Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libXfont2 for openSUSE:Factory checked in at 2026-07-09 22:18:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXfont2 (Old) and /work/SRC/openSUSE:Factory/.libXfont2.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfont2" Thu Jul 9 22:18:21 2026 rev:9 rq:1364445 version:2.0.7 Changes: -------- --- /work/SRC/openSUSE:Factory/libXfont2/libXfont2.changes 2024-08-06 09:07:34.923858316 +0200 +++ /work/SRC/openSUSE:Factory/.libXfont2.new.1991/libXfont2.changes 2026-07-09 22:18:33.004432268 +0200 @@ -1,0 +2,10 @@ +Wed Jul 1 13:33:57 UTC 2026 - Stefan Dirsch <[email protected]> + +- bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch + * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, bsc#1269018) +- bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch + * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019) +- bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch + * computeProps Property Buffer Heap Buffer Overflow (CVE-2026-56003, bsc#1269020) + +------------------------------------------------------------------- New: ---- bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch ----------(New B)---------- New: - bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, bsc#1269018) New: * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, bsc#1269018) - bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019) New: * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019) - bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch * computeProps Property Buffer Heap Buffer Overflow (CVE-2026-56003, bsc#1269020) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXfont2.spec ++++++ --- /var/tmp/diff_new_pack.X3K3An/_old 2026-07-09 22:18:33.648454193 +0200 +++ /var/tmp/diff_new_pack.X3K3An/_new 2026-07-09 22:18:33.652454329 +0200 @@ -1,7 +1,7 @@ # # spec file for package libXfont2 # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,9 @@ #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXfont/ Source: %{name}-%{version}.tar.xz Source1: baselibs.conf +Patch1269018: bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch +Patch1269019: bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch +Patch1269020: bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #git#BuildRequires: autoconf >= 2.60, automake, libtool BuildRequires: pkgconfig @@ -81,7 +84,7 @@ in %lname. %prep -%setup -q +%autosetup -p 1 %build %configure --disable-static ++++++ bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch ++++++ @@ -, +, @@ bytestoalloc --- src/bitmap/bitscale.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) --- a/src/bitmap/bitscale.c +++ a/src/bitmap/bitscale.c @@ -1456,7 +1456,7 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */ opci; FontInfoPtr pfi; int glyph; - unsigned bytestoalloc = 0; + size_t bytestoalloc = 0; int firstCol, lastCol, firstRow, lastRow; double xform[4], inv_xform[4]; @@ -1483,8 +1483,25 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */ glyph = pf->glyph; for (i = 0; i < nchars; i++) { - if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) - bytestoalloc += BYTES_FOR_GLYPH(pci, glyph); + if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) { + size_t glyphsize = BYTES_FOR_GLYPH(pci, glyph); + if (bytestoalloc > SIZE_MAX - glyphsize) { + fprintf(stderr, + "Error: bitmap allocation overflow for scaled font\n"); + goto bail; + } + bytestoalloc += glyphsize; + } + } + + /* Reject unreasonably large bitmap allocations that could result + * from malicious fonts with extreme scale factors. 256 MiB is + * far beyond any legitimate scaled bitmap font. */ +#define BITMAP_SCALE_MAX_ALLOC (256 * 1024 * 1024) + if (bytestoalloc > BITMAP_SCALE_MAX_ALLOC) { + fprintf(stderr, + "Error: scaled bitmap size %zu exceeds limit\n", bytestoalloc); + goto bail; } /* Do we add the font malloc stuff for VALUE ADDED ? */ -- ++++++ bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch ++++++ @@ -, +, @@ per-glyph metrics Anonymous working with TrendAI Zero Day Initiative --- src/bitmap/pcfread.c | 59 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 3 deletions(-) --- a/src/bitmap/pcfread.c +++ a/src/bitmap/pcfread.c @@ -532,25 +532,74 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, int old, new; xCharInfo *metric; + int srcPad = PCF_GLYPH_PAD(format); - sizepadbitmaps = bitmapSizes[PCF_SIZE_TO_INDEX(glyph)]; - padbitmaps = malloc(sizepadbitmaps); + /* Compute the actual required size from per-glyph metrics instead + * of trusting the file's bitmapSizes[] value, which may be smaller + * than the actual data written by RepadBitmap. */ + sizepadbitmaps = 0; + for (i = 0; i < nbitmaps; i++) { + int w, h, glyphBytes; + metric = &metrics[i].metrics; + w = metric->rightSideBearing - metric->leftSideBearing; + h = metric->ascent + metric->descent; + glyphBytes = BYTES_PER_ROW(w, glyph) * h; + if (glyphBytes < 0 || (glyphBytes > 0 && sizepadbitmaps > INT_MAX - glyphBytes)) { + pcfError("pcfReadFont(): bitmap size overflow\n"); + goto Bail; + } + sizepadbitmaps += glyphBytes; + } + padbitmaps = malloc(sizepadbitmaps ? sizepadbitmaps : 1); if (!padbitmaps) { pcfError("pcfReadFont(): Couldn't allocate padbitmaps (%d)\n", sizepadbitmaps); goto Bail; } new = 0; for (i = 0; i < nbitmaps; i++) { + int srcGlyphBytes; + old = offsets[i]; metric = &metrics[i].metrics; + + /* Validate source offset and source glyph size against the + * source bitmap buffer to prevent out-of-bounds reads. */ + srcGlyphBytes = BYTES_PER_ROW( + metric->rightSideBearing - metric->leftSideBearing, + srcPad) * (metric->ascent + metric->descent); + if (old < 0 || old > sizebitmaps || + srcGlyphBytes < 0 || srcGlyphBytes > sizebitmaps - old) { + pcfError("pcfReadFont(): bitmap offset/size out of bounds\n"); + free(padbitmaps); + goto Bail; + } + offsets[i] = new; new += RepadBitmap(bitmaps + old, padbitmaps + new, - PCF_GLYPH_PAD(format), glyph, + srcPad, glyph, metric->rightSideBearing - metric->leftSideBearing, metric->ascent + metric->descent); } free(bitmaps); bitmaps = padbitmaps; + } else { + /* Validate offsets and full glyph extents against bitmap buffer */ + for (i = 0; i < nbitmaps; i++) { + int glyphBytes; + xCharInfo *metric = &metrics[i].metrics; + + glyphBytes = BYTES_PER_ROW( + metric->rightSideBearing - metric->leftSideBearing, + glyph) * (metric->ascent + metric->descent); + if (offsets[i] >= (CARD32)sizebitmaps || + glyphBytes < 0 || + glyphBytes > sizebitmaps - (int)offsets[i]) { + pcfError("pcfReadFont(): bitmap offset/size out of bounds " + "(offset %u, size %d, total %d)\n", + offsets[i], glyphBytes, sizebitmaps); + goto Bail; + } + } } for (i = 0; i < nbitmaps; i++) metrics[i].bits = bitmaps + offsets[i]; @@ -625,6 +674,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, if (IS_EOF(file)) goto Bail; if (encodingOffset == 0xFFFF) { pFont->info.allExist = FALSE; + } else if (encodingOffset >= nmetrics) { + pcfError("pcfReadFont(): encoding offset %d out of range (nmetrics=%d)\n", + encodingOffset, nmetrics); + goto Bail; } else { if(!encoding[SEGMENT_MAJOR(i)]) { encoding[SEGMENT_MAJOR(i)]= -- ++++++ bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch ++++++ @@ -, +, @@ property buffer --- src/bitmap/bitscale.c | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) --- a/src/bitmap/bitscale.c +++ a/src/bitmap/bitscale.c @@ -507,7 +507,8 @@ static int computeProps(FontPropPtr pf, char *wasStringProp, FontPropPtr npf, char *isStringProp, unsigned int nprops, double xfactor, double yfactor, - double sXfactor, double sYfactor) + double sXfactor, double sYfactor, + int maxprops) { int n; int count; @@ -522,14 +523,26 @@ computeProps(FontPropPtr pf, char *wasStringProp, switch (t->type) { case scaledX: - npf->value = doround(xfactor * (double)pf->value); - rawfactor = sXfactor; - break; case scaledY: - npf->value = doround(yfactor * (double)pf->value); - rawfactor = sYfactor; + if (count + 2 > maxprops) + continue; + npf->value = (t->type == scaledX) + ? doround(xfactor * (double)pf->value) + : doround(yfactor * (double)pf->value); + rawfactor = (t->type == scaledX) ? sXfactor : sYfactor; + npf->name = pf->name; + npf++; + count++; + npf->value = doround(rawfactor * (double)pf->value); + npf->name = rawFontPropTable[t - fontPropTable].atom; + npf++; + count++; + *isStringProp++ = *wasStringProp; + *isStringProp++ = *wasStringProp; break; case unscaled: + if (count + 1 > maxprops) + continue; npf->value = pf->value; npf->name = pf->name; npf++; @@ -539,18 +552,6 @@ computeProps(FontPropPtr pf, char *wasStringProp, default: break; } - if (t->type != unscaled) - { - npf->name = pf->name; - npf++; - count++; - npf->value = doround(rawfactor * (double)pf->value); - npf->name = rawFontPropTable[t - fontPropTable].atom; - npf++; - count++; - *isStringProp++ = *wasStringProp; - *isStringProp++ = *wasStringProp; - } } return count; } @@ -667,7 +668,7 @@ ComputeScaledProperties(FontInfoPtr sourceFontInfo, /* the font to be scaled */ n = NPROPS; n += computeProps(sourceFontInfo->props, sourceFontInfo->isStringProp, fp, isStringProp, sourceFontInfo->nprops, dx, dy, - sdx, sdy); + sdx, sdy, nProps - NPROPS); return n; } --
