From 99bcdb773352d59e9841c94cfff0606e6d6e25ac Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 9 Mar 2026 14:44:02 +0100
Subject: [PATCH] RHEL-147214 - endless poll loop in http_write when POLLHUP is returned
Resolves: RHEL-147214
---
 ...not-check-for-errno-after-I-O-operat.patch | 44 +++++++++++++++++++
 cups.spec | 9 +++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 0001-tls-gnutls.c-Do-not-check-for-errno-after-I-O-operat.patch
diff --git a/0001-tls-gnutls.c-Do-not-check-for-errno-after-I-O-operat.patch b/0001-tls-gnutls.c-Do-not-check-for-errno-after-I-O-operat.patch
new file mode 100644
index 0000000..1ddfebd
--- /dev/null
+++ b/0001-tls-gnutls.c-Do-not-check-for-errno-after-I-O-operat.patch
@@ -0,0 +1,44 @@
+From e2419c698922fb65ef62250a4588104021449b55 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Fri, 6 Mar 2026 08:31:47 +0100
+Subject: [PATCH] tls-gnutls.c: Do not check for errno after I/O operations
+
+Based on gnutls_record_send/recv man pages, we should use the return
+value of the functions as indicator what happened in the function and do
+not look into errno at all.
+
+Checking the errno value caused infinity loop in cupsd on busy servers
+if there were enough connection errors when cupsd wrote the response.
+
+The patch is provided by Paul Zirnik from SUSE - thank you for the
+patch!
+
+Fixes #827
+---
+ cups/tls-gnutls.c | 4 ++--
+
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index 64f2af372..5769d6313 100644
+--- a/cups/tls-gnutls.c
++++ b/cups/tls-gnutls.c
+@@ -1208,7 +1208,7 @@ _httpTLSRead(http_t *http, /* I - Connection to server */
+
+ result = gnutls_record_recv(http->tls, buf, (size_t)len);
+
+- if (result < 0 && !errno)
++ if (result < 0)
+ {
+ /*
+ * Convert GNU TLS error to errno value...
+@@ -1669,7 +1669,7 @@ _httpTLSWrite(http_t *http, /* I - Connection to server */
+
+ result = gnutls_record_send(http->tls, buf, (size_t)len);
+
+- if (result < 0 && !errno)
++ if (result < 0)
+ {
+ /*
+ * Convert GNU TLS error to errno value...
+--
+2.53.0
+
diff --git a/cups.spec b/cups.spec
index b9a99fb..626d270 100644
--- a/cups.spec
+++ b/cups.spec
@@ -24,7 +24,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 37%{?dist}
+Release: 38%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
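Review bot: In the added 0001-tls-gnutls.c patch, the now-unconditional `if (result < 0)` in `_httpTLSRead` and `_httpTLSWrite` carries no comment explaining why errno is deliberately ignored, so a later cleanup could restore the `!errno` guard and with it the cupsd busy loop the commit message describes. I would extend the existing comment with a line such as `* errno may be stale from an earlier call; only the GnuTLS return value says what happened.` The conversion body itself lies outside both inner hunks, so it cannot be checked here; it is worth confirming that every negative GnuTLS code other than `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED` ends up as a non-retryable errno with `result` set to -1, since callers' retry decisions now rest on that mapping alone.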
@@ -182,6 +182,8 @@ Patch58: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch
 # 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
 Patch59: 0001-Fix-various-issues-in-cupsd.patch
 Patch60: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
+# RHEL-147214 - endless poll loop in http_write when POLLHUP is returned
+Patch61: 0001-tls-gnutls.c-Do-not-check-for-errno-after-I-O-operat.patch
 ##### Patches removed because IMHO they aren't no longer needed
@@ -486,6 +488,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 # RHEL-129740 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
 %patch59 -p1 -b .config-issues
 %patch60 -p1 -b .ignore-unknown
+# RHEL-147214 - endless poll loop in http_write when POLLHUP is returned
+%patch61 -p1 -b .httpwrite-endless-poll
 %if %{lspp}
@@ -953,6 +957,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 %changelog
+* Mon Mar 09 2026 Zdenek Dohnal - 1:2.3.3op2-38
+- RHEL-147214 - endless poll loop in http_write when POLLHUP is returned
+
 * Fri Dec 12 2025 Zdenek Dohnal - 1:2.3.3op2-37
 - RHEL-129747 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
 - RHEL-129740 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues