Source: libcupsfilters Version: 2.0.0-3 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: clone -1 -2 Control: reassign -2 src:cups-filters 1.28.17-6 Control: retitle -2 src:cups-filters CVE-2025-57812
Hi, The following vulnerability was published for libcupsfilters. CVE-2025-57812[0]: | CUPS is a standards-based, open-source printing system, and | `libcupsfilters` contains the code of the filters of the former | `cups-filters` package as library functions to be used for the data | format conversion tasks needed in Printer Applications. In CUPS- | Filters versions up to and including 1.28.17 and libscupsfilters | versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter | has an out of bounds read/write vulnerability in the processing of | TIFF image files. While the pixel buffer is allocated with the | number of pixels times a pre-calculated bytes-per-pixel value, the | function which processes these pixels is called with a size of the | number of pixels times 3. When suitable inputs are passed, the | bytes-per-pixel value can be set to 1 and bytes outside of the | buffer bounds get processed. In order to trigger the bug, an | attacker must issue a print job with a crafted TIFF file, and pass | appropriate print job options to control the bytes-per-pixel value | of the output format. They must choose a printer configuration under | which the `imagetoraster` filter or its C-function equivalent | `cfFilterImageToRaster()` gets invoked. The vulnerability exists in | both CUPS-Filters 1.x and the successor library libcupsfilters | (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is | `_cfImageReadTIFF() in libcupsfilters`. When this function is | invoked as part of `cfFilterImageToRaster()`, the caller passes a | look-up-table during whose processing the out of bounds memory | access happens. In CUPS-Filters 1.x, the equivalent functions are | all found in the cups-filters repository, which is not split into | subprojects yet, and the vulnerable code is in | `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` | from the `imagetoraster` tool. A patch is available in commit | b69dfacec7f176281782e2f7ac44f04bf9633cfa. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-57812 https://www.cve.org/CVERecord?id=CVE-2025-57812 [1] https://www.openwall.com/lists/oss-security/2025/11/12/1 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
