Import Debian changes 2:1.20.11-1+deb11u8

debian/changelog

+xorg-server (2:1.20.11-1+deb11u8) bullseye-security; urgency=high
+
+  * 0003-mi-fix-CloseScreen-initialization-order.patch,
+    0004-fb-properly-wrap-unwrap-CloseScreen.patch: drop, causes other
+    bugs that are worse than CVE-2023-5574.
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 25 Oct 2023 09:47:13 +0200
+
+xorg-server (2:1.20.11-1+deb11u7) bullseye-security; urgency=high
+
+  * Xi/randr: fix handling of PropModeAppend/Prepend (CVE-2023-5367)
+  * mi: reset the PointerWindows reference on screen switch (CVE-2023-5380)
+  * mi: fix CloseScreen initialization order
+  * fb: properly wrap/unwrap CloseScreen (CVE-2023-5574)
+
+ -- Julien Cristau <jcristau@debian.org>  Mon, 23 Oct 2023 19:26:14 +0200
+
 xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high
 
   * composite: Fix use-after-free of the COW (CVE-2023-1393)

debian/patches/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch

+From 69ceb12e9c9dc42175aba48bb86f2842423d7082 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH xserver 1/4] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+                            ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/xiproperty.c    | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+-- 
+2.41.0
+

debian/patches/0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch

+From 344bdc9b8075bc98ddad46439f04f17b8a681cc5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH xserver 2/4] mi: reset the PointerWindows reference on screen
+ switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPt
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+ 
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, S
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
++        ) {
++            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++            /* Hack for CVE-2023-5380: if we're moving
++             * screens PointerWindows[] keeps referring to the
++             * old window. If that gets destroyed we have a UAF
++             * bug later. Only happens when jumping from a window
++             * to the root window on the other screen.
++             * Enter/Leave events are incorrect for that case but
++             * too niche to fix.
++             */
++            LeaveWindow(pDev);
++            if (master)
++                LeaveWindow(master);
++            UpdateSpriteForScreen(pDev, pScreen);
++    }
+ }
+ 
+ /**

debian/patches/02_kbsd-input-devd.diff

@@ -448,7 +448,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
 +}
 --- a/configure.ac
 +++ b/configure.ac
-@@ -566,6 +566,7 @@ AC_ARG_ENABLE(dpms,           AS_HELP_ST
+@@ -568,6 +568,7 @@ AC_ARG_ENABLE(dpms,           AS_HELP_ST
  AC_ARG_ENABLE(config-udev,    AS_HELP_STRING([--enable-config-udev], [Build udev support (default: auto)]), [CONFIG_UDEV=$enableval], [CONFIG_UDEV=auto])
  AC_ARG_ENABLE(config-udev-kms,    AS_HELP_STRING([--enable-config-udev-kms], [Build udev kms support (default: auto)]), [CONFIG_UDEV_KMS=$enableval], [CONFIG_UDEV_KMS=auto])
  AC_ARG_ENABLE(config-hal,     AS_HELP_STRING([--disable-config-hal], [Build HAL support (default: auto)]), [CONFIG_HAL=$enableval], [CONFIG_HAL=auto])
@@ -456,7 +456,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
  AC_ARG_ENABLE(config-wscons,  AS_HELP_STRING([--enable-config-wscons], [Build wscons config support (default: auto)]), [CONFIG_WSCONS=$enableval], [CONFIG_WSCONS=auto])
  AC_ARG_ENABLE(xfree86-utils,     AS_HELP_STRING([--enable-xfree86-utils], [Build xfree86 DDX utilities (default: enabled)]), [XF86UTILS=$enableval], [XF86UTILS=yes])
  AC_ARG_ENABLE(vgahw,          AS_HELP_STRING([--enable-vgahw], [Build Xorg with vga access (default: enabled)]), [VGAHW=$enableval], [VGAHW=yes])
-@@ -950,6 +951,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
+@@ -949,6 +950,21 @@ if test "x$CONFIG_WSCONS" = xyes; then
  	AC_DEFINE(CONFIG_WSCONS, 1, [Use wscons for input auto configuration])
  fi
  
@@ -489,7 +489,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
               Neither HAL nor udev backend will be enabled.
 --- a/hw/xfree86/common/xf86Config.c
 +++ b/hw/xfree86/common/xf86Config.c
-@@ -1257,15 +1257,18 @@ checkCoreInputDevices(serverLayoutPtr se
+@@ -1264,15 +1264,18 @@ checkCoreInputDevices(serverLayoutPtr se
      }
  
      if (!xf86Info.forceInputDevices && !(foundPointer && foundKeyboard)) {
@@ -512,7 +512,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
                  "input devices.\n\tIf no devices become available, "
 --- a/hw/xfree86/common/xf86Globals.c
 +++ b/hw/xfree86/common/xf86Globals.c
-@@ -117,7 +117,8 @@ xf86InfoRec xf86Info = {
+@@ -119,7 +119,8 @@ xf86InfoRec xf86Info = {
      .miscModInDevEnabled = TRUE,
      .miscModInDevAllowNonLocal = FALSE,
      .pmFlag = TRUE,
@@ -524,7 +524,7 @@ v2 - Emilio Pozuelo Monfort <pochu@debian.org>
      .autoEnableDevices = TRUE,
 --- a/include/dix-config.h.in
 +++ b/include/dix-config.h.in
-@@ -433,6 +433,9 @@
+@@ -424,6 +424,9 @@
  /* Enable systemd-logind integration */
  #undef SYSTEMD_LOGIND 1
  

debian/patches/03_static-nettle.diff

@@ -4,7 +4,7 @@ There's no libnettle udeb.
 
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1634,7 +1634,7 @@ fi
+@@ -1597,7 +1597,7 @@ fi
  if test "x$with_sha1" = xlibnettle; then
  	AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
  	          [Use libnettle SHA1 functions])

debian/patches/08_xkb-switch-to-array-index-loops-to-moving-pointers.patch

@@ -14,11 +14,9 @@ Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
  xkb/xkb.c | 20 ++++++++++----------
  1 file changed, 10 insertions(+), 10 deletions(-)
 
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index a29262c24..64e52611e 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
-@@ -5368,16 +5368,16 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5369,16 +5369,16 @@ _CheckSetSections(XkbGeometryPtr geom,
              row->left = rWire->left;
              row->vertical = rWire->vertical;
              kWire = (xkbKeyWireDesc *) &rWire[1];
@@ -40,7 +38,7 @@ index a29262c24..64e52611e 100644
                  if (key->shape_ndx >= geom->num_shapes) {
                      client->errorValue = _XkbErrCode3(0x10, key->shape_ndx,
                                                        geom->num_shapes);
-@@ -5389,7 +5389,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5390,7 +5390,7 @@ _CheckSetSections(XkbGeometryPtr geom,
                      return BadMatch;
                  }
              }
@@ -49,7 +47,7 @@ index a29262c24..64e52611e 100644
          }
          wire = (char *) rWire;
          if (sWire->nDoodads > 0) {
-@@ -5454,16 +5454,16 @@ _CheckSetShapes(XkbGeometryPtr geom,
+@@ -5455,16 +5455,16 @@ _CheckSetShapes(XkbGeometryPtr geom,
                      return BadAlloc;
                  ol->corner_radius = olWire->cornerRadius;
                  ptWire = (xkbPointWireDesc *) &olWire[1];
@@ -70,6 +68,3 @@ index a29262c24..64e52611e 100644
              }
              if (shapeWire->primaryNdx != XkbNoShape)
                  shape->primary = &shape->outlines[shapeWire->primaryNdx];
--- 
-2.30.2
-

debian/patches/09_xkb-add-request-length-validation-for-XkbSetGeometry.patch

@@ -20,11 +20,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
  1 file changed, 38 insertions(+), 5 deletions(-)
 
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 34b2c290b..4692895db 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
-@@ -5156,7 +5156,7 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+@@ -5157,7 +5157,7 @@ _GetCountedString(char **wire_inout, Cli
  }
  
  static Status
@@ -33,7 +31,7 @@ index 34b2c290b..4692895db 100644
                  XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
  {
      char *wire;
-@@ -5167,6 +5167,9 @@ _CheckSetDoodad(char **wire_inout,
+@@ -5168,6 +5168,9 @@ _CheckSetDoodad(char **wire_inout,
      Status status;
  
      dWire = (xkbDoodadWireDesc *) (*wire_inout);
@@ -43,7 +41,7 @@ index 34b2c290b..4692895db 100644
      any = dWire->any;
      wire = (char *) &dWire[1];
      if (client->swapped) {
-@@ -5269,7 +5272,7 @@ _CheckSetDoodad(char **wire_inout,
+@@ -5270,7 +5273,7 @@ _CheckSetDoodad(char **wire_inout,
  }
  
  static Status
@@ -52,7 +50,7 @@ index 34b2c290b..4692895db 100644
                   XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
  {
      register int r;
-@@ -5280,6 +5283,9 @@ _CheckSetOverlay(char **wire_inout,
+@@ -5281,6 +5284,9 @@ _CheckSetOverlay(char **wire_inout,
  
      wire = *wire_inout;
      olWire = (xkbOverlayWireDesc *) wire;
@@ -62,7 +60,7 @@ index 34b2c290b..4692895db 100644
      if (client->swapped) {
          swapl(&olWire->name);
      }
-@@ -5291,6 +5297,9 @@ _CheckSetOverlay(char **wire_inout,
+@@ -5292,6 +5298,9 @@ _CheckSetOverlay(char **wire_inout,
          xkbOverlayKeyWireDesc *kWire;
          XkbOverlayRowPtr row;
  
@@ -72,7 +70,7 @@ index 34b2c290b..4692895db 100644
          if (rWire->rowUnder > section->num_rows) {
              client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
                                                rWire->rowUnder);
-@@ -5299,6 +5308,9 @@ _CheckSetOverlay(char **wire_inout,
+@@ -5300,6 +5309,9 @@ _CheckSetOverlay(char **wire_inout,
          row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
          kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
          for (k = 0; k < rWire->nKeys; k++, kWire++) {
@@ -82,7 +80,7 @@ index 34b2c290b..4692895db 100644
              if (XkbAddGeomOverlayKey(ol, row,
                                       (char *) kWire->over,
                                       (char *) kWire->under) == NULL) {
-@@ -5332,6 +5344,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5333,6 +5345,9 @@ _CheckSetSections(XkbGeometryPtr geom,
          register int r;
          xkbRowWireDesc *rWire;
  
@@ -92,7 +90,7 @@ index 34b2c290b..4692895db 100644
          if (client->swapped) {
              swapl(&sWire->name);
              swaps(&sWire->top);
-@@ -5357,6 +5372,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5358,6 +5373,9 @@ _CheckSetSections(XkbGeometryPtr geom,
              XkbRowPtr row;
              xkbKeyWireDesc *kWire;
  
@@ -102,7 +100,7 @@ index 34b2c290b..4692895db 100644
              if (client->swapped) {
                  swaps(&rWire->top);
                  swaps(&rWire->left);
-@@ -5371,6 +5389,9 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5372,6 +5390,9 @@ _CheckSetSections(XkbGeometryPtr geom,
              for (k = 0; k < rWire->nKeys; k++, kWire++) {
                  XkbKeyPtr key;
  
@@ -112,7 +110,7 @@ index 34b2c290b..4692895db 100644
                  key = XkbAddGeomKey(row);
                  if (!key)
                      return BadAlloc;
-@@ -5396,7 +5417,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5397,7 +5418,7 @@ _CheckSetSections(XkbGeometryPtr geom,
              register int d;
  
              for (d = 0; d < sWire->nDoodads; d++) {
@@ -121,7 +119,7 @@ index 34b2c290b..4692895db 100644
                  if (status != Success)
                      return status;
              }
-@@ -5405,7 +5426,7 @@ _CheckSetSections(XkbGeometryPtr geom,
+@@ -5406,7 +5427,7 @@ _CheckSetSections(XkbGeometryPtr geom,
              register int o;
  
              for (o = 0; o < sWire->nOverlays; o++) {
@@ -130,7 +128,7 @@ index 34b2c290b..4692895db 100644
                  if (status != Success)
                      return status;
              }
-@@ -5439,6 +5460,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
+@@ -5440,6 +5461,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
              xkbOutlineWireDesc *olWire;
              XkbOutlinePtr ol;
  
@@ -140,7 +138,7 @@ index 34b2c290b..4692895db 100644
              shape =
                  XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
              if (!shape)
-@@ -5449,12 +5473,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
+@@ -5450,12 +5474,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
                  XkbPointPtr pt;
                  xkbPointWireDesc *ptWire;
  
@@ -159,7 +157,7 @@ index 34b2c290b..4692895db 100644
                      pt->x = ptWire->x;
                      pt->y = ptWire->y;
                      if (client->swapped) {
-@@ -5560,12 +5590,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+@@ -5561,12 +5591,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
          return status;
  
      for (i = 0; i < req->nDoodads; i++) {
@@ -176,6 +174,3 @@ index 34b2c290b..4692895db 100644
          if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
              return BadAlloc;
          wire += 2 * XkbKeyNameLength;
--- 
-2.30.2
-

debian/patches/10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch

@@ -35,11 +35,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  xkb/xkb.c | 46 +++++++++++++++++++++++++---------------------
  1 file changed, 25 insertions(+), 21 deletions(-)
 
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 64e52611e..34b2c290b 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
-@@ -6550,7 +6550,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
+@@ -6584,7 +6584,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
  static char *
  CheckSetDeviceIndicators(char *wire,
                           DeviceIntPtr dev,
@@ -49,7 +47,7 @@ index 64e52611e..34b2c290b 100644
  {
      xkbDeviceLedsWireDesc *ledWire;
      int i;
-@@ -6558,6 +6559,11 @@ CheckSetDeviceIndicators(char *wire,
+@@ -6592,6 +6593,11 @@ CheckSetDeviceIndicators(char *wire,
  
      ledWire = (xkbDeviceLedsWireDesc *) wire;
      for (i = 0; i < num; i++) {
@@ -61,7 +59,7 @@ index 64e52611e..34b2c290b 100644
          if (client->swapped) {
              swaps(&ledWire->ledClass);
              swaps(&ledWire->ledID);
-@@ -6585,6 +6591,11 @@ CheckSetDeviceIndicators(char *wire,
+@@ -6619,6 +6625,11 @@ CheckSetDeviceIndicators(char *wire,
              atomWire = (CARD32 *) &ledWire[1];
              if (nNames > 0) {
                  for (n = 0; n < nNames; n++) {
@@ -73,7 +71,7 @@ index 64e52611e..34b2c290b 100644
                      if (client->swapped) {
                          swapl(atomWire);
                      }
-@@ -6596,6 +6607,10 @@ CheckSetDeviceIndicators(char *wire,
+@@ -6630,6 +6641,10 @@ CheckSetDeviceIndicators(char *wire,
              mapWire = (xkbIndicatorMapWireDesc *) atomWire;
              if (nMaps > 0) {
                  for (n = 0; n < nMaps; n++) {
@@ -84,7 +82,7 @@ index 64e52611e..34b2c290b 100644
                      if (client->swapped) {
                          swaps(&mapWire->virtualMods);
                          swapl(&mapWire->ctrls);
-@@ -6647,11 +6662,6 @@ SetDeviceIndicators(char *wire,
+@@ -6681,11 +6696,6 @@ SetDeviceIndicators(char *wire,
          xkbIndicatorMapWireDesc *mapWire;
          XkbSrvLedInfoPtr sli;
  
@@ -96,7 +94,7 @@ index 64e52611e..34b2c290b 100644
          namec = mapc = statec = 0;
          sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
                                  XkbXI_IndicatorMapsMask);
-@@ -6670,10 +6680,6 @@ SetDeviceIndicators(char *wire,
+@@ -6704,10 +6714,6 @@ SetDeviceIndicators(char *wire,
              memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
              for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
                  if (ledWire->namesPresent & bit) {
@@ -107,7 +105,7 @@ index 64e52611e..34b2c290b 100644
                      sli->names[n] = (Atom) *atomWire;
                      if (sli->names[n] == None)
                          ledWire->namesPresent &= ~bit;
-@@ -6691,10 +6697,6 @@ SetDeviceIndicators(char *wire,
+@@ -6725,10 +6731,6 @@ SetDeviceIndicators(char *wire,
          if (ledWire->mapsPresent) {
              for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
                  if (ledWire->mapsPresent & bit) {
@@ -118,7 +116,7 @@ index 64e52611e..34b2c290b 100644
                      sli->maps[n].flags = mapWire->flags;
                      sli->maps[n].which_groups = mapWire->whichGroups;
                      sli->maps[n].groups = mapWire->groups;
-@@ -6730,13 +6732,17 @@ SetDeviceIndicators(char *wire,
+@@ -6764,13 +6766,17 @@ SetDeviceIndicators(char *wire,
  }
  
  static int
@@ -137,7 +135,7 @@ index 64e52611e..34b2c290b 100644
          if (!dev->button) {
              client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
              return XkbKeyboardErrorCode;
-@@ -6747,13 +6753,13 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+@@ -6781,13 +6787,13 @@ _XkbSetDeviceInfo(ClientPtr client, Devi
                               dev->button->numButtons);
              return BadMatch;
          }
@@ -153,7 +151,7 @@ index 64e52611e..34b2c290b 100644
          if (status != Success)
              return status;
      }
-@@ -6764,8 +6770,8 @@ _XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
+@@ -6798,8 +6804,8 @@ _XkbSetDeviceInfo(ClientPtr client, Devi
  }
  
  static int
@@ -164,7 +162,7 @@ index 64e52611e..34b2c290b 100644
  {
      char *wire;
      xkbExtensionDeviceNotify ed;
-@@ -6789,8 +6795,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
+@@ -6823,8 +6829,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
          if (stuff->firstBtn + stuff->nBtns > nBtns)
              return BadValue;
          sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
@@ -173,6 +171,3 @@ index 64e52611e..34b2c290b 100644
          memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
          wire += sz;
          ed.reason |= XkbXI_ButtonActionsMask;
--- 
-2.30.2
-

debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch

@@ -13,11 +13,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  xkb/xkb.c | 5 +++++
  1 file changed, 5 insertions(+)
 
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index f42f59ef3..1841cff26 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
-@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, Cli
      CARD16 len;
  
      wire = *wire_inout;
@@ -29,6 +27,3 @@ index f42f59ef3..1841cff26 100644
      len = *(CARD16 *) wire;
      if (client->swapped) {
          swaps(&len);
--- 
-2.30.2
-

debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch

@@ -11,11 +11,9 @@ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  xkb/xkb.c | 26 ++++++++++++++++++++------
  1 file changed, 20 insertions(+), 6 deletions(-)
 
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 4692895db..b79a269e3 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
-@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client)
+@@ -5941,18 +5941,32 @@ ProcXkbGetKbdByName(ClientPtr client)
      xkb = dev->key->xkbInfo->desc;
      status = Success;
      str = (unsigned char *) &stuff[1];
@@ -54,6 +52,3 @@ index 4692895db..b79a269e3 100644
  
      CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
      CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
--- 
-2.30.2
-

debian/patches/13_Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch

@@ -31,11 +31,9 @@ Acked-by: Olivier Fourdan <ofourdan@redhat.com>
  Xext/xtest.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
 
-diff --git a/Xext/xtest.c b/Xext/xtest.c
-index 540d270a1c0d..e5d38aa61253 100644
 --- a/Xext/xtest.c
 +++ b/Xext/xtest.c
-@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xRe
  
      nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
      for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
@@ -49,6 +47,3 @@ index 540d270a1c0d..e5d38aa61253 100644
              client->errorValue = ev->u.u.type;
              return BadValue;
          }
--- 
-2.39.0
-

debian/patches/14_Xi-disallow-passive-grabs-with-a-detail-255.patch

@@ -33,11 +33,9 @@ Acked-by: Olivier Fourdan <ofourdan@redhat.com>
  Xi/xipassivegrab.c | 22 ++++++++++++++--------
  1 file changed, 14 insertions(+), 8 deletions(-)
 
-diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
-index 2769fb7c940d..c9ac2f855379 100644
 --- a/Xi/xipassivegrab.c
 +++ b/Xi/xipassivegrab.c
-@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client
          return BadValue;
      }
  
@@ -50,7 +48,7 @@ index 2769fb7c940d..c9ac2f855379 100644
      if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
                                 stuff->mask_len * 4) != Success)
          return BadValue;
-@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client
                                  &param, XI2, &mask);
              break;
          case XIGrabtypeKeycode:
@@ -67,19 +65,16 @@ index 2769fb7c940d..c9ac2f855379 100644
              break;
          case XIGrabtypeEnter:
          case XIGrabtypeFocusIn:
-@@ -334,6 +334,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+@@ -318,6 +318,12 @@ ProcXIPassiveUngrabDevice(ClientPtr clie
+         client->errorValue = stuff->detail;
          return BadValue;
      }
- 
++
 +    /* We don't allow passive grabs for details > 255 anyway */
 +    if (stuff->detail > 255) {
 +        client->errorValue = stuff->detail;
 +        return BadValue;
 +    }
-+
+ 
      rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
      if (rc != Success)
-         return rc;
--- 
-2.39.0
-

debian/patches/series

@@ -21,3 +21,5 @@
 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
 20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 21_composite-Fix-use-after-free-of-the-COW.patch
+0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+0002-mi-reset-the-PointerWindows-reference-on-screen-swit.patch