Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503

Pick the patch that explicitly references the CVE ID in its message.
(The NVD advisory mentions only the cups-filters patch, but
the developer indicated the CVE ID in the libcupsfilters patch also)

Between this recipe version and the patch the project has decided to
eliminate c++ from the project, and use c only. The patch however
is straightforward enough that it could be backported with very small
modifications.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../cups/libcupsfilters/CVE-2025-64503.patch  | 47 +++++++++++++++++++
 .../cups/libcupsfilters_2.1.1.bb              |  8 ++--
 2 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100644 
meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch

diff --git a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch 
b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
new file mode 100644
index 0000000000..b70586296e
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
@@ -0,0 +1,47 @@
+From da9a7db3b9125c87b11c43b05354ca2eb21ed684 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Mon, 10 Nov 2025 21:10:56 +0100
+Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()
+
+From: Till Kamppeter <[email protected]>
+
+PDFs with too large page dimensions could cause an integer overflow and then a 
too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 
14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+
+CVE: CVE-2025-64503
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/libcupsfilters/commit/fd01543f372ca3ba1f1c27bd3427110fa0094e3f]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/cupsfilters/pdftoraster.cxx b/cupsfilters/pdftoraster.cxx
+index 0235b54..09583df 100644
+--- a/cupsfilters/pdftoraster.cxx
++++ b/cupsfilters/pdftoraster.cxx
+@@ -1606,6 +1606,20 @@ out_page(pdftoraster_doc_t *doc,
+   l = inputPageBox.height();
+   if (l < 0)
+     l = -l;
++
++  //
++  // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 
14400x14400 pt
++  // 
https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++  //
++  if (doc->header.cupsPageSize[0] > 14400) {
++    fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 
14400pt\n", doc->header.cupsPageSize[0]);
++    doc->header.cupsPageSize[0] = 14400;
++  }
++  if (doc->header.cupsPageSize[1] > 14400) {
++    fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 
14400pt\n", doc->header.cupsPageSize[1]);
++    doc->header.cupsPageSize[1] = 14400;
++  }
++
+   if (rotate == 90 || rotate == 270)
+     doc->header.cupsPageSize[0] = l;
+   else
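Review bot: In the out_page() hunk of the embedded pdftoraster.cxx patch, the two 14400pt checks sit directly ahead of the trailing context `if (rotate == 90 || rotate == 270) doc->header.cupsPageSize[0] = l;`, so the value written from `l` (taken from inputPageBox.height()) immediately after the clamp is not bounded by it. Please confirm that this placement still matches the upstream commit after the C++ backport, and consider either bounding `l` before it is assigned or moving the checks below the cupsPageSize assignments, so that the dimensions later used to size the pixel line buffer can never exceed 14400. Since the commit message says the backport needed small modifications, a short note under the Upstream-Status line saying what was changed would help the next person who rebases this patch.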
diff --git a/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb 
b/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
index 51d8c4f18b..311f33e134 100644
--- a/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
+++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
@@ -5,10 +5,10 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=aab2024bd2a475438a154cd1640c9684"
 
 DEPENDS = "cups fontconfig libexif dbus lcms qpdf poppler libpng jpeg tiff"
 
-SRC_URI = " \
-       
https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
-       file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
-"
+SRC_URI = 
"https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
+           
file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
+           file://CVE-2025-64503.patch \
+           "
 SRC_URI[sha256sum] = 
"6c303e36cfde05a6c88fb940c62b6a18e7cdbfb91f077733ebc98f104925ce36"
 
 inherit autotools gettext pkgconfig github-releases
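Review bot: The SRC_URI hunk re-flows the whole assignment (the URL moves onto the `SRC_URI = "` line and the existing 0001-use-noexcept patch entry is re-indented) in addition to adding `file://CVE-2025-64503.patch \`. Keeping the existing layout and adding only the new line would turn 4 deletions and 4 insertions into a single insertion, which keeps the security fix easy to audit and to cherry-pick to stable branches. If the re-flow is intended, please mention it in the commit message or split it into a separate change.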