| Name | CVE-2025-57812 |
| Description | CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libscupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter has an out of bounds read/write vulnerability in the processing of TIFF image files. While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF() in libcupsfilters`. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4380-1 |
| Debian Bugs | 1120703, 1120704 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cups-filters (PTS) | bullseye | 1.28.7-1+deb11u2 | vulnerable |
| bullseye (security) | 1.28.7-1+deb11u4 | fixed | |
| bookworm, bookworm (security) | 1.28.17-3+deb12u1 | vulnerable | |
| trixie | 1.28.17-6 | vulnerable | |
| forky, sid | 1.28.17-7 | fixed | |
| libcupsfilters (PTS) | trixie | 2.0.0-3 | vulnerable |
| forky, sid | 2.1.1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cups-filters | source | bullseye | 1.28.7-1+deb11u4 | DLA-4380-1 | ||
| cups-filters | source | (unstable) | 1.28.17-7 | 1120704 | ||
| libcupsfilters | source | (unstable) | 2.1.1-2 | 1120703 |
[trixie] - libcupsfilters <no-dsa> (Minor issue)
[trixie] - cups-filters <no-dsa> (Minor issue)
[bookworm] - cups-filters <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2025/11/12/1
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-rc6w-jmvv-v7gx
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-fmvr-45mx-43c6
Fixed by: https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa
Fixed by: https://github.com/OpenPrinting/cups-filters/commit/5122052dd8f06949242099401c59f6c3b14e61c3
Fixed by: https://github.com/OpenPrinting/cups-filters/commit/cb927006747b797aa9163cd0cbd41b9bbdf05db0
Fixed by: https://github.com/OpenPrinting/cups-filters/commit/719c557c9a29db32b855e6e108d7f4e7c5397613
Fixed by: https://github.com/OpenPrinting/cups-filters/commit/7bd588a1fc5c99ac0b1951beb1b54b438137a7b5
Fixed by: https://github.com/OpenPrinting/cups-filters/commit/5e5f1c5d46a043c57cbbe6e043aa95896d9c40fa