Your message dated Thu, 09 Jul 2026 18:34:01 +0000
with message-id <[email protected]>
and subject line Bug#1141702: fixed in libxfont 1:2.0.8-1
has caused the Debian Bug report #1141702,
regarding libxfont: CVE-2026-56001 CVE-2026-56002 CVE-2026-56003
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141702
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxfont
Version: 1:2.0.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libxfont.

CVE-2026-56001[0]:
| A heap buffer overflow in BitmapScaleBitmaps in libXfont2 before
| 2.0.8 due to an overflowing 32bit size could be used by attackers
| able to access the X Server to execute code within the X server cont


CVE-2026-56002[1]:
| A heap bufferflow in pcfReadFont() due to missing glyph bounds
| checking in libXfont2 before 2.0.8  allows attackers authenticated
| as X client to execute code within the X server.


CVE-2026-56003[2]:
| A heap buffer overflow due to missing size checking in the property
| buffer when parsing PCF files in libXfont2 ComputeScaledProperties()
| before libXfont2 before 2.0.8 could be used by attackers using
| authenticated X clients to execute code within the X server.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56001
    https://www.cve.org/CVERecord?id=CVE-2026-56001
[1] https://security-tracker.debian.org/tracker/CVE-2026-56002
    https://www.cve.org/CVERecord?id=CVE-2026-56002
[2] https://security-tracker.debian.org/tracker/CVE-2026-56003
    https://www.cve.org/CVERecord?id=CVE-2026-56003
[3] https://www.openwall.com/lists/oss-security/2026/07/08/1

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxfont
Source-Version: 1:2.0.8-1
Done: Timo Aaltonen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxfont, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated libxfont package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jul 2026 21:12:11 +0300
Source: libxfont
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 1:2.0.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 1141702
Changes:
 libxfont (1:2.0.8-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #1141702)
     - CVE-2026-56001
     - CVE-2026-56002
     - CVE-2026-56003
   * upstream: Add key from Peter Hutterer
Checksums-Sha1:
 16b038f06fff923d9c052fe71f1ad8778de3f1c3 2349 libxfont_2.0.8-1.dsc
 ff11100a6ed6cd1510a044457236667682bce2ac 677467 libxfont_2.0.8.orig.tar.gz
 7663fa64e1da790a70612c3e3a5d948c46b9698d 195 libxfont_2.0.8.orig.tar.gz.asc
 fe100a0f5ea8b142e530fc4e5399d420f3e7a9eb 44394 libxfont_2.0.8-1.diff.gz
 14c72117056adb604e03e5d3fec5145bb2402753 8365 libxfont_2.0.8-1_source.buildinfo
Checksums-Sha256:
 c0373b665b8729d4bd374c8c9b14a43d01c1b8661ff641ae6bf06b201868c3c8 2349 
libxfont_2.0.8-1.dsc
 a53d621b6ceb1dcbd05a0b9bd7f13c34efa40401cd5c05af904035c567a30f18 677467 
libxfont_2.0.8.orig.tar.gz
 389848ab99d7db649e28178851795336a8f8204f281a7456ec67917792c1dbce 195 
libxfont_2.0.8.orig.tar.gz.asc
 11bc77569a0c8aeb6ef798722d99e6d74e24312369d04c80cce10e397efc5080 44394 
libxfont_2.0.8-1.diff.gz
 9f62170970e753479ecffc5dd7bdc96518a95d1043ce2cf76e1a37bd6fd5f853 8365 
libxfont_2.0.8-1_source.buildinfo
Files:
 a4dfcbfb432bd4798140f8de955c13cd 2349 x11 optional libxfont_2.0.8-1.dsc
 4fc7930ddec112714b9879cabac58a74 677467 x11 optional libxfont_2.0.8.orig.tar.gz
 2e2df4d60878daeba4e57c9376846766 195 x11 optional 
libxfont_2.0.8.orig.tar.gz.asc
 6afe04fa58e0f7c86874de3324bf3583 44394 x11 optional libxfont_2.0.8-1.diff.gz
 ecc84c270343a997090e574b571cb6ba 8365 x11 optional 
libxfont_2.0.8-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmpP5IUACgkQy3AxZaiJ
hNwTfw/+Opq1mqpupFtrMmjC5kws2bLKuXE6aH3CSl5YpxMGPf/6gZ+enR5cyQbl
fSuljZyJJhOwuWJVjA/lRolSrRdy/+ytRs0veC2RvHhvFWMto3shLi+x/iNExD+d
KYyT8u/fy9mhVQ0zNN/XhtNosMMn2G1DEl60JucU1Zt6PC9e+UKprcCBc42M94JD
wSImJLe/dIwfsaLPPszF3HNSshiG0OBrOJ3/qo5jH1IlfHkMpVXQTNmaC9vcYrgu
l0EbSbkXkf3CGAT6rBXf3P8x70y36CbYW3yeTG2xj6f9WT57xmKmd1kqB1M2tucM
vUWoQ14Iey9a7FoK/nVSnJU8GxwWpTCLu8xbM9cF0I4ofw6YImhjF3ht6HLXdS8m
SPQ9N/90pWafEmFb1khc4RBmx8850fqi58ru5ms506nhKHOG6tmPzGtHKRqTCV1M
Utt87PBJZRwVmRD0UYUxWFYQOQj1GCkDqN2RJ8lTXqPyqduR/UC/BqTnp7o45kO1
YtYkioB0c7vHNRgoygc8dj8taBMkuO935dJSnCVz4FRv1CU4sG7pn22dfOglodYe
pTW5z0L39oOnlndGq3h6WUefYGigFEkT3fV3aJ2UKuaP7kludiuc3KtZEUt6Cua2
lt9/CmHtzPN5DMzEwgTnjFCIPutqAJPoHxvdF8aP0e1gNBvJ2XU=
=IE96
-----END PGP SIGNATURE-----

Attachment: pgp56BoNZ7FCu.pgp
Description: PGP signature


--- End Message ---

Reply via email to