Debian 10992 Published by

Debian Long Term Support released two security advisories, addressing critical flaws in Chromium and libxfont. The Chromium update patches 27 vulnerabilities that could allow attackers to run arbitrary code or leak sensitive data, urging Debian 12 users to upgrade to version 150.0.7871.114-1~deb12u1. The libxfont advisory targets three heap overflow flaws in its bitmap and PCF parser, which enable authenticated attackers to execute commands within the X server context, and resolves them in packages for both Debian 11 and Debian 12.

[DLA 4677-1] chromium security update
[DLA 4678-1] libxfont security update




[SECURITY] [DLA 4677-1] chromium security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4677-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
July 12, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : chromium
Version : 150.0.7871.114-1~deb12u1
CVE ID : CVE-2026-15107 CVE-2026-15108 CVE-2026-15109 CVE-2026-15110
CVE-2026-15111 CVE-2026-15112 CVE-2026-15113 CVE-2026-15114
CVE-2026-15115 CVE-2026-15116 CVE-2026-15117 CVE-2026-15118
CVE-2026-15119 CVE-2026-15120 CVE-2026-15121 CVE-2026-15122
CVE-2026-15123 CVE-2026-15124 CVE-2026-15125 CVE-2026-15126
CVE-2026-15127 CVE-2026-15128 CVE-2026-15129 CVE-2026-15130
CVE-2026-15131 CVE-2026-15132 CVE-2026-15133

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For Debian 12 bookworm, these problems have been fixed in version
150.0.7871.114-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4678-1] libxfont security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4678-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
July 12, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libxfont
Version : 1:2.0.4-1+deb11u1 1:2.0.6-1+deb12u1
CVE ID : CVE-2026-56001 CVE-2026-56002 CVE-2026-56003

A series of heap overflows in bitmap/PCF parser code could be used by
authenticated attackers to execute code in the X server context.

CVE-2026-56001

A heap buffer overflow in BitmapScaleBitmaps in due to an overflowing
32-bit size.

CVE-2026-56002

A heap bufferflow in pcfReadFont() due to missing glyph bounds
checking.

CVE-2026-56003

A heap buffer overflow due to missing size checking in the property
buffer when parsing PCF files in ComputeScaledProperties().

For Debian 11 bullseye, these problems have been fixed in version
1:2.0.4-1+deb11u1.

For Debian 12 bookworm, these problems have been fixed in version
1:2.0.6-1+deb12u1.

We recommend that you upgrade your libxfont packages.

For the detailed security status of libxfont please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxfont

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS