CVE-2025-57812

Source
https://cve.org/CVERecord?id=CVE-2025-57812
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57812.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-57812
Aliases
  • GHSA-jpxg-qc2c-hgv4
Downstream
Related
Published
2025-11-12T18:46:52.801Z
Modified
2026-07-15T01:49:19.557383056Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[BIGSLEEP-434612419] CUPS-Filters has heap-buffer-overflow write in `cfImageLut()`
Details

CUPS is a standards-based, open-source printing system, and libcupsfilters contains the code of the filters of the former cups-filters package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libscupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's imagetoraster filter has an out of bounds read/write vulnerability in the processing of TIFF image files. While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the imagetoraster filter or its C-function equivalent cfFilterImageToRaster() gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is _cfImageReadTIFF() in libcupsfilters. When this function is invoked as part of cfFilterImageToRaster(), the caller passes a look-up-table during whose processing the out of bounds memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in _cupsImageReadTIFF(), which is called through cupsImageOpen() from the imagetoraster tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57812.json",
    "cwe_ids": [
        "CWE-125",
        "CWE-787"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "libcupsfilters >= 2.0.0, < 2.1.1"
                },
                {
                    "last_affected": "libcupsfilters >= 2.0.0, < 2.1.1"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/openprinting/cups-filters

Affected ranges

Type
GIT
Repo
https://github.com/openprinting/cups-filters
Events
Database specific
{
    "cpe": "cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "cups-filters <= 1.28.17"
        },
        {
            "last_affected": "cups-filters <= 1.28.17"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.28.17"
        }
    ]
}
Type
GIT
Repo
https://github.com/openprinting/libcupsfilters
Events
Database specific
{
    "cpe": "cpe:2.3:a:openprinting:libcupsfilters:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.1"
        }
    ]
}

Affected versions

2.*
2.0.0
2.1.0
2.1.1
2.1b1
cups-filters <= 1.*
cups-filters <= 1.28.17

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57812.json"