Your message dated Sat, 22 Nov 2025 13:05:10 +0000 with message-id <E1vMnIc-00CCUv-2o@fasolo.debian.org> and subject line Bug#1120703: fixed in libcupsfilters 2.1.1-2 has caused the Debian Bug report #1120703, regarding libcupsfilters: CVE-2025-57812 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1120703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120703
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libcupsfilters: CVE-2025-57812
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 14 Nov 2025 22:56:23 +0100
- Message-id: <176315738317.2966901.17682764972397898598.reportbug@eldamar.lan>
Source: libcupsfilters
Version: 2.0.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:cups-filters 1.28.17-6
Control: retitle -2 src:cups-filters CVE-2025-57812

Hi,

The following vulnerability was published for libcupsfilters.

CVE-2025-57812[0]:
| CUPS is a standards-based, open-source printing system, and
| `libcupsfilters` contains the code of the filters of the former
| `cups-filters` package as library functions to be used for the data
| format conversion tasks needed in Printer Applications. In
| CUPS-Filters versions up to and including 1.28.17 and libcupsfilters
| versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter
| has an out of bounds read/write vulnerability in the processing of
| TIFF image files. While the pixel buffer is allocated with the
| number of pixels times a pre-calculated bytes-per-pixel value, the
| function which processes these pixels is called with a size of the
| number of pixels times 3. When suitable inputs are passed, the
| bytes-per-pixel value can be set to 1 and bytes outside of the
| buffer bounds get processed. In order to trigger the bug, an
| attacker must issue a print job with a crafted TIFF file, and pass
| appropriate print job options to control the bytes-per-pixel value
| of the output format. They must choose a printer configuration under
| which the `imagetoraster` filter or its C-function equivalent
| `cfFilterImageToRaster()` gets invoked. The vulnerability exists in
| both CUPS-Filters 1.x and the successor library libcupsfilters
| (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is
| `_cfImageReadTIFF()` in `libcupsfilters`. When this function is
| invoked as part of `cfFilterImageToRaster()`, the caller passes a
| look-up-table during whose processing the out of bounds memory
| access happens. In CUPS-Filters 1.x, the equivalent functions are
| all found in the cups-filters repository, which is not split into
| subprojects yet, and the vulnerable code is in
| `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()`
| from the `imagetoraster` tool. A patch is available in commit
| b69dfacec7f176281782e2f7ac44f04bf9633cfa.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57812
    https://www.cve.org/CVERecord?id=CVE-2025-57812
[1] https://www.openwall.com/lists/oss-security/2025/11/12/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
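The size mismatch described in the CVE text above, shown as an added C illustration; it is not code from libcupsfilters, cups-filters, the upstream patch or this bug report. The names `lut_apply`, `overrun_bytes` and `process_row`, the `bpp <= 4` limit and the canary bytes are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 8 /* canary bytes placed after the row, demo only */

/* Hypothetical stand-in for the look-up-table pass: rewrites exactly len bytes. */
static void lut_apply(unsigned char *buf, size_t len, const unsigned char *lut)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = lut[buf[i]];
}

/* Bytes a pass sized pixels*3 would touch beyond a pixels*bpp allocation.
   Pure arithmetic, no memory is accessed. */
size_t overrun_bytes(size_t pixels, size_t bpp)
{
    size_t alloc = pixels * bpp, processed = pixels * 3;
    return processed > alloc ? processed - alloc : 0;
}

/* Hardened form: one overflow-checked length sizes both the allocation and
   the LUT pass. Returns bytes processed, or -1 on any failed check. */
long process_row(size_t pixels, size_t bpp, const unsigned char *lut)
{
    if (pixels == 0 || bpp == 0 || bpp > 4 || pixels > (LONG_MAX - GUARD) / bpp)
        return -1;
    size_t len = pixels * bpp;
    unsigned char *buf = malloc(len + GUARD);
    if (buf == NULL) return -1;
    memset(buf, 0x10, len);          /* constructed sample pixel data */
    memset(buf + len, 0xA5, GUARD);  /* canary after the row */
    lut_apply(buf, len, lut);        /* len, not pixels * 3 */
    long result = (buf[0] == lut[0x10]) ? (long)len : -1;
    for (size_t i = 0; i < GUARD; i++)
        if (buf[len + i] != 0xA5) result = -1;
    free(buf);
    return result;
}

int main(void)
{
    unsigned char lut[256];
    for (int i = 0; i < 256; i++) lut[i] = (unsigned char)(255 - i);
    printf("overrun at bpp=1: %zu, hardened: %ld\n", overrun_bytes(100, 1), process_row(100, 1, lut));
    return 0;
}
```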
--- Begin Message ---
- To: 1120703-close@bugs.debian.org
- Subject: Bug#1120703: fixed in libcupsfilters 2.1.1-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 22 Nov 2025 13:05:10 +0000
- Message-id: <E1vMnIc-00CCUv-2o@fasolo.debian.org>
- Reply-to: Thorsten Alteholz <debian@alteholz.de>
Source: libcupsfilters
Source-Version: 2.1.1-2
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of libcupsfilters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1120703@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libcupsfilters package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 20 Nov 2025 10:45:05 +0100
Source: libcupsfilters
Architecture: source
Version: 2.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1120697 1120703
Changes:
 libcupsfilters (2.1.1-2) unstable; urgency=medium
 .
   * CVE-2025-64503
     fix an out of bounds write vulnerability when processing crafted
     PDF files containing a large 'Mediabox' value.
     (Closes: #1120697)
 .
   * CVE-2025-57812
     fix an out of bounds read/write vulnerability in the processing
     of TIFF image files.
     (Closes: #1120703)
--- End Message ---