Your message dated Thu, 09 Apr 2026 07:48:35 +0000
with message-id <[email protected]>
and subject line Bug#1130747: fixed in lexbor 3.0.0-1
has caused the Debian Bug report #1130747,
regarding lexbor: CVE-2026-29078 CVE-2026-29079
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130747
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lexbor
Version: 2.6.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for lexbor.

CVE-2026-29078[0]:
| Lexbor is a web browser engine library. Prior to 2.7.0, the
| ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size
| variable between iterations. The statement ctx->buffer_used -= size
| with a stale size = 3 causes an integer underflow that wraps to
| SIZE_MAX. Afterwards, memcpy is called with a negative length,
| leading to an out‑of‑bounds read from the stack and an out‑of‑bounds
| write to the heap. The source data is partially controllable via the
| contents of the DOM tree. This vulnerability is fixed in 2.7.0.


CVE-2026-29079[1]:
| Lexbor is a web browser engine library. Prior to 2.7.0, a
| type‑confusion vulnerability exists in Lexbor’s HTML fragment
| parser. When ns = UNDEF, a comment is created using the “unknown
| element” constructor. The comment’s data are written into the
| element’s fields via an unsafe cast, corrupting the qualified_name
| field. That corrupted value is later used as a pointer and
| dereferenced near the zero page. This vulnerability is fixed in
| 2.7.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-29078
    https://www.cve.org/CVERecord?id=CVE-2026-29078
    https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3
[1] https://security-tracker.debian.org/tracker/CVE-2026-29079
    https://www.cve.org/CVERecord?id=CVE-2026-29079
    https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8

Regards,
Salvatore

--- End Message ---
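The first CVE above describes a stale loop variable: a temporary `size` that is set on one iteration and reused on the next, so `buffer_used -= size` wraps around and a huge length reaches memcpy. The C below is an added illustration of that bug class and of the two-line fix (reset per iteration, guard the subtraction); it is not lexbor's code and does not reproduce its ISO-2022-JP encoder. The `enc_ctx_t` struct, the `ESC_SEQ_LEN` constant, the `SAMPLE_PENDING` iteration pattern and all function names are assumptions made for the example. In this model the wrapped value is `SIZE_MAX - 2` rather than the exact `SIZE_MAX` quoted in the advisory, because the toy state differs from the real encoder; the point is that the subtraction wraps at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX_BUFFER_CAP 8   /* assumed scratch capacity for this model */
#define ESC_SEQ_LEN    3   /* ISO-2022-JP escape sequences such as ESC $ B are 3 bytes */

/* Hypothetical encoder scratch context, NOT lexbor's struct: it only carries
 * the two fields the advisory text talks about. */
typedef struct {
    unsigned char buffer[CTX_BUFFER_CAP];
    size_t        buffer_used;
} enc_ctx_t;

/* Constructed input: iteration 0 buffers an escape sequence, iteration 1 does not. */
static const bool SAMPLE_PENDING[] = { true, false };
#define SAMPLE_N (sizeof SAMPLE_PENDING / sizeof SAMPLE_PENDING[0])

/* Vulnerable shape: `size` is declared once outside the loop and only assigned
 * when an escape sequence was buffered, so it is stale on the next iteration.
 * Returns the final buffer_used so the caller can see the wrap; the real code
 * would hand that value to memcpy, which this model deliberately never does. */
static size_t drain_stale_size(const bool *pending, size_t n)
{
    enc_ctx_t ctx = { .buffer_used = 0 };
    size_t size = 0;                         /* never reset per iteration */

    for (size_t i = 0; i < n; i++) {
        if (pending[i]) {
            memcpy(ctx.buffer, "\x1b$B", ESC_SEQ_LEN);
            ctx.buffer_used = ESC_SEQ_LEN;
            size = ESC_SEQ_LEN;
        }
        /* Bug: with nothing pending, size still holds 3 while buffer_used is 0,
         * so this unsigned subtraction wraps around instead of going negative. */
        ctx.buffer_used -= size;
    }
    return ctx.buffer_used;
}

/* Hardened shape: size is recomputed every iteration and the subtraction is
 * guarded. Returns buffer_used on success, or -1 if size > buffer_used would
 * have wrapped (defence in depth in case the reset is ever lost again). */
static long drain_checked(const bool *pending, size_t n)
{
    enc_ctx_t ctx = { .buffer_used = 0 };

    for (size_t i = 0; i < n; i++) {
        size_t size = 0;                     /* reset at the top of every iteration */
        if (pending[i]) {
            memcpy(ctx.buffer, "\x1b$B", ESC_SEQ_LEN);
            ctx.buffer_used = ESC_SEQ_LEN;
            size = ESC_SEQ_LEN;
        }
        if (size > ctx.buffer_used)
            return -1;                       /* refuse to wrap */
        ctx.buffer_used -= size;
    }
    return (long)ctx.buffer_used;
}

/* True if a length produced by the loop would keep memcpy inside the scratch
 * buffer; a wrapped size_t fails this check immediately. */
static bool copy_len_is_sane(size_t len)
{
    return len <= CTX_BUFFER_CAP;
}

int main(void)
{
    size_t stale = drain_stale_size(SAMPLE_PENDING, SAMPLE_N);
    printf("stale-size loop: buffer_used = %zu (SIZE_MAX - %zu), memcpy length sane? %s\n",
           stale, (size_t)(SIZE_MAX - stale), copy_len_is_sane(stale) ? "yes" : "no");

    long checked = drain_checked(SAMPLE_PENDING, SAMPLE_N);
    printf("checked loop:    buffer_used = %ld, memcpy length sane? %s\n",
           checked, (checked >= 0 && copy_len_is_sane((size_t)checked)) ? "yes" : "no");
    return 0;
}
```

Compiling with `-fsanitize=undefined` will not flag the first loop: unsigned wrap is defined behaviour in C, which is exactly why the length check before memcpy (or an explicit `size > buffer_used` guard) has to be written by hand rather than left to the sanitizer.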
--- Begin Message ---
Source: lexbor
Source-Version: 3.0.0-1
Done: Karsten Schöke <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lexbor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karsten Schöke <[email protected]> (supplier of updated lexbor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Apr 2026 09:11:00 +0200
Source: lexbor
Architecture: source
Version: 3.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Karsten Schöke <[email protected]>
Changed-By: Karsten Schöke <[email protected]>
Closes: 1130747
Changes:
 lexbor (3.0.0-1) unstable; urgency=medium
 .
   [ Carsten Schoenert ]
   * [0730de0] Update upstream source from tag 'upstream/3.0.0'
     (Closes: #1130747)
     Fixes CVE-2026-29078, CVE-2026-29079
 .
   [ Karsten Schöke ]
   * [85e0a1e] d/copyright: Adjustment to the current year
   * [cf2edc1] d/liblexbor-dev.install: .pc file is now delivered from upstream.
   * [37fbdb7] SONAME: Change from liblexbor2 to liblexbor3
   * [608c010] d/control: Bump Standards-Version to 4.7.4
     No further changes needed.
   * [197f0fb] d/liblexbor3.lintian-override: Ignore one warning
Checksums-Sha1:
 589ddb940b4f90c00b3dd7f4c15d3229556141e0 1960 lexbor_3.0.0-1.dsc
 cd37796d4b7afeac524600289dbdb0fc9774450f 5586367 lexbor_3.0.0.orig.tar.gz
 176fa5282315d73172b9f4e3db1ab4f24ceeb2ca 14660 lexbor_3.0.0-1.debian.tar.xz
 7fc78d6aa10ad7524ab389569ba12542a3b8deb3 7092 lexbor_3.0.0-1_amd64.buildinfo
Checksums-Sha256:
 637b94af75a7362a9fff9e9de930d9d1b40f4eff83b50faae1754db5b0e8b86d 1960 lexbor_3.0.0-1.dsc
 6c10e42eff581a7996ac91764a394f2375f1dae8a583634169343725e29fa770 5586367 lexbor_3.0.0.orig.tar.gz
 1632947b21d0797757baa729b15ade4485ece504cd44ecf003b4b161c4df3827 14660 lexbor_3.0.0-1.debian.tar.xz
 0ae1e4d4825bdcd3013d3c1206dca85a5efa8e6394f59f63f985475cc655b36f 7092 lexbor_3.0.0-1_amd64.buildinfo
Files:
 3a6c27e21c58b393d4bef8557813c931 1960 libs optional lexbor_3.0.0-1.dsc
 b72d04015e6633fe2c16727668460f98 5586367 libs optional lexbor_3.0.0.orig.tar.gz
 828b990f5d446fa6acd75e1f03344803 14660 libs optional lexbor_3.0.0-1.debian.tar.xz
 1ffce29f38202df2f0d392b3fe11960c 7092 libs optional lexbor_3.0.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpmKLthfjJac.pgp
Description: PGP signature


--- End Message ---