{"id":"CVE-2025-57812","summary":"[BIGSLEEP-434612419] CUPS-Filters has heap-buffer-overflow write in `cfImageLut()`","details":"CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libscupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter has an out of bounds read/write vulnerability in the processing of TIFF image files.  While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3.  When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF() in libcupsfilters`. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa.","aliases":["GHSA-jpxg-qc2c-hgv4"],"modified":"2026-05-19T09:15:51.954699Z","published":"2025-11-12T18:46:52.801Z","related":["SUSE-SU-2025:4158-1","SUSE-SU-2025:4198-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"libcupsfilters \u003e= 2.0.0, \u003c 2.1.1"}],"source":"AFFECTED_FIELD"}],"cwe_ids":["CWE-125","CWE-787"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57812.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/11/12/1"},{"type":"WEB","url":"https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/cupsfilters/image-tiff.c#L34"},{"type":"WEB","url":"https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/filter/imagetoraster.c#L613"},{"type":"WEB","url":"https://github.com/OpenPrinting/libcupsfilters/blob/33421982e10f6a14bc0bab03b80c9cf4660e8d7d/cupsfilters/image-tiff.c#L32"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57812.json"},{"type":"ADVISORY","url":"https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57812"},{"type":"FIX","url":"https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openprinting/cups-filters","events":[{"introduced":"0"},{"fixed":"deceb54f7c6935683732de936364eb82c0d32dbb"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.28.17"}],"cpe":"cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["1.28.16","1.28.15","1.28.14","1.28.13","1.28.12","1.28.11","1.28.10","1.28.9","1.28.8","1.28.7","1.28.6","1.28.5","1.28.4","1.28.3","1.28.2","1.28.1","1.28.0","release-1-27-5","release-1-27-4","release-1-27-3","release-1-27-2","release-1-27-1","release-1-27-0","release-1-26-2","release-1-26-1","release-1-26-0","release-1-25-13","release-1-25-12","release-1-25-11","release-1-25-10","release-1-25-9","release-1-25-8","release-1-25-7","release-1-25-6","release-1-25-5","release-1-25-4","release-1-25-3","release-1-25-2","release-1-25-1","release-1-25-0","release-1-24-0","release-1-23-0","release-1-22-6","release-1-22-5","release-1-22-4","release-1-22-3","release-1-22-2","release-1-22-1","release-1-22-0","release-1-21-6","release-1-21-5","release-1-21-4","release-1-21-3","release-1-21-2","release-1-21-1","release-1-21-0","release-1-20-4","release-1-20-3","release-1-20-2","release-1-20-1","release-1-20-0","release-1-19-0","release-1-18-0","v1.17.9","release-1-17-9","release-1-17-8","release-1-17-7","release-1-17-6","release-1-17-5","release-1-17-4","release-1-17-3","release-1-17-2","release-1-17-1","release-1-17.0","release-1-16-4","release-1-16-3","release-1-16-2","release-1-16-1","release-1-16-0","release-1-15-0","release-1-14-1","release-1-14-0","release-1-13-5","release-1-13-4","release-1-13-3","release-1-13-2","release-1-13-1","release-1-13-0","release-1-12-0","release-1-11-6","release-1-11-5","release-1-11-4","release-1-11-3","release-1-11-2","release-1-11-1","release-1-11-0","release-1-10-0","release-1-9-0","release-1-8-3","release-1-8-2","release-1-8-1","release-1-8-0","release-1-7-0","release-1-6-0","release-1-5-0","release-1-4-0","release-1-3-0","release-1-2-0","release-1-1-0","release-1-0-76","release-1-0-75","release-1-0-74","release-1-0-73","release-1-0-72","release-1-0-71","release-1-0-70","release-1-0-69","release-1-0-68","release-1-0-67","release-1-0-66","release-1-0-65","release-1-0-63","release-1-0-62","release-1-0-61","release-1-0-60","release-1-0-59","release-1-0-58","release-1-0-57","release-1-0-56","release-1-0-55","release-1-0-54","release-1-0-53","release-1-0-52","release-1-0-51","release-1-0-50","release-1-0-49","release-1-0-48","release-1-0-47","release-1-0-46","release-1-0-45","release-1-0-44","release-1-0-43","release-1-0-42","release-1-0-41","release-1-0-40","release-1-0-39","release-1-0-38","release-1-0-37","release-1-0-36","release-1-0-35","release-1-0-34","release-1-0-33","release-1-0-32","release-1-0-31","release-1-0-30","release-1-0-29","release-1-0-28","release-1-0-27","release-1-0-26","release-1-0-25","release-1-0-24","release-1-0-23","release-1-0-22","release-1-0-21","release-1-0-20","release-1-0-19","release-1-0-18","release-1-0-17","release-1-0-16","release-1-0-15","release-1-0-14","release-1-0-13","release-1-0-12","release-1-0-11","release-1-0-10","release-1-0-9","release-1-0-8","release-1-0-7","release-1-0-6","release-1-0-5","release-1-0-4","release-1-0-3","release-1-0-2","release-1-0-1","release-1-0","release-1-0-b1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-57812.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/openprinting/libcupsfilters","events":[{"introduced":"a75f7e5acb22db5fa8c939889c31ae61c64ce7ad"},{"fixed":"fb2a4a25d90b05dd2b034af0589c13f5856532f2"},{"fixed":"b69dfacec7f176281782e2f7ac44f04bf9633cfa"}],"database_specific":{"extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.1.1"}],"cpe":"cpe:2.3:a:openprinting:libcupsfilters:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"]}}],"versions":["2.1.1","2.1.0","2.1b1","2.0.0"],"database_specific":{"vanir_signatures_modified":"2026-05-19T09:15:51Z","vanir_signatures":[{"deprecated":false,"source":"https://github.com/openprinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa","target":{"file":"cupsfilters/image-tiff.c","function":"_cfImageReadTIFF"},"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"42061243208070445012433084390695591297","length":28354},"id":"CVE-2025-57812-4b514f94"},{"deprecated":false,"source":"https://github.com/openprinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa","target":{"file":"cupsfilters/image-tiff.c"},"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["144092593580005849854924672436864359879","268467096553739066157191709429381230563","73408120116374618912511194460729732022","259688319932037534707326190093504878263","278637253073213825274842409204617117298","328876288284172116653315108458453719210","284318475568752388442543439574439151862","35793819940051320735723399004621636386","276274438708956468648106533399562029955","45298253840901734379500417749883328203","303718138438959447101012788654697268729","287523501029936878676155523795954706719","295531895687332224484492994010739423243","47766084698459693366748869305166719487","234595296254816083432546770438148117004","24016057993650718314721635921641132991","332908557626701948156169608162874374485","255283499068089034843772883205291415346","11202868597098166405204363879487117969","187934681950567824374783233702268724098"]},"id":"CVE-2025-57812-57828aab"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-57812.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}