Amazon Linux 2 : cups-filters, --advisory ALAS2-2025-3082 (ALAS-2025-3082)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2025-3082.
##

include('compat.inc');

if (description)
{
  script_id(277743);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/26");

  script_cve_id("CVE-2025-57812", "CVE-2025-64503", "CVE-2025-64524");

  script_name(english:"Amazon Linux 2 : cups-filters, --advisory ALAS2-2025-3082 (ALAS-2025-3082)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of cups-filters installed on the remote host is prior to 1.0.35-26. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2025-3082 advisory.

    CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the
    filters of the former `cups-filters` package as library functions to be used for the data format
    conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and
    libscupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter has an out of bounds
    read/write vulnerability in the processing of TIFF image files.  While the pixel buffer is allocated with
    the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these
    pixels is called with a size of the number of pixels times 3.  When suitable inputs are passed, the bytes-
    per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger
    the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job
    options to control the bytes-per-pixel value of the output format. They must choose a printer
    configuration under which the `imagetoraster` filter or its C-function equivalent
    `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the
    successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is
    `_cfImageReadTIFF() in libcupsfilters`. When this function is invoked as part of
    `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds
    memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters
    repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`,
    which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit
    b69dfacec7f176281782e2f7ac44f04bf9633cfa. (CVE-2025-57812)

    cups-filters contains backends, filters, and other software required to get the cups printing service
    working on operating systems other than macos. In cups-filters prior to 1.28.18, by crafting a PDF file
    with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x's `pdftoraster` tool to write beyond
    the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to
    become large.  Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) /
    8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size.
    Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its
    buffer size (out of bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine`
    multiplication without overflow check, but the provided test case does not cause an overflow there,
    because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which
    is incorporated into cups-filters version 1.28.18. (CVE-2025-64503)

    cups-filters contains backends, filters, and other software required to get the cups printing service
    working on operating systems other than macos. In versions 2.0.1 and prior, a heap-buffer-overflow
    vulnerability in the rastertopclx filter causes the program to crash with a segmentation fault when
    processing maliciously crafted input data. This issue can be exploited to trigger memory corruption,
    potentially leading to arbitrary code execution. This issue has been patched via commit 956283c.
    (CVE-2025-64524)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2025-3082.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-57812.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-64503.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2025-64524.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update cups-filters' or
  or 'yum update --advisory ALAS2-2025-3082' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:H/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-57812");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cups-filters");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cups-filters-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cups-filters-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:cups-filters-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'cups-filters-1.0.35-26.amzn2.0.2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-1.0.35-26.amzn2.0.2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-1.0.35-26.amzn2.0.2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-debuginfo-1.0.35-26.amzn2.0.2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-debuginfo-1.0.35-26.amzn2.0.2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-debuginfo-1.0.35-26.amzn2.0.2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-devel-1.0.35-26.amzn2.0.2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-devel-1.0.35-26.amzn2.0.2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-devel-1.0.35-26.amzn2.0.2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-libs-1.0.35-26.amzn2.0.2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-libs-1.0.35-26.amzn2.0.2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'cups-filters-libs-1.0.35-26.amzn2.0.2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups-filters / cups-filters-debuginfo / cups-filters-devel / etc");
}