libcupsfilters: patch CVE-2025-57812

Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-01 13:58:06 +00:00 · 2025-12-16 12:43:27 +05:30 · 2025-12-16 12:43:27 +05:30 · af50080591
commit af50080591
parent a0292cd209
2 changed files with 130 additions and 0 deletions
--- a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch
+++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch
@ -0,0 +1,129 @@
+From f62b9dffa58b19d0292c41ba826aad79062e2be6 Mon Sep 17 00:00:00 2001
+From: zdohnal <zdohnal@redhat.com>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5.  fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
+
+CVE: CVE-2025-57812
+Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa]
+(cherry picked from commit b69dfacec7f176281782e2f7ac44f04bf9633cfa)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index d92cce25..ff0a0fb3 100644
+--- a/cupsfilters/image-tiff.c
+++ b/cupsfilters/image-tiff.c
+@@ -41,6 +41,7 @@ _cfImageReadTIFF(
+   TIFF		*tif;			// TIFF file
+   uint32_t	width, height;		// Size of image
+   uint16_t	photometric,		// Colorspace
+    planar,         // Color components in separate planes
+ 		compression,		// Type of compression
+ 		orientation,		// Orientation
+ 		resunit,		// Units for resolution
+@@ -113,6 +114,15 @@ _cfImageReadTIFF(
+     return (-1);
+   }
+ 
+  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
+      planar == PLANARCONFIG_SEPARATE)
+  {
+    fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+   {
+     DEBUG_puts("DEBUG: No compression tag in the file!\n");
+@@ -127,6 +137,15 @@ _cfImageReadTIFF(
+   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+     bits = 1;
+ 
+  if (bits == 1 && samples > 1)
+  {
+    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
+                    "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+   //
+   // Get the image orientation...
+   //
+@@ -193,6 +212,23 @@ _cfImageReadTIFF(
+   else
+     alpha = 0;
+ 
+  //
+  // Check whether number of samples per pixel corresponds with color space
+  //
+
+  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
+      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
+  {
+    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
+                    "Color space: %s; Samples per pixel: %d\n",
+                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
+                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
+                    samples);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+   //
+   // Check the size of the image...
+   //
+@@ -265,6 +301,14 @@ _cfImageReadTIFF(
+         break;
+   }
+ 
+  if (orientation >= ORIENTATION_LEFTTOP)
+  {
+    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
+    TIFFClose(tif);
+    fclose(fp);
+    return (-1);
+  }
+
+   switch (orientation)
+   {
+     case ORIENTATION_TOPRIGHT :
+@@ -1467,7 +1511,7 @@ _cfImageReadTIFF(
+ 	      }
+ 
+ 	      if (lut)
+-	        cfImageLut(out, img->xsize * 3, lut);
+	        cfImageLut(out, img->xsize * bpp, lut);
+ 
+               _cfImagePutRow(img, 0, y, img->xsize, out);
+             }
--- a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb
+++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb
@ -9,6 +9,7 @@ SRC_URI = " \
 	https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
 	file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
 	file://0001-CVE-2024-47076.patch \
+	file://CVE-2025-57812.patch \
 "
 SRC_URI[sha256sum] = "542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601"