libXfont provides the core of the legacy X11 font system, handling the
index files (fonts.dir, fonts.alias, fonts.scale), the various font file
formats, and rasterizing them. It is used by the X servers, the X Font
Server (xfs), and some font utilities (bdftopcf for instance), but should
not be used by normal X11 clients. X11 clients access fonts via either
the new APIs in libXft, or the legacy APIs in libX11.

This release is overflowing with security fixes and code cleanups,
including the fixes for CVE-2014-0209, CVE-2014-0210, & CVE-2014-0211
for the security advisory published earlier this week:
http://lists.x.org/archives/xorg-announce/2014-May/002431.html

This release works with fontsproto 2.1.2 or earlier and is for use with
the existing stable releases of xorg-server - 1.15 & earlier.

libXfont 1.5 will be released later this year to support fontsproto 2.1.3
and xorg-server 1.16. It will also change the compile time defaults to
stop building SNF font format support by default, taking the next step in
the deprecation of this file format that was used prior to X11R5, and has
been on the way out since 1991. In the unlikely event that you still need
to support old SNF format fonts, get in the habit of adding
--enable-snfformat to your configure flags when building.

Alan Coopersmith (24):
      Fix unused variable 'dir' warnings
      Remove redundant declaration of FontFileStartListFonts()
      Initialize (unused) data field in fsListCataloguesReq before sending it.
      Remove redundant setting of 'len' in SPropRecValList_add_by_font_cap
      Correct comment in configure.ac about scalable font support
      Add notes to README about various font formats & configure options
      Add note to README declaring snf fonts to be deprecated
      Check if pointer returned by BufFileCreate is NULL before writing to it
      Require fontsproto < 2.1.3 for matching function prototypes
      Allow enabling src/fc DEBUG helpers via CPPFLAGS
      Clean up warnings when src/fc is built with -DDEBUG
      CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry()
      CVE-2014-0209: integer overflow of realloc() size in lexAlias()
      CVE-2014-0210: unvalidated length in _fs_recv_conn_setup()
      CVE-2014-0210: unvalidated lengths when reading replies from font server
      CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read
      CVE-2014-0210: unvalidated length fields in fs_read_query_info()
      CVE-2014-0211: integer overflow in fs_read_extent_info()
      CVE-2014-0211: integer overflow in fs_alloc_glyphs()
      CVE-2014-0210: unvalidated length fields in fs_read_extent_info()
      CVE-2014-0210: unvalidated length fields in fs_read_glyphs()
      CVE-2014-0210: unvalidated length fields in fs_read_list()
      CVE-2014-0210: unvalidated length fields in fs_read_list_info()
      libXfont 1.4.8

Peter Harris (1):
      Fix buffer read overrun

git tag: libXfont-1.4.8

http://xorg.freedesktop.org/archive/individual/lib/libXfont-1.4.8.tar.bz2
MD5:    a7cbc4128c244d9c54fdf21cd517ac8c
SHA1:   687746ba7e6d6064cb2b930e2dfe744603a5f85b
SHA256: 5568d4febf790fb250fb8d4ecf1f389a428eb545a79fb2abe9c82f652d14d005

http://xorg.freedesktop.org/archive/individual/lib/libXfont-1.4.8.tar.gz
MD5:    a9d9ee8e322a85c24a862bd9b38064a2
SHA1:   8d043e212b174e778ed10958b9ca00e6151e29ac
SHA256: 5fea8a7ac72322646656d5956b664763d824a214f77d5a7b6fdef439ddbfe90d

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
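The two defect classes that dominate the changelog above, a realloc() size that wraps when computed from an attacker-influenced count (the CVE-2014-0209 entries) and a length field taken from a font-server reply without being checked against the bytes actually received (the CVE-2014-0210 entries), are shown below in generic form. This is an added illustration, not libXfont's code: the table layout, growth step, function names and the 4-byte length-prefixed reply format are all constructed for the example and say nothing about how libXfont itself lays out its structures.

```c
/*
 * Added example (not libXfont code). Shows the unchecked size computation
 * beside an overflow-checked one, plus a bounded length check for a
 * length-prefixed reply. All names and formats here are hypothetical.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_SIZE 32u   /* constructed: bytes per table entry */
#define GROWTH     100u  /* constructed: entries added per growth step */

/* Unsafe pattern: (count + GROWTH) * ENTRY_SIZE is evaluated in unsigned int
 * and silently wraps for large `count`, so realloc() returns a buffer far
 * smaller than the caller then writes into. */
static unsigned int unsafe_grow_size(unsigned int count)
{
    return (count + GROWTH) * ENTRY_SIZE;
}

/* Hardened pattern: refuse the growth if either the addition or the
 * multiplication would wrap. Returns 1 and sets *out on success, 0 otherwise. */
static int safe_grow_size(unsigned int count, size_t *out)
{
    if (count > UINT_MAX - GROWTH)
        return 0;                          /* count + GROWTH would wrap */
    unsigned int new_count = count + GROWTH;
    if (new_count > SIZE_MAX / ENTRY_SIZE)
        return 0;                          /* new_count * ENTRY_SIZE would wrap */
    *out = (size_t)new_count * ENTRY_SIZE;
    return 1;
}

/* Grow `table` from `count` entries by GROWTH entries. Returns the new
 * buffer (or NULL on overflow / allocation failure) and its size in bytes. */
static void *grow_table(void *table, unsigned int count, size_t *new_bytes)
{
    size_t bytes;
    if (!safe_grow_size(count, &bytes))
        return NULL;
    void *p = realloc(table, bytes);
    if (p != NULL)
        *new_bytes = bytes;
    return p;
}

/* Constructed reply format: 4-byte big-endian length, then `len` payload bytes. */
struct reply {
    uint32_t len;
    const unsigned char *data;
};

/* Accept the reply only if the sender-supplied length is within the
 * protocol's maximum AND does not exceed what was actually received.
 * Returns 1 and fills *out on success, 0 for truncated or oversized input. */
static int parse_reply(const unsigned char *buf, size_t got,
                       size_t max_len, struct reply *out)
{
    if (got < 4)
        return 0;                          /* header itself is incomplete */
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
                 | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (len > max_len)
        return 0;                          /* cap sender-controlled size */
    if (len > got - 4)
        return 0;                          /* claims more bytes than arrived */
    out->len = len;
    out->data = buf + 4;
    return 1;
}

int main(void)
{
    size_t bytes = 0;
    printf("unsafe size for count=UINT_MAX-50: %u bytes\n",
           unsafe_grow_size(UINT_MAX - 50u));
    printf("safe_grow_size(UINT_MAX-50) accepted: %d\n",
           safe_grow_size(UINT_MAX - 50u, &bytes));

    void *t = grow_table(NULL, 0, &bytes);
    printf("grow_table(NULL, 0) -> %zu bytes\n", bytes);
    free(t);

    /* constructed reply: header says 10 bytes, only 3 follow */
    const unsigned char truncated[] = { 0, 0, 0, 10, 'a', 'b', 'c' };
    struct reply r;
    printf("truncated reply accepted: %d\n",
           parse_reply(truncated, sizeof truncated, 1024, &r));
    return 0;
}
```

Run as-is it prints the wrapped size (1568 bytes for a count of UINT_MAX-50, where the true requirement is over 100 GiB), the rejection from the checked version, and the rejection of a reply whose length field outruns the bytes received. The same two checks, "can this size be computed without wrapping" and "is the claimed length covered by what I actually have", are what a reviewer looks for at every realloc() and every wire-format length read.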