Version in base suite: 2.0.0-3

Base version: libcupsfilters_2.0.0-3
Target version: libcupsfilters_2.0.0-3+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libcupsfilters/libcupsfilters_2.0.0-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libcupsfilters/libcupsfilters_2.0.0-3+deb13u1.dsc

 changelog                    |   14 ++++
 patches/CVE-2025-57812.patch |  124 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2025-64503.patch |   41 ++++++++++++++
 patches/series               |    4 +
 4 files changed, 183 insertions(+)

diff -Nru libcupsfilters-2.0.0/debian/changelog libcupsfilters-2.0.0/debian/changelog
--- libcupsfilters-2.0.0/debian/changelog	2024-09-26 21:45:05.000000000 +0000
+++ libcupsfilters-2.0.0/debian/changelog	2025-11-20 09:45:05.000000000 +0000
@@ -1,3 +1,17 @@
+libcupsfilters (2.0.0-3+deb13u1) trixie; urgency=medium
+
+  * CVE-2025-64503
+    fix an out of bounds write vulnerability when processing crafted
+    PDF files containing a large 'Mediabox' value.
+    (Closes: #1120697)
+
+  * CVE-2025-57812
+    fix an out of bounds read/write vulnerability in the processing
+    of TIFF image files.
+    (Closes: #1120703)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Thu, 20 Nov 2025 10:45:05 +0100
+
 libcupsfilters (2.0.0-3) unstable; urgency=medium
 
   * CVE-2024-47076 (Closes: #1082821)
diff -Nru libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch
--- libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch	1970-01-01 00:00:00.000000000 +0000
+++ libcupsfilters-2.0.0/debian/patches/CVE-2025-57812.patch	2025-11-20 09:45:05.000000000 +0000
@@ -0,0 +1,124 @@
+From b69dfacec7f176281782e2f7ac44f04bf9633cfa Mon Sep 17 00:00:00 2001
+From: zdohnal <zdohnal@redhat.com>
+Date: Mon, 10 Nov 2025 18:58:31 +0100
+Subject: [PATCH] Merge commit from fork
+
+* Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+
+* Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+
+* Reject images where the number of samples does not correspond with the color space
+
+3. fix for CVE-2025-57812
+
+* Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+
+* Reject images with vertical scanlines
+
+5.  fix for CVE-2025-57812
+
+---------
+
+Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
+---
+ cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+Index: libcupsfilters-2.0.0/cupsfilters/image-tiff.c
+===================================================================
+--- libcupsfilters-2.0.0.orig/cupsfilters/image-tiff.c	2025-11-20 13:30:30.492726380 +0100
++++ libcupsfilters-2.0.0/cupsfilters/image-tiff.c	2025-11-20 13:30:30.492726380 +0100
+@@ -41,6 +41,7 @@
+   TIFF		*tif;			// TIFF file
+   uint32_t	width, height;		// Size of image
+   uint16_t	photometric,		// Colorspace
++    planar,         // Color components in separate planes
+ 		compression,		// Type of compression
+ 		orientation,		// Orientation
+ 		resunit,		// Units for resolution
+@@ -113,6 +114,15 @@
+     return (-1);
+   }
+ 
++  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++      planar == PLANARCONFIG_SEPARATE)
++  {
++    fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+   {
+     DEBUG_puts("DEBUG: No compression tag in the file!\n");
+@@ -127,6 +137,15 @@
+   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+     bits = 1;
+ 
++  if (bits == 1 && samples > 1)
++  {
++    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
++                    "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   //
+   // Get the image orientation...
+   //
+@@ -194,6 +213,23 @@
+     alpha = 0;
+ 
+   //
++  // Check whether number of samples per pixel corresponds with color space
++  //
++
++  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++  {
++    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
++                    "Color space: %s; Samples per pixel: %d\n",
++                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
++                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
++                    samples);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
++  //
+   // Check the size of the image...
+   //
+ 
+@@ -265,6 +301,14 @@
+         break;
+   }
+ 
++  if (orientation >= ORIENTATION_LEFTTOP)
++  {
++    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (-1);
++  }
++
+   switch (orientation)
+   {
+     case ORIENTATION_TOPRIGHT :
+@@ -1467,7 +1511,7 @@
+ 	      }
+ 
+ 	      if (lut)
+-	        cfImageLut(out, img->xsize * 3, lut);
++	        cfImageLut(out, img->xsize * bpp, lut);
+ 
+               _cfImagePutRow(img, 0, y, img->xsize, out);
+             }
diff -Nru libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch
--- libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch	1970-01-01 00:00:00.000000000 +0000
+++ libcupsfilters-2.0.0/debian/patches/CVE-2025-64503.patch	2025-11-20 09:45:05.000000000 +0000
@@ -0,0 +1,41 @@
+From fd01543f372ca3ba1f1c27bd3427110fa0094e3f Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <till.kamppeter@gmail.com>
+Date: Mon, 10 Nov 2025 21:10:56 +0100
+Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+---
+ cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+Index: libcupsfilters-2.0.0/cupsfilters/pdftoraster.cxx
+===================================================================
+--- libcupsfilters-2.0.0.orig/cupsfilters/pdftoraster.cxx	2025-11-20 13:30:34.444758465 +0100
++++ libcupsfilters-2.0.0/cupsfilters/pdftoraster.cxx	2025-11-20 13:30:34.440758433 +0100
+@@ -1609,6 +1609,20 @@
+     doc->header.cupsPageSize[0] = l;
+   else
+     doc->header.cupsPageSize[1] = l;
++
++  //
++  // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++  // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++  //
++  if (doc->header.cupsPageSize[0] > 14400) {
++    fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]);
++    doc->header.cupsPageSize[0] = 14400;
++  }
++  if (doc->header.cupsPageSize[1] > 14400) {
++    fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]);
++    doc->header.cupsPageSize[1] = 14400;
++  }
++
+   if (rotate == 90 || rotate == 270)
+   {
+     doc->header.cupsImagingBBox[0] =
diff -Nru libcupsfilters-2.0.0/debian/patches/series libcupsfilters-2.0.0/debian/patches/series
--- libcupsfilters-2.0.0/debian/patches/series	2024-09-26 21:45:05.000000000 +0000
+++ libcupsfilters-2.0.0/debian/patches/series	2025-11-20 09:45:05.000000000 +0000
@@ -1 +1,5 @@
 CVE-2024-47076.patch
+
+CVE-2025-57812.patch
+CVE-2025-64503.patch
+