diff -u xorg-server-1.20.13/debian/changelog xorg-server-1.20.13/debian/changelog
--- xorg-server-1.20.13/debian/changelog
+++ xorg-server-1.20.13/debian/changelog
@@ -1,3 +1,19 @@
+xorg-server (2:1.20.13-1ubuntu1~20.04.8) focal-security; urgency=medium
+
+ * SECURITY UPDATE: Overlay Window Use-After-Free
+ - debian/patches/CVE-2023-1393.patch: fix use-after-free of the COW in
+ composite/compwindow.c.
+ - CVE-2023-1393
+
+ -- Marc Deslauriers Wed, 29 Mar 2023 08:53:02 -0400
+
+xorg-server (2:1.20.13-1ubuntu1~20.04.7) focal; urgency=medium
+
+ * d/p/lp2007746-fix-pdev-null-deref.patch: fix potential pdev null
+ deref in xf86platformBus.c (LP: #2007746)
+
+ -- Mustafa Kemal GILOR Sat, 18 Feb 2023 15:17:01 +0300
+
 xorg-server (2:1.20.13-1ubuntu1~20.04.6) focal-security; urgency=medium

 * SECURITY UPDATE: DeepCopyPointerClasses use-after-free
diff -u xorg-server-1.20.13/debian/patches/series xorg-server-1.20.13/debian/patches/series
--- xorg-server-1.20.13/debian/patches/series
+++ xorg-server-1.20.13/debian/patches/series
@@ -49,0 +50,2 @@
+lp2007746-fix-pdev-null-deref.patch
+CVE-2023-1393.patch
only in patch2:
unchanged:
--- xorg-server-1.20.13.orig/debian/patches/CVE-2023-1393.patch
+++ xorg-server-1.20.13/debian/patches/CVE-2023-1393.patch
@@ -0,0 +1,37 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Adam Jackson
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
+ ret = (*pScreen->DestroyWindow) (pWin);
+ cs->DestroyWindow = pScreen->DestroyWindow;
+ pScreen->DestroyWindow = compDestroyWindow;
++
++ /* Did we just destroy the overlay window? */
++ if (pWin == cs->pOverlayWin)
++ cs->pOverlayWin = NULL;
++
+ /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+ return ret;
+ }
only in patch2:
unchanged:
--- xorg-server-1.20.13.orig/debian/patches/lp2007746-fix-pdev-null-deref.patch
+++ xorg-server-1.20.13/debian/patches/lp2007746-fix-pdev-null-deref.patch
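Review bot: The added comment in compDestroyWindow, `/* Did we just destroy the overlay window? */`, names the test but not the reason the pointer has to be cleared, and it does not say that pWin is only compared, never dereferenced, once the wrapped DestroyWindow call has returned. I would write `/* A client destroyed the COW itself: clear cs->pOverlayWin so no later overlay path uses the freed window; pWin is compared by value only. */`. The function starts above the hunk, so whether any other CompScreen state still refers to the destroyed window cannot be checked from here and is worth confirming against the full file.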
@@ -0,0 +1,55 @@
+From 0d93bbfa2cfacbb73741f8bed0e32fa1a656b928 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas
+Date: Fri, 26 Mar 2021 00:51:02 +0200
+Subject: [PATCH] xfree86: Fix potentially NULL reference to platform device's
+ PCI device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+xf86_platform_devices[i].pdev may be NULL in cases we fail to parse the
+busid in config_udev_odev_setup_attribs() (see also [1], [2]) such as
+when udev does not give use ID_PATH. This in turn leads to
+platform_find_pci_info() being not called and pdev being NULL.
+
+[1]: https://gitlab.freedesktop.org/xorg/xserver/-/issues/993
+[2]: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1076
+
+Reviewed-by: Zoltán Böszörményi
+Signed-off-by: Povilas Kanapickas
+---
+ hw/xfree86/common/xf86platformBus.c | 10 ++++++----
+ hw/xfree86/os-support/linux/lnx_platform.c | 3 +++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/hw/xfree86/common/xf86platformBus.c
++++ b/hw/xfree86/common/xf86platformBus.c
+@@ -365,10 +365,12 @@
+ break;
+ case BUS_PCI:
+ for (i = 0; i < xf86_num_platform_devices; i++) {
+- if (MATCH_PCI_DEVICES(xf86_platform_devices[i].pdev,
+- entity->bus.id.pci)) {
+- dev = &xf86_platform_devices[i];
+- break;
++ if (xf86_platform_devices[i].pdev) {
++ if (MATCH_PCI_DEVICES(xf86_platform_devices[i].pdev,
++ entity->bus.id.pci)) {
++ dev = &xf86_platform_devices[i];
++ break;
++ }
+ }
+ }
+ break;
+--- a/hw/xfree86/os-support/linux/lnx_platform.c
++++ b/hw/xfree86/os-support/linux/lnx_platform.c
+@@ -101,6 +101,9 @@
+ bustype = StringToBusType(busid, &id);
+ if (bustype == BUS_PCI) {
+ struct pci_device *pPci = device->pdev;
++ if (!pPci)
++ return FALSE;
++
+ if (xf86ComparePciBusString(busid,
+ ((pPci->domain << 8)
+ | pPci->bus),
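Review bot: The new `if (!pPci) return FALSE;` in lnx_platform.c rejects the device with no comment or log line, so a configured PCI BusID that never matches because udev supplied no ID_PATH will be hard to diagnose. A comment such as `/* pdev is NULL when the busid could not be parsed; such a device cannot match a PCI BusID */` would record the reason given in the commit message. In xf86platformBus.c the nested test can be a single condition, `if (xf86_platform_devices[i].pdev && MATCH_PCI_DEVICES(xf86_platform_devices[i].pdev, entity->bus.id.pci)) {`, which leaves the body at its original depth. Both enclosing functions begin and end outside the hunks, so other uses of pdev in them are not visible here and may need the same guard.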