diff -u xorg-server-21.1.3/debian/changelog xorg-server-21.1.3/debian/changelog
--- xorg-server-21.1.3/debian/changelog
+++ xorg-server-21.1.3/debian/changelog
@@ -1,3 +1,19 @@
+xorg-server (2:21.1.3-2ubuntu2.7) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: DeepCopyPointerClasses use-after-free
+    - debian/patches/CVE-2023-0494.patch: fix potential use-after-free in
+      Xi/exevents.c.
+    - CVE-2023-0494
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 07 Feb 2023 07:47:22 -0500
+
+xorg-server (2:21.1.3-2ubuntu2.6) jammy; urgency=medium
+
+  * re-calculate-the-clock-and-refresh-rate.diff: Import v3, fix a
+    crash. (LP: #1999008)
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Wed, 07 Dec 2022 11:32:56 +0200
+
 xorg-server (2:21.1.3-2ubuntu2.5) jammy-security; urgency=medium
 
   * SECURITY UPDATE: XTestSwapFakeInput stack overflow
diff -u xorg-server-21.1.3/debian/patches/re-calculate-the-clock-and-refresh-rate.diff xorg-server-21.1.3/debian/patches/re-calculate-the-clock-and-refresh-rate.diff
--- xorg-server-21.1.3/debian/patches/re-calculate-the-clock-and-refresh-rate.diff
+++ xorg-server-21.1.3/debian/patches/re-calculate-the-clock-and-refresh-rate.diff
@@ -1,4 +1,4 @@
-From 973bbc7d5f0596827ca07126af789b6940331e0f Mon Sep 17 00:00:00 2001
+From 2dabb85f8dfeb9a2afcc1fd297f202cab583936e Mon Sep 17 00:00:00 2001
 From: "Chia-Lin Kao (AceLan)" <acelan.kao@canonical.com>
 Date: Tue, 8 Nov 2022 08:11:50 +0800
 Subject: [PATCH] hw/xfree86: re-calculate the clock and refresh rate
@@ -14,13 +14,18 @@
 clock and refresh rate from the existing resolution table and this
 works for the issue.
 
+v2. xf86ModeVRefresh might return 0, need to check it before use it.
+v3. reported by Markus on launchpad that the issue is not devided by 0,
+it's the "preferred" being accessed unconditionally.
+BugLink: https://launchpad.net/bugs/1999852
+
 Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1388
 Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
 ---
  hw/xfree86/common/xf86Mode.c                     |  2 ++
- hw/xfree86/drivers/modesetting/drmmode_display.c | 11 ++++++++++-
+ hw/xfree86/drivers/modesetting/drmmode_display.c | 13 ++++++++++++-
  include/displaymode.h                            |  1 +
- 3 files changed, 13 insertions(+), 1 deletion(-)
+ 3 files changed, 15 insertions(+), 1 deletion(-)
 
 diff --git a/hw/xfree86/common/xf86Mode.c b/hw/xfree86/common/xf86Mode.c
 index 16dd529e3..136cd15d0 100644
@@ -36,7 +41,7 @@
          return "unknown reason";
      case MODE_ERROR:
 diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
-index 65e8e6335..63bd93ecf 100644
+index 65e8e6335..2ce90ba6f 100644
 --- a/hw/xfree86/drivers/modesetting/drmmode_display.c
 +++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
 @@ -2641,7 +2641,7 @@ static DisplayModePtr
@@ -48,12 +53,14 @@
      int max_x = 0, max_y = 0;
      float max_vrefresh = 0.0;
  
-@@ -2673,6 +2673,15 @@ drmmode_output_add_gtf_modes(xf86OutputPtr output, DisplayModePtr Modes)
+@@ -2673,6 +2673,17 @@ drmmode_output_add_gtf_modes(xf86OutputPtr output, DisplayModePtr Modes)
              i->VDisplay >= preferred->VDisplay &&
              xf86ModeVRefresh(i) >= xf86ModeVRefresh(preferred))
              i->status = MODE_VSYNC;
-+        i->Clock = i->Clock * xf86ModeVRefresh(preferred) / xf86ModeVRefresh(i);
-+        i->VRefresh = xf86ModeVRefresh(preferred);
++        if (preferred && xf86ModeVRefresh(i) > 0.0) {
++            i->Clock = i->Clock * xf86ModeVRefresh(preferred) / xf86ModeVRefresh(i);
++            i->VRefresh = xf86ModeVRefresh(preferred);
++        }
 +        for (j = m; j != i; j = j->next) {
 +            if (!strcmp(i->name, j->name) &&
 +                xf86ModeVRefresh(i) * (1 + SYNC_TOLERANCE) >= xf86ModeVRefresh(j) &&
@@ -79,3 +86,3 @@
 -- 
-GitLab
+2.34.1
 
diff -u xorg-server-21.1.3/debian/patches/series xorg-server-21.1.3/debian/patches/series
--- xorg-server-21.1.3/debian/patches/series
+++ xorg-server-21.1.3/debian/patches/series
@@ -41,0 +42 @@
+CVE-2023-0494.patch
only in patch2:
unchanged:
--- xorg-server-21.1.3.orig/debian/patches/CVE-2023-0494.patch
+++ xorg-server-21.1.3/debian/patches/CVE-2023-0494.patch
@@ -0,0 +1,34 @@
+From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN-19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa956..dcd4efb3b 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+                    sizeof(XkbAction));
+         }
+-        else
++        else {
+             free(to->button->xkb_acts);
++            to->button->xkb_acts = NULL;
++        }
+ 
+         memcpy(to->button->labels, from->button->labels,
+                from->button->numButtons * sizeof(Atom));
+-- 
+GitLab
+