I wonder why the Linux Kernel would allow code execution from a font in the first place. User programs, be them Libreoffice or not, should never touch the Kernel. Ever.
It doesn't. This is not a kernel vulnerability. It is strictly userspace, will not bypass mandatory access control, and does not provide root privileges out of the box (unless you like to browse as root). Also, the Softpedia article is wrong. This vulnerability cannot "crash your system", only the target application. (Which is not necessarily a good thing, since that makes it more reliable as compromise instead of DoS.) Please refer to the original advisory from Cisco. Thx.
@amarildojr re fonts being executable: this is because TrueType font bytecode is Turing-complete. (And the above vulnerability is an example of why you only want to run that bytecode in userspace.)
How does one determine what version of (lib)graphite they have/are running on their system? And if it's the vulnerable one, how does one update to the newer version?... Or is this something that they (automatically) update at the server-end??
