~4 min read | Source: SUSE advisory SUSE-SU-2014:0774-1 (see also SUSE bugzilla)
Related CVEs: CVE-2014-0210 CVE-2014-0211 CVE-2011-2895 CVE-2013-6462 CVE-2014-0209 CVE-2015-1802 CVE-2015-1803 CVE-2015-1804 +2 more
Upstream summary: Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function.
Symptom & Impact
On SLES 12 hosts running libXfont1, administrators report behaviour consistent with SUSE advisory SUSE-SU-2014:0774-1: zypper refusing to install or restart affected services, AppArmor profile warnings in journalctl, and, for security-rated advisories, exposure to the vulnerability set above. In production estates the visible impact ranges from a single service restart to wider availability incidents whenever libXfont1 sits on the serving path.
Environment & Reproduction
Reproduction targets SLES 12. Confirm the release with cat /etc/os-release and SUSEConnect --status-text, and the currently installed package with rpm -q libXfont1. Capture system state with supportconfig -R /var/tmp -B libXfont1 if you need to attach evidence to a SUSE support case. Trigger the workflow that exposes the libXfont1 multiple vulnerabilities (10 CVEs) issue while collecting journalctl -b, zypper history, and rpm -qa output.
Root Cause Analysis
Root cause is documented in SUSE advisory SUSE-SU-2014:0774-1. Upstream maintainers shipped fixes in the corresponding libXfont1 update for SLES 12; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate journalctl --since timestamps with zypper history entries and any AppArmor denials in /var/log/audit/audit.log to isolate the originating change.
Quick Triage
Quick triage: run systemctl status libXfont1, journalctl -u libXfont1 -n 200, zypper patch-check, zypper lp, firewall-cmd --list-all, and aa-status. If AppArmor is in enforce mode, capture journalctl -k | grep apparmor to surface denials linked to the libXfont1 multiple vulnerabilities (10 CVEs) issue.
Step-by-Step Diagnosis
1) Confirm the symptom with systemctl --failed.
2) Inspect logs: journalctl -xe and journalctl -u libXfont1.
3) Validate the firewall: firewall-cmd --list-all-zones.
4) Check AppArmor: aa-status and journalctl -k | grep apparmor.
5) Verify package integrity: rpm -V libXfont1 and zypper verify.
6) Correlate findings with zypper history, /var/log/zypp/history, and SUSE advisory SUSE-SU-2014:0774-1 to pin the change that introduced the libXfont1 multiple vulnerabilities (10 CVEs) issue.
Solution – Primary Fix
Primary fix for libXfont1 - multiple vulnerabilities (10 CVEs) - patch and remediation guide: apply the corrective zypper transaction described in SUSE advisory SUSE-SU-2014:0774-1, reload the affected systemd unit, and reconcile firewalld and AppArmor state. Typical commands: sudo zypper ref, sudo zypper -n patch or sudo zypper -n update libXfont1, sudo systemctl daemon-reload, sudo systemctl restart libXfont1, then rpm -q libXfont1 to validate that the new build is installed. For kernel advisories add sudo systemctl reboot or schedule a Live Patch (kgraft/klp) where covered by your SUSE subscription.
Solution – Alternative Approaches
Alternatives include rolling back the offending transaction with sudo zypper history --rollback <id> (Btrfs Snapper snapshots make this safe on SLES 12), locking the package via sudo zypper al libXfont1, switching firewalld backends between nftables and iptables in /etc/firewalld/firewalld.conf, or temporarily disabling the AppArmor profile with sudo aa-disable /etc/apparmor.d/usr.sbin.libXfont1 to confirm that policy is the cause before authoring a custom profile. Where Live Patching is licensed, klp patches apply kernel fixes without a reboot.
Verification & Acceptance Criteria
Acceptance: rpm -q libXfont1 shows the expected fixed version, systemctl is-active libXfont1 returns active, journalctl -u libXfont1 --since "5 minutes ago" shows no errors, zypper patch-check reports zero open patches for this advisory, firewall-cmd --list-services includes the required services, aa-status reports the intended profile mode, and the original reproduction steps for the libXfont1 multiple vulnerabilities (10 CVEs) issue no longer trigger the failure across two consecutive runs.
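The two package-level acceptance checks above (installed build at or beyond the fixed version, no open patch for the advisory in zypper lp) can be scripted so they return a pass/fail status rather than relying on a human reading the output. This is an added example, not part of the SUSE advisory or of this guide's original text; the fixed version string and the patch name are placeholders to be taken from the advisory for your service pack, and the zypper lp table below is constructed sample output. It relies on GNU sort -V, which SLES 12 ships.

```shell
#!/bin/sh
# Added example: scripted acceptance check for a SUSE security update.
# Placeholders: FIXED_EVR and PATCH_NAME must come from the advisory.

# Return 0 when installed EVR ($1) sorts at or after the fixed EVR ($2).
# GNU sort -V orders "1.4.7-6.1" before "1.4.7-10.1", unlike plain sort.
version_at_least() {
    installed=$1
    fixed=$2
    lowest=$(printf '%s\n%s\n' "$fixed" "$installed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Read a `zypper lp` table on stdin; return 0 if the patch named $1 is
# still listed with Status "needed", 1 otherwise.
# Columns: Repository | Name | Category | Severity | Interactive | Status | Summary
patch_still_needed() {
    awk -F'|' -v name="$1" '
        { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }
        $2 == name && $6 == "needed" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `zypper lp` output before the update is applied.
# The patch name is a placeholder, not a real SUSE patch identifier.
SAMPLE_LP='Repository     | Name                       | Category | Severity  | Interactive | Status | Summary
---------------+----------------------------+----------+-----------+-------------+--------+-----------------------------
SLES12-Updates | PLACEHOLDER-libXfont-patch | security | important | ---         | needed | Security update for libXfont'

# Live check on a host: 0 = accepted, 1 = not yet fixed, 2 = package absent.
# $1 = fixed EVR from the advisory, $2 = patch name from the advisory.
check_host() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' libXfont1 2>/dev/null) || return 2
    version_at_least "$installed" "$1" || return 1
    if zypper lp | patch_still_needed "$2"; then
        return 1
    fi
    return 0
}
```

Run check_host with the advisory's values and gate the change ticket on its exit status; the sample table exists only so the parsing can be exercised without a SLES host.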
Rollback Plan
Capture state with zypper history list, snapper list, and rpm -qa > /root/rpm-pre.txt before any change. To revert, run sudo snapper undochange <pre>..<post> on Btrfs deployments or sudo zypper install --oldpackage libXfont1-<old-version>, then run systemctl daemon-reload. Remove custom AppArmor profiles with sudo apparmor_parser -R. Reboot if the kernel or initramfs was changed and re-verify the symptoms.
Prevention & Hardening
Prevent recurrence by enabling automatic security patches with zypper-automatic or YaST > Online Update Configuration, subscribing to the SUSE-SU mailing list, mirroring through SUSE Manager / RMT for controlled rollouts, version-locking sensitive packages with zypper al, and monitoring file integrity with aide --check. Apply CIS SLES 12 hardening, enable Snapper rollbacks on Btrfs root, and where supported enable SUSE Live Patching so future advisories like this can be remediated without reboot.
Related Errors & Cross-Refs
Related issues that commonly surface alongside the libXfont1 multiple vulnerabilities (10 CVEs) issue: zypper transaction lock contention, systemd unit ordering cycles, AppArmor denials in journalctl -k, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this SLES 12 series for adjacent failure modes.
References & Further Reading
Primary reference: SUSE advisory SUSE-SU-2014:0774-1 (see also SUSE bugzilla). Supporting docs: SUSE Linux Enterprise Server Administration Guide, man zypper, man systemctl, man firewall-cmd, man aa-status, man snapper, man journalctl, the SUSE patch finder at suse.com/patches/, and the SUSE Live Patching documentation. Review /usr/share/doc/packages/libXfont1/ for component-level notes implicated in the libXfont1 multiple vulnerabilities (10 CVEs) issue.