From 776bf140dabaf7b046ad775ba5e97a4c5037f255 Mon Sep 17 00:00:00 2001 From: sa-buc Date: Fri, 28 Nov 2025 15:36:48 +0800 Subject: [PATCH] fix CVE-2025-64524 --- 0001-fix-CVE-2025-64524.patch | 76 +++++++++++++++++++++++++++++++++++ cups-filters.spec | 10 ++++- 2 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 0001-fix-CVE-2025-64524.patch diff --git a/0001-fix-CVE-2025-64524.patch b/0001-fix-CVE-2025-64524.patch new file mode 100644 index 0000000..5b0e7f9 --- /dev/null +++ b/0001-fix-CVE-2025-64524.patch @@ -0,0 +1,76 @@ +From 0fe46c511e81062575b05936f804eb18c9f0a011 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Wed, 12 Nov 2025 15:47:24 +0100 +Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file + +Infinite loop happened because of crafted input raster file, which led +into heap buffer overflow of `CompressBuf` array. + +Based on comments there should be always some `count` when compressing +the data, and processing of crafted file ended with offset and count +being 0. + +Fixes CVE-2025-64524 +--- + filter/rastertopclx.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c +index ded86f114..39cb378bf 100644 +--- a/filter/rastertopclx.c ++++ b/filter/rastertopclx.c +@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data + } + + if (header->cupsCompression) +- CompBuffer = malloc(DotBufferSize * 4); ++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char)); + + if (header->cupsCompression >= 3) +- SeedBuffer = malloc(DotBufferSize); ++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char)); + + SeedInvalid = 1; + +@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress + seed ++; + count ++; + } ++ ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; + } + + // +@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = line_ptr - start; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + #if 0 + fprintf(stderr, + "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n", +@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = (line_ptr - start) / 3; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + // + // Place mode 10 compression data in the buffer; each sequence + // starts with a command byte that looks like: diff --git a/cups-filters.spec b/cups-filters.spec index 5480d63..6dad4b4 100644 --- a/cups-filters.spec +++ b/cups-filters.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 # we build CUPS also with relro %global _hardened_build 1 @@ -18,6 +18,9 @@ Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz Source1: lftocrlf.ppd Source2: lftocrlf +# https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011 +Patch1: 0001-fix-CVE-2025-64524.patch + # driverless backend/driver was moved into a separate package to # remove avahi dependency for filters # remove once C10S is released and F40 is EOL @@ -93,7 +96,7 @@ Requires: %{name} = %{version}-%{release} Doc pages for %{name}. %prep -%autosetup -S git +%autosetup -p1 -S git %build # work-around Rpath @@ -197,6 +200,9 @@ make check %doc README.md AUTHORS NEWS %changelog +* Fri Nov 28 2025 zhoujiajiia111 - 2.0.0-2 +- Fix CVE-2025-64524 + * Fri Feb 28 2025 Zhao Hang - 2.0.0-1 - Update to 2.0.0-1 from 1.28.17-3 - Migrated to SPDX license -- Gitee