.gitignore

@@ -1 +1 @@
-SOURCES/libX11-1.7.0.tar.bz2
+SOURCES/libX11-1.6.8.tar.bz2

.libX11.metadata

@@ -1 +1 @@
-48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2
+f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2

SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch

@@ -0,0 +1,166 @@
+From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Sat, 7 Nov 2020 22:22:47 -0800
+Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
+ adjustment
+
+This patch is based on research done by Dmitry Osipenko to uncover the
+cause of a large class of Xlib lockups.
+
+_XError must unlock and re-lock the display around the call to the
+user error handler function. When re-locking the display, two
+functions are called to ensure that the display is ready to generate a request:
+
+    _XIDHandler(dpy);
+    _XSeqSyncFunction(dpy);
+
+The first ensures that there is at least one XID available to use
+(possibly calling _xcb_generate_id to do so). The second makes sure a
+reply is received at least every 65535 requests to keep sequence
+numbers in sync (possibly generating a GetInputFocus request and
+synchronously awaiting the reply).
+
+If the second of these does generate a GetInputFocus request and wait
+for the reply, then a pending error will cause recursion into _XError,
+which deadlocks the display.
+
+One seemingly easy fix is to have _XError avoid those calls by
+invoking InternalLockDisplay instead of LockDisplay. That function
+does everything that LockDisplay does *except* call those final two
+functions which may end up receiving an error.
+
+However, that doesn't protect the system from applications which call
+some legal Xlib function from within their error handler. Any Xlib
+function which cannot generate protocol or wait for events is valid,
+including many which invoke LockDisplay.
+
+What we need to do is make LockDisplay skip these two function calls
+precisely when it is called from within the _XError context for the
+same display.
+
+This patch accomplishes this by creating a list of threads in the
+display which are in _XError, and then having LockDisplay check the
+current thread against those list elements.
+
+Inspired-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Tested-by: Dmitry Osipenko <digetx@gmail.com>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
+---
+ include/X11/Xlibint.h |  2 ++
+ src/OpenDis.c         |  1 +
+ src/XlibInt.c         | 10 ++++++++++
+ src/locking.c         | 12 ++++++++++++
+ src/locking.h         | 12 ++++++++++++
+ 5 files changed, 37 insertions(+)
+
+diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
+index 6b95bcf7..09078e3f 100644
+--- a/include/X11/Xlibint.h
++++ b/include/X11/Xlibint.h
+@@ -202,6 +202,8 @@ struct _XDisplay
+ 	unsigned long last_request_read_upper32bit;
+ 	unsigned long request_upper32bit;
+ #endif
++
++	struct _XErrorThreadInfo *error_threads;
+ };
+ 
+ #define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
+diff --git a/src/OpenDis.c b/src/OpenDis.c
+index 82723578..85901168 100644
+--- a/src/OpenDis.c
++++ b/src/OpenDis.c
+@@ -201,6 +201,7 @@ XOpenDisplay (
+ 	X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
+ 	dpy->default_screen = iscreen;  /* Value returned by ConnectDisplay */
+ 	dpy->last_req = (char *)&_dummy_request;
++	dpy->error_threads = NULL;
+ 
+ 	/* Initialize the display lock */
+ 	if (InitDisplayLock(dpy) != 0) {
+diff --git a/src/XlibInt.c b/src/XlibInt.c
+index 4e45e62b..8771b791 100644
+--- a/src/XlibInt.c
++++ b/src/XlibInt.c
+@@ -1482,6 +1482,11 @@ int _XError (
+     if (_XErrorFunction != NULL) {
+ 	int rtn_val;
+ #ifdef XTHREADS
++	struct _XErrorThreadInfo thread_info = {
++		.error_thread = xthread_self(),
++		.next = dpy->error_threads
++	}, **prev;
++	dpy->error_threads = &thread_info;
+ 	if (dpy->lock)
+ 	    (*dpy->lock->user_lock_display)(dpy);
+ 	UnlockDisplay(dpy);
+@@ -1491,6 +1496,11 @@ int _XError (
+ 	LockDisplay(dpy);
+ 	if (dpy->lock)
+ 	    (*dpy->lock->user_unlock_display)(dpy);
++
++	/* unlink thread_info from the list */
++	for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
++		;
++	*prev = thread_info.next;
+ #endif
+ 	return rtn_val;
+     } else {
+diff --git a/src/locking.c b/src/locking.c
+index 9f4fe067..bcadc857 100644
+--- a/src/locking.c
++++ b/src/locking.c
+@@ -453,6 +453,9 @@ static void _XLockDisplay(
+     XTHREADS_FILE_LINE_ARGS
+     )
+ {
++#ifdef XTHREADS
++    struct _XErrorThreadInfo *ti;
++#endif
+ #ifdef XTHREADS_WARN
+     _XLockDisplayWarn(dpy, file, line);
+ #else
+@@ -460,6 +463,15 @@ static void _XLockDisplay(
+ #endif
+     if (dpy->lock->locking_level > 0)
+ 	_XDisplayLockWait(dpy);
++#ifdef XTHREADS
++    /*
++     * Skip the two function calls below which may generate requests
++     * when LockDisplay is called from within _XError.
++     */
++    for (ti = dpy->error_threads; ti; ti = ti->next)
++	    if (ti->error_thread == xthread_self())
++		    return;
++#endif
+     _XIDHandler(dpy);
+     _XSeqSyncFunction(dpy);
+ }
+diff --git a/src/locking.h b/src/locking.h
+index 5251a60c..59fc866e 100644
+--- a/src/locking.h
++++ b/src/locking.h
+@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
+ 	xmutex_t	lock;
+ } LockInfoRec;
+ 
++/* A list of threads currently invoking error handlers on this display
++ * LockDisplay operates differently for these threads, avoiding
++ * generating any requests or reading any events as that can cause
++ * recursion into the error handling code, which will deadlock the
++ * thread.
++ */
++struct _XErrorThreadInfo
++{
++    struct _XErrorThreadInfo *next;
++    xthread_t error_thread;
++};
++
+ /* XOpenDis.c */
+ extern int (*_XInitDisplayLock_fn)(Display *dpy);
+ extern void (*_XFreeDisplayLock_fn)(Display *dpy);
+-- 
+2.43.0
+

SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch

@@ -0,0 +1,64 @@
+From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Wed, 11 Dec 2019 11:53:11 -0500
+Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+XCopyColormapAndFree/5 threw an assertion:
+
+    520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A)
+    520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap,
+    520|4 5 00014017 1 4|then a BadColor error occurs.
+    520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap.
+    520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument.
+    520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs.
+    520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received
+    220|4 5 2 15:05:53|UNRESOLVED
+    410|4 5 1 15:05:53|IC End
+    510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV)
+
+More specifically:
+
+    lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed.
+
+This bug was introduced (by following my advice, d'oh) in:
+
+    commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d
+    Author: Tapani Pälli <tapani.palli@intel.com>
+    Date:   Mon May 13 08:29:49 2019 +0300
+
+        Protect colormap add/removal with display lock
+
+In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the
+display lock. The problem is said routine has side effects, including
+trying to implicitly create a colormap in some cases. Since we don't run
+the XID handler until SyncHandle() we would see inconsistent internal
+xlib state, triggering the above assert.
+
+Fix this by dropping and re-taking the display lock before calling into
+XCMS.
+---
+ src/CopyCmap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/CopyCmap.c b/src/CopyCmap.c
+index b4954b01..b37aba73 100644
+--- a/src/CopyCmap.c
++++ b/src/CopyCmap.c
+@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree(
+     mid = req->mid = XAllocID(dpy);
+     req->srcCmap = src_cmap;
+ 
++    /* re-lock the display to keep XID handling in sync */
++    UnlockDisplay(dpy);
++    SyncHandle();
++    LockDisplay(dpy);
++
+ #if XCMS
+     _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
+ #endif
+-- 
+2.23.0
+

SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch

@@ -0,0 +1,37 @@
+From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 13 Aug 2020 18:02:58 +0200
+Subject: [PATCH] Fix an integer overflow in init_om()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-14363
+
+This can lead to a double free later, as reported by Jayden Rivers.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d)
+Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
+---
+ modules/om/generic/omGeneric.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
+index 22f826ec..bcfb9ab8 100644
+--- a/modules/om/generic/omGeneric.c
++++ b/modules/om/generic/omGeneric.c
+@@ -1908,7 +1908,8 @@ init_om(
+     char **required_list;
+     XOrientation *orientation;
+     char **value, buf[BUFSIZ], *bufptr;
+-    int count = 0, num = 0, length = 0;
++    int count = 0, num = 0;
++    unsigned int length = 0;
+ 
+     _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
+     if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
+-- 
+2.28.0
+

SOURCES/0001-Fix-poll_for_response-race-condition.patch

@@ -0,0 +1,63 @@
+From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Wed, 29 Jan 2020 09:06:54 +0000
+Subject: [PATCH libX11] Fix poll_for_response race condition
+
+In poll_for_response is it possible that event replies are skipped
+and a more up to date message reply is returned.
+This will cause next poll_for_event call to fail aborting the program.
+
+This was proved using some slow ssh tunnel or using some program
+to slow down server replies (I used a combination of xtrace and strace).
+
+How the race happens:
+- program enters into poll_for_response;
+- poll_for_event is called but the server didn't still send the reply;
+- pending_requests is not NULL because we send a request (see call
+  to  append_pending_request in _XSend);
+- xcb_poll_for_reply64 is called from poll_for_response;
+- xcb_poll_for_reply64 will read from server, at this point
+  server reply with an event (say sequence N) and the reply to our
+  last request (say sequence N+1);
+- xcb_poll_for_reply64 returns the reply for the request we asked;
+- last_request_read is set to N+1 sequence in poll_for_response;
+- poll_for_response returns the response to the request;
+- poll_for_event is called (for instance from another poll_for_response);
+- event with sequence N is retrieved;
+- the N sequence is widen, however, as the "new" number computed from
+  last_request_read is less than N the number is widened to N + 2^32
+  (assuming last_request_read is still contained in 32 bit);
+- poll_for_event enters the nested if statement as req is NULL;
+- we compare the widen N (which now does not fit into 32 bit) with
+  request (which fits into 32 bit) hitting the throw_thread_fail_assert.
+
+I propose to change the widen to not go too far from the wide number
+instead of supposing the result is always bigger than the wide number
+passed.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ src/xcb_io.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/xcb_io.c b/src/xcb_io.c
+index 6a12d150..2aacbda3 100644
+--- a/src/xcb_io.c
++++ b/src/xcb_io.c
+@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply)
+ }
+ 
+ /* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number.
+- * Treating the comparison as a 1 and shifting it avoids a conditional branch.
+  */
+ static void widen(uint64_t *wide, unsigned int narrow)
+ {
+-	uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow;
+-	*wide = new + (((uint64_t)(new < *wide)) << 32);
++	*wide += (int32_t) (narrow - *wide);
+ }
+ 
+ /* Thread-safety rules:
+-- 
+2.23.0
+

SOURCES/0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch

@@ -0,0 +1,40 @@
+From 623b77d4f30b47258a40f89262e5aa5d25e95fa7 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensberg@telfort.nl>
+Date: Mon, 14 Feb 2022 11:33:25 +0100
+Subject: [PATCH] imDefLkup: verify that a pointer isn't NULL before using it
+
+It is possible for _XimICOfXICID() to return NULL, so it is necessary
+to check this isn't actually the case before dereferencing the pointer.
+All other callers of _XimICOfXICID() do this check too.
+
+(The check itself is ugly, but it follows the style of the code in the
+rest of the module.)
+
+Fixes issue #45.
+
+Reported-by: Bhavi Dhingra
+
+Original-patch-by: Bhavi Dhingra
+
+Signed-off-by: Benno Schulenberg <bensberg@telfort.nl>
+---
+ modules/im/ximcp/imDefLkup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
+index dea7f66d..dd1adf53 100644
+--- a/modules/im/ximcp/imDefLkup.c
++++ b/modules/im/ximcp/imDefLkup.c
+@@ -88,7 +88,8 @@ _XimSetEventMaskCallback(
+ 
+     if (imid == im->private.proto.imid) {
+ 	if (icid) {
+-	    ic = _XimICOfXICID(im, icid);
++	    if (!(ic = _XimICOfXICID(im, icid)))
++		return False;
+ 	    _XimProcICSetEventMask(ic, (XPointer)&buf_s[2]);
+ 	} else {
+ 	    _XimProcIMSetEventMask(im, (XPointer)&buf_s[2]);
+-- 
+2.46.0
+

SOURCES/0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch

@@ -1,43 +0,0 @@
-From e92efc63acd7b377faa9e534f4bf52aaa86be2a9 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 27 Jul 2021 11:46:19 +1000
-Subject: [PATCH libX11] makekeys: handle the new _EVDEVK xorgproto symbols
-
-These keys are all defined through a macro in the form:
-   #define XF86XK_BrightnessAuto		_EVDEVK(0x0F4)
-
-The _EVDEVK macro is simply an offset of 0x10081000.
-Let's parse these lines correctly so those keysyms end up in our
-hashtables.
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- src/util/makekeys.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/util/makekeys.c b/src/util/makekeys.c
-index e847ef4c..4896cc53 100644
---- a/src/util/makekeys.c
-+++ b/src/util/makekeys.c
-@@ -78,6 +78,18 @@ parse_line(const char *buf, char *key, KeySym *val, char *prefix)
-         return 1;
-     }
- 
-+    /* See if we can parse one of the _EVDEVK symbols */
-+    i = sscanf(buf, "#define %127s _EVDEVK(0x%lx)", key, val);
-+    if (i == 2 && (tmp = strstr(key, "XK_"))) {
-+        memcpy(prefix, key, (size_t)(tmp - key));
-+        prefix[tmp - key] = '\0';
-+        tmp += 3;
-+        memmove(key, tmp, strlen(tmp) + 1);
-+
-+        *val += 0x10081000;
-+        return 1;
-+    }
-+
-     /* Now try to catch alias (XK_foo XK_bar) definitions, and resolve them
-      * immediately: if the target is in the form XF86XK_foo, we need to
-      * canonicalise this to XF86foo before we do the lookup. */
--- 
-2.31.1
-

SOURCES/CVE-2021-31535.patch

@@ -0,0 +1,411 @@
+From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending
+ them on the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+[mustard: backported 10 1.6.8 by merging the warning fixes from
+upstream commimt 84427130 first - ajax]
+---
+ src/Font.c      | 10 ++++++----
+ src/FontInfo.c  |  5 ++++-
+ src/FontNames.c |  5 ++++-
+ src/GetColor.c  |  6 +++++-
+ src/LoadFont.c  |  6 +++++-
+ src/LookupCol.c |  6 ++++--
+ src/ParseCol.c  |  7 +++++--
+ src/QuExt.c     |  7 ++++++-
+ src/SetFPath.c  | 12 +++++++++---
+ src/SetHints.c  |  9 ++++++++-
+ src/StNColor.c  |  5 ++++-
+ src/StName.c    | 11 ++++++++---
+ 12 files changed, 68 insertions(+), 21 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..1cd89cca 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont(
+     XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return NULL;
+     if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+       return font_result;
+     LockDisplay(dpy);
+     GetReq(OpenFont, req);
+     seq = dpy->request; /* Can't use extended sequence number here */
+-    nbytes = req->nbytes  = name ? strlen(name) : 0;
++    nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0);
+     req->fid = fid = XAllocID(dpy);
+     req->length += (nbytes+3)>>2;
+     Data (dpy, name, nbytes);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+ 
+     if (!name)
+ 	return 0;
+-    l = strlen(name);
+-    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++    l = (int) strlen(name);
++    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ 	return 0;
+     charset = NULL;
+     /* next three lines stolen from _XkbGetCharset() */
+@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont(
+ 	return 0;
+     if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
+ 	return 0;
+-    if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
++    if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
+ 	return 0;
+     strcpy(buf, name);
+     strcpy(buf + l - 1, p + 1);
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..6644b3fa 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,10 +58,13 @@ XFontStruct **info)	/* RETURN */
+     register xListFontsReq *req;
+     int j;
+ 
++    if (strlen(pattern) >= USHRT_MAX)
++        return NULL;
++
+     LockDisplay(dpy);
+     GetReq(ListFontsWithInfo, req);
+     req->maxNames = maxNames;
+-    nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
++    nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
+     req->length += (nbytes + 3) >> 2;
+     _XSend (dpy, pattern, nbytes);
+     /* use _XSend instead of Data, since subsequent _XReply will flush buffer */
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..458d80c9 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,10 +51,13 @@ int *actualCount)	/* RETURN */
+     register xListFontsReq *req;
+     unsigned long rlen = 0;
+ 
++    if (strlen(pattern) >= USHRT_MAX)
++        return NULL;
++
+     LockDisplay(dpy);
+     GetReq(ListFonts, req);
+     req->maxNames = maxNames;
+-    nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
++    nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
+     req->length += (nbytes + 3) >> 2;
+     _XSend (dpy, pattern, nbytes);
+     /* use _XSend instead of Data, since following _XReply will flush buffer */
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..c8178067 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+     XcmsColor cmsColor_exact;
+     Status ret;
+ 
++    if (strlen(colorname) >= USHRT_MAX)
++        return (0);
++
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */
+     GetReq(AllocNamedColor, req);
+ 
+     req->cmap = cmap;
+-    nbytes = req->nbytes = strlen(colorname);
++    nbytes = req->nbytes = (CARD16) strlen(colorname);
+     req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */
+ 
+     _XSend(dpy, colorname, nbytes);
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..3996436f 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+ 
+ Font
+@@ -38,12 +39,15 @@ XLoadFont (
+     Font fid;
+     register xOpenFontReq *req;
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return (0);
++
+     if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+       return fid;
+ 
+     LockDisplay(dpy);
+     GetReq(OpenFont, req);
+-    nbytes = req->nbytes = name ? strlen(name) : 0;
++    nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0;
+     req->fid = fid = XAllocID(dpy);
+     req->length += (nbytes+3)>>2;
+     Data (dpy, name, nbytes);
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+ 	XcmsCCC ccc;
+ 	XcmsColor cmsColor_exact;
+ 
++	n = (int) strlen (spec);
++	if (n >= USHRT_MAX)
++            return 0;
+ #ifdef XCMS
+ 	/*
+ 	 * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+ 	 * Xcms and i18n methods failed, so lets pass it to the server
+ 	 * for parsing.
+ 	 */
+-
+-	n = strlen (spec);
+ 	LockDisplay(dpy);
+ 	GetReq (LookupColor, req);
+ 	req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..7a84a17b 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+ 	XcmsColor cmsColor;
+ 
+         if (!spec) return(0);
+-	n = strlen (spec);
++	n = (int) strlen (spec);
++	if (n >= USHRT_MAX)
++            return(0);
+ 	if (*spec == '#') {
+ 	    /*
+ 	     * RGB
+@@ -119,7 +122,7 @@ XParseColor (
+ 	    LockDisplay(dpy);
+ 	    GetReq (LookupColor, req);
+ 	    req->cmap = cmap;
+-	    req->nbytes = n = strlen(spec);
++	    req->nbytes = (CARD16) (n = (int) strlen(spec));
+ 	    req->length += (n + 3) >> 2;
+ 	    Data (dpy, spec, (long)n);
+ 	    if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) {
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..4cb99fcf 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+ 
+ Bool
+@@ -40,9 +42,12 @@ XQueryExtension(
+     xQueryExtensionReply rep;
+     register xQueryExtensionReq *req;
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return false;
++
+     LockDisplay(dpy);
+     GetReq(QueryExtension, req);
+-    req->nbytes = name ? strlen(name) : 0;
++    req->nbytes = name ? (CARD16) strlen(name) : 0;
+     req->length += (req->nbytes+(unsigned)3)>>2;
+     _XSend(dpy, name, (long)req->nbytes);
+     (void) _XReply (dpy, (xReply *)&rep, 0, xTrue);
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..13fce49e 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+ 
+@@ -48,7 +49,12 @@ XSetFontPath (
+ 	GetReq (SetFontPath, req);
+ 	req->nFonts = ndirs;
+ 	for (i = 0; i < ndirs; i++) {
+-		n += safestrlen (directories[i]) + 1;
++		n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++		if (n >= USHRT_MAX) {
++			UnlockDisplay(dpy);
++			SyncHandle();
++			return 0;
++		}
+ 	}
+ 	nbytes = (n + 3) & ~3;
+ 	req->length += nbytes >> 2;
+@@ -59,9 +65,9 @@ XSetFontPath (
+ 		char	*tmp = p;
+ 
+ 		for (i = 0; i < ndirs; i++) {
+-			register int length = safestrlen (directories[i]);
++			register int length = (int) safestrlen (directories[i]);
+ 			*p = length;
+-			memcpy (p + 1, directories[i], length);
++			memcpy (p + 1, directories[i], (size_t)length);
+ 			p += length + 1;
+ 		}
+ 		Data (dpy, tmp, nbytes);
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..61cb0684 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+ 	register char *buf, *bp;
+ 	for (i = 0, nbytes = 0; i < argc; i++) {
+ 		nbytes += safestrlen(argv[i]) + 1;
++		if (nbytes >= USHRT_MAX)
++                    return 1;
+ 	}
+ 	if ((bp = buf = Xmalloc(nbytes))) {
+ 	    /* copy arguments into single buffer */
+@@ -256,11 +259,13 @@ XSetStandardProperties (
+ 
+ 	if (name != NULL) XStoreName (dpy, w, name);
+ 
++        if (safestrlen(icon_string) >= USHRT_MAX)
++            return 1;
+ 	if (icon_string != NULL) {
+ 	    XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                              PropModeReplace,
+                              (_Xconst unsigned char *)icon_string,
+-                             safestrlen(icon_string));
++                             (int)safestrlen(icon_string));
+ 		}
+ 
+ 	if (icon_pixmap != None) {
+@@ -298,6 +303,8 @@ XSetClassHint(
+ 
+ 	len_nm = safestrlen(classhint->res_name);
+ 	len_cl = safestrlen(classhint->res_class);
++        if (len_nm + len_cl >= USHRT_MAX)
++            return 1;
+ 	if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ 	    if (len_nm) {
+ 		strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..16dc9cbc 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags)  /* DoRed, DoGreen, DoBlue */
+     XcmsColor cmsColor_exact;
+     XColor scr_def;
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return 0;
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms approach to Parse Color
+@@ -76,7 +79,7 @@ int flags)  /* DoRed, DoGreen, DoBlue */
+     req->cmap = cmap;
+     req->flags = flags;
+     req->pixel = pixel;
+-    req->nbytes = nbytes = strlen(name);
++    req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name));
+     req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */
+     Data(dpy, name, (long)nbytes);
+     UnlockDisplay(dpy);
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..04bb3aa6 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+ 
+@@ -36,9 +37,11 @@ XStoreName (
+     Window w,
+     _Xconst char *name)
+ {
+-    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++    if (strlen(name) >= USHRT_MAX)
++        return 0;
++    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /*  */
+ 			   8, PropModeReplace, (_Xconst unsigned char *)name,
+-			   name ? strlen(name) : 0);
++			   name ? (int) strlen(name) : 0);
+ }
+ 
+ int
+@@ -47,7 +50,9 @@ XSetIconName (
+     Window w,
+     _Xconst char *icon_name)
+ {
++    if (strlen(icon_name) >= USHRT_MAX)
++        return 0;
+     return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                            PropModeReplace, (_Xconst unsigned char *)icon_name,
+-			   icon_name ? strlen(icon_name) : 0);
++			   icon_name ? (int) strlen(icon_name) : 0);
+ }
+-- 
+2.30.1
+

SPECS/libX11.spec

@@ -4,9 +4,10 @@
 
 Summary: Core X11 protocol client library
 Name: libX11
-Version: 1.7.0
+Version: 1.6.8
 Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
+Group: System Environment/Libraries
 URL: http://www.x.org
 
 %if 0%{?gitdate}
@@ -18,22 +19,32 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
 %endif
 
 Patch2: dont-forward-keycode-0.patch
-Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
+Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch
+Patch4: 0001-Fix-poll_for_response-race-condition.patch
+
+# CVE-2020-14363
+Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
+Patch6: CVE-2021-31535.patch
 # CVE-2023-3138
-Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
+Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 
 # CVE-2023-43785
-Patch5: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
+Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
 
 # CVE-2023-43786
-Patch6: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
-Patch7: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
-Patch8: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
+Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
+Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
+Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
 
 # CVE-2023-43787
-Patch9: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
+Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
+
+# RHEL-23452
+Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
+
+# https://issues.redhat.com/browse/RHEL-58444
+Patch14: 0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch
 
-BuildRequires: make
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
@@ -48,6 +59,7 @@ Core X11 protocol client library.
 
 %package common
 Summary: Common data for libX11
+Group: System Environment/Libraries
 BuildArch: noarch
 
 %description common
@@ -55,6 +67,7 @@ libX11 common data
 
 %package devel
 Summary: Development files for %{name}
+Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 Requires: %{name}-xcb = %{version}-%{release}
 
@@ -63,13 +76,27 @@ X.Org X11 libX11 development package
 
 %package xcb
 Summary: XCB interop for libX11
+Group: System Environment/Libraries
 Conflicts: %{name} < %{version}-%{release}
 
 %description xcb
 libX11/libxcb interoperability library
 
 %prep
-%autosetup -p1 -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
+%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
+%patch2 -p1 -b .dont-forward-keycode-0
+%patch3 -p1 -b .copycolormapandfree
+%patch4 -p1 -b .race
+%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
+%patch6 -p1 -b .cve-2021-31535
+%patch7 -p1 -b .cve-2023-3138
+%patch8 -p1 -b .cve-2023-43785
+%patch9 -p1 -b .cve-2023-43786
+%patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe
+%patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang
+%patch12 -p1 -b .cve-2023-43787
+%patch13 -p1 -b .rhel-23452
+%patch14 -p1 -b .rhel-58444
 
 %build
 autoreconf -v --install --force
@@ -100,7 +127,7 @@ make %{?_smp_mflags} check
 
 %files
 %{_libdir}/libX11.so.6
-%{_libdir}/libX11.so.6.4.0
+%{_libdir}/libX11.so.6.3.0
 
 %files xcb
 %{_libdir}/libX11-xcb.so.1
@@ -126,7 +153,6 @@ make %{?_smp_mflags} check
 %{_includedir}/X11/Xresource.h
 %{_includedir}/X11/Xutil.h
 %{_includedir}/X11/cursorfont.h
-%{_includedir}/X11/extensions/XKBgeom.h
 %{_libdir}/libX11.so
 %{_libdir}/libX11-xcb.so
 %{_libdir}/pkgconfig/x11.pc
@@ -135,79 +161,39 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 
 %changelog
-* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.7.0-9
+* Fri Sep 13 2024 José Expósito <jexposit@redhat.com> - 1.6.8-9
+- Backport NULL check to avoid a crash
+  Resolves: https://issues.redhat.com/browse/RHEL-58444
+
+* Tue Jan 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-8
+- Backport fix for Xlib lockups due to recursive XError (RHEL-23452)
+
+* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.6.8-7
 - Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
 - Fix CVE-2023-43786: stack exhaustion from infinite recursion in
   PutSubImage()
 - Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
   a heap overflow
 
-* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8
+* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
 - CVE fix for: CVE-2023-3138
-  Resolve: rhbz#2213763
+  Resolve: rhbz#2213762
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-7
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
+- Fix CVE-2021-31535 (#1962439)
 
-* Tue Aug 03 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.0-6
-- Parse the EVDEVK keysyms (#1988944)
+* Tue Nov  3 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.6.8-4
+- Fix CVE-2020-14363 (#1873923)
 
-* Tue May 04 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-5
-- Rebuild to pick up the new xorgproto keysyms (#1954345)
+* Mon Feb 24 2020 Adam Jackson <ajax@redhat.com> - 1.6.8-3
+- Fix race condition in poll_for_reponse
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-4
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Fri Dec 13 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-2
+- Fix assertion on error in XCopyColormapAndFree
 
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-2
-- libX11 1.7.0 (with the tarball this time)
-
-* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-1
-- libX11 1.7.0
-- switch to using the autosetup rpm macro
-
-* Mon Nov 09 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-3
-- Fix a race-condition in poll_for_response (#1758384)
-
-* Thu Nov  5 11:12:56 AEST 2020 Peter Hutterer <peter.hutterer@redhat.com> - 1.6.12-2
-- Add BuildRequires for make
-
-* Wed Aug 26 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-1
-- libX11 1.6.12 (CVE-2020-14363, CVE 2020-14344)
-
-* Fri Jul 31 2020 Adam Jackson <ajax@redhat.com> - 1.6.9-5
-- Fix server reply validation issue in XIM (CVE 2020-14344)
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Dec 11 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.9-2
-- handle ssharp in XConvertCase
-
-* Wed Oct 09 2019 Adam Jackson <ajax@redhat.com> - 1.6.9-1
-- libX11 1.6.9
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-2
-- rebuild to pick up the new xorgproto keysyms
-
-* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-1
+* Tue Nov 19 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-1
 - libX11 1.6.8
 
-* Thu Mar 21 2019 Adam Jackson <ajax@redhat.com> - 1.6.7-3
-- Rebuild for xtrans 1.4.0
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
 * Tue Oct 09 2018 Adam Jackson <ajax@redhat.com> - 1.6.7-1
 - libX11 1.6.7