[oe][meta-oe][scarthgap][PATCH 2/4] libcupsfilters: patch CVE-2025-57812

Mon, 15 Dec 2025 23:13:45 -0800 

From: Ankur Tyagi <[email protected]>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812

Signed-off-by: Ankur Tyagi <[email protected]>
---
 .../cups/libcupsfilters/CVE-2025-57812.patch  | 129 ++++++++++++++++++
 .../cups/libcupsfilters_2.0.0.bb              |   1 +
 2 files changed, 130 insertions(+)
 create mode 100644 
meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch

diff --git a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch 
b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch
new file mode 100644
index 0000000000..e6f307b26a
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch
@@ -0,0 +1,129 @@
+From f62b9dffa58b19d0292c41ba826aad79062e2be6 Mon Sep 17 00:00:00 2001
+From: zdohnal <[email protected]>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color 
space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5.  fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <[email protected]>
+
+CVE: CVE-2025-57812
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa]
+(cherry picked from commit b69dfacec7f176281782e2f7ac44f04bf9633cfa)
+Signed-off-by: Ankur Tyagi <[email protected]>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index d92cce25..ff0a0fb3 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -41,6 +41,7 @@ _cfImageReadTIFF(
+   TIFF                *tif;                   // TIFF file
+   uint32_t    width, height;          // Size of image
+   uint16_t    photometric,            // Colorspace
++    planar,         // Color components in separate planes
+               compression,            // Type of compression
+               orientation,            // Orientation
+               resunit,                // Units for resolution
+@@ -113,6 +114,15 @@ _cfImageReadTIFF(
+     return (-1);
+   }
+ 
++  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++      planar == PLANARCONFIG_SEPARATE)
++  {
++    fputs("DEBUG: Images with planar color configuration are not 
supported!\n", stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+   {
+     DEBUG_puts("DEBUG: No compression tag in the file!\n");
+@@ -127,6 +137,15 @@ _cfImageReadTIFF(
+   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+     bits = 1;
+ 
++  if (bits == 1 && samples > 1)
++  {
++    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! 
"
++                    "Samples per pixel: %d; Bits per sample: %d\n", samples, 
bits);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   //
+   // Get the image orientation...
+   //
+@@ -193,6 +212,23 @@ _cfImageReadTIFF(
+   else
+     alpha = 0;
+ 
++  //
++  // Check whether number of samples per pixel corresponds with color space
++  //
++
++  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++  {
++    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond 
to color space! "
++                    "Color space: %s; Samples per pixel: %d\n",
++                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
++                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : 
"Unknown")),
++                    samples);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   //
+   // Check the size of the image...
+   //
+@@ -265,6 +301,14 @@ _cfImageReadTIFF(
+         break;
+   }
+ 
++  if (orientation >= ORIENTATION_LEFTTOP)
++  {
++    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", 
stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (-1);
++  }
++
+   switch (orientation)
+   {
+     case ORIENTATION_TOPRIGHT :
+@@ -1467,7 +1511,7 @@ _cfImageReadTIFF(
+             }
+ 
+             if (lut)
+-              cfImageLut(out, img->xsize * 3, lut);
++              cfImageLut(out, img->xsize * bpp, lut);
+ 
+               _cfImagePutRow(img, 0, y, img->xsize, out);
+             }
diff --git a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb 
b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb
index 827172a6a1..9178829611 100644
--- a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb
+++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb
@@ -9,6 +9,7 @@ SRC_URI = " \
        
https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
        file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
        file://0001-CVE-2024-47076.patch \
+       file://CVE-2025-57812.patch \
 "
 SRC_URI[sha256sum] = 
"542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601"
 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#122677): 
https://lists.openembedded.org/g/openembedded-devel/message/122677
Mute This Topic: https://lists.openembedded.org/mt/116806369/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to