X.Org security advisory, May 2nd 2006
Buffer overflow in the Xrender extension of the X.Org server
CVE-ID: CVE-2006-1526 

Overview:

A client of the X server using the X render extension is able to 
send requests that will cause a buffer overflow in the server side of 
the extension. 
This overflow can be exploited by an authorised client to execute 
malicious code inside the X server, which is generally running with 
root privileges.

Vulnerability details:

An unfortunate typo ('&' instead of '*' in an expression) causes the
code computing the size for memory allocation calls in the
XRenderCompositeTriStrip and XRenderCompositeTriFan requests to
allocate a buffer that may be too small for the data that is passed
with the request. On platforms where the ALLOCATE_LOCAL macro uses
alloca(), this is a stack overflow; on other platforms it is a heap
overflow.
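
The effect of writing '&' where '*' was meant in a size computation, shown
as an added illustration that is not code from the X.Org source tree. The
names demo_point, size_with_typo, size_checked and shortfall are
hypothetical, and the 8-byte element size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte per-element record standing in for the request data;
 * not a type from the X server source. */
typedef struct { int32_t x, y; } demo_point;

/* The typo: bitwise AND where multiplication was meant. With an 8-byte
 * element the result is only ever 0 or 8, whatever the count is. */
size_t size_with_typo(size_t count)
{
    return count & sizeof(demo_point);
}

/* Intended size, with a guard so the multiplication cannot wrap.
 * Returns 0 and stores the size in *out, or -1 if count is too large. */
int size_checked(size_t count, size_t *out)
{
    if (count > SIZE_MAX / sizeof(demo_point))
        return -1;
    *out = count * sizeof(demo_point);
    return 0;
}

/* Bytes that would be written past a buffer sized with the typo when
 * `count` elements are copied into it (0 if the buffer is large enough). */
size_t shortfall(size_t count)
{
    size_t needed;
    if (size_checked(count, &needed) != 0)
        return 0; /* request rejected before any copy */
    size_t got = size_with_typo(count);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    const size_t counts[] = { 1, 3, 8, 9, 1000 }; /* constructed sample counts */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("count=%4zu  typo=%zu  shortfall=%zu\n", counts[i],
               size_with_typo(counts[i]), shortfall(counts[i]));
    return 0;
}
```

The typo'd size compiles cleanly and never exceeds one element, so the
shortfall grows linearly with the element count supplied in the request.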

Affected versions:

X.Org 6.8.0 and later versions are vulnerable, as well as all individual 
releases of the modular xorg-xserver package. 

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0

Fix:

Apply the patch below to the source tree for the modular xorg-server 
source package:

9a9356f86fe2c10985f1008d459fb272		xorg-server-1.0.x-mitri.diff
d6eba2bddac69f12f21785ea94397b206727ba93	xorg-server-1.0.x-mitri.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

For X.Org 6.8.x or 6.9.0, apply one of the patches below:

d666925bfe3d76156c399091578579ae		x11r6.9.0-mitri.diff
3d9da8bb9b28957c464d28ea194d5df50e2a3e5c	x11r6.9.0-mitri.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/

d5b46469a65972786b57ed2b010c3eb2		xorg-68x-CVE-2006-1526.patch
f764a77a0da4e3af88561805c5c8e28d5c5b3058	xorg-68x-CVE-2006-1526.patch
http://xorg.freedesktop.org/releases/X11R6.8.2/patches/

Thanks:

We would like to thank Bart Massey who reported the issue. 
