Version in base suite: 1.20.11-1+deb11u3
Version in overlay suite: 1.20.11-1+deb11u4

Base version: xorg-server_1.20.11-1+deb11u4
Target version: xorg-server_1.20.11-1+deb11u5
Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xorg-server/xorg-server_1.20.11-1+deb11u4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xorg-server/xorg-server_1.20.11-1+deb11u5.dsc

 debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch |   30 ++++++++++
 xorg-server-1.20.11/debian/changelog                                         |    6 ++
 xorg-server-1.20.11/debian/patches/series                                    |    1 
 3 files changed, 37 insertions(+)

diff -u xorg-server-1.20.11/debian/changelog xorg-server-1.20.11/debian/changelog
--- xorg-server-1.20.11/debian/changelog
+++ xorg-server-1.20.11/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.20.11-1+deb11u5) bullseye-security; urgency=high
+
+  * Xi: fix potential use-after-free in DeepCopyPointerClasses (CVE-2023-0494)
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 01 Feb 2023 15:11:18 +0100
+
 xorg-server (2:1.20.11-1+deb11u4) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -u xorg-server-1.20.11/debian/patches/series xorg-server-1.20.11/debian/patches/series
--- xorg-server-1.20.11/debian/patches/series
+++ xorg-server-1.20.11/debian/patches/series
@@ -19,3 +19,4 @@
 17_Xi-return-an-error-from-XI-property-changes-if-verif.patch
 18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
+20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
only in patch2:
unchanged:
--- xorg-server-1.20.11.orig/debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+++ xorg-server-1.20.11/debian/patches/20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
@@ -0,0 +1,30 @@
+From 7150ba655c0cc08fa6ded309b81265bb672f2869 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH xserver] Xi: fix potential use-after-free in
+ DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN 19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/exevents.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -575,8 +575,10 @@ DeepCopyPointerClasses(DeviceIntPtr from
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+                    sizeof(XkbAction));
+         }
+-        else
++        else {
+             free(to->button->xkb_acts);
++            to->button->xkb_acts = NULL;
++        }
+ 
+         memcpy(to->button->labels, from->button->labels,
+                from->button->numButtons * sizeof(Atom));