Hi all,

we have embargoed CVE-2025-64524 in the cups-filters project regarding a heap buffer overflow in rastertopclx, reported by frostb1ten. Since the issue requires the user to have additional permissions to install a printer with a PPD file that calls the rastertopclx filter, and the filter runs as the lp user, which does not have root permissions, the vulnerability is rated Low with a CVSS score of 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

More details from the advisory:

Details

The vulnerability exists in the CompressData function of the rastertopclx filter, specifically at line 1474 in rastertopclx.c, where an unvalidated length parameter is used, leading to a write beyond allocated memory. The code in question:

```
1474     *comp_ptr++ = (offset << 3) | (count - 1);
```

This occurs in the following context, where comp_ptr is the pointer used for compressed data and can cause the write beyond the allocated buffer:

```
void CompressData(unsigned char *line, int length, int plane, int pend, int type)
{
  unsigned char *comp_ptr = CompBuffer;

  // ... compression logic ...

  *comp_ptr++ = (offset << 3) | (count - 1); // Vulnerable write
}
```

The malloc call in StartPage at line 828 allocates insufficient memory for the subsequent operations:

```
828     CompBuffer = malloc(DotBufferSize * 4);
```

As the buffer overflows, the AddressSanitizer output confirms the issue at this location:

```
==479967==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5140000001ec at pc 0x55cd75225cec bp 0x7ffe1bb7bba0 sp 0x7ffe1bb7bb90
WRITE of size 1 at 0x5140000001ec thread T0
    #0 0x55cd75225ceb in CompressData filter/rastertopclx.c:1474
```

Stack trace of the crash:

```
#0  CompressData (line=0x43d780 '\377' <repeats 107 times>, length=0x23, plane=0x0, pend=0x56, type=0xa) at filter/rastertopclx.c:1474
#1  0x0000000000407039 in OutputLine (ppd=0x0, header=0x7fffffffdc10) at filter/rastertopclx.c:1644
#2  0x0000000000407945 in main (argc=0x7, argv=0x7fffffffe498) at filter/rastertopclx.c:1959
```

PoC

To reproduce the issue:

1. Compile and run the CUPS filter (with or without ASAN).
2. Unzip the provided crash.zip and execute the following command with the crafted job:

```
/usr/lib/cups/filter/rastertopclx 1234 user "Test Print Job" 1 "option=value" ./crash
```

3. The program will crash with a segmentation fault due to the heap-buffer overflow.

The crafted input manipulates the length and other parameters to trigger the overflow in the CompressData function.

Impact

This is a heap-buffer-overflow vulnerability. An attacker with control over the input data sent to the CUPS server (e.g., through print job parameters) could exploit this flaw to corrupt memory, potentially leading to arbitrary code execution on the system running the vulnerable CUPS instance.

Exploitation via CUPS Web Interface

This vulnerability can be exploited remotely through CUPS on port 631 by adding a printer with a PPD file configured to use the vulnerable rastertopclx filter. Below are the steps to replicate the attack:

1. Add the Printer with a Custom PPD File: This step configures a printer named frost to use the specified PPD file (from exploit.zip), which points to the vulnerable rastertopclx filter. The command used:

```
lpadmin -p frost -E -v ipp://localhost/ -P ./exploit.ppd
```

This sets up the printer and enables it, using the PPD file that configures it to process jobs with rastertopclx.

2. Send the Malicious Print Job: After setting up the printer, you can send the crafted crash.zip as a print job to exploit the vulnerability:

```
lp -d frost -h localhost:631 ./crash
```

This command sends the crash file to the printer, causing rastertopclx to process the file and subsequently trigger the buffer overflow.

==================================================================================================

Proposed public date: November 20th 15:00 UTC

Proposed patches attached.
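For reference, the defensive pattern the quoted `*comp_ptr++` write is missing: an added, constructed example (not the cups-filters code and not the attached patches) of a delta-row encoder that emits command bytes of the same `(offset << 3) | (count - 1)` shape but checks every write against the output buffer's real capacity and sizes that buffer from a worst-case bound. The field widths, the row format and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example for this note, not the cups-filters source: a delta
 * row encoder emitting command bytes of the quoted shape,
 * (offset << 3) | (count - 1), followed by `count` replacement bytes. Every
 * write is checked against the output buffer's real capacity, the check
 * that the quoted `*comp_ptr++ = ...` lacks. */
#define OFF_MAX 31   /* 5-bit offset field (assumed width) */
#define CNT_MAX  8   /* 3-bit (count - 1) field: 1..8 data bytes */

/* Upper bound on output size: every command byte is followed by at least
 * one data byte, so output <= 2 * length. Size the buffer from this. */
size_t delta_worst_case(size_t length) { return 2 * length; }

/* Returns bytes written, or -1 if `out` (capacity `cap`) is too small. */
int delta_compress(const unsigned char *line, const unsigned char *prev,
                   size_t length, unsigned char *out, size_t cap)
{
    size_t pos = 0, len = 0;                /* pos: first unencoded byte */
    while (pos < length) {
        size_t start = pos;                 /* skip at most OFF_MAX matches */
        while (start < length && line[start] == prev[start] &&
               start - pos < OFF_MAX)
            start++;
        if (start == length) break;         /* tail of the row is unchanged */
        size_t end = start + 1;             /* first byte taken even if equal */
        while (end < length && end - start < CNT_MAX && line[end] != prev[end])
            end++;
        size_t offset = start - pos, count = end - start;
        if (len + 1 + count > cap) return -1;   /* would overflow: refuse */
        out[len++] = (unsigned char)((offset << 3) | (count - 1));
        memcpy(out + len, line + start, count);
        len += count;
        pos = end;
    }
    return (int)len;
}

/* Constructed sample: a 16-byte row differing from the previous one at
 * positions 2, 3 and 10. Expected encoding: 11 00 01 30 42 (5 bytes). */
int example_run(unsigned char *out, size_t cap)
{
    unsigned char prev[16], line[16];
    memset(prev, 0xFF, sizeof prev);
    memcpy(line, prev, sizeof line);
    line[2] = 0x00; line[3] = 0x01; line[10] = 0x42;
    return delta_compress(line, prev, sizeof line, out, cap);
}
```

With a 4-byte output buffer the encoder returns -1 before touching the fifth byte; with a buffer sized by delta_worst_case it always succeeds.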