OpenBSD Journal

libXfont Errata

Contributed by tbert from the tell-X-where-you-marked-the-spot dept.

Patches are now available to fix buffer overflows in libXfont. This issue affects 5.5, 5.6, and the forthcoming 5.7 release.

For more details, refer to the advisory:

5.5 patch:

5.6 patch:

    untrusted comment: signature from openbsd 5.6 base private key
    RWR0EANmo9nqhnSKDBy7WgkNZrLujusI8Qvntb9/tVW0P3tfc0eRZ37NLCk0qcu5lurRs5aKGI6y5kGCXgAGE6tos5xwEjWbiw8=

OpenBSD 5.6 errata 19, March 18, 2015

More BDF file parsing issues in libXfont

After IOActive's Ilja van Sprundel found a number of issues in 2014, additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.

Apply patch using:

    signify -Vep /etc/signify/ -x 019_libxfont.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new libXfont:

    cd /usr/xenocara/lib/libXont
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build
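The two header lines at the top of the patch are signify's embedded-signature (`-e`) layout: an unauthenticated comment line, then a base64 blob holding the `Ed` algorithm tag, an 8-byte key number and a 64-byte Ed25519 signature, followed by the signed text. The Python below is an added example, not code from the article or from OpenBSD. It parses that layout and checks which public key a signature names, without verifying anything itself. The function names, the sample patch body and the public key used to exercise it are constructed for illustration.

```python
import base64
from dataclasses import dataclass

PREFIX = b"untrusted comment: "

# Signature header as printed on the page; the body is a constructed stand-in
# for the patch text, so this sample parses but would not verify under signify.
SAMPLE = (
    b"untrusted comment: signature from openbsd 5.6 base private key\n"
    b"RWR0EANmo9nqhnSKDBy7WgkNZrLujusI8Qvntb9/tVW0P3tfc0eRZ37NLCk0qcu5"
    b"lurRs5aKGI6y5kGCXgAGE6tos5xwEjWbiw8=\n"
    b"constructed patch body\n"
)

@dataclass
class EmbeddedSig:
    comment: str      # unauthenticated label, never trust it
    keynum: bytes     # 8-byte id of the signing key
    signature: bytes  # 64-byte Ed25519 signature
    message: bytes    # signed payload (the patch text)

def _blob(line: bytes, size: int) -> bytes:
    """Decode one base64 line and check the 'Ed' algorithm tag and length."""
    raw = base64.b64decode(line.strip(), validate=True)
    if len(raw) != size or raw[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 blob")
    return raw

def parse_embedded(data: bytes) -> EmbeddedSig:
    """Split a `signify -e` file into comment, key number, signature, message."""
    parts = data.split(b"\n", 2)
    if len(parts) != 3 or not parts[0].startswith(PREFIX):
        raise ValueError("missing 'untrusted comment: ' header")
    raw = _blob(parts[1], 2 + 8 + 64)
    comment = parts[0][len(PREFIX):].decode("utf-8", "replace")
    return EmbeddedSig(comment, raw[2:10], raw[10:], parts[2])

def keynum_matches(sig: EmbeddedSig, pubkey_file: bytes) -> bool:
    """True if the public key file carries the key number named in the signature.
    A match only selects the key; `signify -V` performs the real verification."""
    lines = pubkey_file.splitlines()
    if len(lines) < 2:
        raise ValueError("public key file needs a comment line and a key line")
    return _blob(lines[1], 2 + 8 + 32)[2:10] == sig.keynum
```

A key-number mismatch explains a "verification failed" result caused by pointing `-p` at the wrong release's key, before any question of tampering arises.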

(Comments are closed)

  1. By Anonymous Coward

    There is a typographical error in this patch. The patch contains the following line

        cd /usr/xenocara/lib/libXont

    But the letter "f" is missing. It should be

        cd /usr/xenocara/lib/libXfont

