[meta-oe,kirkstone,1/7] cups-filters: patch CVE-2025-64503

Message ID 20260226144624.3743168-1-skandigraun@gmail.com
State New

Commit Message

Gyorgy Sarvari Feb. 26, 2026, 2:46 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503

Pick the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../recipes-printing/cups/cups-filters.inc    |  1 +
 .../cups/cups-filters/CVE-2025-64503.patch    | 43 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch

Patch

diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc
index ddd6451ccc..401ca9a9e9 100644
--- a/meta-oe/recipes-printing/cups/cups-filters.inc
+++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -13,6 +13,7 @@  SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.
            file://CVE-2025-57812.patch \
            file://CVE-2025-64524.patch \
            file://CVE-2023-24805.patch \
+           file://CVE-2025-64503.patch \
            "
 
 inherit autotools-brokensep gettext pkgconfig
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch
new file mode 100644
index 0000000000..32ded99d92
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch
@@ -0,0 +1,43 @@ 
+From 019bb270f0a8a1db4761e580dc7bb636c1586555 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 18:31:48 +0100
+Subject: [PATCH] Fix out-of-bounds write in pdftoraster
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+
+CVE: CVE-2025-64503
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ filter/pdftoraster.cxx | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/filter/pdftoraster.cxx b/filter/pdftoraster.cxx
+index e8af184..e6fc573 100755
+--- a/filter/pdftoraster.cxx
++++ b/filter/pdftoraster.cxx
+@@ -1688,6 +1688,18 @@ static void outPage(poppler::document *doc, int pageNo,
+     header.PageSize[0] = (unsigned)l;
+   else
+     header.PageSize[1] = (unsigned)l;
++  /*
++    Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++    https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++  */
++  if (header.PageSize[0] > 14400) {
++    fprintf(stderr, "ERROR: Page width is %dpt, too large, cropping to 14400pt\n", header.PageSize[0]);
++    header.PageSize[0] = 14400;
++  }
++  if (header.PageSize[1] > 14400) {
++    fprintf(stderr, "ERROR: Page height is %dpt, too large, cropping to 14400pt\n", header.PageSize[1]);
++    header.PageSize[1] = 14400;
++  }
+ 
+   memset(paperdimensions, 0, sizeof(paperdimensions));
+   memset(margins, 0, sizeof(margins));
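
Review bot: the two added fprintf calls in the filter/pdftoraster.cxx change format header.PageSize[0] and header.PageSize[1] with `%d`, while the context lines directly above assign those fields from `(unsigned)l`, so `%u` is the matching specifier; with `%d`, an oversized value above INT_MAX would be logged as a negative number in exactly the case this check is meant to report. Because this file is a backport, it is better to raise that upstream than to diverge from the upstream patch here. Separately, the mbox header line names commit 019bb270f0a8a1db4761e580dc7bb636c1586555 while Upstream-Status points at 50d94ca0f2fa6177613c97c59791bde568631865; a short note saying which branch each hash comes from would make the provenance easier to verify.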