Your message dated Wed, 15 Jul 2026 12:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1141702: fixed in libxfont 1:2.0.6-1+deb13u1
has caused the Debian Bug report #1141702,
regarding libxfont: CVE-2026-56001 CVE-2026-56002 CVE-2026-56003
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141702
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxfont
Version: 1:2.0.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for libxfont.
CVE-2026-56001[0]:
| A heap buffer overflow in BitmapScaleBitmaps in libXfont2 before
| 2.0.8 due to an overflowing 32bit size could be used by attackers
| able to access the X Server to execute code within the X server cont
CVE-2026-56002[1]:
| A heap bufferflow in pcfReadFont() due to missing glyph bounds
| checking in libXfont2 before 2.0.8 allows attackers authenticated
| as X client to execute code within the X server.
CVE-2026-56003[2]:
| A heap buffer overflow due to missing size checking in the property
| buffer when parsing PCF files in libXfont2 ComputeScaledProperties()
| before libXfont2 before 2.0.8 could be used by attackers using
| authenticated X clients to execute code within the X server.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-56001
https://www.cve.org/CVERecord?id=CVE-2026-56001
[1] https://security-tracker.debian.org/tracker/CVE-2026-56002
https://www.cve.org/CVERecord?id=CVE-2026-56002
[2] https://security-tracker.debian.org/tracker/CVE-2026-56003
https://www.cve.org/CVERecord?id=CVE-2026-56003
[3] https://www.openwall.com/lists/oss-security/2026/07/08/1
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxfont
Source-Version: 1:2.0.6-1+deb13u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libxfont, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxfont package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 10 Jul 2026 14:32:27 +0200
Source: libxfont
Architecture: source
Version: 1:2.0.6-1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian X Strike Force <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1141702
Changes:
libxfont (1:2.0.6-1+deb13u1) trixie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* bitscale: fix integer overflow in BitmapScaleBitmaps bytestoalloc
(CVE-2026-56001) (Closes: #1141702)
* pcfread: validate bitmap sizes and offsets against per-glyph metrics
(CVE-2026-56002) (Closes: #1141702)
* bitscale: add bounds check to computeProps for property buffer
(CVE-2026-56003) (Closes: #1141702)
Checksums-Sha1:
36340833ad9b8be9db989076f454a42f45e57e09 2581 libxfont_2.0.6-1+deb13u1.dsc
75bfe18f3c528bfb0de0ec5d10594aa90d609aeb 635826 libxfont_2.0.6.orig.tar.gz
62797fc17e7ba3799a5bacf07d153d5ae65ccb82 801 libxfont_2.0.6.orig.tar.gz.asc
81931f26fffc9c3ac8b7769729ec37954987394b 38890 libxfont_2.0.6-1+deb13u1.diff.gz
0b56bb4c7c15dae227ea42fd31f38d01101bdc13 6431
libxfont_2.0.6-1+deb13u1_source.buildinfo
Checksums-Sha256:
25d131fff652df5f70d16da165ba7f79d360cb52ce5773faa07216036817e7c8 2581
libxfont_2.0.6-1+deb13u1.dsc
a944df7b6837c8fa2067f6a5fc25d89b0acc4011cd0bc085106a03557fb502fc 635826
libxfont_2.0.6.orig.tar.gz
debee1347d3e220968308a87155f7ea517d531a5298e668e54dfab9bf2813d1e 801
libxfont_2.0.6.orig.tar.gz.asc
ed42ef32c50c805cb420c9c96acc61af5ec297658d4e59735ab2e83b96243552 38890
libxfont_2.0.6-1+deb13u1.diff.gz
e18be910a922781865aac0ecc5f196370f9f99c78bd3b52fe9a8e680da33ec21 6431
libxfont_2.0.6-1+deb13u1_source.buildinfo
Files:
752cc5f67d38803a61a52ed4ed8afeb0 2581 x11 optional libxfont_2.0.6-1+deb13u1.dsc
f3dc322ffcf16db5cedccbb41423b2da 635826 x11 optional libxfont_2.0.6.orig.tar.gz
4942e38ca467c1801cfd7407e6687f21 801 x11 optional
libxfont_2.0.6.orig.tar.gz.asc
0857e14d77702a7208248c510628c7f2 38890 x11 optional
libxfont_2.0.6-1+deb13u1.diff.gz
7d61402d9ed50abd86c205490566569e 6431 x11 optional
libxfont_2.0.6-1+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmpT8WVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E+nIP/00kwzyvxaOddQk+3xba6Ov9NMdKBpK6
VTqOZF1y5AwwE4VBRCHHAXozbPWfHIX5Xy+2TCK0VMAUtujHqNqQeNXCyHsHsfMI
JjcYkC+1YllKbSLHft2DxCsMdUj/mWtseEfBHaCB6nULfRnlMwAAF6zruDGjN6+I
ImEasCmJyaxCe3ud5cy6cSXjjp7tHEfNOKLWOvFg098kHagfbDVLYUEelTnC2j66
vl9dhpTB9NBxjtcuXLdHpZwQJy0Kyl9KJrdO9VXcTqsk0quvmpEbuuy2WwSpLg3p
iP0wrgdCut2elR2VAajTK4UPaezqTkMJeM+YsIVQ9EVOlNjnX4r5dSNfOfwgtmKV
Mns4eds3Djln/oM1KcdnUHkHbqX4PJNwGWRX023muD0vg+yO+fv3RW1rsTU/QWYF
QyrTF0zQS5rNKuTJL42ZMz/B4ZveDPy7srmO48wkkaa7hZ/3QdDBlxw1CUXqKMGa
lolJ6bVz501i6yWNH2ooAQJqpisHUiGhPJzrNPa9F/Rg43751Y5yIznKg3MVkBft
LmIULz8V2vfJmpJuKuyFOBL5WFaS6WRSdPAcAD7jtDy/zXFwm464SugdTR8sQkvF
PRtWARRV4ChDgbttkX5sLKKERnjI+fOodTcxxN5nFGkagrsdgH7i22Ks5z88/CHl
h+YN9VgACQfy
=GMfo
-----END PGP SIGNATURE-----
pgpdFi60YqZNq.pgp
Description: PGP signature
--- End Message ---