Bug#1121342: trixie-pu: libcupsfilter 2.0.0-3+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for libcupsfilters fixes CVE-2025-64503 and
CVE-2025-57812 in Trixie. Both CVEs are marked as no-dsa by the security
team.
The same patches have been uploaded to unstable and nobody has complained yet.
Thorsten
diff -Nru libcupsfilters-2.0.0/debian/changelog libcupsfilters-2.0.0/debian/changelog
--- libcupsfilters-2.0.0/debian/changelog 2024-09-26 23:45:05.000000000 +0200
+++ libcupsfilters-2.0.0/debian/changelog 2025-11-20 10:45:05.000000000 +0100
@@ -1,3 +1,17 @@
+libcupsfilters (2.0.0-3+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-64503
+ fix an out of bounds write vulnerability when processing crafted
+ PDF files containing a large 'Mediabox' value.
+ (Closes: #1120697)
+
+ * CVE-2025-57812
+ fix an out of bounds read/write vulnerability in the processing
+ of TIFF image files.
+ (Closes: #1120703)
+
+ -- Thorsten Alteholz <debian@alteholz.de> Thu, 20 Nov 2025 10:45:05 +0100
+
libcupsfilters (2.0.0-3) unstable; urgency=medium
* CVE-2024-47076 (Closes: #1082821)
diff -Nru libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch
--- libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,124 @@
+From b69dfacec7f176281782e2f7ac44f04bf9633cfa Mon Sep 17 00:00:00 2001
+From: zdohnal <zdohnal@redhat.com>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5. fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+Index: libcupsfilters-2.0.0/cupsfilters/image-tiff.c
+===================================================================
+--- libcupsfilters-2.0.0.orig/cupsfilters/image-tiff.c 2025-11-20 13:30:30.492726380 +0100
++++ libcupsfilters-2.0.0/cupsfilters/image-tiff.c 2025-11-20 13:30:30.492726380 +0100
+@@ -41,6 +41,7 @@
+ TIFF *tif; // TIFF file
+ uint32_t width, height; // Size of image
+ uint16_t photometric, // Colorspace
++ planar, // Color components in separate planes
+ compression, // Type of compression
+ orientation, // Orientation
+ resunit, // Units for resolution
+@@ -113,6 +114,15 @@
+ return (-1);
+ }
+
++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++ planar == PLANARCONFIG_SEPARATE)
++ {
++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+ {
+ DEBUG_puts("DEBUG: No compression tag in the file!\n");
+@@ -127,6 +137,15 @@
+ if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+ bits = 1;
+
++ if (bits == 1 && samples > 1)
++ {
++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ //
+ // Get the image orientation...
+ //
+@@ -194,6 +213,23 @@
+ alpha = 0;
+
+ //
++ // Check whether number of samples per pixel corresponds with color space
++ //
++
++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++ {
++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
++ "Color space: %s; Samples per pixel: %d\n",
++ (photometric == PHOTOMETRIC_RGB ? "RGB" :
++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
++ samples);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
++ //
+ // Check the size of the image...
+ //
+
+@@ -265,6 +301,14 @@
+ break;
+ }
+
++ if (orientation >= ORIENTATION_LEFTTOP)
++ {
++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ switch (orientation)
+ {
+ case ORIENTATION_TOPRIGHT :
+@@ -1467,7 +1511,7 @@
+ }
+
+ if (lut)
+- cfImageLut(out, img->xsize * 3, lut);
++ cfImageLut(out, img->xsize * bpp, lut);
+
+ _cfImagePutRow(img, 0, y, img->xsize, out);
+ }
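Review bot: The four new rejection paths in image-tiff.c do not agree on a return value: the planar-configuration, 1-bit colour and sample-count checks use `return (1);`, while the vertical-scanline check and the pre-existing error path shown as context use `return (-1);`. The callers are outside this patch, so if any of them tests the result with `< 0`, the three paths returning 1 would be treated as success for an image that was just rejected; either use `return (-1);` throughout or confirm every caller tests for non-zero. The four messages are likewise split between `DEBUG:` and `ERROR:` prefixes for the same outcome, and a single level, preferably `ERROR:`, would make a rejected file visible in the job log. The sample-count check constrains only PHOTOMETRIC_RGB and PHOTOMETRIC_SEPARATED; whether other photometric values can still reach the row loops with an unexpected `samples` is not visible in these hunks and should be confirmed.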
diff -Nru libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch
--- libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,41 @@
+From fd01543f372ca3ba1f1c27bd3427110fa0094e3f Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 21:10:56 +0100
+Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+---
+ cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+Index: libcupsfilters-2.0.0/cupsfilters/pdftoraster.cxx
+===================================================================
+--- libcupsfilters-2.0.0.orig/cupsfilters/pdftoraster.cxx 2025-11-20 13:30:34.444758465 +0100
++++ libcupsfilters-2.0.0/cupsfilters/pdftoraster.cxx 2025-11-20 13:30:34.440758433 +0100
+@@ -1609,6 +1609,20 @@
+ doc->header.cupsPageSize[0] = l;
+ else
+ doc->header.cupsPageSize[1] = l;
++
++ //
++ // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++ // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++ //
++ if (doc->header.cupsPageSize[0] > 14400) {
++ fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]);
++ doc->header.cupsPageSize[0] = 14400;
++ }
++ if (doc->header.cupsPageSize[1] > 14400) {
++ fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]);
++ doc->header.cupsPageSize[1] = 14400;
++ }
++
+ if (rotate == 90 || rotate == 270)
+ {
+ doc->header.cupsImagingBBox[0] =
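Review bot: The clamp bounds only the upper end of `cupsPageSize[]`, and because the value is floating point (it is printed with `%.2f`), the comparison `> 14400` lets a NaN pass unchanged; `if (!(doc->header.cupsPageSize[0] <= 14400))` would catch that case too, and a lower bound is worth adding if non-positive sizes can reach this point. The allocation that overflowed is outside this hunk, so these lines do not show whether the 14400pt limit alone keeps the pixel-line size in range once resolution and bytes per pixel are applied; an overflow check at the allocation itself would make the fix independent of this limit. The literal 14400 is repeated in both comparisons and both assignments and would read better as one named constant. The messages are tagged `ERROR:` although processing continues with the cropped size.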
diff -Nru libcupsfilters-2.0.0/debian/patches/series libcupsfilters-2.0.0/debian/patches/series
--- libcupsfilters-2.0.0/debian/patches/series 2024-09-26 23:45:05.000000000 +0200
+++ libcupsfilters-2.0.0/debian/patches/series 2025-11-20 10:45:05.000000000 +0100
@@ -1 +1,5 @@
CVE-2024-47076.patch
+
+CVE-2025-57812.patch
+CVE-2025-64503.patch
+