The BDF parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out-of-bounds writes.
A local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.
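The following is an added example, not code from libXfont or from this bug report: it shows how an unchecked property count produces a wrong allocation size, next to a parse routine that validates the count before allocating. The names `prop_rec`, `unchecked_alloc_size` and `alloc_props_checked`, the 32-bit size model, and the sample `STARTPROPERTIES` lines are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed 8-byte property record; not libXfont's own struct. */
typedef struct { int32_t name; int32_t value; } prop_rec;

/* Unchecked pattern, modelled in 32-bit arithmetic: the byte count that
 * reaches the allocator when it is computed straight from the file's count. */
uint32_t unchecked_alloc_size(int32_t nprops)
{
    return (uint32_t)nprops * (uint32_t)sizeof(prop_rec);
}

/* Checked form: parse a "STARTPROPERTIES <n>" line and allocate n records.
 * Returns NULL for a malformed, non-positive or oversized count. */
prop_rec *alloc_props_checked(const char *line, size_t *out_n)
{
    static const char kw[] = "STARTPROPERTIES ";
    const char *num;
    char *end;
    long n;

    if (strncmp(line, kw, sizeof(kw) - 1) != 0)
        return NULL;
    num = line + sizeof(kw) - 1;
    errno = 0;
    n = strtol(num, &end, 10);
    if (errno != 0 || end == num || (*end != '\0' && *end != '\n'))
        return NULL;                 /* not a clean in-range integer */
    if (n <= 0)
        return NULL;                 /* negative; zero also rejected (example's choice) */
    if ((size_t)n > INT32_MAX / sizeof(prop_rec))
        return NULL;                 /* n * sizeof(prop_rec) would exceed INT32_MAX */
    *out_n = (size_t)n;
    return calloc((size_t)n, sizeof(prop_rec));  /* calloc checks the product too */
}

int main(void)
{
    size_t n = 0;
    /* Constructed counts: -1 and 0x20000001 both yield a wrong buffer size. */
    printf("%u %u\n", (unsigned)unchecked_alloc_size(-1),
           (unsigned)unchecked_alloc_size(536870913));
    printf("%s\n", alloc_props_checked("STARTPROPERTIES 536870913", &n)
                       ? "allocated" : "rejected");
    return 0;
}
```

With the constructed count 536870913 the unchecked product wraps to 8 bytes, so a loop writing that many records would run far past the buffer; the checked routine refuses the same line before any allocation happens.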
Created libXfont tracking bugs for this issue:
Affects: fedora-all [bug 1203720]
libXfont-1.5.1-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2015:1708 https://rhn.redhat.com/errata/RHSA-2015-1708.html
Does this CVE affect the libXfont shipped with RHEL5?