From d475d5fbf4750ffca9834965db02e6ea1a09d19a Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Fri, 3 Jul 2026 10:38:32 +0200 Subject: [PATCH] RHEL-192009 CVE-2026-14544 hplip: Incomplete Fix for CVE-2026-8631 Resolves: RHEL-192009 --- hplip-CVE-2026-8631-osh.patch | 21 +++++++++------------ hplip.spec | 5 ++++- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/hplip-CVE-2026-8631-osh.patch b/hplip-CVE-2026-8631-osh.patch index 91baaa7..226a570 100644 --- a/hplip-CVE-2026-8631-osh.patch +++ b/hplip-CVE-2026-8631-osh.patch @@ -1,13 +1,10 @@ -diff --git a/prnt/hpcups/genPCLm.cpp b/prnt/hpcups/genPCLm.cpp -index 0e1650c..5f83cba 100644 ---- a/prnt/hpcups/genPCLm.cpp -+++ b/prnt/hpcups/genPCLm.cpp -@@ -1917,8 +1917,11 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh - #ifdef SUPPORT_WHITE_STRIPS +diff -up hplip-3.21.2/prnt/hpcups/genPCLm.cpp.CVE-2026-8631-osh hplip-3.21.2/prnt/hpcups/genPCLm.cpp +--- hplip-3.21.2/prnt/hpcups/genPCLm.cpp.CVE-2026-8631-osh 2026-07-03 08:25:17.717888763 +0200 ++++ hplip-3.21.2/prnt/hpcups/genPCLm.cpp 2026-07-03 08:48:22.225130940 +0200 +@@ -1922,7 +1922,10 @@ int PCLmGenerator::Encapsulate(void *pI int whiteStripLen=0; if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) || -- !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen)) -+ !safe_mul_int_positive(thisHeight, srcNumComponents, &whiteStripLen)) + !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen)) + { + free(newStripPtr); return(errorOutAndCleanUp()); @@ -15,7 +12,7 @@ index 0e1650c..5f83cba 100644 bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen); if(DebugIt2) { -@@ -1940,11 +1943,17 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh +@@ -1944,11 +1947,17 @@ int PCLmGenerator::Encapsulate(void *pI ubyte whitePt=0xff; size_t tmpStripSize=0; if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize)) @@ -33,7 +30,7 @@ index 0e1650c..5f83cba 100644 memset(tmpStrip,whitePt,tmpStripSize); -@@ -2012,7 +2021,10 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh +@@ -2016,7 +2025,10 @@ int PCLmGenerator::Encapsulate(void *pI { int sourceLen=0; if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen)) @@ -44,7 +41,7 @@ index 0e1650c..5f83cba 100644 uint32 len=(uint32)sourceLen; uLongf destSize=len; -@@ -2021,12 +2033,18 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh +@@ -2025,12 +2037,18 @@ int PCLmGenerator::Encapsulate(void *pI ubyte whitePt=0xff; size_t tmpStripSize=0; if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize)) @@ -63,7 +60,7 @@ index 0e1650c..5f83cba 100644 uLongf tmpDestSize=destSize; memset(tmpStrip,whitePt,tmpStripSize); -@@ -2075,20 +2093,29 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh +@@ -2079,20 +2097,29 @@ int PCLmGenerator::Encapsulate(void *pI { int sourceLen=0; if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen)) diff --git a/hplip.spec b/hplip.spec index e1ade0e..b8532d2 100644 --- a/hplip.spec +++ b/hplip.spec @@ -7,7 +7,7 @@ Summary: HP Linux Imaging and Printing Project Name: hplip Version: 3.18.4 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ and MIT and BSD and IJG and Public Domain and GPLv2+ with exceptions and ISC Url: https://developers.hp.com/hp-linux-imaging-and-printing @@ -554,6 +554,9 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/autostart/hplip-systray.desktop %config(noreplace) %{_sysconfdir}/sane.d/dll.d/hpaio %changelog +* Fri Jul 03 2026 Zdenek Dohnal - 3.18.4-14 +- RHEL-192009 CVE-2026-14544 hplip: Incomplete Fix for CVE-2026-8631 + * Mon Jun 15 2026 Zdenek Dohnal - 3.18.4-13 - Fix more leaks in hpcups