Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524
Pick the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../recipes-printing/cups/cups-filters.inc | 1 + .../cups/cups-filters/CVE-2025-64524.patch | 81 +++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 26a7c5037a..fe87ac98ae 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -11,6 +11,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \ file://CVE-2025-57812.patch \ + file://CVE-2025-64524.patch \ " inherit autotools-brokensep gettext pkgconfig diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch new file mode 100644 index 0000000000..f3481ddaa5 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch @@ -0,0 +1,81 @@ +From 3f24ec5518f3f7f9a7020cd88bb9bbf4e81475fe Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <[email protected]> +Date: Wed, 12 Nov 2025 15:47:24 +0100 +Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file + +Infinite loop happened because of crafted input raster file, which led +into heap buffer overflow of `CompressBuf` array. + +Based on comments there should be always some `count` when compressing +the data, and processing of crafted file ended with offset and count +being 0. + +Fixes CVE-2025-64524 + +CVE: CVE-2025-64524 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + filter/rastertopclx.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c +index 3e7c129..b20d195 100644 +--- a/filter/rastertopclx.c ++++ b/filter/rastertopclx.c +@@ -818,10 +818,10 @@ StartPage(ppd_file_t *ppd, /* I - PPD file */ + } + + if (header->cupsCompression) +- CompBuffer = malloc(DotBufferSize * 4); ++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char)); + + if (header->cupsCompression >= 3) +- SeedBuffer = malloc(DotBufferSize); ++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char)); + + SeedInvalid = 1; + +@@ -1152,6 +1152,14 @@ CompressData(unsigned char *line, /* I - Data to compress */ + seed ++; + count ++; + } ++ ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + } + + /* +@@ -1245,6 +1253,13 @@ CompressData(unsigned char *line, /* I - Data to compress */ + + count = line_ptr - start; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + #if 0 + fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n", + offset, count, comp_ptr, comp_ptr - CompBuffer, +@@ -1416,6 +1431,13 @@ CompressData(unsigned char *line, /* I - Data to compress */ + + count = (line_ptr - start) / 3; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + /* + * Place mode 10 compression data in the buffer; each sequence + * starts with a command byte that looks like:
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122918): https://lists.openembedded.org/g/openembedded-devel/message/122918 Mute This Topic: https://lists.openembedded.org/mt/116939930/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
