summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2025-12-25 13:51:37 +0100
committerGyorgy Sarvari <skandigraun@gmail.com>2025-12-25 13:57:02 +0100
commitc590e88d1948d7da2b0c3a1688c9b1e49a7a0470 (patch)
tree22f1dbf0a1dc46675997f254d5117e5b444f2921
parent16f6b4287c97d89fcf5b084dd81f546fdd9a5b17 (diff)
downloadmeta-openembedded-c590e88d1948d7da2b0c3a1688c9b1e49a7a0470.tar.gz
cups-filters: patch CVE-2025-64524
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Pick the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
-rw-r--r--meta-oe/recipes-printing/cups/cups-filters.inc1
-rw-r--r--meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch81
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc
index 26a7c5037a..fe87ac98ae 100644
--- a/meta-oe/recipes-printing/cups/cups-filters.inc
+++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -11,6 +11,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat
11 11
12SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \ 12SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
13 file://CVE-2025-57812.patch \ 13 file://CVE-2025-57812.patch \
14 file://CVE-2025-64524.patch \
14 " 15 "
15 16
16inherit autotools-brokensep gettext pkgconfig 17inherit autotools-brokensep gettext pkgconfig
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
new file mode 100644
index 0000000000..f3481ddaa5
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
@@ -0,0 +1,81 @@
1From 3f24ec5518f3f7f9a7020cd88bb9bbf4e81475fe Mon Sep 17 00:00:00 2001
2From: Zdenek Dohnal <zdohnal@redhat.com>
3Date: Wed, 12 Nov 2025 15:47:24 +0100
4Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
5
6Infinite loop happened because of crafted input raster file, which led
7into heap buffer overflow of `CompressBuf` array.
8
9Based on comments there should be always some `count` when compressing
10the data, and processing of crafted file ended with offset and count
11being 0.
12
13Fixes CVE-2025-64524
14
15CVE: CVE-2025-64524
16Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06]
17Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
18---
19 filter/rastertopclx.c | 26 ++++++++++++++++++++++++--
20 1 file changed, 24 insertions(+), 2 deletions(-)
21
22diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
23index 3e7c129..b20d195 100644
24--- a/filter/rastertopclx.c
25+++ b/filter/rastertopclx.c
26@@ -818,10 +818,10 @@ StartPage(ppd_file_t *ppd, /* I - PPD file */
27 }
28
29 if (header->cupsCompression)
30- CompBuffer = malloc(DotBufferSize * 4);
31+ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
32
33 if (header->cupsCompression >= 3)
34- SeedBuffer = malloc(DotBufferSize);
35+ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
36
37 SeedInvalid = 1;
38
39@@ -1152,6 +1152,14 @@ CompressData(unsigned char *line, /* I - Data to compress */
40 seed ++;
41 count ++;
42 }
43+
44+ //
45+ // Bail out if we don't have count to compress
46+ //
47+
48+ if (count == 0)
49+ break;
50+
51 }
52
53 /*
54@@ -1245,6 +1253,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
55
56 count = line_ptr - start;
57
58+ //
59+ // Bail out if we don't have count to compress
60+ //
61+
62+ if (count == 0)
63+ break;
64+
65 #if 0
66 fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
67 offset, count, comp_ptr, comp_ptr - CompBuffer,
68@@ -1416,6 +1431,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
69
70 count = (line_ptr - start) / 3;
71
72+ //
73+ // Bail out if we don't have count to compress
74+ //
75+
76+ if (count == 0)
77+ break;
78+
79 /*
80 * Place mode 10 compression data in the buffer; each sequence
81 * starts with a command byte that looks like: