Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ak2ksdJ1BOEIQBCg@quokka>
Date: Wed, 8 Jul 2026 11:15:52 +1000
From: Peter Hutterer <peter.hutterer@...-t.net>
To: oss-security@...ts.openwall.com
Subject: FW: X.Org Security Advisory: multiple security issues in libXfont2

======================================================================
X.Org Security Advisory: July 08, 2026

Issues in libXfont2 prior to 2.0.8
======================================================================

Multiple issues have been found in the libXfont2 library published by
X.Org for which we are releasing security fixes in libXfont2-2.0.8.

* CVE-2026-56001: BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow

   In libXfont2's BitmapScaleBitmaps() function, a 32-bit variable
   keeps the number of bytes to allocate. If the value overflows due to
   excessive per-glyph byte counts, the resulting calloc() allocates a buffer
   too small for the subsequent operations.
   
   An attacker can trigger this by loading a crafted PCF font via SetFontPath +
   OpenFont at a scale factor that inflates per-glyph byte counts.

   Fixed in: libXfont2-2.0.8
   Fix: https://gitlab.freedesktop.org/xorg/lib/libxfont/-/commit/be0b08e2d354138d3222b4490e2a77c6ee42f778
   Found by: Anonymous working with Trend Micro Zero Day Initiative.
             (ZDI-CAN-30558)

* CVE-2026-56002: PCF Font Parsing Heap Buffer Overflow

   In libXfont2's pcfReadFont() function, the repadded bitmap buffer
   is allocated using a bitmapSizes[] value read directly from the PCF
   file without cross-validation against per-glyph metrics. Writing to
   that array uses the per-glyph metrics from the file also without validation.

   A malicious PCF font can declare a tiny bitmapSizes[] value (e.g. 16
   bytes) for the server's glyph pad index and a per-glyph
   metrics that exceeds this size, causing a write past the end of the
   allocation with attacker-controlled content from the PCF BITMAPS payload. No
   rendering is needed -- the overflow occurs during font parsing itself.

   Fixed in: libXfont2-2.0.8
   Fix: https://gitlab.freedesktop.org/xorg/lib/libxfont/-/commit/b4389e0b1d84a690b819bb27b1439968811a3674
   Found by: Anonymous working with Trend Micro Zero Day Initiative.
             (ZDI-CAN-30559)

* CVE-2026-56003: computeProps Property Buffer Heap Buffer Overflow

   In libXfont2's ComputeScaledProperties() function, a fixed-size
   property buffer of 70 slots (1120 bytes) is allocated. The 
   source font properties then trigger a write of 1 slot per unscaled match or
   2 slots per scaledX/scaledY match, with no bounds check against the buffer
   capacity.

   The PCF parser does not deduplicate properties, so a malicious font
   can include arbitrarily many properties with the same name atom
   (e.g. 40 duplicate MIN_SPACE entries), exceeding the property buffer.

   Fixed in: libXfont2-2.0.8
   Fix: https://gitlab.freedesktop.org/xorg/lib/libxfont/-/commit/dff957a5158da038a282a59a31fe736702732939
   Found by: Anonymous working with Trend Micro Zero Day Initiative.
             (ZDI-CAN-30560)


Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.