[meta-oe,kirkstone,6/8] cups-filters: patch CVE-2025-64524

Message ID	20251225125139.2436941-6-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.51, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 6/8] cups-filters: patch CVE-2025-64524 Date: Thu, 25 Dec 2025 13:51:37 +0100 Message-ID: <20251225125139.2436941-6-skandigraun@gmail.com> In-Reply-To: <20251225125139.2436941-1-skandigraun@gmail.com> References: <20251225125139.2436941-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-networking,kirkstone,1/8] mtr: patch CVE-2025-49809 \| expand [meta-networking,kirkstone,1/8] mtr: patch CVE-2025-49809 [meta-multimedia,kirkstone,2/8] mpd: Update status for CVE-2020-7465 and CVE-2020-7466 [meta-oe,kirkstone,3/8] nanopb: patch CVE-2024-53984 [meta-oe,kirkstone,4/8] redis: ignore CVE-2025-46686 [meta-oe,kirkstone,5/8] cups-filters: patch CVE-2025-57812 [meta-oe,kirkstone,6/8] cups-filters: patch CVE-2025-64524 [meta-oe,kirkstone,7/8] cups-filters: patch CVE-2023-24805 [meta-oe,kirkstone,8/8] dbus-broker: patch CVE-2022-31212

Message ID

20251225125139.2436941-6-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 6/8] cups-filters: patch CVE-2025-64524
Date: Thu, 25 Dec 2025 13:51:37 +0100
Message-ID: <20251225125139.2436941-6-skandigraun@gmail.com>
In-Reply-To: <20251225125139.2436941-1-skandigraun@gmail.com>
References: <20251225125139.2436941-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-networking,kirkstone,1/8] mtr: patch CVE-2025-49809 | expand

Commit Message

Gyorgy Sarvari Dec. 25, 2025, 12:51 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Pick the patch referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../recipes-printing/cups/cups-filters.inc    |  1 +
 .../cups/cups-filters/CVE-2025-64524.patch    | 81 +++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch

diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc
index 26a7c5037a..fe87ac98ae 100644
--- a/meta-oe/recipes-printing/cups/cups-filters.inc
+++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -11,6 +11,7 @@  DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat
 
 SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
            file://CVE-2025-57812.patch \
+           file://CVE-2025-64524.patch \
            "
 
 inherit autotools-brokensep gettext pkgconfig
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
new file mode 100644
index 0000000000..f3481ddaa5
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
@@ -0,0 +1,81 @@ 
+From 3f24ec5518f3f7f9a7020cd88bb9bbf4e81475fe Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 12 Nov 2025 15:47:24 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+
+CVE: CVE-2025-64524
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ filter/rastertopclx.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index 3e7c129..b20d195 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -818,10 +818,10 @@ StartPage(ppd_file_t         *ppd,	/* I - PPD file */
+   }
+ 
+   if (header->cupsCompression)
+-    CompBuffer = malloc(DotBufferSize * 4);
++    CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+ 
+   if (header->cupsCompression >= 3)
+-    SeedBuffer = malloc(DotBufferSize);
++    SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+ 
+   SeedInvalid = 1;
+ 
+@@ -1152,6 +1152,14 @@ CompressData(unsigned char *line,	/* I - Data to compress */
+               seed ++;
+               count ++;
+             }
++
++           //
++           // Bail out if we don't have count to compress
++           //
++
++           if (count == 0)
++             break;
++
+ 	  }
+ 
+          /*
+@@ -1245,6 +1253,13 @@ CompressData(unsigned char *line,	/* I - Data to compress */
+ 
+             count = line_ptr - start;
+ 
++           //
++           // Bail out if we don't have count to compress
++           //
++
++           if (count == 0)
++             break;
++
+ #if 0
+             fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+ 	            offset, count, comp_ptr, comp_ptr - CompBuffer,
+@@ -1416,6 +1431,13 @@ CompressData(unsigned char *line,	/* I - Data to compress */
+ 
+             count = (line_ptr - start) / 3;
+ 
++           //
++           // Bail out if we don't have count to compress
++           //
++
++           if (count == 0)
++             break;
++
+            /*
+             * Place mode 10 compression data in the buffer; each sequence
+ 	    * starts with a command byte that looks like:

[meta-oe,kirkstone,6/8] cups-filters: patch CVE-2025-64524

Commit Message

Patch