mirror of
https://git.yoctoproject.org/poky
synced 2026-04-20 00:32:13 +02:00
cups: patch CVE-2025-58060
Pick commit mentioned in NVD report. (From OE-Core rev: cd732eb0cf1f4dc4fbfd64c7cc67125736480b37) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko
committed by
Steve Sakoman
Steve Sakoman
parent
77fb27f680
commit
a443a81cf8
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
|
||||
file://0004-cups-fix-multilib-install-file-conflicts.patch \
|
||||
file://volatiles.99_cups \
|
||||
file://cups-volatiles.conf \
|
||||
file://CVE-2025-58060.patch \
|
||||
"
|
||||
|
||||
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
|
||||
|
||||
60
meta/recipes-extended/cups/cups/CVE-2025-58060.patch
Normal file
60
meta/recipes-extended/cups/cups/CVE-2025-58060.patch
Normal file
@@ -0,0 +1,60 @@
|
||||
From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Thu, 11 Sep 2025 14:44:59 +0200
|
||||
Subject: [PATCH] cupsd: Block authentication using alternate method
|
||||
|
||||
Fixes: CVE-2025-58060
|
||||
|
||||
CVE: CVE-2025-58060
|
||||
Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221]
|
||||
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||
---
|
||||
scheduler/auth.c | 21 ++++++++++++++++++++-
|
||||
1 file changed, 20 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/scheduler/auth.c b/scheduler/auth.c
|
||||
index 5fa53644d..3c9aa72aa 100644
|
||||
--- a/scheduler/auth.c
|
||||
+++ b/scheduler/auth.c
|
||||
@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
|
||||
int userlen; /* Username:password length */
|
||||
|
||||
|
||||
+ /*
|
||||
+ * Only allow Basic if enabled...
|
||||
+ */
|
||||
+
|
||||
+ if (type != CUPSD_AUTH_BASIC)
|
||||
+ {
|
||||
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
authorization += 5;
|
||||
while (isspace(*authorization & 255))
|
||||
authorization ++;
|
||||
@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
|
||||
* Validate the username and password...
|
||||
*/
|
||||
|
||||
- if (type == CUPSD_AUTH_BASIC)
|
||||
{
|
||||
#if HAVE_LIBPAM
|
||||
/*
|
||||
@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
|
||||
/* Output token for username */
|
||||
gss_name_t client_name; /* Client name */
|
||||
|
||||
+ /*
|
||||
+ * Only allow Kerberos if enabled...
|
||||
+ */
|
||||
+
|
||||
+ if (type != CUPSD_AUTH_NEGOTIATE)
|
||||
+ {
|
||||
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
# ifdef __APPLE__
|
||||
/*
|
||||
* If the weak-linked GSSAPI/Kerberos library is not present, don't try
|
||||
Reference in New Issue
Block a user