Message-ID: <59bf2e19-e8b4-4277-a52e-11efa6c07af9@redhat.com>
Date: Thu, 20 Nov 2025 16:02:46 +0100
From: Zdenek Dohnal <zdohnal@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-64524 cups-filters: Heap Buffer Overflow in rastertopclx
 Filter Leading to Potential Arbitrary Code Execution

Hi all,

We have CVE-2025-64524 in the cups-filters project, regarding a heap buffer
overflow in rastertopclx, reported by frostb1ten.

Since the issue requires the user to have additional permissions to install a
printer with a PPD file calling the rastertopclx filter, and the filter is run
under the lp user, which does not have root permissions, the vulnerability is
rated Low with CVSS score 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

More details in the advisory: 
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq44-2q5p-x3hv

Commits with fixes in the project:

master: 
https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011

1.x: 
https://github.com/OpenPrinting/cups-filters/commit/b03866fd2e251a6d822a5e8c807c8d47b4d2dce2


Have a nice day!


Zdenek

-- 
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
