From c8f7748616ad4dba3928a473f5b747d34a91ceca Mon Sep 17 00:00:00 2001 From: Ankur Tyagi Date: Wed, 24 Dec 2025 11:31:49 +0530 Subject: [PATCH] cups-filters: patch CVE-2025-64524 Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal --- .../cups/cups-filters/CVE-2025-64524.patch | 81 +++++++++++++++++++ .../cups/cups-filters_2.0.0.bb | 1 + 2 files changed, 82 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch new file mode 100644 index 0000000000..80671ee484 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch @@ -0,0 +1,81 @@ +From a6cc1c750006a8ac4e5d692f3a7d9ade479519ec Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Wed, 12 Nov 2025 15:47:24 +0100 +Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file + +Infinite loop happened because of crafted input raster file, which led +into heap buffer overflow of `CompressBuf` array. + +Based on comments there should be always some `count` when compressing +the data, and processing of crafted file ended with offset and count +being 0. + +Fixes CVE-2025-64524 + +CVE: CVE-2025-64524 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011] +(cherry picked from commit 0fe46c511e81062575b05936f804eb18c9f0a011) +Signed-off-by: Ankur Tyagi +--- + filter/rastertopclx.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c +index ded86f114..39cb378bf 100644 +--- a/filter/rastertopclx.c ++++ b/filter/rastertopclx.c +@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data + } + + if (header->cupsCompression) +- CompBuffer = malloc(DotBufferSize * 4); ++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char)); + + if (header->cupsCompression >= 3) +- SeedBuffer = malloc(DotBufferSize); ++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char)); + + SeedInvalid = 1; + +@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress + seed ++; + count ++; + } ++ ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; + } + + // +@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = line_ptr - start; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + #if 0 + fprintf(stderr, + "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n", +@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = (line_ptr - start) / 3; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + // + // Place mode 10 compression data in the buffer; each sequence + // starts with a command byte that looks like: diff --git a/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb b/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb index efcd1aab8a..f9242379c1 100644 --- a/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb +++ b/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb @@ -8,6 +8,7 @@ DEPENDS = "libcupsfilters libppd glib-2.0 poppler" SRC_URI = " \ https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ file://fix-make-race.patch \ + file://CVE-2025-64524.patch \ " SRC_URI[sha256sum] = "b5152e3dd148ed73835827ac2f219df7cf5808dbf9dbaec2aa0127b44de800d8"