Version in base suite: 1.28.17-6
Base version: cups-filters_1.28.17-6
Target version: cups-filters_1.28.17-6+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cups-filters/cups-filters_1.28.17-6.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cups-filters/cups-filters_1.28.17-6+deb13u1.dsc
changelog | 18 +++++++++
patches/CVE-2025-57812-1.patch | 23 +++++++++++
patches/CVE-2025-57812-2.patch | 30 +++++++++++++++
patches/CVE-2025-57812-3.patch | 39 ++++++++++++++++++++
patches/CVE-2025-57812-4.patch | 38 +++++++++++++++++++
patches/CVE-2025-57812-5.patch | 29 +++++++++++++++
patches/CVE-2025-64503.patch | 39 ++++++++++++++++++++
patches/CVE-2025-64524.patch | 79 +++++++++++++++++++++++++++++++++++++++++
patches/series | 8 ++++
9 files changed, 303 insertions(+)
diff -Nru cups-filters-1.28.17/debian/changelog cups-filters-1.28.17/debian/changelog
--- cups-filters-1.28.17/debian/changelog 2025-03-15 11:45:05.000000000 +0000
+++ cups-filters-1.28.17/debian/changelog 2025-11-20 09:45:05.000000000 +0000
@@ -1,3 +1,21 @@
+cups-filters (1.28.17-6+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-64503
+ fix an out of bounds write vulnerability when processing crafted
+ PDF files containing a large 'Mediabox' value.
+ (Closes: #1120698)
+
+ * CVE-2025-57812
+ fix an out of bounds read/write vulnerability in the processing
+ of TIFF image files.
+ (Closes: #1120704)
+
+ * CVE-2025-64524
+ fix infinite loop with crafted input raster file, that resuls
+ into a heap buffer overflow
+
+ -- Thorsten Alteholz Thu, 20 Nov 2025 10:45:05 +0100
+
 cups-filters (1.28.17-6) unstable; urgency=medium
 
 * add patch 0006-qpdf-12.patch (Closes: #1100207)
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-1.patch 2025-11-20 09:45:05.000000000 +0000
@@ -0,0 +1,23 @@
+From 5e5f1c5d46a043c57cbbe6e043aa95896d9c40fa Mon Sep 17 00:00:00 2001
+From: Till Kamppeter
+Date: Mon, 10 Nov 2025 18:42:52 +0100
+Subject: [PATCH] Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 5fe89071c..5eb29abc3 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -1469,7 +1469,7 @@ _cupsImageReadTIFF(
+ }
+
+ if (lut)
+- cupsImageLut(out, img->xsize * 3, lut);
++ cupsImageLut(out, img->xsize * bpp, lut);
+
+ _cupsImagePutRow(img, 0, y, img->xsize, out);
+ }
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-2.patch 2025-11-20 09:45:05.000000000 +0000
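Review bot: In CVE-2025-57812-1.patch only the `cupsImageLut` call at line 1469 of image-tiff.c moves from the fixed factor 3 to `bpp`; `_cupsImageReadTIFF` starts and ends outside this hunk, so any other call in it that still passes a hard-coded channel count for a row buffer sized from `bpp` (as this fix implies `out` is) would keep the same overrun and should be checked before the CVE is considered closed. The patch subject names `cfImageLut` while the changed call is `cupsImageLut`, which suggests the upstream commit was adapted to the 1.28 naming. A DEP-3 line in the patch header such as `Origin: backport, <upstream-commit-URL>` would record that the hunk is not a verbatim cherry-pick.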
@@ -0,0 +1,30 @@
+From 7bd588a1fc5c99ac0b1951beb1b54b438137a7b5 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter
+Date: Mon, 10 Nov 2025 18:44:59 +0100
+Subject: [PATCH] Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 5eb29abc3..48fc8a28b 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -129,6 +129,15 @@ _cupsImageReadTIFF(
+ if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+ bits = 1;
+
++ if (bits == 1 && samples > 1)
++ {
++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ /*
+ * Get the image orientation...
+ */
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-3.patch 2025-11-20 09:45:05.000000000 +0000
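Review bot: The `bits == 1 && samples > 1` rejection added by CVE-2025-57812-2.patch carries no comment explaining why that combination is refused, unlike the sample-count check in CVE-2025-57812-3.patch, which has a block comment. A comment in the file's style, e.g. `/* Refuse multi-sample images at 1 bit per sample: memory-safety guard for CVE-2025-57812 */`, would tell a later maintainer this is a safety check and not a missing feature. Because the context line above defaults `bits` to 1 when the tag is absent, a multi-sample file without a BitsPerSample tag is refused too, which is worth stating in the same comment. The check relies on `samples` having been read earlier in `_cupsImageReadTIFF`, which is outside the hunk.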
@@ -0,0 +1,39 @@
+From 719c557c9a29db32b855e6e108d7f4e7c5397613 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter
+Date: Mon, 10 Nov 2025 18:46:10 +0100
+Subject: [PATCH] Reject images where the number of samples does not correspond
+ with the color space
+
+3. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 48fc8a28b..a207f7ce9 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -204,6 +204,23 @@ _cupsImageReadTIFF(
+ else
+ alpha = 0;
+
++ /*
++ * Check whether number of samples per pixel corresponds with color space
++ */
++
++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++ {
++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
++ "Color space: %s; Samples per pixel: %d\n",
++ (photometric == PHOTOMETRIC_RGB ? "RGB" :
++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
++ samples);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ /*
+ * Check the size of the image...
+ */
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-4.patch 2025-11-20 09:45:05.000000000 +0000
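Review bot: The rejection added by CVE-2025-57812-3.patch logs at `DEBUG:` and returns `(1)`, and the planar-configuration check in CVE-2025-57812-4.patch does the same, while the guards in patches 2 and 5 log at `ERROR:` and return `(-1)`, which is also what the existing failure path in patch 4's context returns. CUPS records `DEBUG:` filter messages only at debug log level, so a file refused by these two checks leaves no trace in a default error_log; `ERROR:` with `return (-1);` in both would make refused input visible to operators and keep one failure convention, though whether callers treat 1 and -1 alike is outside these hunks. Separately, the condition fires only for RGB and SEPARATED, so the `"Unknown"` arm of the message can never print. Sample counts for other photometric values are not validated here.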
@@ -0,0 +1,38 @@
+From cb927006747b797aa9163cd0cbd41b9bbdf05db0 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter
+Date: Mon, 10 Nov 2025 18:50:10 +0100
+Subject: [PATCH] Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index a207f7ce9..04ec0719a 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -43,6 +43,7 @@ _cupsImageReadTIFF(
+ TIFF *tif; /* TIFF file */
+ uint32_t width, height; /* Size of image */
+ uint16_t photometric, /* Colorspace */
++ planar, /* Color components in separate planes */
+ compression, /* Type of compression */
+ orientation, /* Orientation */
+ resunit, /* Units for resolution */
+@@ -115,6 +116,15 @@ _cupsImageReadTIFF(
+ return (-1);
+ }
+
++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++ planar == PLANARCONFIG_SEPARATE)
++ {
++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
+ if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+ {
+ fputs("DEBUG: No compression tag in the file!\n", stderr);
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-57812-5.patch 2025-11-20 09:45:05.000000000 +0000
@@ -0,0 +1,29 @@
+From 5122052dd8f06949242099401c59f6c3b14e61c3 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter
+Date: Mon, 10 Nov 2025 18:57:07 +0100
+Subject: [PATCH] Reject images with vertical scanlines
+
+5. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 04ec0719a..e9a78d3d5 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -303,6 +303,14 @@ _cupsImageReadTIFF(
+ break;
+ }
+
++ if (orientation >= ORIENTATION_LEFTTOP)
++ {
++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
++ TIFFClose(tif);
++ fclose(fp);
++ return (-1);
++ }
++
+ switch (orientation)
+ {
+ case ORIENTATION_TOPRIGHT :
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-64503.patch 2025-11-20 09:45:05.000000000 +0000
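Review bot: `orientation >= ORIENTATION_LEFTTOP` in CVE-2025-57812-5.patch depends on the numeric order of libtiff's orientation constants, which nothing in the added lines states. A comment such as `/* ORIENTATION_LEFTTOP..LEFTBOT (5-8) swap rows and columns; larger values are invalid and are refused as well */` would make both the intent and the handling of out-of-range tag values explicit. The check sits after an earlier `switch` and `_cupsImageReadTIFF` continues outside the hunk, so it cannot be confirmed from here that `tif` and `fp` are the only resources held at this point.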
@@ -0,0 +1,39 @@
+From 50d94ca0f2fa6177613c97c59791bde568631865 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter
+Date: Mon, 10 Nov 2025 18:31:48 +0100
+Subject: [PATCH] Fix out-of-bounds write in pdftoraster
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+---
+ filter/pdftoraster.cxx | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: cups-filters/filter/pdftoraster.cxx
+===================================================================
+--- cups-filters.orig/filter/pdftoraster.cxx 2025-11-20 15:15:39.795443588 +0100
++++ cups-filters/filter/pdftoraster.cxx 2025-11-20 15:15:39.791443557 +0100
+@@ -1688,6 +1688,18 @@
+ header.PageSize[0] = (unsigned)l;
+ else
+ header.PageSize[1] = (unsigned)l;
++ /*
++ Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++ https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++ */
++ if (header.PageSize[0] > 14400) {
++ fprintf(stderr, "ERROR: Page width is %dpt, too large, cropping to 14400pt\n", header.PageSize[0]);
++ header.PageSize[0] = 14400;
++ }
++ if (header.PageSize[1] > 14400) {
++ fprintf(stderr, "ERROR: Page height is %dpt, too large, cropping to 14400pt\n", header.PageSize[1]);
++ header.PageSize[1] = 14400;
++ }
+
+ memset(paperdimensions, 0, sizeof(paperdimensions));
+ memset(margins, 0, sizeof(margins));
diff -Nru cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch
--- cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/CVE-2025-64524.patch 2025-11-20 09:45:05.000000000 +0000
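Review bot: The clamp in CVE-2025-64503.patch runs only after `header.PageSize[n] = (unsigned)l`, so the conversion itself stays unguarded: if `l` is a floating-point value (its declaration is outside the hunk), converting a value beyond the range of `unsigned` is undefined before the comparison with 14400 is ever reached. Limiting `l` ahead of each assignment, e.g. `if (l > 14400) l = 14400;`, closes that gap and makes the later comparison a backstop. The two messages print an unsigned field with `%d`; `%u` matches the type shown by the cast. The enclosing function starts and ends outside the hunk, so the first PageSize assignment pair is not visible here.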
@@ -0,0 +1,79 @@
+From b03866fd2e251a6d822a5e8c807c8d47b4d2dce2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Wed, 12 Nov 2025 16:02:20 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index 3e7c129da..1015308da 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -818,10 +818,10 @@ StartPage(ppd_file_t *ppd, /* I - PPD file */
+ }
+
+ if (header->cupsCompression)
+- CompBuffer = malloc(DotBufferSize * 4);
++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+
+ if (header->cupsCompression >= 3)
+- SeedBuffer = malloc(DotBufferSize);
++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+
+ SeedInvalid = 1;
+
+@@ -1152,6 +1152,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
+ seed ++;
+ count ++;
+ }
++
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
+ }
+
+ /*
+@@ -1245,6 +1252,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
+
+ count = line_ptr - start;
+
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
++
+ #if 0
+ fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+ offset, count, comp_ptr, comp_ptr - CompBuffer,
+@@ -1416,6 +1430,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
+
+ count = (line_ptr - start) / 3;
+
++ //
++ // Bail out if we don't have count to compress
++ //
++
++ if (count == 0)
++ break;
++
+ /*
+ * Place mode 10 compression data in the buffer; each sequence
+ * starts with a command byte that looks like:
+--
+2.51.1
+
diff -Nru cups-filters-1.28.17/debian/patches/series cups-filters-1.28.17/debian/patches/series
--- cups-filters-1.28.17/debian/patches/series 2025-03-15 11:45:05.000000000 +0000
+++ cups-filters-1.28.17/debian/patches/series 2025-11-20 09:45:05.000000000 +0000
@@ -4,3 +4,11 @@
 0004-CVE-2024-47076.patch
 0005-CVE-2024-47176.patch
 0006-qpdf-12.patch
+
+CVE-2025-57812-1.patch
+CVE-2025-57812-2.patch
+CVE-2025-57812-3.patch
+CVE-2025-57812-4.patch
+CVE-2025-57812-5.patch
+CVE-2025-64503.patch
+CVE-2025-64524.patch
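Review bot: In the StartPage hunk of CVE-2025-64524.patch, `calloc(DotBufferSize * 4, sizeof(unsigned char))` still multiplies before the call, so calloc's own overflow check never sees the real element count, and neither allocation's result is tested within the hunk. `CompBuffer = calloc(DotBufferSize, 4);` keeps the same size and lets the allocator refuse a wrapped product. The three `count == 0` guards in CompressData stop the non-advancing loop, but none of the visible lines bounds `comp_ptr` against the end of CompBuffer; the function body continues outside these hunks, so such a check may exist elsewhere and is worth confirming. The added comments use `//` where the surrounding context uses `/* */` blocks.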