2 files changed, 130 insertions, 1 deletions
diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc
index 5952b5a2a6..26a7c5037a 100644
--- a/meta-oe/recipes-printing/cups/cups-filters.inc
+++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -9,7 +9,9 @@ SECTION = "console/utils"
 DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng"
 DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native"
-SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz"
+SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
+           file://CVE-2025-57812.patch \
+           "
 inherit autotools-brokensep gettext pkgconfig
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch
new file mode 100644
index 0000000000..1af27c10c1
--- /dev/null
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch
@@ -0,0 +1,127 @@
+From c21664d57ebecb2c6ed05b38b1c39995ab14e916 Mon Sep 17 00:00:00 2001
+From: zdohnal <zdohnal@redhat.com>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+* Fix heap-buffer overflow write in cfImageLut
+1. fix for CVE-2025-57812
+* Reject color images with 1 bit per sample
+2. fix for CVE-2025-57812
+* Reject images where the number of samples does not correspond with the color space
+3. fix for CVE-2025-57812
+* Reject images with planar color configuration
+4. fix for CVE-2025-57812
+* Reject images with vertical scanlines
+5.  fix for CVE-2025-57812
+---------
+Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
+CVE: CVE-2025-57812
+Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 4fd8756..b34c1ef 100644
+--- a/cupsfilters/image-tiff.c
+++ b/cupsfilters/image-tiff.c
+@@ -43,6 +43,7 @@ _cupsImageReadTIFF(
+   TIFF         *tif;                   /* TIFF file */
+   uint32       width, height;          /* Size of image */
+   uint16       photometric,            /* Colorspace */
+               planar,                 /* Color components in separate planes */
+                compression,            /* Type of compression */
+                orientation,            /* Orientation */
+                resunit,                /* Units for resolution */
+@@ -115,6 +116,15 @@ _cupsImageReadTIFF(
+     return (-1);
+   }
+ 
+  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
+      planar == PLANARCONFIG_SEPARATE)
+  {
+    fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+   {
+     fputs("DEBUG: No compression tag in the file!\n", stderr);
+@@ -129,6 +139,15 @@ _cupsImageReadTIFF(
+   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+     bits = 1;
+ 
+  if (bits == 1 && samples > 1)
+  {
+    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
+                    "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+  /*
+   * Get the image orientation...
+   */
+@@ -181,6 +200,23 @@ _cupsImageReadTIFF(
+   else
+     alpha = 0;
+ 
+  //
+  // Check whether number of samples per pixel corresponds with color space
+  //
+
+  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
+      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
+  {
+    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
+                    "Color space: %s; Samples per pixel: %d\n",
+                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
+                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
+                    samples);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+  /*
+   * Check the size of the image...
+   */
+@@ -253,6 +289,14 @@ _cupsImageReadTIFF(
+         break;
+   }
+ 
+  if (orientation >= ORIENTATION_LEFTTOP)
+  {
+    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
+    TIFFClose(tif);
+    fclose(fp);
+    return (-1);
+  }
+
+   switch (orientation)
+   {
+     case ORIENTATION_TOPRIGHT :
+@@ -1455,7 +1499,7 @@ _cupsImageReadTIFF(
+              }
+ 
+              if (lut)
+-               cupsImageLut(out, img->xsize * 3, lut);
+               cupsImageLut(out, img->xsize * bpp, lut);
+ 
+               _cupsImagePutRow(img, 0, y, img->xsize, out);
+             }

diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 5952b5a2a6..26a7c5037a 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc
@@ -9,7 +9,9 @@ SECTION = "console/utils"
9	DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng"	9	DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng"
10	DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native"	10	DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native"
11		11
12	SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz"	12	SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
		13	file://CVE-2025-57812.patch \
		14	"
13		15
14	inherit autotools-brokensep gettext pkgconfig	16	inherit autotools-brokensep gettext pkgconfig
15		17


diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch new file mode 100644 index 0000000000..1af27c10c1 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch
@@ -0,0 +1,127 @@
		1	From c21664d57ebecb2c6ed05b38b1c39995ab14e916 Mon Sep 17 00:00:00 2001
		2	From: zdohnal <zdohnal@redhat.com>
		3	Date: Mon, 10 Nov 2025 18:58:31 +0100
		4	Subject: [PATCH] Merge commit from fork
		5
		6	* Fix heap-buffer overflow write in cfImageLut
		7
		8	1. fix for CVE-2025-57812
		9
		10	* Reject color images with 1 bit per sample
		11
		12	2. fix for CVE-2025-57812
		13
		14	* Reject images where the number of samples does not correspond with the color space
		15
		16	3. fix for CVE-2025-57812
		17
		18	* Reject images with planar color configuration
		19
		20	4. fix for CVE-2025-57812
		21
		22	* Reject images with vertical scanlines
		23
		24	5. fix for CVE-2025-57812
		25
		26	---------
		27
		28	Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
		29	CVE: CVE-2025-57812
		30	Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa]
		31	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		32	---
		33	cupsfilters/image-tiff.c \| 46 +++++++++++++++++++++++++++++++++++++++-
		34	1 file changed, 45 insertions(+), 1 deletion(-)
		35
		36	diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
		37	index 4fd8756..b34c1ef 100644
		38	--- a/cupsfilters/image-tiff.c
		39	+++ b/cupsfilters/image-tiff.c
		40	@@ -43,6 +43,7 @@ _cupsImageReadTIFF(
		41	TIFF tif; / TIFF file */
		42	uint32 width, height; /* Size of image */
		43	uint16 photometric, /* Colorspace */
		44	+ planar, /* Color components in separate planes */
		45	compression, /* Type of compression */
		46	orientation, /* Orientation */
		47	resunit, /* Units for resolution */
		48	@@ -115,6 +116,15 @@ _cupsImageReadTIFF(
		49	return (-1);
		50	}
		51
		52	+ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
		53	+ planar == PLANARCONFIG_SEPARATE)
		54	+ {
		55	+ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
		56	+ TIFFClose(tif);
		57	+ fclose(fp);
		58	+ return (1);
		59	+ }
		60	+
		61	if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
		62	{
		63	fputs("DEBUG: No compression tag in the file!\n", stderr);
		64	@@ -129,6 +139,15 @@ _cupsImageReadTIFF(
		65	if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
		66	bits = 1;
		67
		68	+ if (bits == 1 && samples > 1)
		69	+ {
		70	+ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
		71	+ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
		72	+ TIFFClose(tif);
		73	+ fclose(fp);
		74	+ return (1);
		75	+ }
		76	+
		77	/*
		78	* Get the image orientation...
		79	*/
		80	@@ -181,6 +200,23 @@ _cupsImageReadTIFF(
		81	else
		82	alpha = 0;
		83
		84	+ //
		85	+ // Check whether number of samples per pixel corresponds with color space
		86	+ //
		87	+
		88	+ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 \|\| samples > 4)) \|\|
		89	+ (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
		90	+ {
		91	+ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
		92	+ "Color space: %s; Samples per pixel: %d\n",
		93	+ (photometric == PHOTOMETRIC_RGB ? "RGB" :
		94	+ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
		95	+ samples);
		96	+ TIFFClose(tif);
		97	+ fclose(fp);
		98	+ return (1);
		99	+ }
		100	+
		101	/*
		102	* Check the size of the image...
		103	*/
		104	@@ -253,6 +289,14 @@ _cupsImageReadTIFF(
		105	break;
		106	}
		107
		108	+ if (orientation >= ORIENTATION_LEFTTOP)
		109	+ {
		110	+ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
		111	+ TIFFClose(tif);
		112	+ fclose(fp);
		113	+ return (-1);
		114	+ }
		115	+
		116	switch (orientation)
		117	{
		118	case ORIENTATION_TOPRIGHT :
		119	@@ -1455,7 +1499,7 @@ _cupsImageReadTIFF(
		120	}
		121
		122	if (lut)
		123	- cupsImageLut(out, img->xsize * 3, lut);
		124	+ cupsImageLut(out, img->xsize * bpp, lut);
		125
		126	_cupsImagePutRow(img, 0, y, img->xsize, out);
		127	}