From 125bb305469faaadaf791bbbf361d8914ff5058b Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Wed, 17 Sep 2025 09:51:30 +0800
Subject: [PATCH] fix CVE-2025-58060, CVE-2025-58364
---
 backport-CVE-2025-58060.patch | 66 +++++++++++++++++++++++++++++++++++
 backport-CVE-2025-58364.patch | 55 +++++++++++++++++++++++++++++
 cups.spec | 29 +++++++++------
 3 files changed, 140 insertions(+), 10 deletions(-)
 create mode 100644 backport-CVE-2025-58060.patch
 create mode 100644 backport-CVE-2025-58364.patch
diff --git a/backport-CVE-2025-58060.patch b/backport-CVE-2025-58060.patch
new file mode 100644
index 0000000..c6848f7
--- /dev/null
+++ b/backport-CVE-2025-58060.patch
@@ -0,0 +1,66 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 10:46:21 +0200
+Subject: fix authentication bypass with AuthType negotiate
+
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+Index: cups-2.3.3op2/scheduler/auth.c
+===================================================================
+--- cups-2.3.3op2.orig/scheduler/auth.c 2025-09-10 14:37:32.455183214 +0200
++++ cups-2.3.3op2/scheduler/auth.c 2025-09-10 14:37:32.455183214 +0200
+@@ -505,6 +505,16 @@
+ int userlen; /* Username:password length */
+
+
++ /*
++ * Only allow Basic if enabled...
++ */
++
++ if (type != CUPSD_AUTH_BASIC)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
++ return;
++ }
++
+ authorization += 5;
+ while (isspace(*authorization & 255))
+ authorization ++;
+@@ -550,10 +560,6 @@
+ * Validate the username and password...
+ */
+
+- switch (type)
+- {
+- default :
+- case CUPSD_AUTH_BASIC :
+ {
+ #if HAVE_LIBPAM
+ /*
+@@ -707,8 +713,6 @@
+ }
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
+- break;
+- }
+
+ con->type = type;
+ }
+@@ -726,6 +730,16 @@
+ gss_name_t client_name; /* Client name */
+
+
++ /*
++ * Only allow Kerberos if enabled...
++ */
++
++ if (type != CUPSD_AUTH_NEGOTIATE)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
++ return;
++ }
++
+ # ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
diff --git a/backport-CVE-2025-58364.patch b/backport-CVE-2025-58364.patch
new file mode 100644
index 0000000..e14a2d4
--- /dev/null
+++ b/backport-CVE-2025-58364.patch
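Review bot: The guard added to the Basic branch, `if (type != CUPSD_AUTH_BASIC)`, replaces a `switch (type)` whose `default :` label let every other `type` run the Basic password check, so it is a safe drop-in only if Basic was the sole case of that switch in the tree actually being built. The patch is indexed against cups-2.3.3op2, while the spec in this commit packages Version 2.2.13; if that source still carries another case in the Basic path (older CUPS releases had CUPSD_AUTH_BASICDIGEST), the context of the `@@ -707,8 +713,6 @@` hunk would not match and those configurations would now be refused. Please confirm that this patch and backport-CVE-2025-58364.patch, which is indexed against the same 2.3.3op2 tree, apply to the packaged source with no fuzz, because a guard placed by offset in the wrong branch would leave the negotiate bypass open. The enclosing function starts and ends outside these hunks.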
@@ -0,0 +1,55 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 11:05:30 +0200
+Subject: fix remote DoS via null dereference
+
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
+Index: cups-2.3.3op2/cups/ipp.c
+===================================================================
+--- cups-2.3.3op2.orig/cups/ipp.c 2025-09-10 14:37:43.159185969 +0200
++++ cups-2.3.3op2/cups/ipp.c 2025-09-10 14:38:19.091195224 +0200
+@@ -2951,34 +2951,6 @@
+ */
+
+ tag = (ipp_tag_t)buffer[0];
+- if (tag == IPP_TAG_EXTENSION)
+- {
+- /*
+- * Read 32-bit "extension" tag...
+- */
+-
+- if ((*cb)(src, buffer, 4) < 4)
+- {
+- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+- _cupsBufferRelease((char *)buffer);
+- return (IPP_STATE_ERROR);
+- }
+-
+- tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) |
+- buffer[2]) << 8) | buffer[3]);
+-
+- if (tag & IPP_TAG_CUPS_CONST)
+- {
+- /*
+- * Fail if the high bit is set in the tag...
+- */
+-
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+- _cupsBufferRelease((char *)buffer);
+- return (IPP_STATE_ERROR);
+- }
+- }
+
+ if (tag == IPP_TAG_END)
+ {
+@@ -3199,6 +3171,7 @@
+
+ if ((*cb)(src, buffer, (size_t)n) < n)
+ {
++ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+ DEBUG_puts("1ippReadIO: unable to read name.");
+ _cupsBufferRelease((char *)buffer);
+ return (IPP_STATE_ERROR);
diff --git a/cups.spec b/cups.spec
index df68c25..b5e1b17 100644
--- a/cups.spec
+++ b/cups.spec
@@ -1,7 +1,7 @@
 Name: cups
 Epoch: 1
 Version: 2.2.13
-Release: 21
+Release: 22
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
 License: GPLv2+ and LGPLv2+ with exceptions and AML
 Url: http://www.cups.org/
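Review bot: The header of backport-CVE-2025-58364.patch names no upstream commit or advisory, and its diffstat (`1 insertion(+), 25 deletions(-)`) disagrees with the first hunk, which removes 28 lines, so the file appears to have been edited after its header was generated and cannot be checked against upstream from what is shown. backport-CVE-2025-58060.patch has the same gap: its header says `1 deletion(-)` while its hunks remove six lines. I would add a provenance line under `Subject:` in both files, for example `Origin: <UPSTREAM_COMMIT_URL placeholder>`, and regenerate the diffstat so a later auditor can confirm the backport matches the upstream fix.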
@@ -45,6 +45,8 @@ Patch6007: backport-CVE-2023-34241.patch Patch6008: backport-CVE-2023-4504.patch Patch6009: backport-Fix-CVE-2024-35235.patch Patch6010: backport-Fix-CVE-2024-35235-regression.patch +Patch6011: backport-CVE-2025-58060.patch +Patch6012: backport-CVE-2025-58364.patch Provides: cupsddk cupsddk-drivers cups-filesystem cups-client cups-ipptool cups-lpd Provides: lpd lpr /usr/bin/lpq /usr/bin/lpr /usr/bin/lp /usr/bin/cancel /usr/bin/lprm /usr/bin/lpstat @@ -54,6 +56,7 @@ BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openl BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups BuildRequires: automake zlib-devel gcc gcc-c++ libselinux-devel audit-libs-devel Requires: dbus systemd acl cups-filters /usr/sbin/alternatives %{name}-libs = %{epoch}:%{version}-%{release} +Conflicts: cups-help < 1:2.2.13-22 %description CUPS is the standards-based, open source printing system developed by Apple Inc. @@ -300,8 +303,19 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb %{_datadir}/cups/ppdc/*.defs %{_datadir}/cups/ppdc/*.h +%dir %{_datadir}/%{name}/www %{_datadir}/%{name}/www/images %{_datadir}/%{name}/www/*.css +%{_datadir}/%{name}/www/index.html +%{_datadir}/%{name}/www/help +%{_datadir}/%{name}/www/robots.txt +%{_datadir}/%{name}/www/apple-touch-icon.png +%lang(de) %{_datadir}/%{name}/www/de +%lang(es) %{_datadir}/%{name}/www/es +%lang(ja) %{_datadir}/%{name}/www/ja +%lang(pt_BR) %{_datadir}/%{name}/www/pt_BR +%lang(ru) %{_datadir}/%{name}/www/ru + %dir %{_datadir}/%{name}/usb %{_datadir}/%{name}/usb/org.cups.usb-quirks %dir %{_datadir}/cups/ipptool 
@@ -328,17 +342,12 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb %{_mandir}/man8/lpc-cups.8.gz %doc README.md CREDITS.md CHANGES.md -%doc %{_datadir}/%{name}/www/index.html -%doc %{_datadir}/%{name}/www/help -%doc %{_datadir}/%{name}/www/robots.txt -%doc %{_datadir}/%{name}/www/de/index.html -%doc %{_datadir}/%{name}/www/es/index.html -%doc %{_datadir}/%{name}/www/ja/index.html -%doc %{_datadir}/%{name}/www/ru/index.html -%doc %{_datadir}/%{name}/www/pt_BR/index.html -%doc %{_datadir}/%{name}/www/apple-touch-icon.png %changelog +* Wed Sep 17 2025 Funda Wang - 1:2.2.13-22 +- fix CVE-2025-58060, CVE-2025-58364 +- move www files into main package due to requirement by web interface + * Wed Aug 14 2024 Funda Wang - 1:2.2.13-21 - Fix regression of fixing CVE-2024-35235 (upstream issue#985) -- Gitee