GTK has a specific IPP processing which stopped working after
CVE-2025-58436 fix. GTK depends on internal behavior of `_httpUpdate()`
which read a line from connection at the start of function, which was
one of culprits behind CVE-2025-58436.
To mitigate CVE-2025-58436 `_httpUpdate()` started to read from
connection only if there was data in internal HTTP buffer and there
was at least one newline buffered - otherwise the function returns
HTTP_ERROR/HTTP_CONTINUE, which caused the loop in GTK.
The change which fixes GTK behavior in the PR is to read data from
connection at the start of `_httpUpdate()` for non-blocking connections
immediately with no timeout if internal HTTP buffer is not full. The
change mitigates the CVE as well as the previous implementation.
projects / thirdparty / cups.git / commit
