From ffc8ac1e43e85d97da290848604bfc493e797e51 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Thu, 25 Jun 2026 09:37:16 -0400
Subject: [PATCH] import Oracle_OSS hplip-3.21.2-6.el9_8.4
---
SOURCES/hpcups-update-ppds.sh | 0
SOURCES/hplip-CVE-2026-8631-osh.patch | 95 +++++
SOURCES/hplip-CVE-2026-8631.patch | 495 ++++++++++++++++++++++++++
SOURCES/hplip-CVE-2026-8632.patch | 75 ++++
SPECS/hplip.spec | 31 +-
5 files changed, 695 insertions(+), 1 deletion(-)
mode change 100644 => 100755 SOURCES/hpcups-update-ppds.sh
create mode 100644 SOURCES/hplip-CVE-2026-8631-osh.patch
create mode 100644 SOURCES/hplip-CVE-2026-8631.patch
create mode 100644 SOURCES/hplip-CVE-2026-8632.patch
diff --git a/SOURCES/hpcups-update-ppds.sh b/SOURCES/hpcups-update-ppds.sh
old mode 100644
new mode 100755
diff --git a/SOURCES/hplip-CVE-2026-8631-osh.patch b/SOURCES/hplip-CVE-2026-8631-osh.patch
new file mode 100644
index 0000000..91baaa7
--- /dev/null
+++ b/SOURCES/hplip-CVE-2026-8631-osh.patch
@@ -0,0 +1,95 @@
+diff --git a/prnt/hpcups/genPCLm.cpp b/prnt/hpcups/genPCLm.cpp
+index 0e1650c..5f83cba 100644
+--- a/prnt/hpcups/genPCLm.cpp
++++ b/prnt/hpcups/genPCLm.cpp
+@@ -1917,8 +1917,11 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
+ #ifdef SUPPORT_WHITE_STRIPS
+ int whiteStripLen=0;
+ if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) ||
+- !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen))
++ !safe_mul_int_positive(thisHeight, srcNumComponents, &whiteStripLen))
++ {
++ free(newStripPtr);
+ return(errorOutAndCleanUp());
++ }
+ bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen);
+ if(DebugIt2)
+ {
+@@ -1940,11 +1943,17 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
+ ubyte whitePt=0xff;
+ size_t tmpStripSize=0;
+ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
++ {
++ free(newStripPtr);
+ return(errorOutAndCleanUp());
++ }
+
+ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
+ if(!tmpStrip)
++ {
++ free(newStripPtr);
+ return(errorOutAndCleanUp());
++ }
+ memset(tmpStrip,whitePt,tmpStripSize);
+
+
+@@ -2012,7 +2021,10 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
+ {
+ int sourceLen=0;
+ if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
++ {
++ free(newStripPtr);
+ return(errorOutAndCleanUp());
++ }
+ uint32 len=(uint32)sourceLen;
+ uLongf destSize=len;
+
+@@ -2021,12 +2033,18 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
+ ubyte whitePt=0xff;
+ size_t tmpStripSize=0;
+ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
++ {
++ free(newStripPtr);
+ return(errorOutAndCleanUp());
++ }
+
+ // We need to inject a blank image-strip with a height==topMarginInPix
+ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
+ if(!tmpStrip)
++ {
++ free(newStripPtr);
+ return(errorOutAndCleanUp());
++ }
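Review bot: In the `#ifdef SUPPORT_WHITE_STRIPS` hunk at -1917 the second multiplication now takes `thisHeight` as its first operand instead of `whiteStripLen`, so it overwrites the first product and `whiteStripLen` ends up as `thisHeight*srcNumComponents` with `currSourceWidth` dropped. `isWhiteStrip(pInBuffer, whiteStripLen)` is then called with a length shorter than the strip, so presumably only the leading part of the buffer is inspected and a strip with content further in could be classified as white. Keep the chained form from hplip-CVE-2026-8631.patch, `!safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen)`, or, if the in/out aliasing is what the analyzer objected to, put the first product in a separate `int` and multiply that by `srcNumComponents`. The allocation of `newStripPtr` and the rest of `Encapsulate` are outside the hunk, so the added `free(newStripPtr)` is assumed to see either NULL or a heap pointer that is not used again.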
+ uLongf tmpDestSize=destSize; + memset(tmpStrip,whitePt,tmpStripSize); + +@@ -2075,20 +2093,29 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh + { + int sourceLen=0; + if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen)) ++ { ++ free(newStripPtr); + return(errorOutAndCleanUp()); ++ } + + if(firstStrip && topMarginInPix) + { + ubyte whitePt=0xff; + size_t tmpStripSize=0; + if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize)) ++ { ++ free(newStripPtr); + return(errorOutAndCleanUp()); ++ } + + // We need to inject a blank image-strip with a height==topMarginInPix + + ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize); + if(!tmpStrip) ++ { ++ free(newStripPtr); + return(errorOutAndCleanUp()); ++ } + memset(tmpStrip,whitePt,tmpStripSize); + + for(sint32 stripCntr=0; stripCntr + #include + #include ++#include ++#include ++#include ++#include + //#include "hpmud.h" + + #define _STRINGIZE(x) #x +@@ -54,6 +58,52 @@ enum UTILS_PLUGIN_LIBRARY_TYPE + }; + + ++/* Safe multiplication helpers - prevent integer overflow */ ++ ++/** ++ * safe_mul_size_t - Safely multiply two size_t values ++ * @a: First operand ++ * @b: Second operand ++ * @out: Output buffer for result ++ * Returns: true if multiplication succeeded, false if overflow detected ++ */ ++static inline bool safe_mul_size_t(size_t a, size_t b, size_t *out) ++{ ++ if (!out) ++ return false; ++ if (a == 0 || b == 0) ++ { ++ *out = 0; ++ return true; ++ } ++ if (a > ((size_t)-1) / b) ++ return false; ++ *out = a * b; ++ return true; ++} ++ ++/** ++ * safe_mul_int_positive - Safely multiply two positive integers ++ * @a: First operand (must be >= 0) ++ * @b: Second operand (must be >= 0) ++ * @out: Output buffer for result ++ * Returns: true if multiplication succeeded, false if negative input or overflow detected ++ */ ++static inline bool safe_mul_int_positive(int a, int b, int *out) ++{ ++ if (!out || a < 0 || b < 0) ++ return false; ++ if (a 
== 0 || b == 0)
++ {
++ *out = 0;
++ return true;
++ }
++ if (a > INT_MAX / b)
++ return false;
++ *out = a * b;
++ return true;
++}
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff -up hplip-3.21.2/prnt/hpcups/genPCLm.cpp.CVE-2026-8631 hplip-3.21.2/prnt/hpcups/genPCLm.cpp
+--- hplip-3.21.2/prnt/hpcups/genPCLm.cpp.CVE-2026-8631 2026-06-10 10:43:30.459529186 +0200
++++ hplip-3.21.2/prnt/hpcups/genPCLm.cpp 2026-06-10 10:43:30.497932359 +0200
+@@ -127,6 +127,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ //#include
+
+@@ -1674,7 +1675,12 @@ int PCLmGenerator::StartPage(PCLmPageSe
+ destColorSpace=PCLmPageContent->dstColorSpaceSpefication;
+
+ // Calculate how large the output buffer needs to be based upon the page specifications
+- int tmp_outBuffSize=mediaWidthInPixels*currStripHeight*dstNumComponents;
++ int tmp_outBuffSize=0;
++ if(!safe_mul_int_positive(mediaWidthInPixels,currStripHeight,&tmp_outBuffSize) ||
++ !safe_mul_int_positive(tmp_outBuffSize,dstNumComponents,&tmp_outBuffSize))
++ {
++ return(errorOutAndCleanUp());
++ }
+
+ if(tmp_outBuffSize>currOutBuffSize)
+ {
+@@ -1742,7 +1748,14 @@ int PCLmGenerator::StartPage(PCLmPageSe
+ {
+ // We need to pad the scratchBuffer size to allow for compression expansion (RLE can create
+ // compressed segments that are slightly larger than the source.
+- scratchBuffer=(ubyte*)malloc(currStripHeight*mediaWidthInPixels*srcNumComponents*2);
++ size_t scratchSize=0;
++ if(currStripHeight<=0 || mediaWidthInPixels<=0 || srcNumComponents<=0 ||
++ !safe_mul_size_t((size_t)currStripHeight, (size_t)mediaWidthInPixels, &scratchSize) ||
++ !safe_mul_size_t(scratchSize, (size_t)srcNumComponents, &scratchSize) ||
++ !safe_mul_size_t(scratchSize, 2u, &scratchSize))
++ return(errorOutAndCleanUp());
++
++ scratchBuffer=(ubyte*)malloc(scratchSize);
+ if(!scratchBuffer)
+ return(errorOutAndCleanUp());
+ /*if(DebugIt2)
+@@ -1798,7 +1811,9 @@ int PCLmGenerator::SkipLines(int iSkipL
+ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeight, void **pOutBuffer, int *iOutBufferSize)
+ {
+ int result=0, numCompBytes;
+- int scanlineWidth=mediaWidthInPixels*srcNumComponents;
++ int scanlineWidth=0;
++ if(!safe_mul_int_positive(mediaWidthInPixels, srcNumComponents, &scanlineWidth))
++ return(errorOutAndCleanUp());
+ int compSize;
+ // int numLinesThisCall=inBufferSize/(currSourceWidth*srcNumComponents);
+ int numLinesThisCall=thisHeight;
+@@ -1888,7 +1903,8 @@ int PCLmGenerator::Encapsulate(void *pI
+ {
+ colorConvertSource(sourceColorSpace, grayScale, (ubyte*)localInBuffer, currSourceWidth, numLinesThisCall);
+ // Adjust the scanline width accordingly
+- scanlineWidth = mediaWidthInPixels * dstNumComponents;
++ if(!safe_mul_int_positive(mediaWidthInPixels, dstNumComponents, &scanlineWidth))
++ return(errorOutAndCleanUp());
+ }
+
+ if(leftMarginInPix)
+@@ -1903,7 +1919,11 @@ int PCLmGenerator::Encapsulate(void *pI
+ }
+
+ #ifdef SUPPORT_WHITE_STRIPS
+- bool whiteStrip=isWhiteStrip(pInBuffer, thisHeight*currSourceWidth*srcNumComponents);
++ int whiteStripLen=0;
++ if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) ||
++ !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen))
++ return(errorOutAndCleanUp());
++ bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen);
+ if(DebugIt2)
+ { + if(whiteStrip){ +@@ -1922,9 +1942,14 @@ int PCLmGenerator::Encapsulate(void *pI + if(firstStrip && topMarginInPix) + { + ubyte whitePt=0xff; +- +- ubyte *tmpStrip=(ubyte*)malloc(scanlineWidth*topMarginInPix); +- memset(tmpStrip,whitePt,scanlineWidth*topMarginInPix); ++ size_t tmpStripSize=0; ++ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize)) ++ return(errorOutAndCleanUp()); ++ ++ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize); ++ if(!tmpStrip) ++ return(errorOutAndCleanUp()); ++ memset(tmpStrip,whitePt,tmpStripSize); + + + for(sint32 stripCntr=0; stripCntruser_name); + if(DebugIt2) + { +- dbglog("Allocated zlib dest buffer of size %d\n",numLinesThisCall*scanlineWidth); ++ dbglog("Allocated zlib dest buffer of size %d\n",sourceLen); + dbglog("zlib compression return result=%d, compSize=%d\n",result,(int)destSize); + } + free(newStripPtr); +@@ -2030,12 +2063,12 @@ int PCLmGenerator::Encapsulate(void *pI + } + else + { +- result=compress((Bytef*)scratchBuffer, &destSize, (const Bytef*)localInBuffer, scanlineWidth*numLinesThisCall); ++ result=compress((Bytef*)scratchBuffer, &destSize, (const Bytef*)localInBuffer, (uLong)sourceLen); + if(DebugIt2) + writeOutputFile(destSize, scratchBuffer, m_pPCLmSSettings->user_name); + if(DebugIt2) + { +- dbglog("Allocated zlib dest buffer of size %d\n",numLinesThisCall*scanlineWidth); ++ dbglog("Allocated zlib dest buffer of size %d\n",sourceLen); + dbglog("zlib compression return result=%d, compSize=%d\n",result,(int)destSize); + } + } +@@ -2044,14 +2077,23 @@ int PCLmGenerator::Encapsulate(void *pI + + else if(currCompressionDisposition==compressRLE) + { ++ int sourceLen=0; ++ if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen)) ++ return(errorOutAndCleanUp()); ++ + if(firstStrip && topMarginInPix) + { + ubyte whitePt=0xff; ++ size_t tmpStripSize=0; ++ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize)) ++ return(errorOutAndCleanUp()); + + // 
We need to inject a blank image-strip with a height==topMarginInPix + +- ubyte *tmpStrip=(ubyte*)malloc(scanlineWidth*topMarginInPix); +- memset(tmpStrip,whitePt,scanlineWidth*topMarginInPix); ++ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize); ++ if(!tmpStrip) ++ return(errorOutAndCleanUp()); ++ memset(tmpStrip,whitePt,tmpStripSize); + + for(sint32 stripCntr=0; stripCntrStartJob((void**)&m_pOutBuffer, &m_OutBuffSize); +- err = sendBuffer(static_cast(m_pOutBuffer), m_OutBuffSize); +- m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize); ++ if (err != NO_ERROR) ++ { ++ return err; ++ } ++ if (m_pOutBuffer != NULL && m_OutBuffSize > 0) ++ { ++ err = sendBuffer(static_cast(m_pOutBuffer), m_OutBuffSize); ++ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize); ++ if (err != NO_ERROR) ++ { ++ return err; ++ } ++ } + + if (m_PrintinGrayscale == ON){ //Grayscale = ON + m_ColorMode = COLORTYPE_BOTH; +@@ -156,8 +167,15 @@ DRIVER_ERROR Hbpl1::EndJob() + } + + err = m_pHbpl1Wrapper->EndJob((void**)&m_pOutBuffer, &m_OutBuffSize); +- err = sendBuffer(static_cast(m_pOutBuffer), m_OutBuffSize); +- m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize); ++ if (err != NO_ERROR) ++ { ++ return err; ++ } ++ if (m_pOutBuffer != NULL && m_OutBuffSize > 0) ++ { ++ err = sendBuffer(static_cast(m_pOutBuffer), m_OutBuffSize); ++ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize); ++ } + return err; + } + +@@ -167,8 +185,15 @@ DRIVER_ERROR Hbpl1::StartPage (JobAttrib + DRIVER_ERROR err = NO_ERROR; + + err = m_pHbpl1Wrapper->StartPage((void**)&m_pOutBuffer, &m_OutBuffSize); +- err = sendBuffer(static_cast(m_pOutBuffer), m_OutBuffSize); +- m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize); ++ if (err != NO_ERROR) ++ { ++ return err; ++ } ++ if (m_pOutBuffer != NULL && m_OutBuffSize > 0) ++ { ++ err = sendBuffer(static_cast(m_pOutBuffer), m_OutBuffSize); ++ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize); ++ } + return err; + } + +@@ -183,28 +208,50 @@ DRIVER_ERROR 
Hbpl1::sendBlankBands()
+
+ DRIVER_ERROR Hbpl1::FormFeed ()
+ {
++ DRIVER_ERROR err = NO_ERROR;
+
+ if (0 != m_numScanLines && m_pbyStripData && 0 != m_nStripSize)
+- {
+- ++m_nBandCount;
+- m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
+- sendBuffer(m_pOutBuffer, m_OutBuffSize);
+- memset(m_pbyStripData,0xFF,m_nStripSize);
+- }
+-
+- while(m_nBandCount < m_numStrips)
+- {
+- ++m_nBandCount;
+- m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
+- sendBuffer(m_pOutBuffer, m_OutBuffSize);
+- }
++ {
++ ++m_nBandCount;
++ err = m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
++ if (err != NO_ERROR)
++ return err;
++ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
++ {
++ err = sendBuffer(m_pOutBuffer, m_OutBuffSize);
++ if (err != NO_ERROR)
++ return err;
++ }
++ memset(m_pbyStripData,0xFF,m_nStripSize);
++ }
++
++ while(m_nBandCount < m_numStrips)
++ {
++ ++m_nBandCount;
++ err = m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
++ if (err != NO_ERROR)
++ return err;
++ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
++ {
++ err = sendBuffer(m_pOutBuffer, m_OutBuffSize);
++ if (err != NO_ERROR)
++ return err;
++ }
++ }
+
+- m_pHbpl1Wrapper->EndPage((void**)&m_pOutBuffer, &m_OutBuffSize);
+- sendBuffer(m_pOutBuffer, m_OutBuffSize);
++ err = m_pHbpl1Wrapper->EndPage((void**)&m_pOutBuffer, &m_OutBuffSize);
++ if (err != NO_ERROR)
++ return err;
++ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
++ {
++ err = sendBuffer(m_pOutBuffer, m_OutBuffSize);
++ if (err != NO_ERROR)
++ return err;
++ }
+ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer,m_OutBuffSize);
+- m_nBandCount = 0;
++ m_nBandCount = 0;
+
+- return NO_ERROR;
++ return err;
+
+ }
+
+diff -up hplip-3.21.2/prnt/hpcups/Hbpl1_Wrapper.cpp.CVE-2026-8631
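Review bot: In `Hbpl1::FormFeed` the new `if (err != NO_ERROR) return err;` that follows the EndPage `sendBuffer` call exits before `m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer,m_OutBuffSize);` and `m_nBandCount = 0;`, so a failed send leaves the EndPage buffer unreleased and the band counter mid-page. The StartJob hunk in the same file calls `FreeBuffer` before it tests `err`; the same order here means dropping that inner early return and letting the function fall through to `FreeBuffer`, the counter reset and `return err;`. The early returns inside the two band loops also skip the counter reset. Whether the Encapsulate output needs `FreeBuffer` in those loops is not visible from the hunk (the removed code did not call it either), so that part should be confirmed against `Hbpl1Wrapper::FreeBuffer`.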
hplip-3.21.2/prnt/hpcups/Hbpl1_Wrapper.cpp
+--- hplip-3.21.2/prnt/hpcups/Hbpl1_Wrapper.cpp.CVE-2026-8631 2021-02-15 00:55:21.000000000 +0100
++++ hplip-3.21.2/prnt/hpcups/Hbpl1_Wrapper.cpp 2026-06-10 10:43:30.497695304 +0200
+@@ -77,19 +77,31 @@ void Hbpl1Wrapper::FreeStripBuffer(void)
+
+ DRIVER_ERROR Hbpl1Wrapper::StartJob(void **pOutBuffer, int *pOutBufferSize)
+ {
+- DRIVER_ERROR err = NO_ERROR;
+-
+- m_pPCLmGenerator->StartJob(pOutBuffer,pOutBufferSize,false);
+- return err;
++ int ret = m_pPCLmGenerator->StartJob(pOutBuffer,pOutBufferSize,false);
++ if (ret != success)
++ {
++ if (pOutBuffer)
++ *pOutBuffer = NULL;
++ if (pOutBufferSize)
++ *pOutBufferSize = 0;
++ return SYSTEM_ERROR;
++ }
++ return NO_ERROR;
+ }
+
+
+ DRIVER_ERROR Hbpl1Wrapper::EndJob(void **pOutBuffer, int *pOutBufferSize)
+ {
+- DRIVER_ERROR err = NO_ERROR;
+-
+- m_pPCLmGenerator->EndJob(pOutBuffer,pOutBufferSize);
+- return err;
++ int ret = m_pPCLmGenerator->EndJob(pOutBuffer,pOutBufferSize);
++ if (ret != success)
++ {
++ if (pOutBuffer)
++ *pOutBuffer = NULL;
++ if (pOutBufferSize)
++ *pOutBufferSize = 0;
++ return SYSTEM_ERROR;
++ }
++ return NO_ERROR;
+ }
+
+
+@@ -173,8 +185,15 @@ DRIVER_ERROR Hbpl1Wrapper::StartPage(voi
+
+ PCLmPageContent.duplexDisposition = (duplexDispositionEnum)o_Hbpl1->m_JA.args_duplex_mode;
+
+- m_pPCLmGenerator->StartPage(&PCLmSContent,true,pOutBuffer,pOutBufferSize);
+-
++ int ret = m_pPCLmGenerator->StartPage(&PCLmSContent,true,pOutBuffer,pOutBufferSize);
++ if (ret != success)
++ {
++ if (pOutBuffer)
++ *pOutBuffer = NULL;
++ if (pOutBufferSize)
++ *pOutBufferSize = 0;
++ return SYSTEM_ERROR;
++ }
+
+ return err;
+ }
+@@ -182,9 +201,16 @@ DRIVER_ERROR Hbpl1Wrapper::StartPage(voi
+
+ DRIVER_ERROR Hbpl1Wrapper::EndPage(void **pOutBuffer, int *pOutBufferSize)
+ {
+- DRIVER_ERROR err = NO_ERROR;
+- m_pPCLmGenerator->EndPage(pOutBuffer, pOutBufferSize);
+- return err;
++ int ret = m_pPCLmGenerator->EndPage(pOutBuffer, pOutBufferSize);
++ if (ret != success)
++
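Review bot: The failure block `if (ret != success) { ... return SYSTEM_ERROR; }` is repeated verbatim in the StartJob and EndJob wrappers here and again in the StartPage, EndPage and Encapsulate hunks that follow; one file-local helper would keep the five error paths from drifting apart. Clearing `*pOutBuffer` also discards whatever pointer the generator left there, so the wrappers rely on `errorOutAndCleanUp()` having released it, which is not visible in these hunks and deserves a one-line comment. A sketch of the helper follows; its name is only a suggestion.

```cpp
// Maps a PCLmGenerator status to DRIVER_ERROR; on failure clears the
// out-params so callers never send or free a stale buffer.
static DRIVER_ERROR pclmStatusToDriverError(int ret, void **pOutBuffer, int *pOutBufferSize)
{
    if (ret == success)
        return NO_ERROR;
    if (pOutBuffer)
        *pOutBuffer = NULL;
    if (pOutBufferSize)
        *pOutBufferSize = 0;
    return SYSTEM_ERROR;
}

DRIVER_ERROR Hbpl1Wrapper::EndJob(void **pOutBuffer, int *pOutBufferSize)
{
    return pclmStatusToDriverError(m_pPCLmGenerator->EndJob(pOutBuffer,pOutBufferSize),
                                   pOutBuffer, pOutBufferSize);
}
// … StartJob, EndPage and Encapsulate take the same form; StartPage keeps its setup …
```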
{
++ if (pOutBuffer)
++ *pOutBuffer = NULL;
++ if (pOutBufferSize)
++ *pOutBufferSize = 0;
++ return SYSTEM_ERROR;
++ }
++ return NO_ERROR;
+ }
+
+
+@@ -195,9 +221,16 @@ DRIVER_ERROR Hbpl1Wrapper::FormFeed()
+
+ DRIVER_ERROR Hbpl1Wrapper::Encapsulate (void *pInBuffer, int inBufferSize, int numLines, void **pOutBuffer, int *pOutBufferSize)
+ {
+- DRIVER_ERROR err = NO_ERROR;
+- m_pPCLmGenerator->Encapsulate(pInBuffer, inBufferSize, numLines, pOutBuffer, pOutBufferSize);
+- return err;
++ int ret = m_pPCLmGenerator->Encapsulate(pInBuffer, inBufferSize, numLines, pOutBuffer, pOutBufferSize);
++ if (ret != success)
++ {
++ if (pOutBuffer)
++ *pOutBuffer = NULL;
++ if (pOutBufferSize)
++ *pOutBufferSize = 0;
++ return SYSTEM_ERROR;
++ }
++ return NO_ERROR;
+ }
+
+ DRIVER_ERROR Hbpl1Wrapper::SkipLines (int iSkipLines)
diff --git a/SOURCES/hplip-CVE-2026-8632.patch b/SOURCES/hplip-CVE-2026-8632.patch
new file mode 100644
index 0000000..67f2a87
--- /dev/null
+++ b/SOURCES/hplip-CVE-2026-8632.patch
@@ -0,0 +1,75 @@
+From cc245a1117ae478e916662a7d9bded65b55765b8 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Mon, 25 May 2026 15:27:09 +0200
+Subject: [PATCH] 3.26.4
+
+---
+ base/utils.py | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/base/utils.py b/base/utils.py
+index d176c0ddd..780e4766e 100644
+--- a/base/utils.py
++++ b/base/utils.py
+@@ -2359,11 +2359,10 @@ def check_pkg_mgr( package_mgrs = None):
+ log.debug("Not found")
+ return (0, '')
+
+-# checks if given process is running.
+-#return value:
+-# True or False
+-# None - if process is not running
+-# grep output - if process is running
++# Check whether any running process command line contains the requested name.
++# Return value:
++# (True, {pid: cmdline, ...}) when one or more matching processes are found
++# (False, {}) when no matching process is found or enumeration fails
+
+ def Is_Process_Running(process_name):
+ if not process_name:
+@@ -2371,28 +2370,27 @@ def Is_Process_Running(process_name):
+
+ try:
+ process = {}
+- p1 = Popen(["ps", "-w", "-w", "aux"], stdout=PIPE)
+- p2 = Popen(["grep", process_name], stdin=p1.stdout, stdout=PIPE)
+- p3 = Popen(["grep", "-v", "grep"], stdin=p2.stdout, stdout=PIPE)
+- output = p3.communicate()[0]
+- log.debug("Is_Process_Running output = %s " %output)
+-
+- if output:
+- for p in output.splitlines():
+- cmd = "echo '%s' | awk {'print $2'}" %p
+- status,pid = subprocess.getstatusoutput(cmd)
+- cmd = "echo '%s' | awk {'print $11,$12'}" %p
+- status,cmdline = subprocess.getstatusoutput(cmd)
+- if pid :
++ for entry in os.listdir('/proc'):
++ if not entry.isdigit():
++ continue
++ pid = entry
++ try:
++ with open('/proc/%s/cmdline' % pid, 'rb') as f:
++ raw = f.read()
++ cmdline = raw.replace(b'\x00', b' ').decode('utf-8', 'replace').strip()
++ if process_name in cmdline:
+ process[pid] = cmdline
++ except (IOError, OSError):
++ continue
+
++ log.debug("Is_Process_Running matches =
%s " % process) ++ if process: + return True, process + else: + return False, {} + + except Exception as e: +- log.error("Execution failed: process Name[%s]" %process_name) +- print >>sys.stderr, "Execution failed:", e ++ log.error("Execution failed: process Name[%s] - error - %s" % (process_name, str(e))) + return False, {} + + +-- +2.54.0 + diff --git a/SPECS/hplip.spec b/SPECS/hplip.spec index f1ecedf..854fce6 100644 --- a/SPECS/hplip.spec +++ b/SPECS/hplip.spec @@ -7,7 +7,7 @@ Summary: HP Linux Imaging and Printing Project Name: hplip Version: 3.21.2 -Release: 6%{?dist} +Release: 6%{?dist}.4 License: GPLv2+ and MIT and BSD and IJG and Public Domain and GPLv2+ with exceptions and ISC Url: https://developers.hp.com/hp-linux-imaging-and-printing @@ -187,6 +187,15 @@ Patch60: hplip-fab-import.patch # it fails further down - break out earlier with a message # reported upstream as https://bugs.launchpad.net/hplip/+bug/1916114 Patch61: hplip-hpsetup-noscanjets.patch +# CVE-2026-8632 - Privilege escalation and arbitrary code execution +# via operating system command injection in Is_Process_Running() +# https://redhat.atlassian.net/browse/RHEL-178364 +Patch62: hplip-CVE-2026-8632.patch +# CVE-2026-8631 hplip: HPLIP: Arbitrary code execution and privilege escalation via integer overflow in hpcups +# https://redhat.atlassian.net/browse/RHEL-178724 +Patch63: hplip-CVE-2026-8631.patch +# OSH fixes after CVE-2026-8631 +Patch64: hplip-CVE-2026-8631-osh.patch %if 0%{?fedora} || 0%{?rhel} <= 8 # mention hplip-gui if you want to have GUI 
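Review bot: `if process_name in cmdline:` in `Is_Process_Running` (base/utils.py, hunk at -2371) is a substring test over the space-joined argv of every process on the system, so it also matches processes that only mention the name in an argument, and each process controls the contents of its own `/proc/PID/cmdline`. If any caller treats a True result as proof that a specific daemon is running, compare the name against the basename of the individual NUL-separated arguments instead, starting from `argv = raw.split(b'\x00')`, and consider restricting matches to the expected owner via `os.stat('/proc/%s' % pid).st_uid`. The value stored per pid is now the whole command line, where the removed code kept only two `ps` columns; callers are outside this hunk and should be checked for that change.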
@@ -478,6 +487,12 @@ done # if an user tries to install scanner via hp-setup (printer/fax utility) # it fails further down - break out earlier with a message %patch61 -p1 -b .hpsetup-noscanjets +# CVE-2026-8632 - command injection in Is_Process_Running() +%patch -P 62 -p1 -b .CVE-2026-8632 +# CVE-2026-8631 hplip: HPLIP: Arbitrary code execution and privilege escalation via integer overflow in hpcups +%patch -P 63 -p1 -b .CVE-2026-8631 +# OSH fixes after CVE-2026-8631 +%patch -P 64 -p1 -b .CVE-2026-8631-osh %if 0%{?fedora} || 0%{?rhel} <= 8 # mention hplip-gui should be installed if you want GUI @@ -826,6 +841,20 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/autostart/hplip-systray.desktop %config(noreplace) %{_sysconfdir}/sane.d/dll.d/hpaio %changelog +* Mon Jun 15 2026 Zdenek Dohnal - 3.21.2-6.4 +- Fix more leaks in hpcups + +* Fri Jun 12 2026 Zdenek Dohnal - 3.21.2-6.3 +- OSH fixes after CVE-2026-8631 + +* Wed Jun 10 2026 Zdenek Dohnal - 3.21.2-6.2 +- CVE-2026-8631 hplip: HPLIP: Arbitrary code execution and privilege escalation + via integer overflow in hpcups + +* Wed May 27 2026 Zdenek Dohnal - 3.21.2-6.1 +- CVE-2026-8632 hplip: Privilege escalation and arbitrary code execution + via OS command injection in Is_Process_Running() + * Mon Aug 09 2021 Mohan Boddu - 3.21.2-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688