======================================================================
X.Org Security Advisory: July 08, 2026

Issues in libXfont2 prior to 2.0.8
======================================================================

Multiple issues have been found in the libXfont2 library published by
X.Org for which we are releasing security fixes in libXfont2-2.0.8.

* CVE-2026-56001: BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow

   In libXfont2's BitmapScaleBitmaps() function, a 32-bit variable
   keeps the number of bytes to allocate. If the value overflows due to
   excessive per-glyph byte counts, the resulting calloc() allocates a buffer
   too small for the subsequent operations.
   
   An attacker can trigger this by loading a crafted PCF font via SetFontPath +
   OpenFont at a scale factor that inflates per-glyph byte counts.

   Fixed in: libXfont2-2.0.8
   Fix: 
https://gitlab.freedesktop.org/xorg/lib/libxfont/-/commit/be0b08e2d354138d3222b4490e2a77c6ee42f778
   Found by: Anonymous working with Trend Micro Zero Day Initiative.
             (ZDI-CAN-30558)

* CVE-2026-56002: PCF Font Parsing Heap Buffer Overflow

   In libXfont2's pcfReadFont() function, the repadded bitmap buffer
   is allocated using a bitmapSizes[] value read directly from the PCF
   file without cross-validation against per-glyph metrics. Writing to
   that array uses the per-glyph metrics from the file also without validation.

   A malicious PCF font can declare a tiny bitmapSizes[] value (e.g. 16
   bytes) for the server's glyph pad index and a per-glyph
   metrics that exceeds this size, causing a write past the end of the
   allocation with attacker-controlled content from the PCF BITMAPS payload. No
   rendering is needed -- the overflow occurs during font parsing itself.

   Fixed in: libXfont2-2.0.8
   Fix: 
https://gitlab.freedesktop.org/xorg/lib/libxfont/-/commit/b4389e0b1d84a690b819bb27b1439968811a3674
   Found by: Anonymous working with Trend Micro Zero Day Initiative.
             (ZDI-CAN-30559)

* CVE-2026-56003: computeProps Property Buffer Heap Buffer Overflow

   In libXfont2's ComputeScaledProperties() function, a fixed-size
   property buffer of 70 slots (1120 bytes) is allocated. The 
   source font properties then trigger a write of 1 slot per unscaled match or
   2 slots per scaledX/scaledY match, with no bounds check against the buffer
   capacity.

   The PCF parser does not deduplicate properties, so a malicious font
   can include arbitrarily many properties with the same name atom
   (e.g. 40 duplicate MIN_SPACE entries), exceeding the property buffer.

   Fixed in: libXfont2-2.0.8
   Fix: 
https://gitlab.freedesktop.org/xorg/lib/libxfont/-/commit/dff957a5158da038a282a59a31fe736702732939
   Found by: Anonymous working with Trend Micro Zero Day Initiative.
             (ZDI-CAN-30560)

Attachment: signature.asc
Description: PGP signature

Reply via email to