diff -Nru cups-filters-1.27.4/debian/changelog cups-filters-1.27.4/debian/changelog
--- cups-filters-1.27.4/debian/changelog	2020-04-10 13:12:50.000000000 +0000
+++ cups-filters-1.27.4/debian/changelog	2023-05-15 14:35:05.000000000 +0000
@@ -1,3 +1,16 @@
+cups-filters (1.27.4-1ubuntu0.2) focal-security; urgency=medium
+
+  * SECURITY UPDATE: code execution in beh CUPS backend
+    - debian/patches/CVE-2023-24805-1.patch: use execv() instead of
+      system() in backend/beh.c.
+    - debian/patches/CVE-2023-24805-2.patch: extra checks against
+      odd/forged input in backend/beh.c.
+    - debian/patches/CVE-2023-24805-3.patch: further improvements in
+      backend/beh.c.
+    - CVE-2023-24805
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 15 May 2023 10:35:05 -0400
+
 cups-filters (1.27.4-1) unstable; urgency=medium
 
   * New upstream version 1.27.4
diff -Nru cups-filters-1.27.4/debian/control cups-filters-1.27.4/debian/control
--- cups-filters-1.27.4/debian/control	2020-04-10 13:12:50.000000000 +0000
+++ cups-filters-1.27.4/debian/control	2023-05-10 19:44:08.000000000 +0000
@@ -1,5 +1,6 @@
 Source: cups-filters
-Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
 Uploaders: Till Kamppeter <till.kamppeter@gmail.com>,
            Didier Raboud <odyx@debian.org>
 Section: net
diff -Nru cups-filters-1.27.4/debian/patches/CVE-2023-24805-1.patch cups-filters-1.27.4/debian/patches/CVE-2023-24805-1.patch
--- cups-filters-1.27.4/debian/patches/CVE-2023-24805-1.patch	1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.27.4/debian/patches/CVE-2023-24805-1.patch	2023-05-15 14:35:05.000000000 +0000
@@ -0,0 +1,121 @@
+Backport of:
+
+From 714fa46f6a0dd446baa0e7b9a64a83d2cd4a0ec1 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Tue, 31 Jan 2023 00:55:36 -0300
+Subject: [PATCH 1/3] beh backend: Use execv() instead of system() -
+ CVE-2023-24805
+
+With execv() command line arguments are passed as separate strings and
+not the full command line in a single string. This prevents arbitrary
+command execution by escaping the quoting of the arguments in a job
+with forged job title.
+---
+ backend/beh.c | 67 +++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 49 insertions(+), 18 deletions(-)
+
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -22,6 +22,7 @@
+ #include "backend-private.h"
+ #include <cups/array.h>
+ #include <ctype.h>
++#include <sys/wait.h>
+ 
+ /*
+  * Local globals...
+@@ -213,10 +214,14 @@ call_backend(char *uri,
+ 	     char **argv,		/* I - Command-line arguments */
+ 	     char *filename) {          /* I - File name of input data */
+   const char	*cups_serverbin;	/* Location of programs */
++  char          *backend_argv[8];       // Arguments for called CUPS backend
+   char		scheme[1024],           /* Scheme from URI */
+                 *ptr,			/* Pointer into scheme */
+-		cmdline[65536];		/* Backend command line */
+-  int           retval;
++		backend_path[2048];	// Backend path
++  int           pid,
++                wait_pid,
++                wait_status,
++                retval = 0;
+ 
+  /*
+   * Build the backend command line...
+@@ -235,16 +240,19 @@ call_backend(char *uri,
+     fprintf(stderr,
+ 	    "ERROR: beh: Direct output into a file not supported.\n");
+     exit (CUPS_BACKEND_FAILED);
+-  } else
+-    snprintf(cmdline, sizeof(cmdline),
+-	     "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
+-	     cups_serverbin, scheme, argv[1], argv[2], argv[3],
+-	     /* Apply number of copies only if beh was called with a
+-		file name and not with the print data in stdin, as
+-	        backends should handle copies only if they are called
+-	        with a file name */
+-	     (argc == 6 ? "1" : argv[4]),
+-	     argv[5], filename);
++  }
++
++  backend_argv[0] = uri;
++  backend_argv[1] = argv[1];
++  backend_argv[2] = argv[2];
++  backend_argv[3] = argv[3];
++  backend_argv[4] = (argc == 6 ? "1" : argv[4]);
++  backend_argv[5] = argv[5];
++  backend_argv[6] = filename;
++  backend_argv[7] = NULL;
++
++  snprintf(backend_path, sizeof(backend_path),
++	   "%s/backend/%s", cups_serverbin, scheme);
+ 
+  /*
+   * Overwrite the device URI and run the actual backend...
+@@ -253,17 +261,41 @@ call_backend(char *uri,
+   setenv("DEVICE_URI", uri, 1);
+ 
+   fprintf(stderr,
+-	  "DEBUG: beh: Executing backend command line \"%s\"...\n",
+-	  cmdline);
++	  "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n",
++	  backend_path, backend_argv[1], backend_argv[2], backend_argv[3],
++	  backend_argv[4], backend_argv[5],
++	  (backend_argv[6] && backend_argv[6][0] ? " " : ""),
++	  (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : ""));
+   fprintf(stderr,
+ 	  "DEBUG: beh: Using device URI: %s\n",
+ 	  uri);
+ 
+-  retval = system(cmdline) >> 8;
++  if ((pid = fork()) == 0)
++  {
++    retval = execv(backend_path, backend_argv);
++
++    if (retval == -1)
++      fprintf(stderr, "ERROR: Unable to execute backend: %s\n",
++	      strerror(errno));
++    exit (CUPS_BACKEND_FAILED);
++  }
++  else if (pid < 0)
++  {
++    fprintf(stderr, "ERROR: Unable to fork for backend\n");
++    return (CUPS_BACKEND_FAILED);
++  }
++
++  while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR);
+ 
+-  if (retval == -1)
+-    fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n",
+-	    strerror(errno));
++  if (wait_pid >= 0 && wait_status)
++  {
++    if (WIFEXITED(wait_status))
++      retval = WEXITSTATUS(wait_status);
++    else if (WTERMSIG(wait_status) != SIGTERM)
++      retval = WTERMSIG(wait_status);
++    else
++      retval = 0;
++  }
+ 
+   return (retval);
+ }
diff -Nru cups-filters-1.27.4/debian/patches/CVE-2023-24805-2.patch cups-filters-1.27.4/debian/patches/CVE-2023-24805-2.patch
--- cups-filters-1.27.4/debian/patches/CVE-2023-24805-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.27.4/debian/patches/CVE-2023-24805-2.patch	2023-05-15 14:35:05.000000000 +0000
@@ -0,0 +1,78 @@
+Backport of:
+
+From c87c9a0f41cc2124d3c13c1836474191697660a9 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Thu, 11 May 2023 14:46:18 +0200
+Subject: [PATCH 2/3] beh backend: Extra checks against odd/forged input -
+ CVE-2023-24805
+
+- Do not allow '/' in the scheme of the URI (= backend executable
+  name), to assure that only backends inside /usr/lib/cups/backend/
+  are used.
+
+- Pre-define scheme buffer to empty string, to be defined for case of
+  uri being NULL.
+
+- URI must have ':', to split off scheme, otherwise error.
+
+- Check return value of snprintf() to create call path for backend, to
+  error out on truncation of a too long scheme or on complete failure
+  due to a completely odd scheme.
+---
+ backend/beh.c | 30 ++++++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -222,16 +222,31 @@ call_backend(char *uri,
+                 wait_pid,
+                 wait_status,
+                 retval = 0;
++  int           bytes;
++
+ 
+  /*
+   * Build the backend command line...
+   */
+ 
++  scheme[0] = '\0';
+   strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > 1023)
+-    scheme[1023] = '\0';
++  if (strlen(uri) > sizeof(scheme) - 1)
++    scheme[sizeof(scheme) - 1] = '\0';
+   if ((ptr = strchr(scheme, ':')) != NULL)
+     *ptr = '\0';
++  else
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n");
++    exit (CUPS_BACKEND_FAILED);
++  }
++  if (strchr(scheme, '/'))
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
++    exit (CUPS_BACKEND_FAILED);
++  }
+ 
+   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+     cups_serverbin = CUPS_SERVERBIN;
+@@ -251,8 +266,15 @@ call_backend(char *uri,
+   backend_argv[6] = filename;
+   backend_argv[7] = NULL;
+ 
+-  snprintf(backend_path, sizeof(backend_path),
+-	   "%s/backend/%s", cups_serverbin, scheme);
++  bytes = snprintf(backend_path, sizeof(backend_path),
++		   "%s/backend/%s", cups_serverbin, scheme);
++  if (bytes < 0 || bytes >= sizeof(backend_path))
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n",
++	    scheme);
++    exit (CUPS_BACKEND_FAILED);
++  }
+ 
+  /*
+   * Overwrite the device URI and run the actual backend...
diff -Nru cups-filters-1.27.4/debian/patches/CVE-2023-24805-3.patch cups-filters-1.27.4/debian/patches/CVE-2023-24805-3.patch
--- cups-filters-1.27.4/debian/patches/CVE-2023-24805-3.patch	1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.27.4/debian/patches/CVE-2023-24805-3.patch	2023-05-15 14:35:05.000000000 +0000
@@ -0,0 +1,72 @@
+Backport of:
+
+From 09b917bf164a27a1188dac30a294bc20d56438e8 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Fri, 12 May 2023 01:24:51 +0200
+Subject: [PATCH 3/3] beh backend: Further improvements - CVE-2023-24805
+
+- Use strncat() instead of strncpy() for getting scheme from URI, the latter
+  does not require setting terminating zero byte in case of truncation.
+
+- Also exclude "." or ".." as scheme, as directories are not valid CUPS
+  backends.
+
+- Do not use fprintf() in sigterm_handler(), to not interfere with a
+  fprintf() which could be running in the main process when
+  sigterm_handler() is triggered.
+
+- Use "static volatile int" for global variable job_canceled.
+---
+ backend/beh.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/backend/beh.c
++++ b/backend/beh.c
+@@ -28,7 +28,7 @@
+  * Local globals...
+  */
+ 
+-static int		job_canceled = 0; /* Set to 1 on SIGTERM */
++static volatile int	job_canceled = 0; // Set to 1 on SIGTERM
+ 
+ /*
+  * Local functions...
+@@ -230,9 +230,7 @@ call_backend(char *uri,
+   */
+ 
+   scheme[0] = '\0';
+-  strncpy(scheme, uri, sizeof(scheme) - 1);
+-  if (strlen(uri) > sizeof(scheme) - 1)
+-    scheme[sizeof(scheme) - 1] = '\0';
++  strncat(scheme, uri, sizeof(scheme) - 1);
+   if ((ptr = strchr(scheme, ':')) != NULL)
+     *ptr = '\0';
+   else
+@@ -247,7 +245,13 @@ call_backend(char *uri,
+ 	    "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n");
+     exit (CUPS_BACKEND_FAILED);
+   }
+-
++  if (!strcmp(scheme, ".") || !strcmp(scheme, ".."))
++  {
++    fprintf(stderr,
++	    "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n",
++	    scheme);
++    exit (CUPS_BACKEND_FAILED);
++  }
+   if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+     cups_serverbin = CUPS_SERVERBIN;
+ 
+@@ -331,8 +335,10 @@ static void
+ sigterm_handler(int sig) {		/* I - Signal number (unused) */
+   (void)sig;
+ 
+-  fprintf(stderr,
+-	  "DEBUG: beh: Job canceled.\n");
++  const char * const msg = "DEBUG: beh: Job canceled.\n";
++  // The if() is to eliminate the return value and silence the warning
++  // about an unused return value.
++  if (write(2, msg, strlen(msg)));
+ 
+   if (job_canceled)
+     _exit(CUPS_BACKEND_OK);
diff -Nru cups-filters-1.27.4/debian/patches/series cups-filters-1.27.4/debian/patches/series
--- cups-filters-1.27.4/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.27.4/debian/patches/series	2023-05-15 14:35:05.000000000 +0000
@@ -0,0 +1,3 @@
+CVE-2023-24805-1.patch
+CVE-2023-24805-2.patch
+CVE-2023-24805-3.patch