CVE-2026-27447: The scheduler treated local user and group names as case-insensitive.

michaelrsweet · michaelrsweet · commit a0c62c1e6960 · 2026-03-31T14:04:21.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -5,6 +5,8 @@ CHANGES - OpenPrinting CUPS
 Changes in CUPS v2.4.17 (YYYY-MM-DD)
 ------------------------------------
 
+- CVE-2026-27447: The scheduler treated local user and group names as case-
+  insensitive.
 - The scheduler followed symbolic links when cleaning out its temporary
   directory (Issue #1448)
 - Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters.
diff --git a/scheduler/auth.c b/scheduler/auth.c
@@ -1,7 +1,7 @@
 /*
  * Authorization routines for the CUPS scheduler.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2007-2019 by Apple Inc.
  * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
  *
@@ -1184,7 +1184,7 @@ cupsdCheckGroup(
   group = getgrnam(groupname);
   endgrent();
 
-  if (group != NULL)
+  if (user && group)
   {
    /*
     * Group exists, check it...
@@ -1198,7 +1198,7 @@ cupsdCheckGroup(
       * User appears in the group membership...
       */
 
-      if (!_cups_strcasecmp(username, group->gr_mem[i]))
+      if (!strcmp(user->pw_name, group->gr_mem[i]))
 	return (1);
     }
 
@@ -1209,25 +1209,24 @@ cupsdCheckGroup(
     * belongs to...
     */
 
-    if (user)
-    {
-      int	ngroups;		/* Number of groups */
+    int		ngroups;		/* Number of groups */
 #  ifdef __APPLE__
-      int	groups[2048];		/* Groups that user belongs to */
+    int		groups[2048];		/* Groups that user belongs to */
 #  else
-      gid_t	groups[2048];		/* Groups that user belongs to */
+    gid_t	groups[2048];		/* Groups that user belongs to */
 #  endif /* __APPLE__ */
 
-      ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+    ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
 #  ifdef __APPLE__
-      getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
+    getgrouplist(user->pw_name, (int)user->pw_gid, groups, &ngroups);
 #  else
-      getgrouplist(username, user->pw_gid, groups, &ngroups);
+    getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
 #endif /* __APPLE__ */
 
-      for (i = 0; i < ngroups; i ++)
-        if ((int)groupid == (int)groups[i])
-	  return (1);
+    for (i = 0; i < ngroups; i ++)
+    {
+      if ((int)groupid == (int)groups[i])
+	return (1);
     }
 #endif /* HAVE_GETGROUPLIST */
   }
@@ -1837,7 +1836,7 @@ cupsdIsAuthorized(cupsd_client_t *con,	/* I - Connection */
 	 name = (char *)cupsArrayNext(best->names))
     {
       if (!_cups_strcasecmp(name, "@OWNER") && owner &&
-          !_cups_strcasecmp(username, ownername))
+          !strcmp(pw->pw_name, ownername))
 	return (HTTP_OK);
       else if (!_cups_strcasecmp(name, "@SYSTEM"))
       {
@@ -1849,7 +1848,7 @@ cupsdIsAuthorized(cupsd_client_t *con,	/* I - Connection */
         if (cupsdCheckGroup(username, pw, name + 1))
           return (HTTP_OK);
       }
-      else if (!_cups_strcasecmp(username, name))
+      else if (pw && !strcmp(pw->pw_name, name))
         return (HTTP_OK);
     }
 
