Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libXfont2 for openSUSE:Factory 
checked in at 2026-07-09 22:18:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libXfont2 (Old)
 and      /work/SRC/openSUSE:Factory/.libXfont2.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libXfont2"

Thu Jul  9 22:18:21 2026 rev:9 rq:1364445 version:2.0.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/libXfont2/libXfont2.changes      2024-08-06 
09:07:34.923858316 +0200
+++ /work/SRC/openSUSE:Factory/.libXfont2.new.1991/libXfont2.changes    
2026-07-09 22:18:33.004432268 +0200
@@ -1,0 +2,10 @@
+Wed Jul  1 13:33:57 UTC 2026 - Stefan Dirsch <[email protected]>
+
+- 
bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch
+  * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, 
bsc#1269018)
+- 
bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch
+  * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019)
+- 
bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch
+  * computeProps Property Buffer Heap Buffer Overflow (CVE-2026-56003, 
bsc#1269020)
+
+-------------------------------------------------------------------

New:
----
  
bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch
  
bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch
  
bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch

----------(New B)----------
  New:
- 
bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch
  * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, 
bsc#1269018)
  New:  * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow 
(CVE-2026-56001, bsc#1269018)
- 
bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch
  * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019)
  New:  * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019)
- 
bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch
  * computeProps Property Buffer Heap Buffer Overflow (CVE-2026-56003, 
bsc#1269020)
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libXfont2.spec ++++++
--- /var/tmp/diff_new_pack.X3K3An/_old  2026-07-09 22:18:33.648454193 +0200
+++ /var/tmp/diff_new_pack.X3K3An/_new  2026-07-09 22:18:33.652454329 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libXfont2
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,9 @@
 #Git-Web:      http://cgit.freedesktop.org/xorg/lib/libXfont/
 Source:         %{name}-%{version}.tar.xz
 Source1:        baselibs.conf
+Patch1269018:   
bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch
+Patch1269019:   
bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch
+Patch1269020:   
bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:    autoconf >= 2.60, automake, libtool
 BuildRequires:  pkgconfig
@@ -81,7 +84,7 @@
 in %lname.
 
 %prep
-%setup -q
+%autosetup -p 1
 
 %build
 %configure --disable-static

++++++ 
bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch
 ++++++
@@ -, +, @@ 
 bytestoalloc
---
 src/bitmap/bitscale.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
--- a/src/bitmap/bitscale.c     
+++ a/src/bitmap/bitscale.c     
@@ -1456,7 +1456,7 @@ BitmapScaleBitmaps(FontPtr pf,          /* scaled font */
                opci;
     FontInfoPtr pfi;
     int         glyph;
-    unsigned    bytestoalloc = 0;
+    size_t      bytestoalloc = 0;
     int                firstCol, lastCol, firstRow, lastRow;
 
     double     xform[4], inv_xform[4];
@@ -1483,8 +1483,25 @@ BitmapScaleBitmaps(FontPtr pf,          /* scaled font */
     glyph = pf->glyph;
     for (i = 0; i < nchars; i++)
     {
-       if ((pci = ACCESSENCODING(bitmapFont->encoding, i)))
-           bytestoalloc += BYTES_FOR_GLYPH(pci, glyph);
+       if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) {
+           size_t glyphsize = BYTES_FOR_GLYPH(pci, glyph);
+           if (bytestoalloc > SIZE_MAX - glyphsize) {
+               fprintf(stderr,
+                       "Error: bitmap allocation overflow for scaled font\n");
+               goto bail;
+           }
+           bytestoalloc += glyphsize;
+       }
+    }
+
+    /* Reject unreasonably large bitmap allocations that could result
+     * from malicious fonts with extreme scale factors.  256 MiB is
+     * far beyond any legitimate scaled bitmap font. */
+#define BITMAP_SCALE_MAX_ALLOC (256 * 1024 * 1024)
+    if (bytestoalloc > BITMAP_SCALE_MAX_ALLOC) {
+       fprintf(stderr,
+               "Error: scaled bitmap size %zu exceeds limit\n", bytestoalloc);
+       goto bail;
     }
 
     /* Do we add the font malloc stuff for VALUE ADDED ? */
-- 

++++++ 
bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch
 ++++++
@@ -, +, @@ 
 per-glyph metrics
  Anonymous working with TrendAI Zero Day Initiative
---
 src/bitmap/pcfread.c | 59 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 56 insertions(+), 3 deletions(-)
--- a/src/bitmap/pcfread.c      
+++ a/src/bitmap/pcfread.c      
@@ -532,25 +532,74 @@ pcfReadFont(FontPtr pFont, FontFilePtr file,
        int         old,
                    new;
        xCharInfo  *metric;
+       int         srcPad = PCF_GLYPH_PAD(format);
 
-       sizepadbitmaps = bitmapSizes[PCF_SIZE_TO_INDEX(glyph)];
-       padbitmaps = malloc(sizepadbitmaps);
+       /* Compute the actual required size from per-glyph metrics instead
+        * of trusting the file's bitmapSizes[] value, which may be smaller
+        * than the actual data written by RepadBitmap. */
+       sizepadbitmaps = 0;
+       for (i = 0; i < nbitmaps; i++) {
+           int w, h, glyphBytes;
+           metric = &metrics[i].metrics;
+           w = metric->rightSideBearing - metric->leftSideBearing;
+           h = metric->ascent + metric->descent;
+           glyphBytes = BYTES_PER_ROW(w, glyph) * h;
+           if (glyphBytes < 0 || (glyphBytes > 0 && sizepadbitmaps > INT_MAX - 
glyphBytes)) {
+               pcfError("pcfReadFont(): bitmap size overflow\n");
+               goto Bail;
+           }
+           sizepadbitmaps += glyphBytes;
+       }
+       padbitmaps = malloc(sizepadbitmaps ? sizepadbitmaps : 1);
        if (!padbitmaps) {
           pcfError("pcfReadFont(): Couldn't allocate padbitmaps (%d)\n", 
sizepadbitmaps);
            goto Bail;
        }
        new = 0;
        for (i = 0; i < nbitmaps; i++) {
+           int srcGlyphBytes;
+
            old = offsets[i];
            metric = &metrics[i].metrics;
+
+           /* Validate source offset and source glyph size against the
+            * source bitmap buffer to prevent out-of-bounds reads. */
+           srcGlyphBytes = BYTES_PER_ROW(
+               metric->rightSideBearing - metric->leftSideBearing,
+               srcPad) * (metric->ascent + metric->descent);
+           if (old < 0 || old > sizebitmaps ||
+               srcGlyphBytes < 0 || srcGlyphBytes > sizebitmaps - old) {
+               pcfError("pcfReadFont(): bitmap offset/size out of bounds\n");
+               free(padbitmaps);
+               goto Bail;
+           }
+
            offsets[i] = new;
            new += RepadBitmap(bitmaps + old, padbitmaps + new,
-                              PCF_GLYPH_PAD(format), glyph,
+                              srcPad, glyph,
                          metric->rightSideBearing - metric->leftSideBearing,
                               metric->ascent + metric->descent);
        }
        free(bitmaps);
        bitmaps = padbitmaps;
+    } else {
+       /* Validate offsets and full glyph extents against bitmap buffer */
+       for (i = 0; i < nbitmaps; i++) {
+           int glyphBytes;
+           xCharInfo *metric = &metrics[i].metrics;
+
+           glyphBytes = BYTES_PER_ROW(
+               metric->rightSideBearing - metric->leftSideBearing,
+               glyph) * (metric->ascent + metric->descent);
+           if (offsets[i] >= (CARD32)sizebitmaps ||
+               glyphBytes < 0 ||
+               glyphBytes > sizebitmaps - (int)offsets[i]) {
+               pcfError("pcfReadFont(): bitmap offset/size out of bounds "
+                        "(offset %u, size %d, total %d)\n",
+                        offsets[i], glyphBytes, sizebitmaps);
+               goto Bail;
+           }
+       }
     }
     for (i = 0; i < nbitmaps; i++)
        metrics[i].bits = bitmaps + offsets[i];
@@ -625,6 +674,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr file,
        if (IS_EOF(file)) goto Bail;
        if (encodingOffset == 0xFFFF) {
            pFont->info.allExist = FALSE;
+       } else if (encodingOffset >= nmetrics) {
+           pcfError("pcfReadFont(): encoding offset %d out of range 
(nmetrics=%d)\n",
+                    encodingOffset, nmetrics);
+           goto Bail;
        } else {
             if(!encoding[SEGMENT_MAJOR(i)]) {
                 encoding[SEGMENT_MAJOR(i)]=
-- 

++++++ 
bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch
 ++++++
@@ -, +, @@ 
 property buffer
---
 src/bitmap/bitscale.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
--- a/src/bitmap/bitscale.c     
+++ a/src/bitmap/bitscale.c     
@@ -507,7 +507,8 @@ static int
 computeProps(FontPropPtr pf, char *wasStringProp,
             FontPropPtr npf, char *isStringProp,
             unsigned int nprops, double xfactor, double yfactor,
-            double sXfactor, double sYfactor)
+            double sXfactor, double sYfactor,
+            int maxprops)
 {
     int         n;
     int         count;
@@ -522,14 +523,26 @@ computeProps(FontPropPtr pf, char *wasStringProp,
 
        switch (t->type) {
        case scaledX:
-           npf->value = doround(xfactor * (double)pf->value);
-           rawfactor = sXfactor;
-           break;
        case scaledY:
-           npf->value = doround(yfactor * (double)pf->value);
-           rawfactor = sYfactor;
+           if (count + 2 > maxprops)
+               continue;
+           npf->value = (t->type == scaledX)
+               ? doround(xfactor * (double)pf->value)
+               : doround(yfactor * (double)pf->value);
+           rawfactor = (t->type == scaledX) ? sXfactor : sYfactor;
+           npf->name = pf->name;
+           npf++;
+           count++;
+           npf->value = doround(rawfactor * (double)pf->value);
+           npf->name = rawFontPropTable[t - fontPropTable].atom;
+           npf++;
+           count++;
+           *isStringProp++ = *wasStringProp;
+           *isStringProp++ = *wasStringProp;
            break;
        case unscaled:
+           if (count + 1 > maxprops)
+               continue;
            npf->value = pf->value;
            npf->name = pf->name;
            npf++;
@@ -539,18 +552,6 @@ computeProps(FontPropPtr pf, char *wasStringProp,
        default:
            break;
        }
-       if (t->type != unscaled)
-       {
-           npf->name = pf->name;
-           npf++;
-           count++;
-           npf->value = doround(rawfactor * (double)pf->value);
-           npf->name = rawFontPropTable[t - fontPropTable].atom;
-           npf++;
-           count++;
-           *isStringProp++ = *wasStringProp;
-           *isStringProp++ = *wasStringProp;
-       }
     }
     return count;
 }
@@ -667,7 +668,7 @@ ComputeScaledProperties(FontInfoPtr sourceFontInfo, /* the 
font to be scaled */
     n = NPROPS;
     n += computeProps(sourceFontInfo->props, sourceFontInfo->isStringProp,
                      fp, isStringProp, sourceFontInfo->nprops, dx, dy,
-                     sdx, sdy);
+                     sdx, sdy, nProps - NPROPS);
     return n;
 }
 
-- 

Reply via email to