From 056ee43dd1d0e46a9b40339e877a4bf76cf8196b Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Tue, 9 Dec 2025 16:39:51 +0100 Subject: [PATCH] cups-filters: patch CVE-2025-64524 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- .../cups/cups-filters/CVE-2025-64524.patch | 82 +++++++++++++++++++ .../cups/cups-filters_2.0.1.bb | 10 +-- 2 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch new file mode 100644 index 0000000000..b8338e333a --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch @@ -0,0 +1,82 @@ +From 4230ceaec8a6751f724a0d556ce4650d52a83a02 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 12 Nov 2025 15:47:24 +0100 +Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file + +From: Zdenek Dohnal + +Infinite loop happened because of crafted input raster file, which led +into heap buffer overflow of `CompressBuf` array. + +Based on comments there should be always some `count` when compressing +the data, and processing of crafted file ended with offset and count +being 0. + +Fixes CVE-2025-64524 + +CVE: CVE-2025-64524 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06] +Signed-off-by: Gyorgy Sarvari +--- + filter/rastertopclx.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c +index ded86f1..39cb378 100644 +--- a/filter/rastertopclx.c ++++ b/filter/rastertopclx.c +@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data + } + + if (header->cupsCompression) +- CompBuffer = malloc(DotBufferSize * 4); ++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char)); + + if (header->cupsCompression >= 3) +- SeedBuffer = malloc(DotBufferSize); ++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char)); + + SeedInvalid = 1; + +@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress + seed ++; + count ++; + } ++ ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; + } + + // +@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = line_ptr - start; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + #if 0 + fprintf(stderr, + "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n", +@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = (line_ptr - start) / 3; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + // + // Place mode 10 compression data in the buffer; each sequence + // starts with a command byte that looks like: diff --git a/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb b/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb index e488bd3039..a6eedda5d7 100644 --- a/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb +++ b/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb @@ -5,11 +5,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6d5b952b53dbe7752199903d082e5f07" DEPENDS = "libcupsfilters libppd glib-2.0 poppler" -SRC_URI = " \ - https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ - file://fix-make-race.patch \ - file://0001-Fix-build-failure-with-GCC-15-and-std-c23.patch \ -" +SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ + file://fix-make-race.patch \ + file://0001-Fix-build-failure-with-GCC-15-and-std-c23.patch \ + file://CVE-2025-64524.patch \ + " SRC_URI[sha256sum] = "39e71de3ce06762b342749f1dc7cba6817738f7bf4d322c1bb9ab10b8569ab80" UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups-filters/releases"