Bug#1120703: libcupsfilters: CVE-2025-57812
Source: libcupsfilters
Version: 2.0.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:cups-filters 1.28.17-6
Control: retitle -2 src:cups-filters CVE-2025-57812
Hi,
The following vulnerability was published for libcupsfilters.
CVE-2025-57812[0]:
| CUPS is a standards-based, open-source printing system, and
| `libcupsfilters` contains the code of the filters of the former
| `cups-filters` package as library functions to be used for the data
| format conversion tasks needed in Printer Applications. In CUPS-
| Filters versions up to and including 1.28.17 and libcupsfilters
| versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter
| has an out of bounds read/write vulnerability in the processing of
| TIFF image files. While the pixel buffer is allocated with the
| number of pixels times a pre-calculated bytes-per-pixel value, the
| function which processes these pixels is called with a size of the
| number of pixels times 3. When suitable inputs are passed, the
| bytes-per-pixel value can be set to 1 and bytes outside of the
| buffer bounds get processed. In order to trigger the bug, an
| attacker must issue a print job with a crafted TIFF file, and pass
| appropriate print job options to control the bytes-per-pixel value
| of the output format. They must choose a printer configuration under
| which the `imagetoraster` filter or its C-function equivalent
| `cfFilterImageToRaster()` gets invoked. The vulnerability exists in
| both CUPS-Filters 1.x and the successor library libcupsfilters
| (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is
| `_cfImageReadTIFF()` in libcupsfilters. When this function is
| invoked as part of `cfFilterImageToRaster()`, the caller passes a
| look-up-table during whose processing the out of bounds memory
| access happens. In CUPS-Filters 1.x, the equivalent functions are
| all found in the cups-filters repository, which is not split into
| subprojects yet, and the vulnerable code is in
| `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()`
| from the `imagetoraster` tool. A patch is available in commit
| b69dfacec7f176281782e2f7ac44f04bf9633cfa.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-57812
https://www.cve.org/CVERecord?id=CVE-2025-57812
[1] https://www.openwall.com/lists/oss-security/2025/11/12/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
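
The size mismatch described in the CVE text, as an added example that is not part of the original report and not code from cups-filters or libcupsfilters: a simplified C model in which the row buffer holds pixels times bytes-per-pixel bytes, and a bounds-checked look-up-table pass rejects the pixels-times-3 call shape when bytes-per-pixel is 1. The names `row_alloc_size`, `apply_lut_checked` and `process_row`, and the in-place LUT pass, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of the size mismatch described in the advisory.
 * All names are hypothetical; this is not libcupsfilters code. */

/* Bytes the row buffer is allocated with: pixels * bytes-per-pixel. */
static int row_alloc_size(size_t pixels, size_t bpp, size_t *out)
{
    if (pixels == 0 || bpp == 0 || pixels > SIZE_MAX / bpp)
        return -1;                      /* empty row or overflowing product */
    *out = pixels * bpp;
    return 0;
}

/* Apply a 256-entry look-up table in place to `count` bytes, but only
 * if `count` fits in the buffer's real capacity. */
static int apply_lut_checked(uint8_t *buf, size_t capacity, size_t count,
                             const uint8_t lut[256])
{
    if (count > capacity)
        return -1;                      /* would read/write past the buffer */
    for (size_t i = 0; i < count; i++)
        buf[i] = lut[buf[i]];
    return 0;
}

/* Process one row. fixed_width3 != 0 reproduces the flawed call shape
 * (count = pixels * 3 regardless of bpp); 0 uses the allocated size. */
int process_row(size_t pixels, size_t bpp, int fixed_width3)
{
    uint8_t lut[256];
    size_t alloc, count;
    for (int i = 0; i < 256; i++)
        lut[i] = (uint8_t)(255 - i);    /* constructed sample LUT: invert */

    if (row_alloc_size(pixels, bpp, &alloc) != 0)
        return -1;
    if (fixed_width3 && pixels > SIZE_MAX / 3)
        return -1;
    count = fixed_width3 ? pixels * 3 : alloc;

    uint8_t *row = calloc(alloc, 1);
    if (row == NULL)
        return -1;
    int rc = apply_lut_checked(row, alloc, count, lut);
    free(row);
    return rc;
}
```

With bytes-per-pixel set to 1 the fixed pixels-times-3 count is three times the allocation and the checked pass refuses it; deriving the count from the allocated size succeeds for every bytes-per-pixel value.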