Author: Julien Cristau
Revision Date: 2015-03-17 16:55:21 UTC

* New upstream release
  + bdfReadProperties: property count needs range check [CVE-2015-1802]
  + bdfReadCharacters: bailout if a char's bitmap cannot be read
    [CVE-2015-1803]
  + bdfReadCharacters: ensure metrics fit into xCharInfo struct
    [CVE-2015-1804]

Author: Julien Cristau
Revision Date: 2015-03-17 16:55:21 UTC

* New upstream release
  + bdfReadProperties: property count needs range check [CVE-2015-1802]
  + bdfReadCharacters: bailout if a char's bitmap cannot be read
    [CVE-2015-1803]
  + bdfReadCharacters: ensure metrics fit into xCharInfo struct
    [CVE-2015-1804]

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:30:31 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:30:31 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:26:08 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:33:52 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:33:52 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:33:04 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:33:04 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:32:09 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804
* Backport some commits from git to solve ftbfs with newer fontsproto:
  - debian/patches/ftbfs-new-fontsproto.patch
  - debian/patches/ftbfs-new-fontsproto-2.patch

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:32:09 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804
* Backport some commits from git to solve ftbfs with newer fontsproto:
  - debian/patches/ftbfs-new-fontsproto.patch
  - debian/patches/ftbfs-new-fontsproto-2.patch

Author: Marc Deslauriers
Revision Date: 2015-03-18 07:26:08 UTC

* SECURITY UPDATE: arbitrary code exection via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

Author: Julien Cristau
Revision Date: 2014-07-12 17:44:11 UTC

* New upstream release candidate.
  + includes the CVE-2014-{0209,0210,0211} patches
* Remove Cyril from Uploaders.
* Allow uscan to verify tarball signature.

Author: Julien Cristau
Revision Date: 2014-07-12 17:44:11 UTC

* New upstream release candidate.
  + includes the CVE-2014-{0209,0210,0211} patches
* Remove Cyril from Uploaders.
* Allow uscan to verify tarball signature.

Author: Marc Deslauriers
Revision Date: 2014-05-13 12:04:55 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  font metadata file parsing
  - debian/patches/CVE-2014-0209.patch: check for overflows in
    src/fontfile/dirfile.c, src/fontfile/fontdir.c.
  - CVE-2014-0209
* SECURITY UPDATE: denial of service and possible code execution via
  xfs font server replies
  - debian/patches/CVE-2014-021x.patch: check lengths and sizes in
    src/fc/fsconvert.c, src/fc/fserve.c.
  - CVE-2014-0210
  - CVE-2014-0211

Author: Marc Deslauriers
Revision Date: 2014-05-13 12:04:55 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  font metadata file parsing
  - debian/patches/CVE-2014-0209.patch: check for overflows in
    src/fontfile/dirfile.c, src/fontfile/fontdir.c.
  - CVE-2014-0209
* SECURITY UPDATE: denial of service and possible code execution via
  xfs font server replies
  - debian/patches/CVE-2014-021x.patch: check lengths and sizes in
    src/fc/fsconvert.c, src/fc/fserve.c.
  - CVE-2014-0210
  - CVE-2014-0211

Author: Marc Deslauriers
Revision Date: 2014-05-13 12:03:42 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  font metadata file parsing
  - debian/patches/CVE-2014-0209.patch: check for overflows in
    src/fontfile/dirfile.c, src/fontfile/fontdir.c.
  - CVE-2014-0209
* SECURITY UPDATE: denial of service and possible code execution via
  xfs font server replies
  - debian/patches/CVE-2014-021x.patch: check lengths and sizes in
    src/fc/fsconvert.c, src/fc/fserve.c.
  - CVE-2014-0210
  - CVE-2014-0211

Author: Marc Deslauriers
Revision Date: 2014-05-13 12:03:42 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  font metadata file parsing
  - debian/patches/CVE-2014-0209.patch: check for overflows in
    src/fontfile/dirfile.c, src/fontfile/fontdir.c.
  - CVE-2014-0209
* SECURITY UPDATE: denial of service and possible code execution via
  xfs font server replies
  - debian/patches/CVE-2014-021x.patch: check lengths and sizes in
    src/fc/fsconvert.c, src/fc/fserve.c.
  - CVE-2014-0210
  - CVE-2014-0211

Author: Julien Cristau
Revision Date: 2014-01-07 17:51:29 UTC

* New upstream release
  + CVE-2013-6462: unlimited sscanf overflows stack buffer in
    bdfReadCharacters()
* Don't put dbg symbols from the udeb in the dbg package.
* dev package is no longer Multi-Arch: same (closes: #720026).
* Disable support for connecting to a font server. That code is horrible and
  full of holes.

Author: Marc Deslauriers
Revision Date: 2013-12-30 17:35:09 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  stack overflow
  - debian/patches/CVE-2013-6462.patch: limit sscanf field in
    src/bitmap/bdfread.c.
  - CVE-2013-6462

Author: Marc Deslauriers
Revision Date: 2013-12-30 17:35:09 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  stack overflow
  - debian/patches/CVE-2013-6462.patch: limit sscanf field in
    src/bitmap/bdfread.c.
  - CVE-2013-6462

Author: Julien Cristau
Revision Date: 2014-01-07 17:51:29 UTC

* New upstream release
  + CVE-2013-6462: unlimited sscanf overflows stack buffer in
    bdfReadCharacters()
* Don't put dbg symbols from the udeb in the dbg package.
* dev package is no longer Multi-Arch: same (closes: #720026).
* Disable support for connecting to a font server. That code is horrible and
  full of holes.

Author: Julien Cristau
Revision Date: 2013-08-12 18:28:57 UTC

* New upstream release.
* Build for multiarch (closes: #654252). Patch by Riku Voipio, thanks!
* Disable silent build rules.

Author: Julien Cristau
Revision Date: 2013-08-12 18:28:57 UTC

* New upstream release.
* Build for multiarch (closes: #654252). Patch by Riku Voipio, thanks!
* Disable silent build rules.

Author: Cyril Brulebois
Revision Date: 2012-05-03 19:59:46 UTC

Ease sync for Ubuntu: strip -Bsymbolic-functions from LDFLAGS
(LP: #992745).

Author: Cyril Brulebois
Revision Date: 2012-05-03 19:59:46 UTC

Ease sync for Ubuntu: strip -Bsymbolic-functions from LDFLAGS
(LP: #992745).

Author: Cyril Brulebois
Revision Date: 2011-08-11 11:11:28 UTC

[ Julien Cristau ]
* Drop Pre-Depends on x11-common (only needed for upgrades from the
  monolith) and Replaces on xlibs-static-dev (hasn't existed in forever).

[ Cyril Brulebois ]
* New upstream release:
  - LZW decompress: fix for CVE-2011-2895. From the commit message:
    “Specially crafted LZW stream can crash an application using libXfont
     that is used to open untrusted font files. With X server, this may
     allow privilege escalation when exploited.”
* Set urgency to “high” accordingly.
* Update debian/copyright from upstream COPYING.
* Bump xorg-sgml-doctools build-dep.
* Drop xorg.css from .install, no longer shipped upstream.

Author: Marc Deslauriers
Revision Date: 2011-08-11 10:23:56 UTC

* SECURITY UPDATE: arbitrary code execution via overflow
  - debian/patches/CVE-2011-2895.patch: check remaining length in
    src/fontfile/decompress.c.
  - CVE-2011-2895

Author: Marc Deslauriers
Revision Date: 2011-08-11 10:23:56 UTC

* SECURITY UPDATE: arbitrary code execution via overflow
  - debian/patches/CVE-2011-2895.patch: check remaining length in
    src/fontfile/decompress.c.
  - CVE-2011-2895

Author: Marc Deslauriers
Revision Date: 2011-08-11 10:30:10 UTC

* SECURITY UPDATE: arbitrary code execution via overflow
  - debian/patches/CVE-2011-2895.patch: check remaining length in
    src/fontfile/decompress.c.
  - CVE-2011-2895

Author: Marc Deslauriers
Revision Date: 2011-08-11 10:30:10 UTC

* SECURITY UPDATE: arbitrary code execution via overflow
  - debian/patches/CVE-2011-2895.patch: check remaining length in
    src/fontfile/decompress.c.
  - CVE-2011-2895

Author: Cyril Brulebois
Revision Date: 2011-08-11 11:11:28 UTC

[ Julien Cristau ]
* Drop Pre-Depends on x11-common (only needed for upgrades from the
  monolith) and Replaces on xlibs-static-dev (hasn't existed in forever).

[ Cyril Brulebois ]
* New upstream release:
  - LZW decompress: fix for CVE-2011-2895. From the commit message:
    “Specially crafted LZW stream can crash an application using libXfont
     that is used to open untrusted font files. With X server, this may
     allow privilege escalation when exploited.”
* Set urgency to “high” accordingly.
* Update debian/copyright from upstream COPYING.
* Bump xorg-sgml-doctools build-dep.
* Drop xorg.css from .install, no longer shipped upstream.

Author: Cyril Brulebois
Revision Date: 2011-02-05 11:48:49 UTC

Upload to unstable.

Author: Julien Cristau
Revision Date: 2010-07-07 18:25:15 UTC

* New upstream release.
* Bump xutils-dev build-dep for new xorg-macros.
* Bump shlibs for register_fpe_functions().
* Update debian/copyright.
* Bump Standards-Version to 3.9.0, no changes.

Author: Julien Cristau
Revision Date: 2009-12-02 11:12:13 UTC

* New upstream release.
* Bump xutils-dev build-dep for new util-macros.
* Build documentation, install it in libxfont-dev.
* Enable support for bzip2 compressed bitmap fonts.
* Don't use LDFLAGS from the environment. Ubuntu sets that to
  -Bsymbolic-functions, which breaks libXfont's weak symbols usage.

Author: StefanPotyra
Revision Date: 2008-08-23 22:27:29 UTC

Merge from unstable (LP: #260727), remaining change:
debian/rules: explicitely unset LDFLAGS in order to avoid that
"-Bsymbolic-functions" will get set: libxfont contains a number
of weak symbols, which are meant to be overridden (cf. LP 226156).

Author: StefanPotyra
Revision Date: 2008-08-23 22:27:29 UTC

Merge from unstable (LP: #260727), remaining change:
debian/rules: explicitely unset LDFLAGS in order to avoid that
"-Bsymbolic-functions" will get set: libxfont contains a number
of weak symbols, which are meant to be overridden (cf. LP 226156).

Author: Julien Cristau
Revision Date: 2008-01-17 00:09:38 UTC

* High urgency upload for security fix.
* Fix a buffer overflow in the PCF font parser (CVE-2008-0006).
* debian/control updates
  + add myself to Uploaders, and remove Branden and Fabio with their
    permission
  + s/^XS-Vcs/Vcs/
  + bump Standards-Version to 3.7.3 (no changes)
  + libxfont1 is Section: libs
  + libxfont-dev and libxfont1-dbg are Section: libdevel

Author: Kees Cook
Revision Date: 2008-01-17 14:53:31 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* Added fix_CVE-2008-0006.patch: backported from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36)

Author: Kees Cook
Revision Date: 2008-01-17 14:53:31 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* Added fix_CVE-2008-0006.patch: backported from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36)

Author: Bryce Harrington
Revision Date: 2007-07-18 16:46:59 UTC

* New upstream release.
* debian/control:
  - Maintainer field updated
* debian/copyright:
  - Added packaging copyright

Author: Kees Cook
Revision Date: 2008-01-17 14:53:31 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* Added fix_CVE-2008-0006.patch: backported from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36)

Author: Kees Cook
Revision Date: 2008-01-17 14:53:31 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* Added fix_CVE-2008-0006.patch: backported from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36)

Author: Kees Cook
Revision Date: 2007-03-29 17:54:06 UTC

* SECURITY UPDATE: BDF font integer overflows.
* Add debian/patches/50_bdf_overflows.patch: upstream fix.
* References
  CVE-2007-1351 CVE-2007-1352

Author: Kees Cook
Revision Date: 2008-01-17 14:53:31 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* Added fix_CVE-2008-0006.patch: backported from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36)

Author: Kees Cook
Revision Date: 2008-01-17 14:53:31 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* Added fix_CVE-2008-0006.patch: backported from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36)

Author: Martin Pitt
Revision Date: 2006-09-11 14:21:10 UTC

* SECURITY UPDATE: Root privilege escalation with crafted Type1 CID fonts.
* Add debian/patches/cid-int-overflows.diff:
  - lib/font/Type1/afm.c: Fix integer overflow in CIDAFM(). [CVE-2006-3739]
  - lib/font/Type1/scanfont.c: Fix integer overflow in scan_cidfont().
    [CVE-2006-3740]

Author: Kees Cook
Revision Date: 2008-01-17 14:58:07 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* src/bitmap/pcfread.c: patched inline from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36) CVE-2008-0006

Author: Kees Cook
Revision Date: 2008-01-17 14:58:07 UTC

* SECURITY UPDATE: overflow in PCF font handling.
* src/bitmap/pcfread.c: patched inline from upstream commit
  (b76df66d2c507898472bba0f9986ef5700029a36) CVE-2008-0006

Author: Daniel Stone
Revision Date: 2006-01-19 18:26:04 UTC

Change dependency on x-common to x11-common.

Author: Kees Cook
Revision Date: 2007-03-29 18:08:59 UTC

* SECURITY UPDATE: root privilege escalation with BDF font overflows.
* src/bitmap/bdfread.c, src/fontfile/fontdir.c: upstream fixes to stop
  integer overflows.
* References
  CVE-2007-1351 CVE-2007-1352

Author: Daniel Stone
Revision Date: 2005-09-09 15:39:57 UTC

Fix the XFONT_FONTCACHE/FONTCACHE define in configure.ac (close:
Ubuntu#14319).

Author: StefanPotyra
Revision Date: 2009-05-09 12:11:53 UTC

* Rebase to unstable, remaining change:
  + debian/rules: unset LDFLAGS to not be hit by -Bsymbolic-functions,
    as libxfont contains weak symbols which are meant to be overriden
    (cf. LP #226156).