libcupsfilters: patch CVE-2025-64503

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503 Pick the patch that explicitly refernces the CVE ID in its message. (The NVD advisory mentions only the cups-filters patch, but the developer indicated the CVE ID in the libcupsfilters patch also) Between this recipe version and the patch the project has decided to eliminate c++ from the project, and use c only. The patch however is straightforward enough that it could be backported with very small modifications. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-02 02:49:12 +00:00 · 2026-02-02 17:37:09 +01:00 · 2026-02-02 17:37:09 +01:00 · 5a74edf28b
commit 5a74edf28b
parent 1a31d20cea
2 changed files with 51 additions and 4 deletions
--- a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
+++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-64503.patch
@ -0,0 +1,47 @@
+From da9a7db3b9125c87b11c43b05354ca2eb21ed684 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 10 Nov 2025 21:10:56 +0100
+Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()
+
+From: Till Kamppeter <till.kamppeter@gmail.com>
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+
+CVE: CVE-2025-64503
+Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/fd01543f372ca3ba1f1c27bd3427110fa0094e3f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/cupsfilters/pdftoraster.cxx b/cupsfilters/pdftoraster.cxx
+index 0235b54..09583df 100644
+--- a/cupsfilters/pdftoraster.cxx
+++ b/cupsfilters/pdftoraster.cxx
+@@ -1606,6 +1606,20 @@ out_page(pdftoraster_doc_t *doc,
+   l = inputPageBox.height();
+   if (l < 0)
+     l = -l;
+
+  //
+  // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
+  // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+  //
+  if (doc->header.cupsPageSize[0] > 14400) {
+    fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]);
+    doc->header.cupsPageSize[0] = 14400;
+  }
+  if (doc->header.cupsPageSize[1] > 14400) {
+    fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]);
+    doc->header.cupsPageSize[1] = 14400;
+  }
+
+   if (rotate == 90 || rotate == 270)
+     doc->header.cupsPageSize[0] = l;
+   else
--- a/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
+++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.1.1.bb
@ -5,10 +5,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=aab2024bd2a475438a154cd1640c9684"

 DEPENDS = "cups fontconfig libexif dbus lcms qpdf poppler libpng jpeg tiff"

-SRC_URI = " \
-	https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
-	file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
-"
+SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
+           file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \
+           file://CVE-2025-64503.patch \
+           "
 SRC_URI[sha256sum] = "6c303e36cfde05a6c88fb940c62b6a18e7cdbfb91f077733ebc98f104925ce36"

 inherit autotools gettext pkgconfig github-releases