MIRRORS/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2025-12-13 22:05:27 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

cups-filters: patch CVE-2025-64524

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Pick the patch mentioned in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Gyorgy Sarvari 2025-12-09 16:39:51 +01:00 committed by Khem Raj
parent bfb76da63b
commit 056ee43dd1
No known key found for this signature in database
GPG Key ID: BB053355919D3314
2 changed files with 87 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch Normal file
View File

@ -0,0 +1,82 @@
From 4230ceaec8a6751f724a0d556ce4650d52a83a02 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari <skandigraun@gmail.com>
Date: Wed, 12 Nov 2025 15:47:24 +0100
Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
From: Zdenek Dohnal <zdohnal@redhat.com>
Infinite loop happened because of crafted input raster file, which led
into heap buffer overflow of `CompressBuf` array.
Based on comments there should be always some `count` when compressing
the data, and processing of crafted file ended with offset and count
being 0.
Fixes CVE-2025-64524
CVE: CVE-2025-64524
Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
filter/rastertopclx.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
index ded86f1..39cb378 100644
--- a/filter/rastertopclx.c
+++ b/filter/rastertopclx.c
@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data
}
if (header->cupsCompression)
- CompBuffer = malloc(DotBufferSize * 4);
+ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
if (header->cupsCompression >= 3)
- SeedBuffer = malloc(DotBufferSize);
+ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
SeedInvalid = 1;
@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress
seed ++;
count ++;
}
+
+ //
+ // Bail out if we don't have count to compress
+ //
+
+ if (count == 0)
+ break;
}
//
@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress
count = line_ptr - start;
+ //
+ // Bail out if we don't have count to compress
+ //
+
+ if (count == 0)
+ break;
+
#if 0
fprintf(stderr,
"DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress
count = (line_ptr - start) / 3;
+ //
+ // Bail out if we don't have count to compress
+ //
+
+ if (count == 0)
+ break;
+
//
// Place mode 10 compression data in the buffer; each sequence
// starts with a command byte that looks like:

10
meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb
View File

@ -5,11 +5,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6d5b952b53dbe7752199903d082e5f07"
DEPENDS = "libcupsfilters libppd glib-2.0 poppler"
SRC_URI = " \
https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://fix-make-race.patch \
file://0001-Fix-build-failure-with-GCC-15-and-std-c23.patch \
"
SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://fix-make-race.patch \
file://0001-Fix-build-failure-with-GCC-15-and-std-c23.patch \
file://CVE-2025-64524.patch \
"
SRC_URI[sha256sum] = "39e71de3ce06762b342749f1dc7cba6817738f7bf4d322c1bb9ab10b8569ab80"
UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups-filters/releases"