Your message dated Sat, 20 Dec 2025 13:47:09 +0000
with message-id <E1vWxIb-005GLh-08@fasolo.debian.org>
and subject line Bug#1120697: fixed in libcupsfilters 2.0.0-3+deb13u1
has caused the Debian Bug report #1120697,
regarding libcupsfilters: CVE-2025-64503
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1120697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120697
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libcupsfilters: CVE-2025-64503
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 14 Nov 2025 22:12:53 +0100
- Message-id: <176315477379.2958287.9264991793057476539.reportbug@eldamar.lan>
Source: libcupsfilters
Version: 2.0.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:cups-filters 1.28.17-6
Control: retitle -2 cups-filters: CVE-2025-64503
Control: found -2 1.28.17-3+deb12u1

Hi,

The following vulnerability was published for libcupsfilters/cups-filters.

CVE-2025-64503[0]:
| cups-filters contains backends, filters, and other software required
| to get the cups printing service working on operating systems other
| than macos. In cups-filters prior to 1.28.18, by crafting a PDF file
| with a large `MediaBox` value, an attacker can cause CUPS-Filter
| 1.x’s `pdftoraster` tool to write beyond the bounds of an array.
| First, a PDF with a large `MediaBox` width value causes
| `header.cupsWidth` to become large. Next, the calculation of
| `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) /
| 8` overflows, resulting in a small value. Then, `lineBuf` is
| allocated with the small `bytesPerLine` size. Finally,
| `convertLineChunked` calls `writePixel8`, which attempts to write to
| `lineBuf` outside of its buffer size (out of bounds write). In
| libcupsfilters, the maintainers found the same `bytesPerLine`
| multiplication without overflow check, but the provided test case
| does not cause an overflow there, because the values are different.
| Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch,
| which is incorporated into cups-filters version 1.28.18.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64503
    https://www.cve.org/CVERecord?id=CVE-2025-64503
[1] https://www.openwall.com/lists/oss-security/2025/11/12/2
[2] https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
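
The `bytesPerLine` wraparound described in the CVE text above, worked through in C as an added example (not code from cups-filters, libcupsfilters or the upstream patch). The function names, the 32-bit unsigned modelling of the header fields and the sample geometry are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form quoted in the CVE text. The header fields are modelled
 * as 32-bit unsigned values (assumption), so the product wraps mod 2^32. */
static uint32_t bytes_per_line_unchecked(uint32_t bits_per_pixel, uint32_t width)
{
    return (bits_per_pixel * width + 7) / 8;
}

/* Same formula in 64-bit arithmetic: the size the row really needs. */
static uint64_t bytes_per_line_wide(uint32_t bits_per_pixel, uint32_t width)
{
    return ((uint64_t)bits_per_pixel * width + 7) / 8;
}

/* Checked form (illustrative, not the upstream patch): refuse any geometry
 * whose bit count does not fit in 32 bits before a buffer is sized from it. */
static bool bytes_per_line_checked(uint32_t bits_per_pixel, uint32_t width,
                                   uint32_t *out)
{
    if (bits_per_pixel == 0 || width == 0)
        return false;
    if (width > (UINT32_MAX - 7) / bits_per_pixel)
        return false;                     /* product or "+ 7" would wrap */
    *out = (bits_per_pixel * width + 7) / 8;
    return true;
}

int main(void)
{
    /* Constructed values: 8 bits per pixel, width just past 2^32 / 8. */
    const uint32_t bpp = 8, width = 0x20000001u;
    uint32_t safe = 0;

    printf("unchecked: %u bytes\n", (unsigned)bytes_per_line_unchecked(bpp, width));
    printf("needed:    %llu bytes\n",
           (unsigned long long)bytes_per_line_wide(bpp, width));
    printf("checked:   %s\n",
           bytes_per_line_checked(bpp, width, &safe) ? "accepted" : "rejected");
    return 0;
}
```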
--- Begin Message ---
- To: 1120697-close@bugs.debian.org
- Subject: Bug#1120697: fixed in libcupsfilters 2.0.0-3+deb13u1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 20 Dec 2025 13:47:09 +0000
- Message-id: <E1vWxIb-005GLh-08@fasolo.debian.org>
- Reply-to: Thorsten Alteholz <debian@alteholz.de>
Source: libcupsfilters
Source-Version: 2.0.0-3+deb13u1
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
libcupsfilters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1120697@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libcupsfilters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 20 Nov 2025 10:45:05 +0100
Source: libcupsfilters
Architecture: source
Version: 2.0.0-3+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1120697 1120703
Changes:
 libcupsfilters (2.0.0-3+deb13u1) trixie; urgency=medium
 .
   * CVE-2025-64503
     fix an out of bounds write vulnerability when processing crafted
     PDF files containing a large 'Mediabox' value.
     (Closes: #1120697)
 .
   * CVE-2025-57812
     fix an out of bounds read/write vulnerability in the processing
     of TIFF image files.
     (Closes: #1120703)
--- End Message ---