- Fix CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083

- dix: Fix use after free in input device shutdown

.gitignore

@@ -1 +1 @@
-SOURCES/tigervnc-1.12.0.tar.gz
+SOURCES/tigervnc-1.13.1.tar.gz

.tigervnc.metadata

@@ -1 +1 @@
-44db63993d8ad04f730b0b48e8aca32933bff15a SOURCES/tigervnc-1.12.0.tar.gz
+6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz

SOURCES/CVE-2023-5367.patch

@@ -0,0 +1,80 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+                            ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/xiproperty.c    | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+-- 
+GitLab
+

SOURCES/CVE-2023-5380.patch

@@ -0,0 +1,98 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8a3b..e8af924c68 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index 93308f9b24..a9926eaeef 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+ 
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index a638f25d4a..8cf0035140 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
++        ) {
++            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++            /* Hack for CVE-2023-5380: if we're moving
++             * screens PointerWindows[] keeps referring to the
++             * old window. If that gets destroyed we have a UAF
++             * bug later. Only happens when jumping from a window
++             * to the root window on the other screen.
++             * Enter/Leave events are incorrect for that case but
++             * too niche to fix.
++             */
++            LeaveWindow(pDev);
++            if (master)
++                LeaveWindow(master);
++            UpdateSpriteForScreen(pDev, pScreen);
++    }
+ }
+ 
+ /**
+-- 
+GitLab
+

SOURCES/CVE-2023-6377.patch

@@ -0,0 +1,74 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+         }
+
+         if (from->button->xkb_acts) {
+-            if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-                if (!to->button->xkb_acts)
+-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
+-            }
++            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++                                                   maxbuttons,
++                                                   sizeof(XkbAction));
++            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
++                   from->button->numButtons * sizeof(XkbAction));
+         }
+         else {
+             free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
++        int last_num_buttons = master->button->numButtons;
++
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+
+         master->button->numButtons = maxbuttons;
++        if (last_num_buttons < maxbuttons) {
++            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++                                                       maxbuttons,
++                                                       sizeof(XkbAction));
++            memset(&master->button->xkb_acts[last_num_buttons],
++                   0,
++                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++        }
+
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+--
+GitLab

SOURCES/CVE-2023-6478.patch

@@ -0,0 +1,59 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
++    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
++    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+GitLab
+

SOURCES/CVE-2023-6816.patch

@@ -0,0 +1,51 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c    | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+     if (pDev->button) {
+         int i;
+ 
+-        rep.buttons_len =
+-            bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++        rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+         rep.length += rep.buttons_len;
+         buttons = calloc(rep.buttons_len, 4);
+         if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+ 
+     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+ 
+-    /* XI 2 event */
+-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++    /* XI 2 event contains the logical button map - maps are CARD8
++     * so we need 256 bits for the possibly maximum mapping */
++    btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+     btlen = bytes_to_int32(btlen);
+     len = sizeof(xXIFocusInEvent) + btlen * 4;
+ 
+-- 
+GitLab
+

SOURCES/CVE-2024-0229-1.patch

@@ -0,0 +1,83 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH 2/9] dix: Allocate sufficient xEvents for our
+ DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+   int count = 1;
+   if (button && nbuttons > 32) count++;
+   if (key && nbuttons > 0) count++;
+   if (key && nkeys > 32) count++; // this is basically always true
+   // count is at 2 for our keys + zero button device
+
+   ev = alloc(count * sizeof(xEvent));
+   FixDeviceStateNotify(ev);
+   if (button)
+     FixDeviceStateNotify(ev++);
+   if (key)
+     FixDeviceStateNotify(ev++);   // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+     int evcount = 1;
+-    deviceStateNotify *ev, *sev;
++    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++    deviceStateNotify *ev;
+     deviceKeyStateNotify *kev;
+     deviceButtonStateNotify *bev;
+ 
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+         }
+     }
+ 
+-    sev = ev = xallocarray(evcount, sizeof(xEvent));
++    ev = sev;
+     FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+ 
+     if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+                           DeviceStateNotifyMask, NullGrab);
+-    free(sev);
+ }
+ 
+ void
+-- 
+GitLab

SOURCES/CVE-2024-0229-2.patch

@@ -0,0 +1,216 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH 3/9] dix: fix DeviceStateNotify event calculation
+
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire.  This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+ 1 file changed, 52 insertions(+), 69 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ 
+     ev->type = DeviceValuator;
+     ev->deviceid = dev->id;
+-    ev->num_valuators = nval < 3 ? nval : 3;
++    ev->num_valuators = nval < 6 ? nval : 6;
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
++    case 6:
++        ev->valuator2 = v->axisVal[first + 5];
++    case 5:
++        ev->valuator2 = v->axisVal[first + 4];
++    case 4:
++        ev->valuator2 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+         ev->valuator0 = v->axisVal[first];
+         break;
+     }
+-    first += ev->num_valuators;
+ }
+ 
+ static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+         ev->num_buttons = b->numButtons;
+         memcpy((char *) ev->buttons, (char *) b->down, 4);
+     }
+-    else if (k) {
++    if (k) {
+         ev->classes_reported |= (1 << KeyClass);
+         ev->num_keys = k->xkbInfo->desc->max_key_code -
+             k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+     }
+ }
+ 
+-
++/**
++ * The device state notify event is split across multiple 32-byte events.
++ * The first one contains the first 32 button state bits, the first 32
++ * key state bits, and the first 3 valuator values.
++ *
++ * If a device has more than that, the server sends out:
++ * - one deviceButtonStateNotify for buttons 32 and above
++ * - one deviceKeyStateNotify for keys 32 and above
++ * - one deviceValuator event per 6 valuators above valuator 4
++ *
++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
++ */
+ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
++    /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
++     * and one deviceValuator for each 6 valuators */
++    deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+     int evcount = 1;
+-    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+-    deviceStateNotify *ev;
+-    deviceKeyStateNotify *kev;
+-    deviceButtonStateNotify *bev;
++    deviceStateNotify *ev = sev;
+ 
+     KeyClassPtr k;
+     ButtonClassPtr b;
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     if ((b = dev->button) != NULL) {
+         nbuttons = b->numButtons;
+-        if (nbuttons > 32)
++        if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+     }
+     if ((k = dev->key) != NULL) {
+         nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+-        if (nkeys > 32)
++        if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+-        if (nbuttons > 0) {
+-            evcount++;
+-        }
+     }
+     if ((v = dev->valuator) != NULL) {
+         nval = v->numAxes;
+-
+-        if (nval > 3)
+-            evcount++;
+-        if (nval > 6) {
+-            if (!(k && b))
+-                evcount++;
+-            if (nval > 9)
+-                evcount += ((nval - 7) / 3);
+-        }
++        /* first three are encoded in deviceStateNotify, then
++         * it's 6 per deviceValuator event */
++        evcount += ((nval - 3) + 6)/6;
+     }
+ 
+-    ev = sev;
+-    FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+-    if (b != NULL) {
+-        FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nbuttons > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            bev = (deviceButtonStateNotify *) ev++;
+-            bev->type = DeviceButtonStateNotify;
+-            bev->deviceid = dev->id;
+-            memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+-                   DOWN_LENGTH - 4);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++    BUG_RETURN(evcount <= ARRAY_SIZE(sev));
++
++    FixDeviceStateNotify(dev, ev, k, b, v, first);
++
++    if (b != NULL && nbuttons > 32) {
++        deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
++        (ev - 1)->deviceid |= MORE_EVENTS;
++        bev->type = DeviceButtonStateNotify;
++        bev->deviceid = dev->id;
++        memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
++               DOWN_LENGTH - 4);
+     }
+ 
+-    if (k != NULL) {
+-        FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nkeys > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            kev = (deviceKeyStateNotify *) ev++;
+-            kev->type = DeviceKeyStateNotify;
+-            kev->deviceid = dev->id;
+-            memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++    if (k != NULL && nkeys > 32) {
++        deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
++        (ev - 1)->deviceid |= MORE_EVENTS;
++        kev->type = DeviceKeyStateNotify;
++        kev->deviceid = dev->id;
++        memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+     }
+ 
++    first = 3;
++    nval -= 3;
+     while (nval > 0) {
+-        FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++        ev->deviceid |= MORE_EVENTS;
++        FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
++        first += 6;
++        nval -= 6;
+     }
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+-- 
+GitLab

SOURCES/CVE-2024-0229-3.patch

@@ -0,0 +1,36 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of
+ buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/exevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+                 to->button = calloc(1, sizeof(ButtonClassRec));
+                 if (!to->button)
+                     FatalError("[Xi] no memory for class shift.\n");
++                to->button->numButtons = from->button->numButtons;
+             }
+             else
+                 classes->button = NULL;
+-- 
+GitLab

SOURCES/CVE-2024-21885.patch

@@ -0,0 +1,108 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH 5/9] Xi: flush hierarchy events after adding/removing master
+ devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+     size_t len;			/* length of data remaining in request */
+     int rc = Success;
+     int flags[MAXDEVICES] = { 0 };
++    enum {
++        NO_CHANGE,
++        FLUSH,
++        CHANGED,
++    } changes = NO_CHANGE;
+ 
+     REQUEST(xXIChangeHierarchyReq);
+     REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = add_master(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
++            changes = FLUSH;
+             break;
++        }
+         case XIRemoveMaster:
+         {
+             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = remove_master(client, r, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
++            changes = FLUSH;
+             break;
++        }
+         case XIDetachSlave:
+         {
+             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = detach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
++            changes = CHANGED;
+             break;
++        }
+         case XIAttachSlave:
+         {
+             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = attach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
++            changes = CHANGED;
++            break;
+         }
++        default:
+             break;
+         }
+ 
++        if (changes == FLUSH) {
++            XISendDeviceHierarchyEvent(flags);
++            memset(flags, 0, sizeof(flags));
++            changes = NO_CHANGE;
++        }
++
+         len -= any->length * 4;
+         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+     }
+ 
+  unwind:
+-
+-    XISendDeviceHierarchyEvent(flags);
++    if (changes != NO_CHANGE)
++        XISendDeviceHierarchyEvent(flags);
+     return rc;
+ }
+-- 
+GitLab

SOURCES/CVE-2024-21886-1.patch

@@ -0,0 +1,69 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH 6/9] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ dix/devices.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ {
+     DeviceIntPtr *prev, other;
+     BOOL enabled;
++    BOOL dev_in_devices_list = FALSE;
+     int flags[MAXDEVICES] = { 0 };
+ 
+     if (!dev->enabled)
+         return TRUE;
+ 
+-    for (prev = &inputInfo.devices;
+-         *prev && (*prev != dev); prev = &(*prev)->next);
+-    if (*prev != dev)
++    for (other = inputInfo.devices; other; other = other->next) {
++        if (other == dev) {
++            dev_in_devices_list = TRUE;
++            break;
++        }
++    }
++
++    if (!dev_in_devices_list)
+         return FALSE;
+ 
+     TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+     LeaveWindow(dev);
+     SetFocusOut(dev);
+ 
++    for (prev = &inputInfo.devices;
++         *prev && (*prev != dev); prev = &(*prev)->next);
++
+     *prev = dev->next;
+     dev->next = inputInfo.off_devices;
+     inputInfo.off_devices = dev;
+-- 
+GitLab

SOURCES/CVE-2024-21886-2.patch

@@ -0,0 +1,52 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
+ devices too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+---
+ dix/devices.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+                 flags[other->id] |= XISlaveDetached;
+             }
+         }
++
++        for (other = inputInfo.off_devices; other; other = other->next) {
++            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++                AttachDevice(NULL, other, NULL);
++                flags[other->id] |= XISlaveDetached;
++            }
++        }
+     }
+     else {
+         for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+             dev->master = NULL;
+     }
+ 
++    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++        if (!IsMaster(dev) && !IsFloating(dev))
++            dev->master = NULL;
++    }
++
+     CloseDeviceList(&inputInfo.devices);
+     CloseDeviceList(&inputInfo.off_devices);
+ 
+-- 
+GitLab

SOURCES/CVE-2024-31080.patch

@@ -0,0 +1,44 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
+ to send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+     InputClientsPtr others = NULL;
+     xXIEventMask *evmask = NULL;
+     DeviceIntPtr dev;
++    uint32_t length;
+ 
+     REQUEST(xXIGetSelectedEventsReq);
+     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+         }
+     }
+ 
++    /* save the value before SRepXIGetSelectedEvents swaps it */
++    length = reply.length;
+     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+ 
+     if (reply.num_masks)
+-        WriteToClient(client, reply.length * 4, buffer);
++        WriteToClient(client, length * 4, buffer);
+ 
+     free(buffer);
+     return Success;
+-- 
+GitLab

SOURCES/CVE-2024-31081.patch

@@ -0,0 +1,42 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
+ to send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+     GrabParameters param;
+     void *tmp;
+     int mask_len;
++    uint32_t length;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
+     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+         }
+     }
+ 
++    /* save the value before SRepXIPassiveGrabDevice swaps it */
++    length = rep.length;
+     WriteReplyToClient(client, sizeof(rep), &rep);
+     if (rep.num_modifiers)
+-        WriteToClient(client, rep.length * 4, modifiers_failed);
++        WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+     free(modifiers_failed);
+-- 
+GitLab

SOURCES/CVE-2024-31082.patch

@@ -0,0 +1,46 @@
+From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 19:07:34 -0700
+Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
+ length to send reply
+
+CVE-2024-31082
+
+Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ hw/xquartz/xpr/appledri.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
+index 77574655b2..40422b61a9 100644
+--- a/hw/xquartz/xpr/appledri.c
++++ b/hw/xquartz/xpr/appledri.c
+@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     xAppleDRICreatePixmapReply rep;
+     int width, height, pitch, bpp;
+     void *ptr;
++    CARD32 stringLength;
+ 
+     REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
+ 
+@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
+         ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+ 
++    stringLength = rep.stringLength;  /* save unswapped value */
+     if (client->swapped) {
+         swaps(&rep.sequenceNumber);
+         swapl(&rep.length);
+@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+     }
+ 
+     WriteToClient(client, sizeof(rep), &rep);
+-    WriteToClient(client, rep.stringLength, path);
++    WriteToClient(client, stringLength, path);
+ 
+     return Success;
+ }
+-- 
+GitLab

SOURCES/CVE-2024-31083.patch

@@ -0,0 +1,111 @@
+From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 30 Jan 2024 13:13:35 +1000
+Subject: [PATCH 4/4] render: fix refcounting of glyphs during
+ ProcRenderAddGlyphs
+
+Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+re-used glyph would end up not changing the refcount at all. The
+resulting glyph_new array would thus have multiple entries pointing to
+the same non-refcounted glyphs.
+
+AddGlyph may free a glyph, resulting in a UAF when the same glyph
+pointer is then later used.
+
+Fix this by returning a refcount of 1 for a new glyph and always
+incrementing the refcount for a re-used glyph, followed by dropping that
+refcount back down again when we're done with it.
+
+CVE-2024-31083, ZDI-CAN-22880
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+---
+ render/glyph.c         |  5 +++--
+ render/glyphstr_priv.h |  1 +
+ render/render.c        | 15 +++++++++++----
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index 850ea8440..13991f8a1 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
+     }
+ }
+ 
+-static void
++void
+ FreeGlyph(GlyphPtr glyph, int format)
+ {
+     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
++    BUG_RETURN(glyph->refcnt == 0);
+     if (--glyph->refcnt == 0) {
+         GlyphRefPtr gr;
+         int i;
+@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
+     glyph = (GlyphPtr) malloc(size);
+     if (!glyph)
+         return 0;
+-    glyph->refcnt = 0;
++    glyph->refcnt = 1;
+     glyph->size = size + sizeof(xGlyphInfo);
+     glyph->info = *gi;
+     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
+diff --git a/render/glyphstr.h b/render/glyphstr.h
+index 2f51bd244..3b1d806d1 100644
+--- a/render/glyphstr.h
++++ b/render/glyphstr.h
+@@ -108,6 +108,7 @@ extern Bool
+ extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
+ 
+ extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
++extern void FreeGlyph(GlyphPtr glyph, int format);
+ 
+ extern Bool
+  ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
+diff --git a/render/render.c b/render/render.c
+index 29c5055c6..fe5e37dd9 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
+ 
+         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
+             glyph_new->found = TRUE;
++            ++glyph_new->glyph->refcnt;
+         }
+         else {
+             GlyphPtr glyph;
+@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
+         err = BadAlloc;
+         goto bail;
+     }
+-    for (i = 0; i < nglyphs; i++)
++    for (i = 0; i < nglyphs; i++) {
+         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
++        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
++    }
+ 
+     if (glyphsBase != glyphsLocal)
+         free(glyphsBase);
+@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
+         FreePicture((void *) pSrc, 0);
+     if (pSrcPix)
+         FreeScratchPixmapHeader(pSrcPix);
+-    for (i = 0; i < nglyphs; i++)
+-        if (glyphs[i].glyph && !glyphs[i].found)
+-            free(glyphs[i].glyph);
++    for (i = 0; i < nglyphs; i++) {
++        if (glyphs[i].glyph) {
++            --glyphs[i].glyph->refcnt;
++            if (!glyphs[i].found)
++                free(glyphs[i].glyph);
++        }
++    }
+     if (glyphsBase != glyphsLocal)
+         free(glyphsBase);
+     return err;
+-- 
+2.44.0

SOURCES/dix-fix-use-after-free-in-input-device-shutdown.patch

@@ -0,0 +1,77 @@
+From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Sun, 19 Dec 2021 18:11:07 +0200
+Subject: [PATCH] dix: Fix use after free in input device shutdown
+
+This fixes access to freed heap memory via dev->master. E.g. when
+running BarrierNotify.ReceivesNotifyEvents/7 test from
+xorg-integration-tests:
+
+==24736==ERROR: AddressSanitizer: heap-use-after-free on address
+0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
+READ of size 4 at 0x619000065020 thread T0
+    #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
+    #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
+    #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
+../../../Xi/xichangehierarchy.c:95
+    #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
+../../../hw/xfree86/common/xf86Xinput.c:1142
+    #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+    #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+    #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
+    #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+    #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
+
+0x619000065020 is located 160 bytes inside of 912-byte region
+[0x619000064f80,0x619000065310)
+freed by thread T0 here:
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
+    #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
+    #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
+../../../hw/xfree86/common/xf86Xinput.c:1142
+    #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
+    #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
+    #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
+    #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+previously allocated by thread T0 here:
+(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
+    #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
+    #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
+    #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
+../../../Xi/xichangehierarchy.c:465
+    #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
+    #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
+    #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
+    #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
+(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
+
+The problem is caused by dev->master being not reset when disabling the
+device, which then causes dangling pointer when the master device itself
+is being deleted when exiting whole server.
+
+Note that RecalculateMasterButtons() requires dev->master to be still
+valid, so we can reset it only at the end of function.
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ dix/devices.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index e62c34c55e..5f9ce1678f 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+     }
+ 
+     RecalculateMasterButtons(dev);
++    dev->master = NULL;
+ 
+     return TRUE;
+ }
+-- 
+GitLab
+

SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch

@@ -1,199 +0,0 @@
-From ccbd491fa48f1c43daeb1a6c5ee91a1a8fa3db88 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Tue, 9 Aug 2022 14:31:07 +0200
-Subject: [PATCH] x0vncserver: add new keysym in case we don't find a matching
- keycode
-
-We might often fail to find a matching X11 keycode when the client has
-a different keyboard layout and end up with no key event. To avoid a
-failure we add it as a new keysym/keycode pair so the next time a keysym
-from the client that is unknown to the server is send, we will find a
-match and proceed with key event. This is same behavior used in Xvnc or
-x11vnc, although Xvnc has more advanced mapping from keysym to keycode.
----
- unix/x0vncserver/XDesktop.cxx | 121 +++++++++++++++++++++++++++++++++-
- unix/x0vncserver/XDesktop.h   |   4 ++
- 2 files changed, 122 insertions(+), 3 deletions(-)
-
-diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
-index f2046e43e..933998f05 100644
---- a/unix/x0vncserver/XDesktop.cxx
-+++ b/unix/x0vncserver/XDesktop.cxx
-@@ -31,6 +31,7 @@
- #include <x0vncserver/XDesktop.h>
-
- #include <X11/XKBlib.h>
-+#include <X11/Xutil.h>
- #ifdef HAVE_XTEST
- #include <X11/extensions/XTest.h>
- #endif
-@@ -50,6 +51,7 @@ void vncSetGlueContext(Display *dpy, void *res);
- #include <x0vncserver/Geometry.h>
- #include <x0vncserver/XPixelBuffer.h>
-
-+using namespace std;
- using namespace rfb;
-
- extern const unsigned short code_map_qnum_to_xorgevdev[];
-@@ -264,6 +266,9 @@ void XDesktop::start(VNCServer* vs) {
- void XDesktop::stop() {
-   running = false;
-
-+  // Delete added keycodes
-+  deleteAddedKeysyms(dpy);
-+
- #ifdef HAVE_XDAMAGE
-   if (haveDamage)
-     XDamageDestroy(dpy, damage);
-@@ -383,6 +388,118 @@ KeyCode XDesktop::XkbKeysymToKeycode(Display* dpy, KeySym keysym) {
- }
- #endif
-
-+KeyCode XDesktop::addKeysym(Display* dpy, KeySym keysym)
-+{
-+  int types[1];
-+  unsigned int key;
-+  XkbDescPtr xkb;
-+  XkbMapChangesRec changes;
-+  KeySym *syms;
-+  KeySym upper, lower;
-+
-+  xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd);
-+
-+  if (!xkb)
-+    return 0;
-+
-+  for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
-+    if (XkbKeyNumGroups(xkb, key) == 0)
-+      break;
-+  }
-+
-+  if (key < xkb->min_key_code)
-+    return 0;
-+
-+  memset(&changes, 0, sizeof(changes));
-+
-+  XConvertCase(keysym, &lower, &upper);
-+
-+  if (upper == lower)
-+    types[XkbGroup1Index] = XkbOneLevelIndex;
-+  else
-+    types[XkbGroup1Index] = XkbAlphabeticIndex;
-+
-+  XkbChangeTypesOfKey(xkb, key, 1, XkbGroup1Mask, types, &changes);
-+
-+  syms = XkbKeySymsPtr(xkb,key);
-+  if (upper == lower)
-+    syms[0] = keysym;
-+  else {
-+    syms[0] = lower;
-+    syms[1] = upper;
-+  }
-+
-+  changes.changed |= XkbKeySymsMask;
-+  changes.first_key_sym = key;
-+  changes.num_key_syms = 1;
-+
-+  if (XkbChangeMap(dpy, xkb, &changes)) {
-+    vlog.info("Added unknown keysym %s to keycode %d", XKeysymToString(keysym), key);
-+    addedKeysyms[keysym] = key;
-+    return key;
-+  }
-+
-+  return 0;
-+}
-+
-+void XDesktop::deleteAddedKeysyms(Display* dpy) {
-+  XkbDescPtr xkb;
-+  xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd);
-+
-+  if (!xkb)
-+    return;
-+
-+  XkbMapChangesRec changes;
-+  memset(&changes, 0, sizeof(changes));
-+
-+  KeyCode lowestKeyCode = xkb->max_key_code;
-+  KeyCode highestKeyCode = xkb->min_key_code;
-+  std::map<KeySym, KeyCode>::iterator it;
-+  for (it = addedKeysyms.begin(); it != addedKeysyms.end(); it++) {
-+    if (XkbKeyNumGroups(xkb, it->second) != 0) {
-+      // Check if we are removing keysym we added ourself
-+      if (XkbKeysymToKeycode(dpy, it->first) != it->second)
-+        continue;
-+
-+      XkbChangeTypesOfKey(xkb, it->second, 0, XkbGroup1Mask, NULL, &changes);
-+
-+      if (it->second < lowestKeyCode)
-+        lowestKeyCode = it->second;
-+
-+      if (it->second > highestKeyCode)
-+        highestKeyCode = it->second;
-+    }
-+  }
-+
-+  changes.changed |= XkbKeySymsMask;
-+  changes.first_key_sym = lowestKeyCode;
-+  changes.num_key_syms = highestKeyCode - lowestKeyCode + 1;
-+  XkbChangeMap(dpy, xkb, &changes);
-+
-+  addedKeysyms.clear();
-+}
-+
-+KeyCode XDesktop::keysymToKeycode(Display* dpy, KeySym keysym) {
-+  int keycode = 0;
-+
-+  // XKeysymToKeycode() doesn't respect state, so we have to use
-+  // something slightly more complex
-+  keycode = XkbKeysymToKeycode(dpy, keysym);
-+
-+  if (keycode != 0)
-+    return keycode;
-+
-+  // TODO: try to further guess keycode with all possible mods as Xvnc does
-+
-+  keycode = addKeysym(dpy, keysym);
-+
-+  if (keycode == 0)
-+    vlog.error("Failure adding new keysym 0x%lx", keysym);
-+
-+  return keycode;
-+}
-+
-+
- void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) {
- #ifdef HAVE_XTEST
-   int keycode = 0;
-@@ -398,9 +515,7 @@ void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) {
-     if (pressedKeys.find(keysym) != pressedKeys.end())
-       keycode = pressedKeys[keysym];
-     else {
--      // XKeysymToKeycode() doesn't respect state, so we have to use
--      // something slightly more complex
--      keycode = XkbKeysymToKeycode(dpy, keysym);
-+      keycode = keysymToKeycode(dpy, keysym);
-     }
-   }
-
-diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h
-index 840d43316..6ebcd9f8a 100644
---- a/unix/x0vncserver/XDesktop.h
-+++ b/unix/x0vncserver/XDesktop.h
-@@ -55,6 +55,9 @@ class XDesktop : public rfb::SDesktop,
-                                const char* userName);
-   virtual void pointerEvent(const rfb::Point& pos, int buttonMask);
-   KeyCode XkbKeysymToKeycode(Display* dpy, KeySym keysym);
-+  KeyCode addKeysym(Display* dpy, KeySym keysym);
-+  void deleteAddedKeysyms(Display* dpy);
-+  KeyCode keysymToKeycode(Display* dpy, KeySym keysym);
-   virtual void keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down);
-   virtual void clientCutText(const char* str);
-   virtual unsigned int setScreenLayout(int fb_width, int fb_height,
-@@ -78,6 +81,7 @@ class XDesktop : public rfb::SDesktop,
-   bool haveXtest;
-   bool haveDamage;
-   int maxButtons;
-+  std::map<KeySym, KeyCode> addedKeysyms;
-   std::map<KeySym, KeyCode> pressedKeys;
-   bool running;
- #ifdef HAVE_XDAMAGE

SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch

@@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
++++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+ 
+ void vncGetPointerPos(int *x, int *y)
+ {
+-	if (vncPointerDev != NULL) {
++	if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ 		ScreenPtr ptrScreen;
+ 
+ 		miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);

SOURCES/tigervnc-dont-install-appstream-metadata-file.patch

@@ -0,0 +1,51 @@
+diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
+index 052cfb3..c84fb0e 100644
+--- a/po/CMakeLists.txt
++++ b/po/CMakeLists.txt
+@@ -14,7 +14,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.h
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
+-    ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
+   )
+ 
+   add_custom_target(translations_update
+diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
+index 15eac66..450b732 100644
+--- a/vncviewer/CMakeLists.txt
++++ b/vncviewer/CMakeLists.txt
+@@ -100,34 +100,6 @@ if(UNIX)
+   add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
+   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
+ 
+-  if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
+-                --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-                -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-    )
+-  elseif(INTLTOOL_MERGE_EXECUTABLE)
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
+-                  -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
+-                  -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
+-                  -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
+-                ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
+-      COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
+-                -x ${CMAKE_SOURCE_DIR}/po
+-                org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-    )
+-  else()
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-    )
+-  endif()
+-  add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
+-  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
+-
+   foreach(res 16 22 24 32 48 64 128)
+     install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
+   endforeach()

SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch

@@ -1,117 +0,0 @@
-From f783d5c8b567199178b6690f347e060a69d2aa36 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Thu, 11 Aug 2022 13:15:29 +0200
-Subject: [PATCH] x0vncserver: update/display cursor only on correct screen in
- zaphod mode
-
-We have to check whether we update cursor position/shape only in case
-the cursor is on our display, otherwise in zaphod mode, ie. when having
-two instances of x0vncserver on screens :0.0 and :0.1 we would be having
-the cursor duplicated and actually not funcional (aka ghost cursor) as
-it would be actually not present. We also additionally watch EnterNotify
-and LeaveNotify events in order to show/hide cursor accordingly.
-
-Change made with help from Olivier Fourdan <ofourdan@redhat.com>
----
- unix/x0vncserver/XDesktop.cxx | 60 +++++++++++++++++++++++++++++++----
- 1 file changed, 53 insertions(+), 7 deletions(-)
-
-diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
-index f2046e43e..f07fd78bf 100644
---- a/unix/x0vncserver/XDesktop.cxx
-+++ b/unix/x0vncserver/XDesktop.cxx
-@@ -192,7 +192,8 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_)
-                    RRScreenChangeNotifyMask | RRCrtcChangeNotifyMask);
-     /* Override TXWindow::init input mask */
-     XSelectInput(dpy, DefaultRootWindow(dpy),
--                 PropertyChangeMask | StructureNotifyMask | ExposureMask);
-+                 PropertyChangeMask | StructureNotifyMask |
-+                 ExposureMask | EnterWindowMask | LeaveWindowMask);
-   } else {
- #endif
-     vlog.info("RANDR extension not present");
-@@ -217,11 +218,13 @@ void XDesktop::poll() {
-     Window root, child;
-     int x, y, wx, wy;
-     unsigned int mask;
--    XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
--                  &x, &y, &wx, &wy, &mask);
--    x -= geometry->offsetLeft();
--    y -= geometry->offsetTop();
--    server->setCursorPos(rfb::Point(x, y), false);
-+
-+    if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
-+                      &x, &y, &wx, &wy, &mask)) {
-+      x -= geometry->offsetLeft();
-+      y -= geometry->offsetTop();
-+      server->setCursorPos(rfb::Point(x, y), false);
-+    }
-   }
- }
-
-@@ -253,7 +256,14 @@ void XDesktop::start(VNCServer* vs) {
- #endif
-
- #ifdef HAVE_XFIXES
--  setCursor();
-+  Window root, child;
-+  int x, y, wx, wy;
-+  unsigned int mask;
-+  // Check whether the cursor is initially on our screen
-+  if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
-+                    &x, &y, &wx, &wy, &mask))
-+    setCursor();
-+
- #endif
-
-   server->setLEDState(ledState);
-@@ -701,6 +711,15 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
-     if (cev->subtype != XFixesDisplayCursorNotify)
-       return false;
-
-+    Window root, child;
-+    int x, y, wx, wy;
-+    unsigned int mask;
-+
-+    // Check whether the cursor is initially on our screen
-+    if (!XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
-+                      &x, &y, &wx, &wy, &mask))
-+      return false;
-+
-     return setCursor();
- #endif
- #ifdef HAVE_XRANDR
-@@ -753,6 +772,33 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
-
-     return true;
- #endif
-+#ifdef HAVE_XFIXES
-+  } else if (ev->type == EnterNotify) {
-+    XCrossingEvent* cev;
-+
-+    if (!running)
-+      return true;
-+
-+    cev = (XCrossingEvent*)ev;
-+
-+    if (cev->window != cev->root)
-+      return false;
-+
-+    return setCursor();
-+  } else if (ev->type == LeaveNotify) {
-+    XCrossingEvent* cev;
-+
-+    if (!running)
-+      return true;
-+
-+    cev = (XCrossingEvent*)ev;
-+
-+    if (cev->window == cev->root)
-+      return false;
-+
-+    server->setCursor(0, 0, Point(), NULL);
-+    return true;
-+#endif
-   }
-
-   return false;

SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch

@@ -1,34 +0,0 @@
-From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
-From: Pierre Ossman <ossman@cendio.se>
-Date: Thu, 23 Dec 2021 15:58:00 +0100
-Subject: [PATCH] Fix typo in mirror monitor detection
-
-Bug introduced in fb561eb but still somehow passed manual testing.
-Resulted in some stray reads off the end of the stack, which were
-hopefully harmless.
----
- vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
-index 5130831cb..4ac74dd1a 100644
---- a/vncviewer/MonitorIndicesParameter.cxx
-+++ b/vncviewer/MonitorIndicesParameter.cxx
-@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
-         // Only keep a single entry for mirrored screens
-         match = false;
-         for (int j = 0; j < ((int) monitors.size()); j++) {
--            if (monitors[i].x != monitor.x)
-+            if (monitors[j].x != monitor.x)
-                 continue;
--            if (monitors[i].y != monitor.y)
-+            if (monitors[j].y != monitor.y)
-                 continue;
--            if (monitors[i].w != monitor.w)
-+            if (monitors[j].w != monitor.w)
-                 continue;
--            if (monitors[i].h != monitor.h)
-+            if (monitors[j].h != monitor.h)
-                 continue;
-
-             match = true;

SOURCES/tigervnc-root-user-selinux-context.patch

@@ -1,25 +0,0 @@
-From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Mon, 7 Feb 2022 10:45:41 +0100
-Subject: [PATCH] SELinux: use /root/.vnc in file context specification
-
-Instead of HOME_ROOT/.vnc, /root/.vnc should be used
-for user root's home to specify default file context
-as HOME_ROOT actually means base for home dirs (usually /home).
----
- unix/vncserver/selinux/vncsession.fc | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
-index 6aaf4b1f4..bc81f8f25 100644
---- a/unix/vncserver/selinux/vncsession.fc
-+++ b/unix/vncserver/selinux/vncsession.fc
-@@ -18,7 +18,7 @@
- #
-
- HOME_DIR/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
--HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
-+/root/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
-
- /usr/sbin/vncsession			--	gen_context(system_u:object_r:vnc_session_exec_t,s0)
- /usr/libexec/vncsession-start		--	gen_context(system_u:object_r:vnc_session_exec_t,s0)

SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch

@@ -1,28 +0,0 @@
-From 774c6bcf33b5c9b94c1ff12895775e77c555decc Mon Sep 17 00:00:00 2001
-From: Pierre Ossman <ossman@cendio.se>
-Date: Thu, 9 Feb 2023 11:30:37 +0100
-Subject: [PATCH] Sanity check when cleaning up keymap changes
-
-Make sure we don't send a bogus request to the X server in the (common)
-case that we don't actually have anything to restore.
-
-(cherry picked from commit 1e3484f2017f038dd5149cd50741feaf39a680e4)
----
- unix/x0vncserver/XDesktop.cxx | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
-index d5c6b2db9..f9c810968 100644
---- a/unix/x0vncserver/XDesktop.cxx
-+++ b/unix/x0vncserver/XDesktop.cxx
-@@ -481,6 +481,10 @@ void XDesktop::deleteAddedKeysyms(Display* dpy) {
-     }
-   }
-
-+  // Did we actually find something to remove?
-+  if (highestKeyCode < lowestKeyCode)
-+    return;
-+
-   changes.changed |= XkbKeySymsMask;
-   changes.first_key_sym = lowestKeyCode;
-   changes.num_key_syms = highestKeyCode - lowestKeyCode + 1;

SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch

@@ -1,31 +0,0 @@
-From 717d787de8f913070446444e37d552b51f05515e Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Mon, 16 Jan 2023 12:35:40 +0100
-Subject: [PATCH] SELinux: Allow vncsession create ~/.vnc directory
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/12/2023 02:58:12.648:696) : proctitle=/usr/sbin/vncsession fedora :1
-type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=1 name=/home/fedora/.vnc nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=0 name=/home/fedora/ inode=262145 dev=fc:02 mode=dir,700 ouid=fedora ogid=fedora rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(01/12/2023 02:58:12.648:696) : cwd=/home/fedora
-type=SYSCALL msg=audit(01/12/2023 02:58:12.648:696) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7fff47d52540 a1=0755 a2=0x0 a3=0x0 items=2 ppid=2869 pid=2880 auid=fedora uid=fedora gid=fedora euid=fedora suid=fedora fsuid=fedora egid=fedora sgid=fedora fsgid=fedora tty=(none) ses=8 comm=vncsession exe=/usr/sbin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null)
-type=AVC msg=audit(01/12/2023 02:58:12.648:696) : avc:  denied  { create } for  pid=2880 comm=vncsession name=.vnc scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:vnc_home_t:s0 tclass=dir permissive=0
-
-Resolves: rhbz#2143704
----
- unix/vncserver/selinux/vncsession.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index fb966c14b..680be8ea1 100644
---- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -37,6 +37,7 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
- allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
- files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-+create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)

SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch

@@ -1,81 +0,0 @@
-From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Thu, 11 Nov 2021 13:52:41 +0100
-Subject: [PATCH] SELinux: restore SELinux context in case of different
- policies
-
----
- CMakeLists.txt                | 13 +++++++++++++
- unix/vncserver/CMakeLists.txt |  2 +-
- unix/vncserver/vncsession.c   | 16 ++++++++++++++++
- 3 files changed, 30 insertions(+), 1 deletion(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 50247c7da..1708eb3d8 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
-   endif()
- endif()
-
-+# Check for SELinux library
-+if(UNIX AND NOT APPLE)
-+  check_include_files(selinux/selinux.h HAVE_SELINUX_H)
-+  if(HAVE_SELINUX_H)
-+    set(CMAKE_REQUIRED_LIBRARIES -lselinux)
-+    set(CMAKE_REQUIRED_LIBRARIES)
-+    set(SELINUX_LIBS selinux)
-+    add_definitions("-DHAVE_SELINUX")
-+  else()
-+    message(WARNING "Could not find SELinux development files")
-+  endif()
-+endif()
-+
- # Generate config.h and make sure the source finds it
- configure_file(config.h.in config.h)
- add_definitions(-DHAVE_CONFIG_H)
-diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
-index f65ccc7db..ae69dc098 100644
---- a/unix/vncserver/CMakeLists.txt
-+++ b/unix/vncserver/CMakeLists.txt
-@@ -1,5 +1,5 @@
- add_executable(vncsession vncsession.c)
--target_link_libraries(vncsession ${PAM_LIBS})
-+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
-
- configure_file(vncserver@.service.in vncserver@.service @ONLY)
- configure_file(vncsession-start.in vncsession-start @ONLY)
-diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
-index 3573e5e9b..f6d2fd59e 100644
---- a/unix/vncserver/vncsession.c
-+++ b/unix/vncserver/vncsession.c
-@@ -37,6 +37,11 @@
- #include <sys/types.h>
- #include <sys/wait.h>
-
-+#ifdef HAVE_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/restorecon.h>
-+#endif
-+
- extern char **environ;
-
- // PAM service name
-@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
-             syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
-             _exit(EX_OSERR);
-         }
-+
-+#ifdef HAVE_SELINUX
-+        int result;
-+        if (selinux_file_context_verify(logfile, 0) == 0) {
-+            result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
-+
-+            if (result < 0) {
-+                syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
-+            }
-+        }
-+#endif
-     }
-
-     hostlen = sysconf(_SC_HOST_NAME_MAX);

SOURCES/vncserver

@@ -121,7 +121,7 @@ if ($fontPath eq "") {
 # Check command line options
 
 &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
-	      "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1);
+	      "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1,"-fallbacktofreeport",0);
 
 &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
 
@@ -168,8 +168,13 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
     $displayNumber = $1;
     shift(@ARGV);
     if (!&CheckDisplayNumber($displayNumber)) {
-        warn "A VNC server is already running as :$displayNumber\n";
-        $displayNumber = &GetDisplayNumber();
+        if ($opt{'-fallbacktofreeport'}) {
+            warn "A VNC server is already running as :$displayNumber\n";
+            $displayNumber = &GetDisplayNumber();
+            warn "Using port :$displayNumber as fallback\n";
+        } else {
+            die "A VNC server is already running as :$displayNumber\n";
+        }
     }
 } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
     &Usage();
@@ -675,6 +680,7 @@ sub Usage
 	"                 [-autokill]\n".
 	"                 [-noxstartup]\n".
 	"                 [-xstartup <file>]\n".
+	"                 [-fallbacktofreeport]\n".
 	"                 <Xvnc-options>...\n\n".
 	"       $prog -kill <X-display>\n\n".
 	"       $prog -list\n\n");

SOURCES/xorg-CVE-2024-31083-followup.patch

@@ -0,0 +1,72 @@
+From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 5 Apr 2024 15:24:49 +0200
+Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
+
+ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
+then frees it using FreeGlyph() to decrease the reference count, after
+AddGlyph() has increased it.
+
+AddGlyph() however may chose to reuse an existing glyph if it's already
+in the glyphSet, and free the glyph that was given, in which case the
+caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
+already freed glyph, as reported by ASan:
+
+  READ of size 4 thread T0
+    #0 in FreeGlyph xserver/render/glyph.c:252
+    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
+    #2 in Dispatch xserver/dix/dispatch.c:546
+    #3 in dix_main xserver/dix/main.c:271
+    #4 in main xserver/dix/stubmain.c:34
+    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #6 in __libc_start_main_impl ../csu/libc-start.c:360
+    #7  (/usr/bin/Xwayland+0x44fe4)
+  Address is located 0 bytes inside of 64-byte region
+  freed by thread T0 here:
+    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
+    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
+    #2 in AddGlyph xserver/render/glyph.c:295
+    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
+    #4 in Dispatch xserver/dix/dispatch.c:546
+    #5 in dix_main xserver/dix/main.c:271
+    #6 in main xserver/dix/stubmain.c:34
+    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  previously allocated by thread T0 here:
+    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
+    #1 in AllocateGlyph xserver/render/glyph.c:355
+    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
+    #3 in Dispatch xserver/dix/dispatch.c:546
+    #4 in dix_main xserver/dix/main.c:271
+    #5 in main xserver/dix/stubmain.c:34
+    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
+
+To avoid that, make sure not to free the given glyph in AddGlyph().
+
+v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
+v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
+
+Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
+---
+ render/glyph.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index 13991f8a1..5fa7f3b5b 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
+     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
+                       TRUE, glyph->sha1);
+     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
+-        FreeGlyphPicture(glyph);
+-        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
+         glyph = gr->glyph;
+     }
+     else if (gr->glyph != glyph) {
+-- 
+2.44.0
+

SOURCES/xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch

@@ -1,42 +0,0 @@
-From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Mon, 13 Mar 2023 11:08:47 +0100
-Subject: [PATCH xserver] composite: Fix use-after-free of the COW
-
-ZDI-CAN-19866/CVE-2023-1393
-
-If a client explicitly destroys the compositor overlay window (aka COW),
-we would leave a dangling pointer to that window in the CompScreen
-structure, which will trigger a use-after-free later.
-
-Make sure to clear the CompScreen pointer to the COW when the latter gets
-destroyed explicitly by the client.
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
----
- composite/compwindow.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/composite/compwindow.c b/composite/compwindow.c
-index 4e2494b86..b30da589e 100644
---- a/composite/compwindow.c
-+++ b/composite/compwindow.c
-@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
-     ret = (*pScreen->DestroyWindow) (pWin);
-     cs->DestroyWindow = pScreen->DestroyWindow;
-     pScreen->DestroyWindow = compDestroyWindow;
-+
-+    /* Did we just destroy the overlay window? */
-+    if (pWin == cs->pOverlayWin)
-+        cs->pOverlayWin = NULL;
-+
- /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
-     return ret;
- }
--- 
-2.40.0
-

SPECS/tigervnc.spec

@@ -4,8 +4,8 @@
 %global modulename vncsession
 
 Name:           tigervnc
-Version:        1.12.0
-Release:        15%{?dist}
+Version:        1.13.1
+Release:        2%{?dist}.10.alma.1
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -21,50 +21,98 @@ Source3:        10-libvnc.conf
 # Backwards compatibility
 Source5:        vncserver
 
+# Downstream patches
 Patch1:         tigervnc-use-gnome-as-default-session.patch
+Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
+Patch3:         tigervnc-dont-install-appstream-metadata-file.patch
+
+# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/75082cdb91390f66637d1dcacbb291181afbc9af
+Patch4:         tigervnc-dont-get-pointer-position-for-floating-device.patch
 
 # Upstream patches
-Patch50:        tigervnc-selinux-restore-context-in-case-of-different-policies.patch
-Patch51:        tigervnc-fix-typo-in-mirror-monitor-detection.patch
-Patch52:        tigervnc-root-user-selinux-context.patch
-Patch53:        tigervnc-vncsession-restore-script-systemd-service.patch
-# https://github.com/TigerVNC/tigervnc/pull/1513
-Patch54:        tigervnc-fix-ghost-cursor-in-zaphod-mode.patch
-# https://github.com/TigerVNC/tigervnc/pull/1510
-Patch55:        tigervnc-add-new-keycodes-for-unknown-keysyms.patch
-Patch56:        tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch
-Patch57:        tigervnc-selinux-allow-vncsession-create-vnc-directory.patch
 
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
 Patch101:       0001-rpath-hack.patch
 
-# CVE-2023-1393 tigervnc: xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability
-Patch110:       xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch
+# Patches were taken from:
+# https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
+Patch102:       CVE-2023-5367.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
+Patch103:       CVE-2023-5380.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
+Patch104:       CVE-2023-6377.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
+Patch105:       CVE-2023-6478.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
+Patch106:        CVE-2023-6816.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1245?commit_id=ece23be888a93b741aa1209d1dbf64636109d6a5
+Patch107:        CVE-2024-0229-1.patch
+Patch108:        CVE-2024-0229-2.patch
+Patch109:        CVE-2024-0229-3.patch
+Patch110:        CVE-2024-21885.patch
+Patch111:        CVE-2024-21886-1.patch
+Patch112:        CVE-2024-21886-2.patch
+Patch113:        dix-fix-use-after-free-in-input-device-shutdown.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463
+Patch114:        CVE-2024-31080.patch
+Patch115:        CVE-2024-31081.patch
+Patch116:        CVE-2024-31082.patch
+# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/d8901da5473c0a9ecac606bbab22198c5470d805
+Patch117:        xorg-CVE-2024-31083-followup.patch
+# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/ea7d05a24189766c4fc7f2346b4a63c3dca57169
+Patch118:        CVE-2024-31083.patch
 
+# Upstreamable patches
+
+BuildRequires:  make
 BuildRequires:  gcc-c++
-BuildRequires:  libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
-BuildRequires:  libXext-devel, xorg-x11-server-source, libXi-devel
-BuildRequires:  xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel
-BuildRequires:  libxkbfile-devel, openssl-devel, libpciaccess-devel
-BuildRequires:  mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
-BuildRequires:  freetype-devel, libXdmcp-devel, libxshmfence-devel
-BuildRequires:  libjpeg-turbo-devel, gnutls-devel, pam-devel
-BuildRequires:  libdrm-devel, libXt-devel, pixman-devel
-BuildRequires:  systemd, cmake, desktop-file-utils
-BuildRequires:  libselinux-devel, selinux-policy-devel
-BuildRequires:  libXfixes-devel, libXdamage-devel, libXrandr-devel
-%if 0%{?fedora} > 24 || 0%{?rhel} >= 7
-BuildRequires:  libXfont2-devel
-%else
-BuildRequires:  libXfont-devel
-%endif
+BuildRequires:  gettext
+BuildRequires:  cmake
+
+BuildRequires:  gnutls-devel
+BuildRequires:  desktop-file-utils
+BuildRequires:  libappstream-glib
+BuildRequires:  libjpeg-turbo-devel
+BuildRequires:  openssl-devel
+BuildRequires:  pam-devel
+BuildRequires:  zlib-devel
 
 # TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support
 # See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814
 BuildRequires:  fltk-devel >= 1.3.3
+BuildRequires:  libX11-devel
+BuildRequires:  libXext-devel
+BuildRequires:  libXi-devel
+BuildRequires:  libXrandr-devel
+BuildRequires:  libXrender-devel
+BuildRequires:  pixman-devel
+
+# X11/graphics dependencies
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gettext-autopoint
+BuildRequires:  libXdamage-devel
+BuildRequires:  libXdmcp-devel
+BuildRequires:  libXfixes-devel
+BuildRequires:  libXfont2-devel
+BuildRequires:  libXinerama-devel
+BuildRequires:  libXt-devel
+BuildRequires:  libXtst-devel
+BuildRequires:  libdrm-devel
+BuildRequires:  libtool
+BuildRequires:  libxkbfile-devel
+BuildRequires:  libxshmfence-devel
+BuildRequires:  mesa-libGL-devel
+BuildRequires:  xorg-x11-font-utils
 BuildRequires:  xorg-x11-server-devel
+BuildRequires:  xorg-x11-server-source
+BuildRequires:  xorg-x11-util-macros
+BuildRequires:  xorg-x11-xtrans-devel
+
+# SELinux
+BuildRequires:  libselinux-devel, selinux-policy-devel, systemd
 
 Requires(post): coreutils
 Requires(postun):coreutils
@@ -144,11 +192,20 @@ BuildRequires:  selinux-policy-devel
 Requires:       selinux-policy-%{selinuxtype}
 Requires(post): selinux-policy-%{selinuxtype}
 BuildRequires:  selinux-policy-devel
+BuildRequires:  pkgconfig(systemd)	
+BuildRequires:  selinux-policy
 # Required for matchpathcon
 Requires:       libselinux-utils
 # Required for restorecon
 Requires:       policycoreutils
-%{?selinux_requires}
+Requires:       libselinux-utils	
+Requires:       selinux-policy	
+Requires:       selinux-policy-%{selinuxtype}	
+Requires(post): selinux-policy-base	
+Requires(post): selinux-policy-%{selinuxtype}	
+Requires(post): libselinux-utils	
+Requires(post): policycoreutils	
+Requires(post): policycoreutils-python-utils
 
 %description selinux
 This package provides the SELinux policy module to ensure TigerVNC
@@ -164,20 +221,29 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
-%patch110 -p1 -b .composite-Fix-use-after-free-of-the-COW
+%patch102 -p1 -b .CVE-2023-5367
+%patch103 -p1 -b .CVE-2023-5380
+%patch104 -p1 -b .CVE-2023-6377
+%patch105 -p1 -b .CVE-2023-6478
+%patch106 -p1 -b .CVE-2023-6816	
+%patch107 -p1 -b .CVE-2024-0229-1	
+%patch108 -p1 -b .CVE-2024-0229-2	
+%patch109 -p1 -b .CVE-2024-0229-3	
+%patch110 -p1 -b .CVE-2024-21885	
+%patch111 -p1 -b .CVE-2024-21886-1	
+%patch112 -p1 -b .CVE-2024-21886-2	
+%patch113 -p1 -b .dix-fix-use-after-free-in-input-device-shutdown
+%patch114 -p1 -b .CVE-2024-31080
+%patch115 -p1 -b .CVE-2024-31081
+%patch116 -p1 -b .CVE-2024-31082
+%patch117 -p1 -b .xorg-CVE-2024-31083-followup
+%patch118 -p1 -b .CVE-2024-31083
 popd
 
 %patch1 -p1 -b .use-gnome-as-default-session
-
-# Upstream patches
-%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
-%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
-%patch52 -p1 -b .root-user-selinux-context
-%patch53 -p1 -b .vncsession-restore-script-systemd-service
-%patch54 -p1 -b .fix-ghost-cursor-in-zaphod-mode
-%patch55 -p1 -b .add-new-keycodes-for-unknown-keysyms
-%patch56 -p1 -b .sanity-check-when-cleaning-up-keymap-changes
-%patch57 -p1 -b .selinux-allow-vncsession-create-vnc-directory
+%patch2 -p1 -b .vncsession-restore-script-systemd-service
+%patch3 -p1 -b .dont-install-appstream-metadata-file.patch
+%patch4 -p1 -b .dont-get-pointer-position-for-floating-device
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
@@ -243,7 +309,7 @@ install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
 mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps
 
 pushd media/icons
-for s in 16 24 48; do
+for s in 16 22 24 32 48 64 128; do
 install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png
 done
 popd
@@ -329,36 +395,29 @@ fi
 
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
-*Mon Mar 27 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-15
-- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability
-  Resolves: bz#2180305
+* Mon Apr 29 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-2.10.alma.1
+- Fix CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
+ 
+* Wed Jan 31 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-2.7.alma.1
+- CVE-2023-6816, CVE-2024-0029, CVE-2024-21885, CVE-2024-21886
+- dix: Fix use after free in input device shutdown
 
-* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-14
-- SELinux: allow vncsession create .vnc directory
-  Resolves: bz#2164704
+* Thu Jan 04 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-2.4.alma.1
+- CVE-2023-5367, CVE-2023-5380, CVE-2023-6377, CVE-2023-6478
 
-* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-13
-- Add sanity check when cleaning up keymap changes
-  Resolves: bz#2169960
+* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
+- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
+  Escalation Vulnerability
+  Resolves: bz#2180306
 
-* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
-- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
-  Resolves: bz#2167058
-
-* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-11
-- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix
-
-* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
-- Rebuild for xorg-x11-server CVEs
-  Resolves: CVE-2022-4283 (bz#2154233)
-  Resolves: CVE-2022-46340 (bz#2154220)
-  Resolves: CVE-2022-46341 (bz#2154223)
-  Resolves: CVE-2022-46342 (bz#2154225)
-  Resolves: CVE-2022-46343 (bz#2154227)
-  Resolves: CVE-2022-46344 (bz#2154229)
+* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
+- 1.13.1
+  Resolves: bz#2175748
+- Restore "--fallbacktofreeport" option in the vncserver script
+  Resolves: bz#2174398
 
 * Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
 - Bump build version to fix upgrade path