It looks like NO ONE ever audited X Windows
Many eyes only works when there's at least one person who doesn't assume that someone else has already looked at it!
This is such a basic fail, an unbounded sscanf() is the sort of thing you'd look for when trying to discover buffer overflows. The fact it survived that long demonstrates that no one ever looked at it. Glad someone has, and if he's the first it is not surprising he's got 120 of them.
Hell, you could probably write some code in lex or use cpp to find stuff like this, I'm stunned something as basic as this was never found. Hopefully they'll all be local privilege escalation, as I know that code that touches the external port it uses has been looked at pretty well - or at least better than the rest of it apparently was.