Re: Desktop...
X11 only has any use if you're using a unix system as a workstation, which is actually pretty rare... Most unix systems are used as embedded devices or servers, and are unlikely to be running X11.
Also, how would an unprivileged user introduce an arbitrary BDF font to the X11 server?
This isn't quite true. Don't forget that one aspect of the X Window system is that it provides a networked client/server architecture. You talk about embedded systems. I have several Pis and other similar systems that I don't run an X display on, yet I still run X applications on the embedded device (eg, AVR programmer) by using 'ssh -X' and have the apps displayed on my workstation.
I don't know enough about the architecture of X (in terms of whether fonts are local to the client or server side, or whether there's a privileged process at work on the client side when I use 'ssh -X', though probably not) to be able to say, but it looks like the insecurity would also be there if I'm running remote X applications too. As to introducing arbitrary fonts, I'm pretty sure that the font doesn't even have to exist on the system: it seems like all the attacker has to do is to present a specially-crafted filename, and the sscanf will smash the stack before the routine ever gets to checking whether the file actually exists or not...