commit: 37b3f2668ce5689185e37bff9bd3d4cff4be63e0 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sun Feb 22 23:56:11 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Feb 23 00:05:58 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37b3f266
net-print/cups-filters: fix CVE-2025-64524 Bug: https://bugs.gentoo.org/970481 Signed-off-by: Sam James <sam <AT> gentoo.org> .../cups-filters/cups-filters-2.0.1-r1.ebuild | 59 ++++++++++++++++ .../files/cups-filters-2.0.1-CVE-2025-64524.patch | 80 ++++++++++++++++++++++ 2 files changed, 139 insertions(+)
diff --git a/net-print/cups-filters/cups-filters-2.0.1-r1.ebuild b/net-print/cups-filters/cups-filters-2.0.1-r1.ebuild
new file mode 100644
index 000000000000..86f6e999ad5b
--- /dev/null
+++ b/net-print/cups-filters/cups-filters-2.0.1-r1.ebuild
@@ -0,0 +1,59 @@
+# Copyright 2023-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic
+
+DESCRIPTION="Cups filters"
+HOMEPAGE="https://wiki.linuxfoundation.org/openprinting/cups-filters"
+SRC_URI="https://github.com/OpenPrinting/cups-filters/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="+foomatic"
+
+RDEPEND="
+ net-print/libcupsfilters
+ net-print/libppd
+ >=net-print/cups-1.7.3
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=sys-devel/gettext-0.18.3
+ virtual/pkgconfig
+"
+
+# The tests are composed of:
+# - built program
+# - test case itself: filter/test.sh
+#
+# The latter is not wired up, and it becomes immediately evident why.
+# Bow to this reality and don't claim we can run anything. As a side
+# effect, don't compile in src_test, that which we never use.
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.0.1-CVE-2025-64524.patch
+)
+
+src_configure() {
+ # https://github.com/OpenPrinting/cups-filters/issues/605 (bug #944074)
+ append-cflags -std=gnu17
+
+ local myeconfargs=(
+ --enable-imagefilters
+ --enable-driverless
+ --enable-poppler
+ --localstatedir="${EPREFIX}"/var
+ --with-fontdir="fonts/conf.avail"
+ # These are just probed for the path. Always enable them.
+ --with-gs-path="${EPREFIX}"/usr/bin/gs
+ --with-mutool-path="${EPREFIX}"/usr/bin/mutool
+
+ $(use_enable foomatic)
+ )
+
+ econf "${myeconfargs[@]}"
+}
diff --git a/net-print/cups-filters/files/cups-filters-2.0.1-CVE-2025-64524.patch b/net-print/cups-filters/files/cups-filters-2.0.1-CVE-2025-64524.patch
new file mode 100644
index 000000000000..e9808766ebce
--- /dev/null
+++ b/net-print/cups-filters/files/cups-filters-2.0.1-CVE-2025-64524.patch
@@ -0,0 +1,80 @@
+https://bugs.gentoo.org/970481
+https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011
+
+From 0fe46c511e81062575b05936f804eb18c9f0a011 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <[email protected]>
+Date: Wed, 12 Nov 2025 15:47:24 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index ded86f114..39cb378bf 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data
+ }
+
+ if (header->cupsCompression)
+- CompBuffer = malloc(DotBufferSize * 4);
++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+
+ if (header->cupsCompression >= 3)
+- SeedBuffer = malloc(DotBufferSize);
++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+
+ SeedInvalid = 1;
+
+@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress
+ seed ++;
+ count ++;
+ }
++
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
+ }
+
+ //
+@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress
+
+ count = line_ptr - start;
+
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
++
+ #if 0
+ fprintf(stderr,
+ "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress
+
+ count = (line_ptr - start) / 3;
+
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
++
+ //
+ // Place mode 10 compression data in the buffer; each sequence
+ // starts with a command byte that looks like:
+
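Review bot: In the StartPage hunk of the embedded upstream patch, `calloc(DotBufferSize * 4, sizeof(unsigned char))` still multiplies before the call, so calloc's own overflow check never sees the product; `CompBuffer = calloc(DotBufferSize, 4);` would let the allocator reject an oversized request. No NULL check on CompBuffer or SeedBuffer appears in the visible lines, but StartPage continues outside the hunk, so one may exist further down. The three `if (count == 0) break;` guards in CompressData end the loop on the crafted input without any diagnostic, as far as the hunks show, so a rejected raster would be hard to tell from a normal page when triaging; a one-line error or debug message before each `break` would help. The guards also prevent the heap overflow only indirectly, by terminating the loop, so an explicit bound on the output pointer against the CompBuffer allocation would be worth raising upstream as defense in depth.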
