Home Explore Help
Sign In
crispAudio
/
poky
mirror of git://git.yoctoproject.org/poky
5
0
Fork 0
Files Issues 0 Wiki
Browse Source

cups: patch CVE-2025-58060

Pick commit mentioned in NVD report.

(From OE-Core rev: cd732eb0cf1f4dc4fbfd64c7cc67125736480b37)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Peter Marko 3 weeks ago
parent
77fb27f680
commit
a443a81cf8
2 changed files with 61 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      meta/recipes-extended/cups/cups.inc
  2. 60 0
      meta/recipes-extended/cups/cups/CVE-2025-58060.patch

+ 1 - 0
meta/recipes-extended/cups/cups.inc
View File 

@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
            file://0004-cups-fix-multilib-install-file-conflicts.patch \
 
            file://volatiles.99_cups \
 
            file://cups-volatiles.conf \
 
+           file://CVE-2025-58060.patch \
 
            "
 
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"

+ 60 - 0
meta/recipes-extended/cups/cups/CVE-2025-58060.patch
View File 

@@ -0,0 +1,60 @@
 
+From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
 
+From: Zdenek Dohnal <zdohnal@redhat.com>
 
+Date: Thu, 11 Sep 2025 14:44:59 +0200
 
+Subject: [PATCH] cupsd: Block authentication using alternate method
 
+
 
+Fixes: CVE-2025-58060
 
+
 
+CVE: CVE-2025-58060
 
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
 
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
 
+---
 
+ scheduler/auth.c | 21 ++++++++++++++++++++-
 
+ 1 file changed, 20 insertions(+), 1 deletion(-)
 
+
 
+diff --git a/scheduler/auth.c b/scheduler/auth.c
 
+index 5fa53644d..3c9aa72aa 100644
 
+--- a/scheduler/auth.c
 
++++ b/scheduler/auth.c
 
+@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
 
+     int	userlen;			/* Username:password length */
 
+ 
+ 
++   /*
 
++    * Only allow Basic if enabled...
 
++    */
 
++
 
++    if (type != CUPSD_AUTH_BASIC)
 
++    {
 
++      cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
 
++      return;
 
++    }
 
++
 
+     authorization += 5;
 
+     while (isspace(*authorization & 255))
 
+       authorization ++;
 
+@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
 
+     * Validate the username and password...
 
+     */
 
+ 
+-    if (type == CUPSD_AUTH_BASIC)
 
+     {
 
+ #if HAVE_LIBPAM
 
+      /*
 
+@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
 
+ 					/* Output token for username */
 
+     gss_name_t		client_name;	/* Client name */
 
+ 
++   /*
 
++    * Only allow Kerberos if enabled...
 
++    */
 
++
 
++    if (type != CUPSD_AUTH_NEGOTIATE)
 
++    {
 
++      cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
 
++      return;
 
++    }
 
++
 
+ #  ifdef __APPLE__
 
+    /*
 
+     * If the weak-linked GSSAPI/Kerberos library is not present, don't try