Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1121342,
regarding trixie-pu: libcupsfilter 2.0.0-3+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
The attached debdiff for libcupsfilter fixes CVE-2025-64503 and
CVE-2025-57812 in Trixie. Both CVEs are marked as no-dsa from the security
team.
The same patches have been uploaded to unstable and nobody complained yet.
Thorsten
diff -Nru libcupsfilters-2.0.0/debian/changelog
libcupsfilters-2.0.0/debian/changelog
--- libcupsfilters-2.0.0/debian/changelog 2024-09-26 23:45:05.000000000
+0200
+++ libcupsfilters-2.0.0/debian/changelog 2025-11-20 10:45:05.000000000
+0100
@@ -1,3 +1,17 @@
+libcupsfilters (2.0.0-3+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-64503
+ fix an out of bounds write vulnerability when processing crafted
+ PDF files containing a large 'Mediabox' value.
+ (Closes: #1120697)
+
+ * CVE-2025-57812
+ fix an out of bounds read/write vulnerability in the processing
+ of TIFF image files.
+ (Closes: #1120703)
+
+ -- Thorsten Alteholz <[email protected]> Thu, 20 Nov 2025 10:45:05 +0100
+
libcupsfilters (2.0.0-3) unstable; urgency=medium
* CVE-2024-47076 (Closes: #1082821)
diff -Nru libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch
libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch
--- libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch 1970-01-01
01:00:00.000000000 +0100
+++ libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch 2025-11-20
10:45:05.000000000 +0100
@@ -0,0 +1,124 @@
+From b69dfacec7f176281782e2f7ac44f04bf9633cfa Mon Sep 17 00:00:00 2001
+From: zdohnal <[email protected]>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color
space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5. fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <[email protected]>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+Index: libcupsfilters-2.0.0/cupsfilters/image-tiff.c
+===================================================================
+--- libcupsfilters-2.0.0.orig/cupsfilters/image-tiff.c 2025-11-20
13:30:30.492726380 +0100
++++ libcupsfilters-2.0.0/cupsfilters/image-tiff.c 2025-11-20
13:30:30.492726380 +0100
+@@ -41,6 +41,7 @@
+ TIFF *tif; // TIFF file
+ uint32_t width, height; // Size of image
+ uint16_t photometric, // Colorspace
++ planar, // Color components in separate planes
+ compression, // Type of compression
+ orientation, // Orientation
+ resunit, // Units for resolution
+@@ -113,6 +114,15 @@
+ return (-1);
+ }
+
++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++ planar == PLANARCONFIG_SEPARATE)
++ {
++ fputs("DEBUG: Images with planar color configuration are not
supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+ {
+ DEBUG_puts("DEBUG: No compression tag in the file!\n");
+@@ -127,6 +137,15 @@
+ if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+ bits = 1;
+
++ if (bits == 1 && samples > 1)
++ {
++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported!
"
++ "Samples per pixel: %d; Bits per sample: %d\n", samples,
bits);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ //
+ // Get the image orientation...
+ //
+@@ -194,6 +213,23 @@
+ alpha = 0;
+
+ //
++ // Check whether number of samples per pixel corresponds with color space
++ //
++
++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++ {
++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond
to color space! "
++ "Color space: %s; Samples per pixel: %d\n",
++ (photometric == PHOTOMETRIC_RGB ? "RGB" :
++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" :
"Unknown")),
++ samples);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
++ //
+ // Check the size of the image...
+ //
+
+@@ -265,6 +301,14 @@
+ break;
+ }
+
++ if (orientation >= ORIENTATION_LEFTTOP)
++ {
++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n",
stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ switch (orientation)
+ {
+ case ORIENTATION_TOPRIGHT :
+@@ -1467,7 +1511,7 @@
+ }
+
+ if (lut)
+- cfImageLut(out, img->xsize * 3, lut);
++ cfImageLut(out, img->xsize * bpp, lut);
+
+ _cfImagePutRow(img, 0, y, img->xsize, out);
+ }
diff -Nru libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch
libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch
--- libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch 1970-01-01
01:00:00.000000000 +0100
+++ libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch 2025-11-20
10:45:05.000000000 +0100
@@ -0,0 +1,41 @@
+From fd01543f372ca3ba1f1c27bd3427110fa0094e3f Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 21:10:56 +0100
+Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()
+
+PDFs with too large page dimensions could cause an integer overflow and then a
too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard,
14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+---
+ cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+Index: libcupsfilters-2.0.0/cupsfilters/pdftoraster.cxx
+===================================================================
+--- libcupsfilters-2.0.0.orig/cupsfilters/pdftoraster.cxx 2025-11-20
13:30:34.444758465 +0100
++++ libcupsfilters-2.0.0/cupsfilters/pdftoraster.cxx 2025-11-20
13:30:34.440758433 +0100
+@@ -1609,6 +1609,20 @@
+ doc->header.cupsPageSize[0] = l;
+ else
+ doc->header.cupsPageSize[1] = l;
++
++ //
++ // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or
14400x14400 pt
++ //
https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++ //
++ if (doc->header.cupsPageSize[0] > 14400) {
++ fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to
14400pt\n", doc->header.cupsPageSize[0]);
++ doc->header.cupsPageSize[0] = 14400;
++ }
++ if (doc->header.cupsPageSize[1] > 14400) {
++ fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to
14400pt\n", doc->header.cupsPageSize[1]);
++ doc->header.cupsPageSize[1] = 14400;
++ }
++
+ if (rotate == 90 || rotate == 270)
+ {
+ doc->header.cupsImagingBBox[0] =
diff -Nru libcupsfilters-2.0.0/debian/patches/series
libcupsfilters-2.0.0/debian/patches/series
--- libcupsfilters-2.0.0/debian/patches/series 2024-09-26 23:45:05.000000000
+0200
+++ libcupsfilters-2.0.0/debian/patches/series 2025-11-20 10:45:05.000000000
+0100
@@ -1 +1,5 @@
CVE-2024-47076.patch
+
+CVE-2025-57812.patch
+CVE-2025-64503.patch
+
--- End Message ---
--- Begin Message ---
Package: release.debian.org\nVersion: 13.3\n\nThis update has been released as
part of Debian 13.3.
--- End Message ---
