Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57812

Backport the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../recipes-printing/cups/cups-filters.inc    |   4 +-
 .../cups/cups-filters/CVE-2025-57812.patch    | 127 ++++++++++++++++++
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 
meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch

diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc 
b/meta-oe/recipes-printing/cups/cups-filters.inc
index 5952b5a2a6..26a7c5037a 100644
--- a/meta-oe/recipes-printing/cups/cups-filters.inc
+++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -9,7 +9,9 @@ SECTION = "console/utils"
 DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript 
poppler qpdf libpng"
 DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native 
pkgconfig-native gettext-native libpng-native"
 
-SRC_URI = 
"http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz";
+SRC_URI = 
"http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
+           file://CVE-2025-57812.patch \
+           "
 
 inherit autotools-brokensep gettext pkgconfig
 
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch 
b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch
new file mode 100644
index 0000000000..1af27c10c1
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch
@@ -0,0 +1,127 @@
+From c21664d57ebecb2c6ed05b38b1c39995ab14e916 Mon Sep 17 00:00:00 2001
+From: zdohnal <[email protected]>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color 
space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5.  fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <[email protected]>
+CVE: CVE-2025-57812
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 4fd8756..b34c1ef 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -43,6 +43,7 @@ _cupsImageReadTIFF(
+   TIFF                *tif;                   /* TIFF file */
+   uint32      width, height;          /* Size of image */
+   uint16      photometric,            /* Colorspace */
++              planar,                 /* Color components in separate planes 
*/
+               compression,            /* Type of compression */
+               orientation,            /* Orientation */
+               resunit,                /* Units for resolution */
+@@ -115,6 +116,15 @@ _cupsImageReadTIFF(
+     return (-1);
+   }
+ 
++  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++      planar == PLANARCONFIG_SEPARATE)
++  {
++    fputs("DEBUG: Images with planar color configuration are not 
supported!\n", stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+   {
+     fputs("DEBUG: No compression tag in the file!\n", stderr);
+@@ -129,6 +139,15 @@ _cupsImageReadTIFF(
+   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+     bits = 1;
+ 
++  if (bits == 1 && samples > 1)
++  {
++    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! 
"
++                    "Samples per pixel: %d; Bits per sample: %d\n", samples, 
bits);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+  /*
+   * Get the image orientation...
+   */
+@@ -181,6 +200,23 @@ _cupsImageReadTIFF(
+   else
+     alpha = 0;
+ 
++  //
++  // Check whether number of samples per pixel corresponds with color space
++  //
++
++  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++  {
++    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond 
to color space! "
++                    "Color space: %s; Samples per pixel: %d\n",
++                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
++                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : 
"Unknown")),
++                    samples);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+  /*
+   * Check the size of the image...
+   */
+@@ -253,6 +289,14 @@ _cupsImageReadTIFF(
+         break;
+   }
+ 
++  if (orientation >= ORIENTATION_LEFTTOP)
++  {
++    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", 
stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (-1);
++  }
++
+   switch (orientation)
+   {
+     case ORIENTATION_TOPRIGHT :
+@@ -1455,7 +1499,7 @@ _cupsImageReadTIFF(
+             }
+ 
+             if (lut)
+-              cupsImageLut(out, img->xsize * 3, lut);
++              cupsImageLut(out, img->xsize * bpp, lut);
+ 
+               _cupsImagePutRow(img, 0, y, img->xsize, out);
+             }
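Review bot: The new rejection paths in the backported patch do not agree on their return code: the planar-configuration, `bits == 1 && samples > 1` and `PHOTOMETRIC_RGB`/`PHOTOMETRIC_SEPARATED` sample-count checks all `return (1);`, while the vertical-scanline guard (`orientation >= ORIENTATION_LEFTTOP`) and the pre-existing error path just above the first insertion `return (-1);`, and the same paths also mix `DEBUG:` and `ERROR:` message prefixes. Whether the caller distinguishes 1 from -1 is not visible in this hunk; if it only tests for non-zero the mismatch is harmless, but it invites a later caller to treat 1 as "not an error", so since this is a verbatim upstream backport a short note at the first new check is the cheapest safeguard, e.g. `/* NOTE(backport): new checks return 1, other failures -1; the caller must treat both as failure - verify */`. The sample-count validation only covers RGB and separated (CMYK) photometrics; whether greyscale, palette or other photometric values with an unexpected `samples` count are bounded elsewhere in `_cupsImageReadTIFF` cannot be confirmed here and is worth checking, given that the `cupsImageLut(out, img->xsize * bpp, lut)` fix addresses exactly a row-size mismatch. `_cupsImageReadTIFF` begins and ends outside the hunks shown.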