diff mbox series

[meta-oe,scarthgap,1/2] cups-filters: patch CVE-2025-64524

Message ID 20251224060150.1294484-1-ankur.tyagi85@gmail.com
State New
Headers show
Series [meta-oe,scarthgap,1/2] cups-filters: patch CVE-2025-64524 | expand

Commit Message

Ankur Tyagi Dec. 24, 2025, 6:01 a.m. UTC 
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../cups/cups-filters/CVE-2025-64524.patch    | 81 +++++++++++++++++++
 .../cups/cups-filters_2.0.0.bb                |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
new file mode 100644
index 0000000000..80671ee484
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
@@ -0,0 +1,81 @@ 
+From a6cc1c750006a8ac4e5d692f3a7d9ade479519ec Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 12 Nov 2025 15:47:24 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+
+CVE: CVE-2025-64524
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011]
+(cherry picked from commit 0fe46c511e81062575b05936f804eb18c9f0a011)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index ded86f114..39cb378bf 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t      *data,	// I - filter data
+   }
+ 
+   if (header->cupsCompression)
+-    CompBuffer = malloc(DotBufferSize * 4);
++    CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+ 
+   if (header->cupsCompression >= 3)
+-    SeedBuffer = malloc(DotBufferSize);
++    SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+ 
+   SeedInvalid = 1;
+ 
+@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+               seed ++;
+               count ++;
+             }
++
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
+ 	  }
+ 
+ 	  //
+@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+ 
+             count = line_ptr - start;
+ 
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
++
+ #if 0
+             fprintf(stderr,
+ 		    "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+ 
+             count = (line_ptr - start) / 3;
+ 
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
++
+ 	    //
+ 	    // Place mode 10 compression data in the buffer; each sequence
+ 	    // starts with a command byte that looks like:
diff --git a/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb b/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb
index efcd1aab8a..f9242379c1 100644
--- a/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb
+++ b/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb
@@ -8,6 +8,7 @@  DEPENDS = "libcupsfilters libppd glib-2.0 poppler"
 SRC_URI = " \
 	https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
 	file://fix-make-race.patch \
+	file://CVE-2025-64524.patch \
 "
 SRC_URI[sha256sum] = "b5152e3dd148ed73835827ac2f219df7cf5808dbf9dbaec2aa0127b44de800d8"