[meta-oe,4/9] libcupsfilters: patch CVE-2025-64503

Message ID	20260202163714.2359370-4-skandigraun@gmail.com
State	Under Review
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 4/9] libcupsfilters: patch CVE-2025-64503 Date: Mon, 2 Feb 2026 17:37:09 +0100 Message-ID: <20260202163714.2359370-4-skandigraun@gmail.com> In-Reply-To: <20260202163714.2359370-1-skandigraun@gmail.com> References: <20260202163714.2359370-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-gnome,1/9] gimp: mark CVE-2025-15059 patched \| expand [meta-gnome,1/9] gimp: mark CVE-2025-15059 patched [meta-webserver,2/9] hiawatha: upgrade 11.7 -> 11.8 [meta-oe,3/9] libcdio: upgrade 2.2.0 -> 2.3.0 [meta-oe,4/9] libcupsfilters: patch CVE-2025-64503 [meta-oe,5/9] ndpi: ignore CVE-2025-25066 [meta-oe,6/9] proftpd: ignore CVE-2021-47865 [meta-oe,7/9] python3-pyjwt: ignore CVE-2025-45768 [meta-oe,8/9] python3-pyjwt: upgrade 2.10.1 -> 2.11.0 [meta-oe,9/9] xrdp: upgrade 0.10.4.1 -> 0.10.5

Message ID

20260202163714.2359370-4-skandigraun@gmail.com

State

Under Review

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 4/9] libcupsfilters: patch CVE-2025-64503
Date: Mon,  2 Feb 2026 17:37:09 +0100
Message-ID: <20260202163714.2359370-4-skandigraun@gmail.com>
In-Reply-To: <20260202163714.2359370-1-skandigraun@gmail.com>
References: <20260202163714.2359370-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-gnome,1/9] gimp: mark CVE-2025-15059 patched | expand

Commit Message

Gyorgy Sarvari Feb. 2, 2026, 4:37 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503

Pick the patch that explicitly refernces the CVE ID in its message.
(The NVD advisory mentions only the cups-filters patch, but
the developer indicated the CVE ID in the libcupsfilters patch also)

Between this recipe version and the patch the project has decided to
eliminate c++ from the project, and use c only. The patch however
is straightforward enough that it could be backported with very small
modifications.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../cups/libcupsfilters/CVE-2025-64503.patch  | 47 +++++++++++++++++++
 .../cups/libcupsfilters_2.1.1.bb              |  8 ++--
 2 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100644 meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch

diff --git a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
new file mode 100644
index 0000000000..b70586296e
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
@@ -0,0 +1,47 @@ 
+From da9a7db3b9125c87b11c43b05354ca2eb21ed684 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 10 Nov 2025 21:10:56 +0100
+Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()
+
+From: Till Kamppeter <till.kamppeter@gmail.com>
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+
+CVE: CVE-2025-64503
+Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/fd01543f372ca3ba1f1c27bd3427110fa0094e3f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/cupsfilters/pdftoraster.cxx b/cupsfilters/pdftoraster.cxx
+index 0235b54..09583df 100644
+--- a/cupsfilters/pdftoraster.cxx
++++ b/cupsfilters/pdftoraster.cxx
+@@ -1606,6 +1606,20 @@ out_page(pdftoraster_doc_t *doc,
+   l = inputPageBox.height();
+   if (l < 0)
+     l = -l;
++
++  //
++  // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++  // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++  //
++  if (doc->header.cupsPageSize[0] > 14400) {
++    fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]);
++    doc->header.cupsPageSize[0] = 14400;
++  }
++  if (doc->header.cupsPageSize[1] > 14400) {
++    fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]);
++    doc->header.cupsPageSize[1] = 14400;
++  }
++
+   if (rotate == 90 || rotate == 270)
+     doc->header.cupsPageSize[0] = l;
+   else
diff --git a/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb b/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
index 51d8c4f18b..311f33e134 100644
--- a/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
+++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
@@ -5,10 +5,10 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=aab2024bd2a475438a154cd1640c9684"
 
 DEPENDS = "cups fontconfig libexif dbus lcms qpdf poppler libpng jpeg tiff"
 
-SRC_URI = " \
-	https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
-	file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
-"
+SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
+           file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
+           file://CVE-2025-64503.patch \
+           "
 SRC_URI[sha256sum] = "6c303e36cfde05a6c88fb940c62b6a18e7cdbfb91f077733ebc98f104925ce36"
 
 inherit autotools gettext pkgconfig github-releases

[meta-oe,4/9] libcupsfilters: patch CVE-2025-64503

Commit Message

Patch