Some additional information: I have *not* done a thorough code review. Just two thoughts on two of the mentioned CVEs.
Re CVE-2017-14685: might not be present in jessie. But the code is quite different. There is no xps_load_links_in_glyphs function and the only xps_lookup_font loading is done in source/xps/xps-glyphs.c.

For CVE-2017-14686 the missing checks seem to be in source/xps/xps-zip.c and source/cbz/mucbz.c.

Regards,
Salvatore

