Bug#1121391: trixie-pu: cups-filters/1.28.17-6+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for cups-filters fixes CVE-2025-64524,
CVE-2025-64503, and CVE-2025-57812 in Trixie. All CVEs are marked as
no-dsa by the security team.
The same patches have been uploaded to unstable and nobody has complained yet.
The version of this package in all releases is almost identical.
Thorsten
diff -Nru cups-filters-1.28.17/debian/changelog cups-filters-1.28.17/debian/changelog
--- cups-filters-1.28.17/debian/changelog 2025-03-15 12:45:05.000000000 +0100
+++ cups-filters-1.28.17/debian/changelog 2025-11-20 10:45:05.000000000 +0100
@@ -1,3 +1,21 @@
+cups-filters (1.28.17-6+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-64503
+ fix an out of bounds write vulnerability when processing crafted
+ PDF files containing a large 'Mediabox' value.
+ (Closes: #1120698)
+
+ * CVE-2025-57812
+ fix an out of bounds read/write vulnerability in the processing
+ of TIFF image files.
+ (Closes: #1120704)
+
+ * CVE-2025-64524
+ fix infinite loop with crafted input raster file, that resuls
+ into a heap buffer overflow
+
+ -- Thorsten Alteholz <debian@alteholz.de> Thu, 20 Nov 2025 10:45:05 +0100
+
cups-filters (1.28.17-6) unstable; urgency=medium
* add patch 0006-qpdf-12.patch (Closes: #1100207)
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,23 @@
+From 5e5f1c5d46a043c57cbbe6e043aa95896d9c40fa Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:42:52 +0100
+Subject: [PATCH] Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 5fe89071c..5eb29abc3 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -1469,7 +1469,7 @@ _cupsImageReadTIFF(
+ }
+
+ if (lut)
+- cupsImageLut(out, img->xsize * 3, lut);
++ cupsImageLut(out, img->xsize * bpp, lut);
+
+ _cupsImagePutRow(img, 0, y, img->xsize, out);
+ }
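Review bot: The length passed to `cupsImageLut` is now `img->xsize * bpp`, but nothing at this call site says that `out` is sized from the same product, which is presumably the invariant the fix relies on. A comment such as `/* out holds img->xsize * bpp bytes; never pass a hard-coded channel count */` would keep the two in step. Only one call is visible here and `_cupsImageReadTIFF` starts and ends outside the hunk, so any other `cupsImageLut` calls in the function should be checked for the same literal `3`.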
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,30 @@
+From 7bd588a1fc5c99ac0b1951beb1b54b438137a7b5 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:44:59 +0100
+Subject: [PATCH] Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 5eb29abc3..48fc8a28b 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -129,6 +129,15 @@ _cupsImageReadTIFF(
+ if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+ bits = 1;
+
++ if (bits == 1 && samples > 1)
++ {
++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ /*
+ * Get the image orientation...
+ */
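Review bot: The new rejection paths in this series do not agree on how they report failure. This check logs at `ERROR:` and returns `-1`, as does the orientation check in CVE-2025-57812-5, while the checks added in CVE-2025-57812-3 and CVE-2025-57812-4 log at `DEBUG:` and return `1`. Whether callers of `_cupsImageReadTIFF` treat the two values alike is not visible here, so either use one convention for all four or state the intended difference in a comment. The condition also reads `samples`, whose assignment lies outside the hunk and has to precede this point.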
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,39 @@
+From 719c557c9a29db32b855e6e108d7f4e7c5397613 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:46:10 +0100
+Subject: [PATCH] Reject images where the number of samples does not correspond
+ with the color space
+
+3. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 48fc8a28b..a207f7ce9 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -204,6 +204,23 @@ _cupsImageReadTIFF(
+ else
+ alpha = 0;
+
++ /*
++ * Check whether number of samples per pixel corresponds with color space
++ */
++
++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++ {
++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
++ "Color space: %s; Samples per pixel: %d\n",
++ (photometric == PHOTOMETRIC_RGB ? "RGB" :
++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
++ samples);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ /*
+ * Check the size of the image...
+ */
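Review bot: The sample-count check constrains only `PHOTOMETRIC_RGB` and `PHOTOMETRIC_SEPARATED`, so grayscale and palette images pass through with whatever `samples` value the file declares. If the row-conversion code later in `_cupsImageReadTIFF` (outside this hunk) also derives buffer offsets from `samples` for those colour spaces, they need an equivalent bound. The `"Unknown"` arm of the nested conditional cannot be reached under the enclosing `if` condition and could be dropped.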
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,38 @@
+From cb927006747b797aa9163cd0cbd41b9bbdf05db0 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:50:10 +0100
+Subject: [PATCH] Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index a207f7ce9..04ec0719a 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -43,6 +43,7 @@ _cupsImageReadTIFF(
+ TIFF *tif; /* TIFF file */
+ uint32_t width, height; /* Size of image */
+ uint16_t photometric, /* Colorspace */
++ planar, /* Color components in separate planes */
+ compression, /* Type of compression */
+ orientation, /* Orientation */
+ resunit, /* Units for resolution */
+@@ -115,6 +116,15 @@ _cupsImageReadTIFF(
+ return (-1);
+ }
+
++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++ planar == PLANARCONFIG_SEPARATE)
++ {
++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+ {
+ fputs("DEBUG: No compression tag in the file!\n", stderr);
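Review bot: The planar check rejects every file that declares `PLANARCONFIG_SEPARATE`, including single-sample images, for which the TIFF specification treats the planar configuration as irrelevant. If rejecting those as well is a deliberate simplification, say so next to the test, e.g. `/* Reject all planar files, even single-sample ones, rather than special-casing them */`. Otherwise the test would have to run after the samples-per-pixel value is known, which is read outside this hunk.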
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,29 @@
+From 5122052dd8f06949242099401c59f6c3b14e61c3 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:57:07 +0100
+Subject: [PATCH] Reject images with vertical scanlines
+
+5. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 04ec0719a..e9a78d3d5 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -303,6 +303,14 @@ _cupsImageReadTIFF(
+ break;
+ }
+
++ if (orientation >= ORIENTATION_LEFTTOP)
++ {
++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ switch (orientation)
+ {
+ case ORIENTATION_TOPRIGHT :
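Review bot: The test `orientation >= ORIENTATION_LEFTTOP` depends on the numeric ordering of libtiff's orientation constants, which a reader cannot see from this line. A comment such as `/* ORIENTATION_LEFTTOP..ORIENTATION_LEFTBOT (5-8) transpose rows and columns; larger values are invalid */` would document why a range comparison is used. The check sits after earlier setup in `_cupsImageReadTIFF`, whose body extends beyond the hunk, so confirm that nothing acquired before this point needs releasing besides `tif` and `fp`.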
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,39 @@
+From 50d94ca0f2fa6177613c97c59791bde568631865 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:31:48 +0100
+Subject: [PATCH] Fix out-of-bounds write in pdftoraster
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+---
+ filter/pdftoraster.cxx | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: cups-filters/filter/pdftoraster.cxx
+===================================================================
+--- cups-filters.orig/filter/pdftoraster.cxx 2025-11-20 15:15:39.795443588 +0100
++++ cups-filters/filter/pdftoraster.cxx 2025-11-20 15:15:39.791443557 +0100
+@@ -1688,6 +1688,18 @@
+ header.PageSize[0] = (unsigned)l;
+ else
+ header.PageSize[1] = (unsigned)l;
++ /*
++ Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++ https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++ */
++ if (header.PageSize[0] > 14400) {
++ fprintf(stderr, "ERROR: Page width is %dpt, too large, cropping to 14400pt\n", header.PageSize[0]);
++ header.PageSize[0] = 14400;
++ }
++ if (header.PageSize[1] > 14400) {
++ fprintf(stderr, "ERROR: Page height is %dpt, too large, cropping to 14400pt\n", header.PageSize[1]);
++ header.PageSize[1] = 14400;
++ }
+
+ memset(paperdimensions, 0, sizeof(paperdimensions));
+ memset(margins, 0, sizeof(margins));
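Review bot: The two new `fprintf` calls print `header.PageSize[n]` with `%d`, but the values are stored through an `(unsigned)` cast just above, so the specifier should be `%u`, as in `"ERROR: Page width is %upt, too large, cropping to 14400pt\n"`. The clamp also runs only after `(unsigned)l`. If `l` is a floating-point value derived from the PDF (its declaration is outside the hunk), an out-of-range conversion is already undefined before the clamp is reached, so bounding `l` before the cast would be safer. The literal 14400 appears four times in code and would read better as one named constant.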
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch 2025-11-20 10:45:05.000000000 +0100
@@ -0,0 +1,79 @@
+From b03866fd2e251a6d822a5e8c807c8d47b4d2dce2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 12 Nov 2025 16:02:20 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index 3e7c129da..1015308da 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -818,10 +818,10 @@ StartPage(ppd_file_t *ppd, /* I - PPD file */
+ }
+
+ if (header->cupsCompression)
+- CompBuffer = malloc(DotBufferSize * 4);
++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+
+ if (header->cupsCompression >= 3)
+- SeedBuffer = malloc(DotBufferSize);
++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+
+ SeedInvalid = 1;
+
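Review bot: `calloc(DotBufferSize * 4, sizeof(unsigned char))` still performs the multiplication before the call, so calloc's own overflow check never sees it. Writing `CompBuffer = calloc(DotBufferSize, 4);` lets the allocator reject a size that would wrap. Neither allocation result is tested for NULL in the lines shown, and `StartPage` continues outside the hunk, so confirm a check exists before `CompBuffer` and `SeedBuffer` are used.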
+@@ -1152,6 +1152,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
+ seed ++;
+ count ++;
+ }
++
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
+ }
+
+ /*
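Review bot: Breaking out on `count == 0` ends the compression loop with no diagnostic, so a malformed line is silently truncated in the output; the same applies to the two later `CompressData` hunks at -1245 and -1416. A line such as `fputs("DEBUG: CompressData: no data to compress, stopping line\n", stderr);` before each `break` would make the condition visible in the filter log. The guard stops the no-progress loop, but none of the three hunks shows a bound on `comp_ptr` against the size of `CompBuffer`, so it is worth confirming whether writes are limited elsewhere in the function, which extends beyond these hunks. The added `//` comments also differ from the `/* */` style of the surrounding context.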
+@@ -1245,6 +1252,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
+
+ count = line_ptr - start;
+
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
++
+ #if 0
+ fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+ offset, count, comp_ptr, comp_ptr - CompBuffer,
+@@ -1416,6 +1430,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
+
+ count = (line_ptr - start) / 3;
+
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
++
+ /*
+ * Place mode 10 compression data in the buffer; each sequence
+ * starts with a command byte that looks like:
+--
+2.51.1
+
diff -Nru cups-filters-1.28.17/debian/patches/series cups-filters-1.28.17/debian/patches/series
--- cups-filters-1.28.17/debian/patches/series 2025-03-15 12:45:05.000000000 +0100
+++ cups-filters-1.28.17/debian/patches/series 2025-11-20 10:45:05.000000000 +0100
@@ -4,3 +4,11 @@
0004-CVE-2024-47076.patch
0005-CVE-2024-47176.patch
0006-qpdf-12.patch
+
+CVE-2025-57812-1.patch
+CVE-2025-57812-2.patch
+CVE-2025-57812-3.patch
+CVE-2025-57812-4.patch
+CVE-2025-57812-5.patch
+CVE-2025-64503.patch
+CVE-2025-64524.patch