[AutoPR- Security] Patch cups for CVE-2025-58364, CVE-2025-58060 [HIGH] (microsoft#14672)

Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: akhila-guruju <[email protected]>

Author: 3 people

SPECS/cups/CVE-2024-35235.patch

@@ -1,24 +1,31 @@
-From 192f5bd1b197e577b2332d4fdc8038c6b2993d6e Mon Sep 17 00:00:00 2001
-From: kavyasree <kkaitepalli@microsoft.com>
-Date: Thu, 21 Nov 2024 13:46:00 +0530
-Subject: [PATCH] Fix CVE-2024-35235
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +0200
+Subject: [PATCH] Fix domain socket handling
 
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Fixes CVE-2024-35235, written by Mike Sweet
+
+Upstream Patch Reference: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2.patch
 ---
  cups/http-addr.c | 37 +++++++++++++++++++------------------
  scheduler/conf.c | 20 ++++++++++++++++++++
  2 files changed, 39 insertions(+), 18 deletions(-)
 
 diff --git a/cups/http-addr.c b/cups/http-addr.c
-index 8e81c6f..d65d4cc 100644
+index cddb63c..5aba715 100644
 --- a/cups/http-addr.c
 +++ b/cups/http-addr.c
-@@ -199,28 +199,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
+@@ -203,28 +203,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
     /*
      * Remove any existing domain socket file...
      */
 +    if ((status = unlink(addr->un.sun_path)) < 0)
 +    {
-+      DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
++      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
 
 -    unlink(addr->un.sun_path);
 -
@@ -52,7 +59,7 @@ index 8e81c6f..d65d4cc 100644
 +    // Bind the domain socket...
 +      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
 +      {
-+	DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
++	DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
 +      }
 +      // Restore the umask...
 +      umask(mask);
@@ -61,10 +68,10 @@ index 8e81c6f..d65d4cc 100644
    else
  #endif /* AF_LOCAL */
 diff --git a/scheduler/conf.c b/scheduler/conf.c
-index 74531a8..180ef9b 100644
+index 8b40d59..0b557d4 100644
 --- a/scheduler/conf.c
 +++ b/scheduler/conf.c
-@@ -3071,6 +3071,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+@@ -3112,6 +3112,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
        cupsd_listener_t	*lis;		/* New listeners array */
 
 
@@ -92,5 +99,5 @@ index 74531a8..180ef9b 100644
        * Get the address list...
        */
 -- 
-2.34.1
+2.43.0
 

SPECS/cups/CVE-2025-58060.patch

@@ -0,0 +1,61 @@
+From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <[email protected]>
+Date: Thu, 11 Sep 2025 14:44:59 +0200
+Subject: [PATCH] cupsd: Block authentication using alternate method
+
+Fixes: CVE-2025-58060
+
+Upstream Patch Reference: https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221.patch
+
+---
+ scheduler/auth.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 4fbad6e..a94a5fe 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -505,6 +505,16 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
+     int	userlen;			/* Username:password length */
+ 
+ 
++   /*
++    * Only allow Basic if enabled...
++    */
++
++    if (type != CUPSD_AUTH_BASIC)
++    {
++      cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
++      return;
++    }
++
+     authorization += 5;
+     while (isspace(*authorization & 255))
+       authorization ++;
+@@ -553,7 +563,6 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
+     switch (type)
+     {
+       default :
+-      case CUPSD_AUTH_BASIC :
+           {
+ #if HAVE_LIBPAM
+ 	   /*
+@@ -725,6 +734,15 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
+ 					/* Output token for username */
+     gss_name_t		client_name;	/* Client name */
+ 
++   /*
++    * Only allow Kerberos if enabled...
++    */
++
++    if (type != CUPSD_AUTH_NEGOTIATE)
++    {
++      cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
++      return;
++    }
+ 
+ #  ifdef __APPLE__
+    /*
+-- 
+2.43.0
+

SPECS/cups/CVE-2025-58364.patch

@@ -0,0 +1,62 @@
+From 8e579af3dd4cb082e6a6bce68e2f3263952109c2 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Sat, 13 Sep 2025 04:40:46 +0000
+Subject: [PATCH] libcups: Fix handling of extension tag in ipp_read_io(); add
+ error on unable to read attribute name
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d.patch
+---
+ cups/ipp.c | 28 +---------------------------
+ 1 file changed, 1 insertion(+), 27 deletions(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index adbb26f..ff53862 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2951,34 +2951,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 	  */
+ 
+           tag = (ipp_tag_t)buffer[0];
+-          if (tag == IPP_TAG_EXTENSION)
+-          {
+-           /*
+-            * Read 32-bit "extension" tag...
+-            */
+-
+-	    if ((*cb)(src, buffer, 4) < 4)
+-	    {
+-	      DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+-	      _cupsBufferRelease((char *)buffer);
+-	      return (IPP_STATE_ERROR);
+-	    }
+ 
+-	    tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) |
+-	                        buffer[2]) << 8) | buffer[3]);
+-
+-            if (tag & IPP_TAG_CUPS_CONST)
+-            {
+-             /*
+-              * Fail if the high bit is set in the tag...
+-              */
+-
+-	      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+-	      DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+-	      _cupsBufferRelease((char *)buffer);
+-	      return (IPP_STATE_ERROR);
+-            }
+-          }
+ 
+ 	  if (tag == IPP_TAG_END)
+ 	  {
+@@ -3199,6 +3172,7 @@ ippReadIO(void       *src,		/* I - Data source */
+ 
+ 	    if ((*cb)(src, buffer, (size_t)n) < n)
+ 	    {
++            _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+ 	      DEBUG_puts("1ippReadIO: unable to read name.");
+ 	      _cupsBufferRelease((char *)buffer);
+ 	      return (IPP_STATE_ERROR);
+-- 
+2.45.4
+

SPECS/cups/cups.spec

@@ -12,7 +12,7 @@
 Summary:        CUPS printing system
 Name:           cups
 Version:        2.3.3%{OP_VER}
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        ASL 2.0 with exceptions
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -65,6 +65,8 @@ Patch15:        CVE-2023-32324.patch
 Patch16:        CVE-2023-34241.patch
 Patch17:        CVE-2022-26691.patch
 Patch18:	CVE-2024-35235.patch
+Patch19:	CVE-2025-58060.patch
+Patch20:	CVE-2025-58364.patch
 #### UPSTREAM PATCHES (starts with 1000) ####
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -267,6 +269,9 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
 
 # LSPP support.
 %patch100 -p1 -b .lspp
@@ -658,6 +663,10 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Sat Sep 13 2025 Azure Linux Security Servicing Account <[email protected]> - 2.3.3op2-10
+- Patch for CVE-2025-58364, CVE-2025-58060
+- Fix patch of CVE-2024-35235
+
 * Thu Nov 21 2024 Kavya Sree Kaitepalli <[email protected]> - 2.3.3op2-9
 - Add patch for CVE-2024-35235