From cf688027d61dd6d9677b2031c6c3b56ffb03a656 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 23 Mar 2023 11:25:56 +0100
Subject: [PATCH] Import Debian changes 2:1.20.11-1+deb11u6

---
 debian/changelog                              |  6 +++
 ...posite-Fix-use-after-free-of-the-COW.patch | 37 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 44 insertions(+)
 create mode 100644 debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch

diff --git a/debian/changelog b/debian/changelog
index 28a8b41..988d80e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high
+
+  * composite: Fix use-after-free of the COW (CVE-2023-1393)
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 23 Mar 2023 11:25:56 +0100
+
 xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high
 
   * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)
diff --git a/debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch b/debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch
new file mode 100644
index 0000000..2fc9c93
--- /dev/null
+++ b/debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch
@@ -0,0 +1,37 @@
+From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH xserver] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
++
++    /* Did we just destroy the overlay window? */
++    if (pWin == cs->pOverlayWin)
++        cs->pOverlayWin = NULL;
++
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index c31a377..cd23c8f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@
 18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
 20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+21_composite-Fix-use-after-free-of-the-COW.patch
-- 
GitLab