diff --git a/debian/changelog b/debian/changelog index e6851d32ab8091e6cf89558e0e2c27a7635809af..883f50fe20b1ddf0a3e1cecc3c94eb09e3064143 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +xorg-server (2:1.20.11-1+deb11u8) bullseye-security; urgency=high + + * 0003-mi-fix-CloseScreen-initialization-order.patch, + 0004-fb-properly-wrap-unwrap-CloseScreen.patch: drop, causes other + bugs that are worse than CVE-2023-5574. + + -- Julien Cristau <jcristau@debian.org> Wed, 25 Oct 2023 09:47:13 +0200 + +xorg-server (2:1.20.11-1+deb11u7) bullseye-security; urgency=high + + * Xi/randr: fix handling of PropModeAppend/Prepend (CVE-2023-5367) + * mi: reset the PointerWindows reference on screen switch (CVE-2023-5380) + * mi: fix CloseScreen initialization order + * fb: properly wrap/unwrap CloseScreen (CVE-2023-5574) + + -- Julien Cristau <jcristau@debian.org> Mon, 23 Oct 2023 19:26:14 +0200 + xorg-server (2:1.20.11-1+deb11u6+apertis1) apertis; urgency=medium * Sync updates from Debian Bullseye Security. diff --git a/debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch b/debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch new file mode 100644 index 0000000000000000000000000000000000000000..59e5440f726d06420dd86d8ec9ededb342cfce34 --- /dev/null +++ b/debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch 
@@ -0,0 +1,80 @@
+From 69ceb12e9c9dc42175aba48bb86f2842423d7082 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+ [N, N, N, ?, ?, P, P, P ] P, P
+ ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/xiproperty.c | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+--
+2.41.0
+
diff --git a/debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch b/debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..01a0295fcff3a4211ea97d59990326b7d403757f
--- /dev/null
+++ b/debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
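Review bot: The `PropModePrepend` case in both the Xi/xiproperty.c and randr/rrproperty.c hunks has no comment stating the buffer layout that the corrected offset relies on, which is exactly what the old `prop_value->size * size_in_bytes` expression got wrong. I would add above the `old_data` assignment: `/* new values fill the first len elements; the old prop_value->size elements go after them */`. The computation of `total_len` and the allocation of `new_value.data` lie outside these hunks, so it cannot be confirmed from here that the buffer is sized from the same `total_len` that is now stored in `new_value.size`; that is worth checking when backporting. The commit message says the XI2 code is a copy of the RandR code, so any follow-up has to be applied to both files.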
@@ -0,0 +1,90 @@
+From 344bdc9b8075bc98ddad46439f04f17b8a681cc5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
+ switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ dix/enterleave.h | 2 --
+ include/eventstr.h | 3 +++
+ mi/mipointer.c | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPt
+
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+ int type, int mode, int detail, WindowPtr pWin);
+
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, S
+ #ifdef PANORAMIX
+ && noPanoramiXExtension
+ #endif
+- )
+- UpdateSpriteForScreen(pDev, pScreen);
++ ) {
++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++ /* Hack for CVE-2023-5380: if we're moving
++ * screens PointerWindows[] keeps referring to the
++ * old window. If that gets destroyed we have a UAF
++ * bug later. Only happens when jumping from a window
++ * to the root window on the other screen.
++ * Enter/Leave events are incorrect for that case but
++ * too niche to fix.
++ */
++ LeaveWindow(pDev);
++ if (master)
++ LeaveWindow(master);
++ UpdateSpriteForScreen(pDev, pScreen);
++ }
+ }
+
+ /**
diff --git a/debian/patches/02_kbsd-input-devd.diff b/debian/patches/02_kbsd-input-devd.diff
index 6c5cedf29cb66dd631e384848c5fca47b664f5ca..4dd42627a52724a3084d8aafb0576af312eb2dab 100644
--- a/debian/patches/02_kbsd-input-devd.diff
+++ b/debian/patches/02_kbsd-input-devd.diff
@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org> +} --- a/configure.ac
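Review bot: In the mi/mipointer.c hunk `LeaveWindow(master)` is called right after `LeaveWindow(pDev)` with no check that the two devices differ; if `GetMaster()` can return `pDev` itself when it is already a master pointer (its definition is not visible here), the same device is reset twice. Writing the guard as `if (master && master != pDev)` would make the intent explicit. The prototype moved into include/eventstr.h also has no comment saying why it now lives in an event-structure header rather than dix/enterleave.h; a one-line comment referencing CVE-2023-5380 would help the next backporter. miPointerWarpCursor's body starts outside the hunk.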
+++ b/configure.ac -@@ -566,6 +566,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST +@@ -568,6 +568,7 @@ AC_ARG_ENABLE(dpms, AS_HELP_ST AC_ARG_ENABLE(config-udev, AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto]) AC_ARG_ENABLE(config-udev-kms, AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto]) AC_ARG_ENABLE(config-hal, AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto]) @@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org> AC_ARG_ENABLE(config-wscons, AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto]) AC_ARG_ENABLE(xfree86-utils, AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes]) AC_ARG_ENABLE(vgahw, AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes]) -@@ -950,6 +951,21 @@ if test "x$CONFIG_WSCONS" = xyes; then +@@ -949,6 +950,21 @@ if test "x$CONFIG_WSCONS" = xyes; then AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration]) fi @@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org> Neither HAL nor udev backend will be enabled. --- a/hw/xfree86/common/xf86Config.c +++ b/hw/xfree86/common/xf86Config.c -@@ -1257,15 +1257,18 @@ checkCoreInputDevices(serverLayoutPtr se +@@ -1264,15 +1264,18 @@ checkCoreInputDevices(serverLayoutPtr se } if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) { @@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org> "input devices.\n\tIf no devices become available, " --- a/hw/xfree86/common/xf86Globals.c 
+++ b/hw/xfree86/common/xf86Globals.c -@@ -117,7 +117,8 @@ xf86InfoRec xf86Info = { +@@ -119,7 +119,8 @@ xf86InfoRec xf86Info = { .miscModInDevEnabled = TRUE, .miscModInDevAllowNonLocal = FALSE, .pmFlag = TRUE, @@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org> .autoEnableDevices = TRUE, --- a/include/dix-config.h.in +++ b/include/dix-config.h.in -@@ -433,6 +433,9 @@ +@@ -424,6 +424,9 @@ /* Enable systemd-logind integration */ #undef SYSTEMD_LOGIND 1 diff --git a/debian/patches/03_static-nettle.diff b/debian/patches/03_static-nettle.diff index 7831fcf8d45c9f0c1dfb7efa66c9d761fd3e2d07..c9326223447189f65e308b4d431c42f4f3374cc3 100644 --- a/debian/patches/03_static-nettle.diff +++ b/debian/patches/03_static-nettle.diff @@ -4,7 +4,7 @@ There's no libnettle udeb. --- a/configure.ac +++ b/configure.ac -@@ -1634,7 +1634,7 @@ fi +@@ -1597,7 +1597,7 @@ fi if test "x$with_sha1" = xlibnettle; then AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1], [Use libnettle SHA1 functions]) diff --git a/debian/patches/08_xkb-switch-to-array-index-loops-to-moving-pointers.patch b/debian/patches/08_xkb-switch-to-array-index-loops-to-moving-pointers.patch index dce12808da9c1a72fe6c01653d10275655038f2e..4ae9c7dded4ec5f4e2b15bb166d49118595eefbb 100644 --- a/debian/patches/08_xkb-switch-to-array-index-loops-to-moving-pointers.patch +++ b/debian/patches/08_xkb-switch-to-array-index-loops-to-moving-pointers.patch @@ -14,11 +14,9 @@ Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> xkb/xkb.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) -diff --git a/xkb/xkb.c b/xkb/xkb.c -index a29262c24..64e52611e 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c -@@ -5368,16 +5368,16 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5369,16 +5369,16 @@ _CheckSetSections(XkbGeometryPtr geom, row->left = rWire->left; row->vertical = rWire->vertical; kWire = (xkbKeyWireDesc *) &rWire[1]; 
@@ -40,7 +38,7 @@ index a29262c24..64e52611e 100644 if (key->shape_ndx >= geom->num_shapes) { client->errorValue = _XkbErrCode3(0x10, key->shape_ndx, geom->num_shapes); -@@ -5389,7 +5389,7 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5390,7 +5390,7 @@ _CheckSetSections(XkbGeometryPtr geom, return BadMatch; } } @@ -49,7 +47,7 @@ index a29262c24..64e52611e 100644 } wire = (char *) rWire; if (sWire->nDoodads > 0) { -@@ -5454,16 +5454,16 @@ _CheckSetShapes(XkbGeometryPtr geom, +@@ -5455,16 +5455,16 @@ _CheckSetShapes(XkbGeometryPtr geom, return BadAlloc; ol->corner_radius = olWire->cornerRadius; ptWire = (xkbPointWireDesc *) &olWire[1]; @@ -70,6 +68,3 @@ index a29262c24..64e52611e 100644 } if (shapeWire->primaryNdx != XkbNoShape) shape->primary = &shape->outlines[shapeWire->primaryNdx]; --- -2.30.2 - diff --git a/debian/patches/09_xkb-add-request-length-validation-for-XkbSetGeometry.patch b/debian/patches/09_xkb-add-request-length-validation-for-XkbSetGeometry.patch index 72c33153c56377d9a4902345e6e005b50f5893ac..65a679fb8b5f7095cb2594411afb97de9b86b0a8 100644 --- a/debian/patches/09_xkb-add-request-length-validation-for-XkbSetGeometry.patch +++ b/debian/patches/09_xkb-add-request-length-validation-for-XkbSetGeometry.patch @@ -20,11 +20,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 34b2c290b..4692895db 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c -@@ -5156,7 +5156,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) +@@ -5157,7 +5157,7 @@ _GetCountedString(char **wire_inout, Cli } static Status 
@@ -33,7 +31,7 @@ index 34b2c290b..4692895db 100644 XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) { char *wire; -@@ -5167,6 +5167,9 @@ _CheckSetDoodad(char **wire_inout, +@@ -5168,6 +5168,9 @@ _CheckSetDoodad(char **wire_inout, Status status; dWire = (xkbDoodadWireDesc *) (*wire_inout); @@ -43,7 +41,7 @@ index 34b2c290b..4692895db 100644 any = dWire->any; wire = (char *) &dWire[1]; if (client->swapped) { -@@ -5269,7 +5272,7 @@ _CheckSetDoodad(char **wire_inout, +@@ -5270,7 +5273,7 @@ _CheckSetDoodad(char **wire_inout, } static Status @@ -52,7 +50,7 @@ index 34b2c290b..4692895db 100644 XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client) { register int r; -@@ -5280,6 +5283,9 @@ _CheckSetOverlay(char **wire_inout, +@@ -5281,6 +5284,9 @@ _CheckSetOverlay(char **wire_inout, wire = *wire_inout; olWire = (xkbOverlayWireDesc *) wire; @@ -62,7 +60,7 @@ index 34b2c290b..4692895db 100644 if (client->swapped) { swapl(&olWire->name); } -@@ -5291,6 +5297,9 @@ _CheckSetOverlay(char **wire_inout, +@@ -5292,6 +5298,9 @@ _CheckSetOverlay(char **wire_inout, xkbOverlayKeyWireDesc *kWire; XkbOverlayRowPtr row; @@ -72,7 +70,7 @@ index 34b2c290b..4692895db 100644 if (rWire->rowUnder > section->num_rows) { client->errorValue = _XkbErrCode4(0x20, r, section->num_rows, rWire->rowUnder); -@@ -5299,6 +5308,9 @@ _CheckSetOverlay(char **wire_inout, +@@ -5300,6 +5309,9 @@ _CheckSetOverlay(char **wire_inout, row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys); kWire = (xkbOverlayKeyWireDesc *) &rWire[1]; for (k = 0; k < rWire->nKeys; k++, kWire++) { @@ -82,7 +80,7 @@ index 34b2c290b..4692895db 100644 if (XkbAddGeomOverlayKey(ol, row, (char *) kWire->over, (char *) kWire->under) == NULL) { -@@ -5332,6 +5344,9 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5333,6 +5345,9 @@ _CheckSetSections(XkbGeometryPtr geom, register int r; xkbRowWireDesc *rWire; 
@@ -92,7 +90,7 @@ index 34b2c290b..4692895db 100644 if (client->swapped) { swapl(&sWire->name); swaps(&sWire->top); -@@ -5357,6 +5372,9 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5358,6 +5373,9 @@ _CheckSetSections(XkbGeometryPtr geom, XkbRowPtr row; xkbKeyWireDesc *kWire; @@ -102,7 +100,7 @@ index 34b2c290b..4692895db 100644 if (client->swapped) { swaps(&rWire->top); swaps(&rWire->left); -@@ -5371,6 +5389,9 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5372,6 +5390,9 @@ _CheckSetSections(XkbGeometryPtr geom, for (k = 0; k < rWire->nKeys; k++, kWire++) { XkbKeyPtr key; @@ -112,7 +110,7 @@ index 34b2c290b..4692895db 100644 key = XkbAddGeomKey(row); if (!key) return BadAlloc; -@@ -5396,7 +5417,7 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5397,7 +5418,7 @@ _CheckSetSections(XkbGeometryPtr geom, register int d; for (d = 0; d < sWire->nDoodads; d++) { @@ -121,7 +119,7 @@ index 34b2c290b..4692895db 100644 if (status != Success) return status; } -@@ -5405,7 +5426,7 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5406,7 +5427,7 @@ _CheckSetSections(XkbGeometryPtr geom, register int o; for (o = 0; o < sWire->nOverlays; o++) { @@ -130,7 +128,7 @@ index 34b2c290b..4692895db 100644 if (status != Success) return status; } -@@ -5439,6 +5460,9 @@ _CheckSetShapes(XkbGeometryPtr geom, +@@ -5440,6 +5461,9 @@ _CheckSetShapes(XkbGeometryPtr geom, xkbOutlineWireDesc *olWire; XkbOutlinePtr ol; @@ -140,7 +138,7 @@ index 34b2c290b..4692895db 100644 shape = XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines); if (!shape) -@@ -5449,12 +5473,18 @@ _CheckSetShapes(XkbGeometryPtr geom, +@@ -5450,12 +5474,18 @@ _CheckSetShapes(XkbGeometryPtr geom, XkbPointPtr pt; xkbPointWireDesc *ptWire; 
@@ -159,7 +157,7 @@ index 34b2c290b..4692895db 100644 pt->x = ptWire->x; pt->y = ptWire->y; if (client->swapped) { -@@ -5560,12 +5590,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) +@@ -5561,12 +5591,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe return status; for (i = 0; i < req->nDoodads; i++) { @@ -176,6 +174,3 @@ index 34b2c290b..4692895db 100644 if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) return BadAlloc; wire += 2 * XkbKeyNameLength; --- -2.30.2 - diff --git a/debian/patches/10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch b/debian/patches/10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch index b4e7a017ab544525abd80f24cc97ae23a84b8e65..6a111afda652781b96f9a2c31d5d956c8816935b 100644 --- a/debian/patches/10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch +++ b/debian/patches/10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch @@ -35,11 +35,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> xkb/xkb.c | 46 +++++++++++++++++++++++++--------------------- 1 file changed, 25 insertions(+), 21 deletions(-) -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 64e52611e..34b2c290b 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c -@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client) +@@ -6584,7 +6584,8 @@ ProcXkbGetDeviceInfo(ClientPtr client) static char * CheckSetDeviceIndicators(char *wire, DeviceIntPtr dev, @@ -49,7 +47,7 @@ index 64e52611e..34b2c290b 100644 { xkbDeviceLedsWireDesc *ledWire; int i; -@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire, +@@ -6592,6 +6593,11 @@ CheckSetDeviceIndicators(char *wire, ledWire = (xkbDeviceLedsWireDesc *) wire; for (i = 0; i < num; i++) { 
@@ -61,7 +59,7 @@ index 64e52611e..34b2c290b 100644 if (client->swapped) { swaps(&ledWire->ledClass); swaps(&ledWire->ledID); -@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire, +@@ -6619,6 +6625,11 @@ CheckSetDeviceIndicators(char *wire, atomWire = (CARD32 *) &ledWire[1]; if (nNames > 0) { for (n = 0; n < nNames; n++) { @@ -73,7 +71,7 @@ index 64e52611e..34b2c290b 100644 if (client->swapped) { swapl(atomWire); } -@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire, +@@ -6630,6 +6641,10 @@ CheckSetDeviceIndicators(char *wire, mapWire = (xkbIndicatorMapWireDesc *) atomWire; if (nMaps > 0) { for (n = 0; n < nMaps; n++) { @@ -84,7 +82,7 @@ index 64e52611e..34b2c290b 100644 if (client->swapped) { swaps(&mapWire->virtualMods); swapl(&mapWire->ctrls); -@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire, +@@ -6681,11 +6696,6 @@ SetDeviceIndicators(char *wire, xkbIndicatorMapWireDesc *mapWire; XkbSrvLedInfoPtr sli; @@ -96,7 +94,7 @@ index 64e52611e..34b2c290b 100644 namec = mapc = statec = 0; sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID, XkbXI_IndicatorMapsMask); -@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire, +@@ -6704,10 +6714,6 @@ SetDeviceIndicators(char *wire, memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom)); for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { if (ledWire->namesPresent & bit) { @@ -107,7 +105,7 @@ index 64e52611e..34b2c290b 100644 sli->names[n] = (Atom) *atomWire; if (sli->names[n] == None) ledWire->namesPresent &= ~bit; -@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire, +@@ -6725,10 +6731,6 @@ SetDeviceIndicators(char *wire, if (ledWire->mapsPresent) { for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) { if (ledWire->mapsPresent & bit) { 
@@ -118,7 +116,7 @@ index 64e52611e..34b2c290b 100644 sli->maps[n].flags = mapWire->flags; sli->maps[n].which_groups = mapWire->whichGroups; sli->maps[n].groups = mapWire->groups; -@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire, +@@ -6764,13 +6766,17 @@ SetDeviceIndicators(char *wire, } static int @@ -137,7 +135,7 @@ index 64e52611e..34b2c290b 100644 if (!dev->button) { client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass); return XkbKeyboardErrorCode; -@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, +@@ -6781,13 +6787,13 @@ _XkbSetDeviceInfo(ClientPtr client, Devi dev->button->numButtons); return BadMatch; } @@ -153,7 +151,7 @@ index 64e52611e..34b2c290b 100644 if (status != Success) return status; } -@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev, +@@ -6798,8 +6804,8 @@ _XkbSetDeviceInfo(ClientPtr client, Devi } static int @@ -164,7 +162,7 @@ index 64e52611e..34b2c290b 100644 { char *wire; xkbExtensionDeviceNotify ed; -@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev, +@@ -6823,8 +6829,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, if (stuff->firstBtn + stuff->nBtns > nBtns) return BadValue; sz = stuff->nBtns * SIZEOF(xkbActionWireDesc); @@ -173,6 +171,3 @@ index 64e52611e..34b2c290b 100644 memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz); wire += sz; ed.reason |= XkbXI_ButtonActionsMask; --- -2.30.2 - diff --git a/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch b/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch index 79b171ee6141fd12c20aff0393a5714d2a7505db..d20cdc20f62431d0dc7e487f1a286ee157f8be2b 100644 --- a/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch +++ b/debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch @@ -13,11 +13,9 @@ 
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> xkb/xkb.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/xkb/xkb.c b/xkb/xkb.c -index f42f59ef3..1841cff26 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c -@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) +@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, Cli CARD16 len; wire = *wire_inout; @@ -29,6 +27,3 @@ index f42f59ef3..1841cff26 100644 len = *(CARD16 *) wire; if (client->swapped) { swaps(&len); --- -2.30.2 - diff --git a/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch b/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch index 1173d6706d4267f9baa286c34b25eb1e3acfa14d..7bc68f0ebffeab121856e71de546112471c0a965 100644 --- a/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch +++ b/debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch @@ -11,11 +11,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> xkb/xkb.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 4692895db..b79a269e3 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c -@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) +@@ -5941,18 +5941,32 @@ ProcXkbGetKbdByName(ClientPtr client) xkb = dev->key->xkbInfo->desc; status = Success; str = (unsigned char *) &stuff[1]; @@ -54,6 +52,3 @@ index 4692895db..b79a269e3 100644 CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); --- -2.30.2 - diff --git a/debian/patches/13_Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch b/debian/patches/13_Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch index 98c86f41c9aa72d866b4e0a44481ede61857139e..9bee88be040409aa5157f1f341c3b819565acbcf 100644 --- a/debian/patches/13_Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch 
+++ b/debian/patches/13_Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch @@ -31,11 +31,9 @@ Acked-by: Olivier Fourdan <ofourdan@redhat.com> Xext/xtest.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/Xext/xtest.c b/Xext/xtest.c -index 540d270a1c0d..e5d38aa61253 100644 --- a/Xext/xtest.c +++ b/Xext/xtest.c -@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) +@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xRe nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { @@ -49,6 +47,3 @@ index 540d270a1c0d..e5d38aa61253 100644 client->errorValue = ev->u.u.type; return BadValue; } --- -2.39.0 - diff --git a/debian/patches/14_Xi-disallow-passive-grabs-with-a-detail-255.patch b/debian/patches/14_Xi-disallow-passive-grabs-with-a-detail-255.patch index 0b93121293cf919d33475e8dfa2a9bd98eb80c3d..5746a56140494f7e2ddf9944d1987e22b5d812d7 100644 --- a/debian/patches/14_Xi-disallow-passive-grabs-with-a-detail-255.patch +++ b/debian/patches/14_Xi-disallow-passive-grabs-with-a-detail-255.patch @@ -33,11 +33,9 @@ Acked-by: Olivier Fourdan <ofourdan@redhat.com> Xi/xipassivegrab.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) -diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c -index 2769fb7c940d..c9ac2f855379 100644 --- a/Xi/xipassivegrab.c +++ b/Xi/xipassivegrab.c -@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client) +@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client return BadValue; } @@ -50,7 +48,7 @@ index 2769fb7c940d..c9ac2f855379 100644 if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], stuff->mask_len * 4) != Success) return BadValue; -@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) +@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client ¶m, XI2, &mask); break; case XIGrabtypeKeycode: 
@@ -67,19 +65,16 @@ index 2769fb7c940d..c9ac2f855379 100644 break; case XIGrabtypeEnter: case XIGrabtypeFocusIn: -@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client) +@@ -318,6 +318,12 @@ ProcXIPassiveUngrabDevice(ClientPtr clie + client->errorValue = stuff->detail; return BadValue; } - ++ + /* We don't allow passive grabs for details > 255 anyway */ + if (stuff->detail > 255) { + client->errorValue = stuff->detail; + return BadValue; + } -+ + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); if (rc != Success) - return rc; --- -2.39.0 - diff --git a/debian/patches/series b/debian/patches/series index 0128192c98f61947210b939a1b3a0f3439137776..83e6d3f4d8bbedf63cb6af6f84c1c53f3163226c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -22,3 +22,5 @@ disable-libgl-in-xwayland.patch 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch 20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch 21_composite-Fix-use-after-free-of-the-COW.patch +0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch +0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
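Review bot: The debian/patches/series hunk adds only 0001 and 0002, so after this upload nothing in the patch stack addresses CVE-2023-5574, while the deb11u7 changelog entry in this same diff still lists it under `fb: properly wrap/unwrap CloseScreen`. The deb11u8 entry explains the drop, but the series file itself carries no trace of it. I would record it there with a comment such as `# 0003/0004 (CVE-2023-5574) deliberately not applied, see changelog for 2:1.20.11-1+deb11u8`, so that anyone matching CVE ids against the changelog text does not treat the issue as fixed in this version.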