commit: 0c23c099b2131b5b51d1b74b17d31301faede0ea Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sun Feb 22 23:48:45 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Feb 23 00:05:57 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c23c099
net-print/libcupsfilters: fix CVE-2025-57812, CVE-2025-64503 The fixes for these CVEs seem to touch the same code as the other BIGSLEEP vulns so I think this may be enough. Bug: https://bugs.gentoo.org/966005 Signed-off-by: Sam James <sam <AT> gentoo.org> .../libcupsfilters-2.1.1-CVE-2025-57812.patch | 128 +++++++++++++++++++++ .../libcupsfilters-2.1.1-CVE-2025-64503.patch | 45 ++++++++ .../libcupsfilters/libcupsfilters-2.1.1-r1.ebuild | 76 ++++++++++++ 3 files changed, 249 insertions(+) diff --git a/net-print/libcupsfilters/files/libcupsfilters-2.1.1-CVE-2025-57812.patch b/net-print/libcupsfilters/files/libcupsfilters-2.1.1-CVE-2025-57812.patch new file mode 100644 index 000000000000..857966edac83 --- /dev/null +++ b/net-print/libcupsfilters/files/libcupsfilters-2.1.1-CVE-2025-57812.patch @@ -0,0 +1,128 @@ +https://bugs.gentoo.org/966005 +https://github.com/OpenPrinting/libcupsfilters/commit/ce1174b47948b00818479aba96f8ea23e895fe42 + +From ce1174b47948b00818479aba96f8ea23e895fe42 Mon Sep 17 00:00:00 2001 +From: zdohnal <[email protected]> +Date: Mon, 10 Nov 2025 18:58:31 +0100 +Subject: [PATCH] Merge commit from fork + +* Fix heap-buffer overflow write in cfImageLut + +1. fix for CVE-2025-57812 + +* Reject color images with 1 bit per sample + +2. fix for CVE-2025-57812 + +* Reject images where the number of samples does not correspond with the color space + +3. fix for CVE-2025-57812 + +* Reject images with planar color configuration + +4. fix for CVE-2025-57812 + +* Reject images with vertical scanlines + +5. fix for CVE-2025-57812 + +--------- + +Co-authored-by: Till Kamppeter <[email protected]> +--- + cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 45 insertions(+), 1 deletion(-) + +diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c +index 20dfbaee6..748e2db63 100644 +--- a/cupsfilters/image-tiff.c ++++ b/cupsfilters/image-tiff.c +@@ -41,6 +41,7 @@ _cfImageReadTIFF( + TIFF *tif; // TIFF file + uint32_t width, height; // Size of image + uint16_t photometric, // Colorspace ++ planar, // Color components in separate planes + compression, // Type of compression + orientation, // Orientation + resunit, // Units for resolution +@@ -113,6 +114,15 @@ _cfImageReadTIFF( + return (-1); + } + ++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) && ++ planar == PLANARCONFIG_SEPARATE) ++ { ++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression)) + { + DEBUG_puts("DEBUG: No compression tag in the file!\n"); +@@ -127,6 +137,15 @@ _cfImageReadTIFF( + if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits)) + bits = 1; + ++ if (bits == 1 && samples > 1) ++ { ++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! " ++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + // + // Get the image orientation... + // +@@ -193,6 +212,23 @@ _cfImageReadTIFF( + else + alpha = 0; + ++ // ++ // Check whether number of samples per pixel corresponds with color space ++ // ++ ++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) || ++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4)) ++ { ++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! " ++ "Color space: %s; Samples per pixel: %d\n", ++ (photometric == PHOTOMETRIC_RGB ? "RGB" : ++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")), ++ samples); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + // + // Check the size of the image... + // +@@ -265,6 +301,14 @@ _cfImageReadTIFF( + break; + } + ++ if (orientation >= ORIENTATION_LEFTTOP) ++ { ++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr); ++ TIFFClose(tif); ++ fclose(fp); ++ return (-1); ++ } ++ + switch (orientation) + { + case ORIENTATION_TOPRIGHT : +@@ -1493,7 +1537,7 @@ _cfImageReadTIFF( + } + + if (lut) +- cfImageLut(out, img->xsize * 3, lut); ++ cfImageLut(out, img->xsize * bpp, lut); + + _cfImagePutRow(img, 0, y, img->xsize, out); + } + diff --git a/net-print/libcupsfilters/files/libcupsfilters-2.1.1-CVE-2025-64503.patch b/net-print/libcupsfilters/files/libcupsfilters-2.1.1-CVE-2025-64503.patch new file mode 100644 index 000000000000..6c67a420d271 --- /dev/null +++ b/net-print/libcupsfilters/files/libcupsfilters-2.1.1-CVE-2025-64503.patch @@ -0,0 +1,45 @@ +https://bugs.gentoo.org/966005 +https://github.com/OpenPrinting/libcupsfilters/commit/c726672e5bfd8b353f18a8c62ce27bc954552c16 + +From c726672e5bfd8b353f18a8c62ce27bc954552c16 Mon Sep 17 00:00:00 2001 +From: Till Kamppeter <[email protected]> +Date: Mon, 10 Nov 2025 22:07:00 +0100 +Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster() + +PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated. + +Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m + +https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372 + +Fixes CVE-2025-64503 +--- + cupsfilters/pdftoraster.cxx | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/cupsfilters/pdftoraster.cxx b/cupsfilters/pdftoraster.cxx +index 3b50030a6..b52c75631 100644 +--- a/cupsfilters/pdftoraster.cxx ++++ b/cupsfilters/pdftoraster.cxx +@@ -1610,6 +1610,20 @@ out_page(pdftoraster_doc_t *doc, + doc->header.cupsPageSize[0] = l; + else + doc->header.cupsPageSize[1] = l; ++ ++ // ++ // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt ++ // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372 ++ // ++ if (doc->header.cupsPageSize[0] > 14400) { ++ fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]); ++ doc->header.cupsPageSize[0] = 14400; ++ } ++ if (doc->header.cupsPageSize[1] > 14400) { ++ fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]); ++ doc->header.cupsPageSize[1] = 14400; ++ } ++ + if (rotate == 90 || rotate == 270) + { + doc->header.cupsImagingBBox[0] = + diff --git a/net-print/libcupsfilters/libcupsfilters-2.1.1-r1.ebuild b/net-print/libcupsfilters/libcupsfilters-2.1.1-r1.ebuild new file mode 100644 index 000000000000..aa1a3cadf9d7 --- /dev/null +++ b/net-print/libcupsfilters/libcupsfilters-2.1.1-r1.ebuild @@ -0,0 +1,76 @@ +# Copyright 2023-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit libtool + +DESCRIPTION="library for developing printing features, split out of cups-filters" +HOMEPAGE="https://github.com/OpenPrinting/libcupsfilters"; +SRC_URI="https://github.com/OpenPrinting/libcupsfilters/releases/download/${PV/_beta/b}/${P/_beta/b}.tar.xz"; +S="${WORKDIR}"/${P/_beta/b} + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="dbus exif jpeg pdf +poppler +postscript png test tiff" +RESTRICT="!test? ( test )" + +RDEPEND=" + >=app-text/qpdf-8.3.0:= + media-libs/fontconfig + media-libs/lcms:2 + >=net-print/cups-2 + !<net-print/cups-filters-2.0.0 + + exif? ( media-libs/libexif ) + dbus? ( sys-apps/dbus ) + jpeg? ( media-libs/libjpeg-turbo:= ) + pdf? ( app-text/mupdf ) + postscript? ( app-text/ghostscript-gpl[cups] ) + poppler? ( >=app-text/poppler-0.32:=[cxx] ) + png? ( media-libs/libpng:= ) + tiff? ( media-libs/tiff:= ) +" +DEPEND="${RDEPEND}" +BDEPEND=" + >=sys-devel/gettext-0.18.3 + virtual/pkgconfig + test? ( media-fonts/dejavu ) +" + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2025-57812.patch + "${FILESDIR}"/${P}-CVE-2025-64503.patch +) + +src_prepare() { + default + + # respect --as-needed + elibtoolize +} + +src_configure() { + local myeconfargs=( + --enable-imagefilters + --localstatedir="${EPREFIX}"/var + --with-cups-rundir="${EPREFIX}"/run/cups + + $(use_enable exif) + $(use_enable dbus) + $(use_enable poppler) + $(use_enable postscript ghostscript) + $(use_enable pdf mutool) + $(use_with jpeg) + $(use_with png) + $(use_with tiff) + ) + + econf "${myeconfargs[@]}" +} + +src_install() { + default + find "${ED}" -name '*.la' -delete || die +}
