DEBIAN-CVE-2025-64503
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x’s `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out of bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without overflow check, but the provided test case does not cause an overflow there, because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | cups-filters | 0, 1.28.17-6, 0 |
| Debian:11 | cups-filters | 1.28.7-1, 1.28.7-1, 0 |
| Debian:13 | cups-filters | 1.28.17-6, 0, 1.28.17-6 |
| Debian:13 | libcupsfilters | 0, 2.0.0-3, 0 |
| Debian:12 | cups-filters | 0, 1.28.17-3, 1.28.17-3+deb12u1 |
| Debian:14 | libcupsfilters | 0, 2.1.1-1, 2.0.0-3 |
Timeline
- Nov 12, 2025 CVE Published
- Apr 28, 2026 CVE Updated