -46,6 +46,7 @@ typedef enum
{
CUPSD_VARTYPE_INTEGER, /* Integer option */
CUPSD_VARTYPE_TIME, /* Time interval option */
+ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */
CUPSD_VARTYPE_STRING, /* String option */
CUPSD_VARTYPE_BOOLEAN, /* Boolean option */
CUPSD_VARTYPE_PATHNAME, /* File/directory name option */
@@ -68,7 +69,7 @@ static const cupsd_var_t cupsd_vars[] =
{
{ "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING },
+ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING },
#endif /* HAVE_DNSSD || HAVE_AVAHI */
{ "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
{ "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
@@ -121,7 +122,7 @@ static const cupsd_var_t cupsd_vars[] =
{ "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
{ "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
{ "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME },
- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
+ { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_NULLSTRING },
{ "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
{ "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
{ "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },
@@ -800,6 +801,13 @@ cupsdReadConfiguration(void)
IdleExitTimeout = 60;
#endif /* HAVE_ONDEMAND */
+ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off"))
+ PeerCred = CUPSD_PEERCRED_OFF;
+ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only"))
+ PeerCred = CUPSD_PEERCRED_ROOTONLY;
+ else
+ PeerCred = CUPSD_PEERCRED_ON;
+
/*
* Setup environment variables...
*/
@@ -1809,7 +1817,7 @@ get_addr_and_mask(const char *value, /*
family = AF_INET6;
- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++)
+ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++)
{
if (*ptr == ']')
break;
@@ -1958,7 +1966,7 @@ get_addr_and_mask(const char *value, /*
#ifdef AF_INET6
if (family == AF_INET6)
{
- if (i > 128)
+ if (i < 0 || i > 128)
return (0);
i = 128 - i;
@@ -1992,7 +2000,7 @@ get_addr_and_mask(const char *value, /*
else
#endif /* AF_INET6 */
{
- if (i > 32)
+ if (i < 0 || i > 32)
return (0);
mask[0] = 0xffffffff;
@@ -2902,7 +2910,17 @@ parse_variable(
cupsdSetString((char **)var->ptr, temp);
break;
+ case CUPSD_VARTYPE_NULLSTRING :
+ cupsdSetString((char **)var->ptr, value);
+ break;
+
case CUPSD_VARTYPE_STRING :
+ if (!value)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename);
+ return (0);
+ }
+
cupsdSetString((char **)var->ptr, value);
break;
}
@@ -3412,9 +3430,10 @@ read_cupsd_conf(cups_file_t *fp) /* I -
line, value ? " " : "", value ? value : "", linenum,
ConfigurationFile, CupsFilesFile);
}
- else
- parse_variable(ConfigurationFile, linenum, line, value,
- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
+ else if (!parse_variable(ConfigurationFile, linenum, line, value,
+ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) &&
+ (FatalErrors & CUPSD_FATAL_CONFIG))
+ return (0);
}
return (1);
@@ -3574,6 +3593,31 @@ read_cups_files_conf(cups_file_t *fp) /*
break;
}
}
+ else if (!_cups_strcasecmp(line, "PeerCred") && value)
+ {
+ /*
+ * PeerCred {off,on,root-only}
+ */
+
+ if (!_cups_strcasecmp(value, "off"))
+ {
+ PeerCred = CUPSD_PEERCRED_OFF;
+ }
+ else if (!_cups_strcasecmp(value, "on"))
+ {
+ PeerCred = CUPSD_PEERCRED_ON;
+ }
+ else if (!_cups_strcasecmp(value, "root-only"))
+ {
+ PeerCred = CUPSD_PEERCRED_ROOTONLY;
+ }
+ else
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile);
+ if (FatalErrors & CUPSD_FATAL_CONFIG)
+ return (0);
+ }
+ }
else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
{
/*
diff -up cups-2.3.3op2/test/run-stp-tests.sh.config-issues cups-2.3.3op2/test/run-stp-tests.sh
--- cups-2.3.3op2/test/run-stp-tests.sh.config-issues 2025-12-09 18:41:09.632865921 +0100
+++ cups-2.3.3op2/test/run-stp-tests.sh 2025-12-09 18:41:09.690311271 +0100
@@ -511,7 +511,7 @@ fi
cat >$BASE/cups-files.conf <<EOF
FileDevice yes
-Printcap
+Printcap $BASE/printcap
User $user
ServerRoot $BASE
StateDir $BASE

12
SOURCES/0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up cups-2.3.3op2/cups/http.c.use-usessl cups-2.3.3op2/cups/http.c
--- cups-2.3.3op2/cups/http.c.use-usessl 2025-12-09 16:42:30.220757118 +0100
+++ cups-2.3.3op2/cups/http.c 2025-12-09 16:43:29.725348820 +0100
@@ -3004,7 +3004,7 @@ _httpWait(http_t *http, /* I - HTTP co
*/
#ifdef HAVE_SSL
- if (http->tls && _httpTLSPending(http))
+ if (usessl && http->tls && _httpTLSPending(http))
{
DEBUG_puts("5_httpWait: Return 1 since there is pending TLS data.");
return (1);

43
SOURCES/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch Normal file
View File

@ -0,0 +1,43 @@
From 277d3b1c49895f070bbf4b73cada011d71fbf9f3 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 4 Dec 2025 09:04:37 +0100
Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive
Change the return value to do not trigger stopping the scheduler in case
of unknown directive, because stopping the scheduler on config errors
should only happen in case of syntax errors.
---
scheduler/conf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 7d6da0252..0e7be0ef4 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -2708,16 +2708,16 @@ parse_variable(
{
/*
* Unknown directive! Output an error message and continue...
+ *
+ * Return value 1 is on purpose - we ignore unknown directives to log
+ * error, but do not stop the scheduler in case error in configuration
+ * is set to be fatal.
*/
- if (!value)
- cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
- line, linenum, filename);
- else
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
- line, linenum, filename);
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
+ line, linenum, filename);
- return (0);
+ return (1);
}
switch (var->type)
--
2.52.0

29
SOURCES/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch Normal file
View File

@ -0,0 +1,29 @@
From c1d2c631267f28131dd31df5b895b8bfb3005b0d Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 11 Dec 2025 15:12:55 +0100
Subject: [PATCH] scheduler: Fix possible use_after_free in `cupsdReadClient()`
If `cupsdSendHeader()` fails, we free the connection and return -1, but
in that case we try to free the connection again in `cupsdReadClient()`.
---
scheduler/client.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/scheduler/client.c b/scheduler/client.c
index f6166091e..63844d531 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2761,10 +2761,7 @@ check_start_tls(cupsd_client_t *con) /* I - Client connection */
httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
- {
- cupsdCloseClient(con);
return (-1);
- }
}
return (1);
--
2.52.0

524
SOURCES/cups-CVE-2025-58436.patch Normal file
View File

@ -0,0 +1,524 @@
diff -up cups-2.3.3op2/cups/http.c.slow-client cups-2.3.3op2/cups/http.c
--- cups-2.3.3op2/cups/http.c.slow-client 2025-12-09 16:43:51.300291120 +0100
+++ cups-2.3.3op2/cups/http.c 2025-12-09 16:44:49.182521935 +0100
@@ -52,7 +52,7 @@ static http_t *http_create(const char *
static void http_debug_hex(const char *prefix, const char *buffer,
int bytes);
#endif /* DEBUG */
-static ssize_t http_read(http_t *http, char *buffer, size_t length);
+static ssize_t http_read(http_t *http, char *buffer, size_t length, int timeout);
static ssize_t http_read_buffered(http_t *http, char *buffer, size_t length);
static ssize_t http_read_chunk(http_t *http, char *buffer, size_t length);
static int http_send(http_t *http, http_state_t request,
@@ -1175,7 +1175,7 @@ httpGets(char *line, /* I - Line to
return (NULL);
}
- bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used));
+ bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value);
DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes));
@@ -1693,24 +1693,13 @@ httpPeek(http_t *http, /* I - HTTP con
ssize_t buflen; /* Length of read for buffer */
- if (!http->blocking)
- {
- while (!httpWait(http, http->wait_value))
- {
- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
- continue;
-
- return (0);
- }
- }
-
if ((size_t)http->data_remaining > sizeof(http->buffer))
buflen = sizeof(http->buffer);
else
buflen = (ssize_t)http->data_remaining;
DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen));
- bytes = http_read(http, http->buffer, (size_t)buflen);
+ bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value);
DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.",
CUPS_LLCAST bytes));
@@ -1731,9 +1720,9 @@ httpPeek(http_t *http, /* I - HTTP con
int zerr; /* Decompressor error */
z_stream stream; /* Copy of decompressor stream */
- if (http->used > 0 && ((z_stream *)http->stream)->avail_in < HTTP_MAX_BUFFER)
+ if (http->used > 0 && ((z_stream *)http->stream)->avail_in < _HTTP_MAX_BUFFER)
{
- size_t buflen = HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
+ size_t buflen = _HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
/* Number of bytes to copy */
if (((z_stream *)http->stream)->avail_in > 0 &&
@@ -1991,7 +1980,7 @@ httpRead2(http_t *http, /* I - HTTP co
if (bytes == 0)
{
- ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
+ ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
/* Additional bytes for buffer */
if (buflen > 0)
@@ -2740,7 +2729,7 @@ int /* O - 1 to continue, 0 to stop
_httpUpdate(http_t *http, /* I - HTTP connection */
http_status_t *status) /* O - Current HTTP status */
{
- char line[32768], /* Line from connection... */
+ char line[_HTTP_MAX_BUFFER], /* Line from connection... */
*value; /* Pointer to value on line */
http_field_t field; /* Field index */
int major, minor; /* HTTP version numbers */
@@ -2748,12 +2737,46 @@ _httpUpdate(http_t *http, /* I -
DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state)));
+ /* When doing non-blocking I/O, make sure we have a whole line... */
+ if (!http->blocking)
+ {
+ ssize_t bytes; /* Bytes "peeked" from connection */
+
+ /* See whether our read buffer is full... */
+ DEBUG_printf(("2_httpUpdate: used=%d", http->used));
+
+ if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
+ {
+ /* No, try filling in more data... */
+ if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
+ {
+ DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes));
+ http->used += (int)bytes;
+ }
+ }
+
+ /* Peek at the incoming data... */
+ if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used))
+ {
+ /* Don't have a full line, tell the reader to try again when there is more data... */
+ DEBUG_puts("1_htttpUpdate: No newline in buffer yet.");
+ if ((size_t)http->used == sizeof(http->buffer))
+ *status = HTTP_STATUS_ERROR;
+ else
+ *status = HTTP_STATUS_CONTINUE;
+ return (0);
+ }
+
+ DEBUG_puts("2_httpUpdate: Found newline in buffer.");
+ }
+
/*
* Grab a single line from the connection...
*/
if (!httpGets(line, sizeof(line), http))
{
+ DEBUG_puts("1_httpUpdate: Error reading request line.");
*status = HTTP_STATUS_ERROR;
return (0);
}
@@ -4074,7 +4097,8 @@ http_debug_hex(const char *prefix, /* I
static ssize_t /* O - Number of bytes read or -1 on error */
http_read(http_t *http, /* I - HTTP connection */
char *buffer, /* I - Buffer */
- size_t length) /* I - Maximum bytes to read */
+ size_t length, /* I - Maximum bytes to read */
+ int timeout) /* I - Wait timeout */
{
ssize_t bytes; /* Bytes read */
@@ -4083,7 +4107,7 @@ http_read(http_t *http, /* I - HTTP co
if (!http->blocking || http->timeout_value > 0.0)
{
- while (!httpWait(http, http->wait_value))
+ while (!_httpWait(http, timeout, 1))
{
if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
continue;
@@ -4201,7 +4225,7 @@ http_read_buffered(http_t *http, /* I -
else
bytes = (ssize_t)length;
- DEBUG_printf(("2http_read: Grabbing %d bytes from input buffer.",
+ DEBUG_printf(("2http_read_buffered: Grabbing %d bytes from input buffer.",
(int)bytes));
memcpy(buffer, http->buffer, (size_t)bytes);
@@ -4211,7 +4235,7 @@ http_read_buffered(http_t *http, /* I -
memmove(http->buffer, http->buffer + bytes, (size_t)http->used);
}
else
- bytes = http_read(http, buffer, length);
+ bytes = http_read(http, buffer, length, http->wait_value);
return (bytes);
}
@@ -4554,15 +4578,15 @@ http_set_timeout(int fd, /* I - File
static void
http_set_wait(http_t *http) /* I - HTTP connection */
{
- if (http->blocking)
- {
- http->wait_value = (int)(http->timeout_value * 1000);
+ http->wait_value = (int)(http->timeout_value * 1000);
- if (http->wait_value <= 0)
+ if (http->wait_value <= 0)
+ {
+ if (http->blocking)
http->wait_value = 60000;
+ else
+ http->wait_value = 1000;
}
- else
- http->wait_value = 10000;
}
diff -up cups-2.3.3op2/cups/http-private.h.slow-client cups-2.3.3op2/cups/http-private.h
--- cups-2.3.3op2/cups/http-private.h.slow-client 2025-12-09 16:43:51.294691642 +0100
+++ cups-2.3.3op2/cups/http-private.h 2025-12-09 16:43:51.300841104 +0100
@@ -116,6 +116,7 @@ extern "C" {
* Constants...
*/
+# define _HTTP_MAX_BUFFER 32768 /* Size of read buffer */
# define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
# define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
# define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
@@ -228,8 +229,8 @@ struct _http_s /**** HTTP connection
http_encoding_t data_encoding; /* Chunked or not */
int _data_remaining;/* Number of bytes left (deprecated) */
int used; /* Number of bytes used in buffer */
- char buffer[HTTP_MAX_BUFFER];
- /* Buffer for incoming data */
+ char _buffer[HTTP_MAX_BUFFER];
+ /* Old read buffer (deprecated) */
int _auth_type; /* Authentication in use (deprecated) */
unsigned char _md5_state[88]; /* MD5 state (deprecated) */
char nonce[HTTP_MAX_VALUE];
@@ -303,6 +304,8 @@ struct _http_s /**** HTTP connection
/* Allocated field values */
*default_fields[HTTP_FIELD_MAX];
/* Default field values, if any */
+ char buffer[_HTTP_MAX_BUFFER];
+ /* Read buffer */
};
# endif /* !_HTTP_NO_PRIVATE */
diff -up cups-2.3.3op2/scheduler/client.c.slow-client cups-2.3.3op2/scheduler/client.c
--- cups-2.3.3op2/scheduler/client.c.slow-client 2025-12-09 16:43:51.277144267 +0100
+++ cups-2.3.3op2/scheduler/client.c 2025-12-09 16:48:53.350252758 +0100
@@ -33,11 +33,11 @@
static int check_if_modified(cupsd_client_t *con,
struct stat *filestats);
-static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
- void *data);
#ifdef HAVE_SSL
-static int cupsd_start_tls(cupsd_client_t *con, http_encryption_t e);
+static int check_start_tls(cupsd_client_t *con);
#endif /* HAVE_SSL */
+static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
+ void *data);
static char *get_file(cupsd_client_t *con, struct stat *filestats,
char *filename, size_t len);
static http_status_t install_cupsd_conf(cupsd_client_t *con);
@@ -359,14 +359,20 @@ cupsdAcceptClient(cupsd_listener_t *lis)
if (lis->encryption == HTTP_ENCRYPTION_ALWAYS)
{
/*
- * https connection; go secure...
+ * HTTPS connection, force TLS negotiation...
*/
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
- cupsdCloseClient(con);
+ con->tls_start = time(NULL);
+ con->encryption = HTTP_ENCRYPTION_ALWAYS;
}
else
+ {
+ /*
+ * HTTP connection, but check for HTTPS negotiation on first data...
+ */
+
con->auto_ssl = 1;
+ }
#endif /* HAVE_SSL */
}
@@ -596,17 +602,46 @@ cupsdReadClient(cupsd_client_t *con) /*
con->auto_ssl = 0;
- if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 &&
- (!buf[0] || !strchr("DGHOPT", buf[0])))
+ if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2])
{
/*
- * Encrypt this connection...
+ * Client hello record, encrypt this connection...
*/
- cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session.");
+ con->tls_start = time(NULL);
+ con->encryption = HTTP_ENCRYPTION_ALWAYS;
+ }
+ }
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
- cupsdCloseClient(con);
+ if (con->tls_start)
+ {
+ /*
+ * Try negotiating TLS...
+ */
+
+ int tls_status = check_start_tls(con);
+
+ if (tls_status < 0)
+ {
+ /*
+ * TLS negotiation failed, close the connection.
+ */
+
+ cupsdCloseClient(con);
+ return;
+ }
+ else if (tls_status == 0)
+ {
+ /*
+ * Nothing to do yet...
+ */
+
+ if ((time(NULL) - con->tls_start) > 5)
+ {
+ // Timeout, close the connection...
+ cupsdCloseClient(con);
+ }
return;
}
@@ -770,9 +805,7 @@ cupsdReadClient(cupsd_client_t *con) /*
* Parse incoming parameters until the status changes...
*/
- while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE)
- if (!httpGetReady(con->http))
- break;
+ status = httpUpdate(con->http);
if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE)
{
@@ -934,11 +967,10 @@ cupsdReadClient(cupsd_client_t *con) /*
return;
}
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
- {
- cupsdCloseClient(con);
- return;
- }
+ con->tls_start = time(NULL);
+ con->tls_upgrade = 1;
+ con->encryption = HTTP_ENCRYPTION_REQUIRED;
+ return;
#else
if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
{
@@ -977,32 +1009,11 @@ cupsdReadClient(cupsd_client_t *con) /*
if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
"Upgrade") && !httpIsEncrypted(con->http))
{
-#ifdef HAVE_SSL
- /*
- * Do encryption stuff...
- */
-
- httpClearFields(con->http);
-
- if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL,
- CUPSD_AUTH_NONE))
- {
- cupsdCloseClient(con);
- return;
- }
-
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
- {
- cupsdCloseClient(con);
- return;
- }
-#else
if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
}
-#endif /* HAVE_SSL */
}
if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK)
@@ -2622,6 +2633,69 @@ check_if_modified(
}
+#ifdef HAVE_SSL
+/*
+ * 'check_start_tls()' - Start encryption on a connection.
+ */
+
+static int /* O - 0 to continue, 1 on success, -1 on error */
+check_start_tls(cupsd_client_t *con) /* I - Client connection */
+{
+ unsigned char chello[4096]; /* Client hello record */
+ ssize_t chello_bytes; /* Bytes read/peeked */
+ int chello_len; /* Length of record */
+
+
+ /*
+ * See if we have a good and complete client hello record...
+ */
+
+ if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5)
+ return (0); /* Not enough bytes (yet) */
+
+ if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0)
+ return (-1); /* Not a TLS Client Hello record */
+
+ chello_len = (chello[3] << 8) | chello[4];
+
+ if ((chello_len + 5) > chello_bytes)
+ return (0); /* Not enough bytes yet */
+
+ /*
+ * OK, we do, try negotiating...
+ */
+
+ con->tls_start = 0;
+
+ if (httpEncryption(con->http, con->encryption))
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString());
+ return (-1);
+ }
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
+
+ if (con->tls_upgrade)
+ {
+ // Respond to the original OPTIONS command...
+ con->tls_upgrade = 0;
+
+ httpClearFields(con->http);
+ httpClearCookie(con->http);
+ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
+
+ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
+ {
+ cupsdCloseClient(con);
+ return (-1);
+ }
+ }
+
+ return (1);
+}
+#endif /* HAVE_SSL */
+
+
/*
* 'compare_clients()' - Compare two client connections.
*/
@@ -2642,28 +2716,6 @@ compare_clients(cupsd_client_t *a, /* I
}
-#ifdef HAVE_SSL
-/*
- * 'cupsd_start_tls()' - Start encryption on a connection.
- */
-
-static int /* O - 0 on success, -1 on error */
-cupsd_start_tls(cupsd_client_t *con, /* I - Client connection */
- http_encryption_t e) /* I - Encryption mode */
-{
- if (httpEncryption(con->http, e))
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s",
- cupsLastErrorString());
- return (-1);
- }
-
- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
- return (0);
-}
-#endif /* HAVE_SSL */
-
-
/*
* 'get_file()' - Get a filename and state info.
*/
diff -up cups-2.3.3op2/scheduler/client.h.slow-client cups-2.3.3op2/scheduler/client.h
--- cups-2.3.3op2/scheduler/client.h.slow-client 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/scheduler/client.h 2025-12-09 16:49:11.429631071 +0100
@@ -50,6 +50,9 @@ struct cupsd_client_s
cups_lang_t *language; /* Language to use */
#ifdef HAVE_SSL
int auto_ssl; /* Automatic test for SSL/TLS */
+ time_t tls_start; /* Do TLS negotiation? */
+ int tls_upgrade; /* Doing TLS upgrade via OPTIONS? */
+ http_encryption_t encryption; /* Type of TLS negotiation */
#endif /* HAVE_SSL */
http_addr_t clientaddr; /* Client's server address */
char clientname[256];/* Client's server name for connection */
diff -up cups-2.3.3op2/scheduler/select.c.slow-client cups-2.3.3op2/scheduler/select.c
--- cups-2.3.3op2/scheduler/select.c.slow-client 2021-02-01 22:10:25.000000000 +0100
+++ cups-2.3.3op2/scheduler/select.c 2025-12-09 16:43:51.303241145 +0100
@@ -408,6 +408,9 @@ cupsdDoSelect(long timeout) /* I - Time
cupsd_in_select = 1;
+ // Prevent 100% CPU by releasing control before the kevent call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
{
ktimeout.tv_sec = timeout;
@@ -454,6 +457,9 @@ cupsdDoSelect(long timeout) /* I - Time
struct epoll_event *event; /* Current event */
+ // Prevent 100% CPU by releasing control before the epoll_wait call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs,
timeout * 1000);
@@ -546,6 +552,9 @@ cupsdDoSelect(long timeout) /* I - Time
}
}
+ // Prevent 100% CPU by releasing control before the poll call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000);
else
@@ -599,6 +608,9 @@ cupsdDoSelect(long timeout) /* I - Time
cupsd_current_input = cupsd_global_input;
cupsd_current_output = cupsd_global_output;
+ // Prevent 100% CPU by releasing control before the select call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
{
stimeout.tv_sec = timeout;

35
SPECS/cups.spec
View File

@ -24,7 +24,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 2.3.3%{OP_VER}
Release: 34%{?dist}
Release: 34%{?dist}.2
License: ASL 2.0
Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -165,6 +165,21 @@ Patch51: 0001-Add-NoSystem-SSLOptions-value.patch
Patch52: CVE-2025-58060.patch
# RHEL-113078 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
Patch53: CVE-2025-58364.patch
# RHEL-129746 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
# 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch
# cups-CVE-2025-58436.patch
# 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
Patch54: 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch
Patch55: cups-CVE-2025-58436.patch
Patch56: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
# RHEL-129738 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
# 0001-Fix-various-issues-in-cupsd.patch
# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
Patch57: 0001-Fix-various-issues-in-cupsd.patch
Patch58: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
# fix use-after-free reported by OSH
# https://github.com/OpenPrinting/cups/pull/1454
Patch59: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch
##### Patches removed because IMHO they aren't no longer needed
@ -456,6 +471,15 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch52 -p1 -b .cve-2025-58060
# RHEL-113078 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
%patch53 -p1 -b .cve-2025-58364
# RHEL-129746 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
%patch54 -p1 -b .use-usessl
%patch55 -p1 -b .slow-client
%patch56 -p1 -b .gtk-infinite-loop
# RHEL-129738 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
%patch57 -p1 -b .config-issues
%patch58 -p1 -b .ignore-unknown
# fix use-after-free reported by OSH
%patch59 -p1 -b .osh-use-after-free
%if %{lspp}
@ -921,7 +945,14 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz
%changelog
* Thu Sep 11 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1.2.3.3op2-34
* Fri Dec 12 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-34.2
- fix use-after-free reported by OSH
* Tue Dec 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-34.1
- RHEL-129746 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
- RHEL-129738 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
* Thu Sep 11 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-34
- RHEL-112435 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling
- RHEL-113078 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS