PublicDateAtUSN: 2014-05-13
Candidate: CVE-2014-0210
PublicDate: 2014-05-15 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210
 http://lists.x.org/archives/xorg-announce/2014-May/002431.html
 https://ubuntu.com/security/notices/USN-2211-1
Description:
 Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before
 1.4.99.901 allow remote font servers to execute arbitrary code via a
 crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2)
 fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5)
 fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function.
Ubuntu-Description:
Notes:
 mdeslaur> trusty and later are built with --disable-fc, so this shouldn't
 mdeslaur> be an issue. Adding patch anyway for completeness' sake.
Bugs:
Priority: medium
Discovered-by: Ilja van Sprundel
Assigned-to: mdeslaur
CVSS:

Patches_libxfont:
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=891e084b26837162b12f841060086a105edde86d
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=cbb64aef35960b2882be721f4b8fbaa0fb649d12
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=491291cabf78efdeec8f18b09e14726a9030cc8f
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=520683652564c2a4e42328ae23eef9bb63271565
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=5fa73ac18474be3032ee7af9c6e29deab163ea39
 upstream: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d338f81df1e188eb16e1d6aeea7f4800f89c1218
upstream_libxfont: released (1.4.8)
lucid_libxfont: released (1:1.4.1-1ubuntu0.3)
precise_libxfont: released (1:1.4.4-1ubuntu0.2)
quantal_libxfont: released (1:1.4.5-2ubuntu0.12.10.2)
saucy_libxfont: released (1:1.4.6-1ubuntu0.2)
trusty_libxfont: not-affected (1:1.4.7-1)
trusty/esm_libxfont: not-affected (1:1.4.7-1)
devel_libxfont: not-affected (1:1.4.7-1)