Fix: fix CVE-2025-57812 CVE-2025-64503 CVE-2025-64524

debian/changelog

@@ -1,3 +1,9 @@
+cups-filters (1.28.17-3.1~deepin4) unstable; urgency=medium
+
+  * fix CVE-2025-57812 CVE-2025-64503 CVE-2025-64524 
+
+ -- zengwei <[email protected]>  Wed, 24 Dec 2025 16:00:14 +0800
+
 cups-filters (1.28.17-3.1~deepin3) unstable; urgency=medium
 
   * Fix CVE-2024-47076.

debian/patches/CVE-2025-57812-1.patch

@@ -0,0 +1,23 @@
+From 5e5f1c5d46a043c57cbbe6e043aa95896d9c40fa Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 18:42:52 +0100
+Subject: [PATCH] Fix heap-buffer overflow write in cfImageLut
+
+1. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 5fe89071c..5eb29abc3 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -1469,7 +1469,7 @@ _cupsImageReadTIFF(
+ 	      }
+
+ 	      if (lut)
+-	        cupsImageLut(out, img->xsize * 3, lut);
++	        cupsImageLut(out, img->xsize * bpp, lut);
+
+               _cupsImagePutRow(img, 0, y, img->xsize, out);
+             }

debian/patches/CVE-2025-57812-2.patch

@@ -0,0 +1,30 @@
+From 7bd588a1fc5c99ac0b1951beb1b54b438137a7b5 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 18:44:59 +0100
+Subject: [PATCH] Reject color images with 1 bit per sample
+
+2. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 5eb29abc3..48fc8a28b 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -129,6 +129,15 @@ _cupsImageReadTIFF(
+   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
+     bits = 1;
+
++  if (bits == 1 && samples > 1)
++  {
++    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
++                    "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
++    TIFFClose(tif);
++    fclose(fp);
++    return (-1);
++  }
++
+  /*
+   * Get the image orientation...
+   */

debian/patches/CVE-2025-57812-3.patch

@@ -0,0 +1,39 @@
+From 719c557c9a29db32b855e6e108d7f4e7c5397613 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 18:46:10 +0100
+Subject: [PATCH] Reject images where the number of samples does not correspond
+ with the color space
+
+3. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 48fc8a28b..a207f7ce9 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -204,6 +204,23 @@ _cupsImageReadTIFF(
+   else
+     alpha = 0;
+
++ /*
++  * Check whether number of samples per pixel corresponds with color space
++  */
++
++  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
++      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
++  {
++    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
++                    "Color space: %s; Samples per pixel: %d\n",
++                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
++                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
++                    samples);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+  /*
+   * Check the size of the image...
+   */

debian/patches/CVE-2025-57812-4.patch

@@ -0,0 +1,38 @@
+From cb927006747b797aa9163cd0cbd41b9bbdf05db0 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 18:50:10 +0100
+Subject: [PATCH] Reject images with planar color configuration
+
+4. fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index a207f7ce9..04ec0719a 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -43,6 +43,7 @@ _cupsImageReadTIFF(
+   TIFF		*tif;			/* TIFF file */
+   uint32_t	width, height;		/* Size of image */
+   uint16_t	photometric,		/* Colorspace */
++    planar,         /* Color components in separate planes */
+ 		compression,		/* Type of compression */
+ 		orientation,		/* Orientation */
+ 		resunit,		/* Units for resolution */
+@@ -115,6 +116,15 @@ _cupsImageReadTIFF(
+     return (-1);
+   }
+
++  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
++      planar == PLANARCONFIG_SEPARATE)
++  {
++    fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (1);
++  }
++
+   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
+   {
+     fputs("DEBUG: No compression tag in the file!\n", stderr);

debian/patches/CVE-2025-57812-5.patch

@@ -0,0 +1,29 @@
+From 5122052dd8f06949242099401c59f6c3b14e61c3 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 18:57:07 +0100
+Subject: [PATCH] Reject images with vertical scanlines
+
+5.  fix for CVE-2025-57812
+---
+ cupsfilters/image-tiff.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
+index 04ec0719a..e9a78d3d5 100644
+--- a/cupsfilters/image-tiff.c
++++ b/cupsfilters/image-tiff.c
+@@ -303,6 +303,14 @@ _cupsImageReadTIFF(
+         break;
+   }
+
++  if (orientation >= ORIENTATION_LEFTTOP)
++  {
++    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
++    TIFFClose(tif);
++    fclose(fp);
++    return (-1);
++  }
++
+   switch (orientation)
+   {
+     case ORIENTATION_TOPRIGHT :

debian/patches/CVE-2025-64503.patch

@@ -0,0 +1,39 @@
+From 50d94ca0f2fa6177613c97c59791bde568631865 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter <[email protected]>
+Date: Mon, 10 Nov 2025 18:31:48 +0100
+Subject: [PATCH] Fix out-of-bounds write in pdftoraster
+
+PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.
+
+Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m
+
+https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+
+Fixes CVE-2025-64503
+---
+ filter/pdftoraster.cxx | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/filter/pdftoraster.cxx b/filter/pdftoraster.cxx
+index 7b3af924f..b64b34c62 100755
+--- a/filter/pdftoraster.cxx
++++ b/filter/pdftoraster.cxx
+@@ -1698,6 +1698,18 @@ static void outPage(poppler::document *doc, int pageNo,
+     header.PageSize[0] = (unsigned)l;
+   else
+     header.PageSize[1] = (unsigned)l;
++  /*
++    Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
++    https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
++  */
++  if (header.PageSize[0] > 14400) {
++    fprintf(stderr, "ERROR: Page width is %dpt, too large, cropping to 14400pt\n", header.PageSize[0]);
++    header.PageSize[0] = 14400;
++  }
++  if (header.PageSize[1] > 14400) {
++    fprintf(stderr, "ERROR: Page height is %dpt, too large, cropping to 14400pt\n", header.PageSize[1]);
++    header.PageSize[1] = 14400;
++  }
+
+   memset(paperdimensions, 0, sizeof(paperdimensions));
+   memset(margins, 0, sizeof(margins));

debian/patches/CVE-2025-64524.patch

@@ -0,0 +1,76 @@
+From b03866fd2e251a6d822a5e8c807c8d47b4d2dce2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <[email protected]>
+Date: Wed, 12 Nov 2025 16:02:20 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index 3e7c129da..1015308da 100644
+--- a/filter/rastertopclx.c
++++ b/filter/rastertopclx.c
+@@ -818,10 +818,10 @@ StartPage(ppd_file_t         *ppd,	/* I - PPD file */
+   }
+
+   if (header->cupsCompression)
+-    CompBuffer = malloc(DotBufferSize * 4);
++    CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+
+   if (header->cupsCompression >= 3)
+-    SeedBuffer = malloc(DotBufferSize);
++    SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+
+   SeedInvalid = 1;
+
+@@ -1152,6 +1152,13 @@ CompressData(unsigned char *line,	/* I - Data to compress */
+               seed ++;
+               count ++;
+             }
++
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
+ 	  }
+
+          /*
+@@ -1245,6 +1252,13 @@ CompressData(unsigned char *line,	/* I - Data to compress */
+
+             count = line_ptr - start;
+
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
++
+ #if 0
+             fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+ 	            offset, count, comp_ptr, comp_ptr - CompBuffer,
+@@ -1416,6 +1430,13 @@ CompressData(unsigned char *line,	/* I - Data to compress */
+
+             count = (line_ptr - start) / 3;
+
++	    //
++	    // Bail out if we don't have count to compress
++	    //
++
++	    if (count == 0)
++	      break;
++
+            /*
+             * Place mode 10 compression data in the buffer; each sequence
+ 	    * starts with a command byte that looks like:

debian/patches/series

@@ -3,3 +3,10 @@
 0003-fix-CVE-2023-24805.patch
 0004-fix-CVE-2024-47076.patch
 0005-fix-CVE-2024-47176.patch
+CVE-2025-64503.patch
+CVE-2025-64524.patch
+CVE-2025-57812-1.patch
+CVE-2025-57812-2.patch
+CVE-2025-57812-3.patch
+CVE-2025-57812-4.patch
+CVE-2025-57812-5.patch