Change logs for libxfont source package in Trusty

  • libxfont (1:1.4.7-1ubuntu0.4) trusty-security; urgency=medium
    
      * SECURITY UPDATE: non-privileged arbitrary file access
        - debian/patches/CVE-2017-16611-pre.patch: set close-on-exec for font
          file I/O in src/fontfile/fileio.c, src/fontfile/filewr.c.
        - debian/patches/CVE-2017-16611.patch: open files with O_NOFOLLOW in
          src/fontfile/dirfile.c, src/fontfile/fileio.c.
        - CVE-2017-16611
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Nov 2017 09:48:10 -0500
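As an added illustration of the two mitigations this entry names, the helper below opens a font file with O_NOFOLLOW (refuse a symlink at the final path component) and O_CLOEXEC (do not leak the descriptor across exec), then verifies both effects on a constructed regular file and symlink in a temporary directory. This is example code written here, not libXfont's own code or the contents of the patches; the function names, the temporary directory and the sample file names are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open a font file for reading with the two flags the changelog describes:
 * O_NOFOLLOW makes open() fail with ELOOP if the last path component is a
 * symlink, and O_CLOEXEC sets close-on-exec atomically so a later exec()
 * cannot inherit the descriptor. Returns an fd, or -1 with errno set.
 * (Hypothetical helper name; libXfont's own functions differ.) */
int open_font_file(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Return 1 if the descriptor carries FD_CLOEXEC, 0 if not, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Self-check on constructed files: a regular file must open with a
 * close-on-exec descriptor, and a symlink to it must be refused with ELOOP.
 * Returns 1 when both properties hold, 0 otherwise. */
int demo_nofollow_cloexec(void)
{
    char dir[] = "/tmp/fontdemoXXXXXX";   /* constructed scratch directory */
    char regular[256], lnk[256];
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(regular, sizeof regular, "%s/regular.pcf", dir);
    snprintf(lnk, sizeof lnk, "%s/link.pcf", dir);

    fd = open(regular, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        goto cleanup;
    close(fd);
    if (symlink(regular, lnk) != 0)
        goto cleanup;

    /* Regular file: opens, and the descriptor is close-on-exec. */
    fd = open_font_file(regular);
    if (fd < 0)
        goto cleanup;
    if (fd_is_cloexec(fd) != 1) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    /* Symlink: O_NOFOLLOW turns the open into an ELOOP failure. */
    fd = open_font_file(lnk);
    if (fd >= 0) {
        close(fd);
        goto cleanup;
    }
    if (errno != ELOOP)
        goto cleanup;
    ok = 1;

cleanup:
    unlink(lnk);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("nofollow+cloexec check: %s\n",
           demo_nofollow_cloexec() ? "ok" : "FAILED");
    return 0;
}
```

Passing both flags in the single open() call matters: setting FD_CLOEXEC afterwards with fcntl() leaves a window in which another thread can fork and exec with the descriptor still open, and a separate lstat() before open() can be raced by swapping the path for a symlink in between.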
  • libxfont (1:1.4.7-1ubuntu0.3) trusty-security; urgency=medium
    
      * SECURITY UPDATE: invalid memory read in PatternMatch
        - debian/patches/CVE-2017-13720.patch: check for end of string in
          src/fontfile/fontdir.c.
        - CVE-2017-13720
      * SECURITY UPDATE: DoS or info leak via malformed PCF file
        - debian/patches/CVE-2017-13722.patch: check string boundaries in
          src/bitmap/pcfread.c.
        - CVE-2017-13722
    
     -- Marc Deslauriers <email address hidden>  Fri, 06 Oct 2017 11:45:05 -0400
  • libxfont (1:1.4.7-1ubuntu0.2) trusty-security; urgency=medium
    
      * SECURITY UPDATE: arbitrary code execution via invalid property count
        - debian/patches/CVE-2015-1802.patch: check for integer overflow in
          src/bitmap/bdfread.c.
        - CVE-2015-1802
      * SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
        - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
          in src/bitmap/bdfread.c.
        - CVE-2015-1803
      * SECURITY UPDATE: arbitrary code execution via invalid metrics
        - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
          src/bitmap/bdfread.c.
        - CVE-2015-1804
      * Backport some commits from git to solve ftbfs with newer fontsproto:
        - debian/patches/ftbfs-new-fontsproto.patch
        - debian/patches/ftbfs-new-fontsproto-2.patch
     -- Marc Deslauriers <email address hidden>   Wed, 18 Mar 2015 07:32:09 -0400
  • libxfont (1:1.4.7-1ubuntu0.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and possible code execution via
        font metadata file parsing
        - debian/patches/CVE-2014-0209.patch: check for overflows in
          src/fontfile/dirfile.c, src/fontfile/fontdir.c.
        - CVE-2014-0209
      * SECURITY UPDATE: denial of service and possible code execution via
        xfs font server replies
        - debian/patches/CVE-2014-021x.patch: check lengths and sizes in
          src/fc/fsconvert.c, src/fc/fserve.c.
        - CVE-2014-0210
        - CVE-2014-0211
     -- Marc Deslauriers <email address hidden>   Tue, 13 May 2014 11:57:20 -0400
  • libxfont (1:1.4.7-1) unstable; urgency=high
    
    
      * New upstream release
        + CVE-2013-6462: unlimited sscanf overflows stack buffer in
          bdfReadCharacters()
      * Don't put dbg symbols from the udeb in the dbg package.
      * dev package is no longer Multi-Arch: same (closes: #720026).
      * Disable support for connecting to a font server.  That code is horrible and
        full of holes.
    
     -- Julien Cristau <email address hidden>  Tue, 07 Jan 2014 17:51:29 +0100
  • libxfont (1:1.4.6-1ubuntu1) trusty; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        stack overflow
        - debian/patches/CVE-2013-6462.patch: limit sscanf field in
          src/bitmap/bdfread.c.
        - CVE-2013-6462
     -- Marc Deslauriers <email address hidden>   Tue, 07 Jan 2014 13:43:15 -0500
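The two CVE-2013-6462 entries above (the upstream 1.4.7 note and the Ubuntu patch) describe the same fix: giving sscanf a field width so that an over-long name on a BDF STARTCHAR line cannot overrun a fixed-size stack buffer. The following is an added example written here to show that pattern; it is not libXfont's bdfReadCharacters() code, and the buffer size, macro names and sample lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer geometry: the field width is the buffer size minus one,
 * leaving room for the terminating NUL that sscanf always appends. */
#define CHAR_NAME_WIDTH 99
#define CHAR_NAME_SIZE (CHAR_NAME_WIDTH + 1)

/* Stringize the width so it can be spliced into the format string at compile
 * time: STR(CHAR_NAME_WIDTH) expands to "99". Keeping the width derived from
 * one macro avoids the buffer and the format silently drifting apart. */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Vulnerable pattern (illustration of the bug class, not libXfont's code):
 *
 *     char name[CHAR_NAME_SIZE];
 *     sscanf(line, "STARTCHAR %s", name);   // no width: writes past name[]
 *
 * An unbounded %s stores as many bytes as the input line supplies, so a
 * crafted font file controls how far the write runs past the buffer. */

/* Hardened version: "%99s" stops sscanf after 99 characters regardless of
 * how long the token in the line is. Returns 1 if a STARTCHAR line with a
 * name was parsed, 0 otherwise (name[] is always NUL-terminated on return). */
int parse_startchar(const char *line, char name[CHAR_NAME_SIZE])
{
    name[0] = '\0';
    return sscanf(line, "STARTCHAR %" STR(CHAR_NAME_WIDTH) "s", name) == 1;
}

/* Build a constructed STARTCHAR line whose name is name_len 'A' characters,
 * parse it, and return how many characters were actually stored. This makes
 * the cap observable: the result never exceeds CHAR_NAME_WIDTH. */
size_t stored_name_length(size_t name_len)
{
    char line[4096];
    char name[CHAR_NAME_SIZE];
    size_t n = name_len < sizeof line - 16 ? name_len : sizeof line - 16;

    memcpy(line, "STARTCHAR ", 10);
    memset(line + 10, 'A', n);
    line[10 + n] = '\0';
    if (!parse_startchar(line, name))
        return 0;
    return strlen(name);
}

int main(void)
{
    char name[CHAR_NAME_SIZE];

    parse_startchar("STARTCHAR glyph_a", name);
    printf("parsed name: %s\n", name);
    printf("stored length for a 2000-char name: %zu\n",
           stored_name_length(2000));
    return 0;
}
```

Note that the width only bounds the write; a name longer than the width is silently truncated rather than rejected, so a parser that needs the full token should check for leftover characters after the conversion and treat the line as malformed.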
  • libxfont (1:1.4.6-1) unstable; urgency=low
    
    
      * New upstream release.
      * Build for multiarch (closes: #654252).  Patch by Riku Voipio, thanks!
      * Disable silent build rules.
    
     -- Julien Cristau <email address hidden>  Mon, 12 Aug 2013 18:28:57 +0200