diff -Nru xserver-xorg-video-qxl-0.0.16/debian/changelog xserver-xorg-video-qxl-0.0.16/debian/changelog
--- xserver-xorg-video-qxl-0.0.16/debian/changelog	2012-02-02 10:26:44.000000000 +0000
+++ xserver-xorg-video-qxl-0.0.16/debian/changelog	2013-02-04 14:43:22.000000000 +0000
@@ -1,3 +1,12 @@
+xserver-xorg-video-qxl (0.0.16-2ubuntu0.1) precise-security; urgency=low
+
+  * SECURITY UPDATE: denial of service via sync i/o commands
+    - debian/patches/CVE-2013-0241.patch: use new async IO calls in
+      src/qxl.h, src/qxl_driver.c, src/qxl_surface.c.
+    - CVE-2013-0241
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 04 Feb 2013 09:41:05 -0500
+
 xserver-xorg-video-qxl (0.0.16-2) unstable; urgency=low
 
   [Serge Hallyn]
diff -Nru xserver-xorg-video-qxl-0.0.16/debian/control xserver-xorg-video-qxl-0.0.16/debian/control
--- xserver-xorg-video-qxl-0.0.16/debian/control	2012-02-02 10:26:44.000000000 +0000
+++ xserver-xorg-video-qxl-0.0.16/debian/control	2013-02-04 14:43:42.000000000 +0000
@@ -1,7 +1,8 @@
 Source: xserver-xorg-video-qxl
 Section: x11
 Priority: optional
-Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: Liang Guo <bluestonechina@gmail.com>, Cyril Brulebois <kibi@debian.org>
 Build-Depends:
  debhelper (>= 8),
diff -Nru xserver-xorg-video-qxl-0.0.16/debian/patches/CVE-2013-0241.patch xserver-xorg-video-qxl-0.0.16/debian/patches/CVE-2013-0241.patch
--- xserver-xorg-video-qxl-0.0.16/debian/patches/CVE-2013-0241.patch	1970-01-01 00:00:00.000000000 +0000
+++ xserver-xorg-video-qxl-0.0.16/debian/patches/CVE-2013-0241.patch	2013-02-04 14:40:59.000000000 +0000
@@ -0,0 +1,148 @@
+From 30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 06 Oct 2011 15:06:10 +0000
+Subject: support _ASYNC io calls and interrupt handling (busy wait)
+
+rebased with Xspice changes.
+
+Signed-off-by: Alon Levy <alevy@redhat.com>
+---
+Index: xserver-xorg-video-qxl-0.0.16/src/qxl.h
+===================================================================
+--- xserver-xorg-video-qxl-0.0.16.orig/src/qxl.h	2011-07-23 05:47:49.000000000 -0400
++++ xserver-xorg-video-qxl-0.0.16/src/qxl.h	2013-02-04 09:40:56.756397621 -0500
+@@ -410,6 +410,14 @@
+ 					unsigned long           size);
+ int		   qxl_garbage_collect (qxl_screen_t *qxl);
+ 
++/*
++ * I/O port commands
++ */
++void qxl_update_area(qxl_screen_t *qxl);
++void qxl_memslot_add(qxl_screen_t *qxl, uint8_t id);
++void qxl_create_primary(qxl_screen_t *qxl);
++void qxl_notify_oom(qxl_screen_t *qxl);
++
+ #ifdef XSPICE
+ /* device to spice-server, now xspice to spice-server */
+ void ioport_write(qxl_screen_t *qxl, uint32_t io_port, uint32_t val);
+Index: xserver-xorg-video-qxl-0.0.16/src/qxl_driver.c
+===================================================================
+--- xserver-xorg-video-qxl-0.0.16.orig/src/qxl_driver.c	2011-07-23 06:42:34.000000000 -0400
++++ xserver-xorg-video-qxl-0.0.16/src/qxl_driver.c	2013-02-04 09:40:56.756397621 -0500
+@@ -102,6 +102,64 @@
+     { -1, NULL, OPTV_NONE, {0}, FALSE }
+ };
+ 
++static void qxl_wait_for_io_command(qxl_screen_t *qxl)
++{
++    struct QXLRam *ram_header = (void *)(
++        (unsigned long)qxl->ram + qxl->rom->ram_header_offset);
++
++    while (!(ram_header->int_pending & QXL_INTERRUPT_IO_CMD)) {
++        usleep(1);
++    }
++    ram_header->int_pending &= ~QXL_INTERRUPT_IO_CMD;
++}
++
++void qxl_update_area(qxl_screen_t *qxl)
++{
++#ifndef XSPICE
++    if (qxl->pci->revision >= 3) {
++        ioport_write(qxl, QXL_IO_UPDATE_AREA_ASYNC, 0);
++        qxl_wait_for_io_command(qxl);
++    } else {
++        ioport_write(qxl, QXL_IO_UPDATE_AREA, 0);
++    }
++#else
++    ioport_write(qxl, QXL_IO_UPDATE_AREA, 0);
++#endif
++}
++
++void qxl_memslot_add(qxl_screen_t *qxl, uint8_t id)
++{
++#ifndef XSPICE
++    if (qxl->pci->revision >= 3) {
++        ioport_write(qxl, QXL_IO_MEMSLOT_ADD_ASYNC, id);
++        qxl_wait_for_io_command(qxl);
++    } else {
++        ioport_write(qxl, QXL_IO_MEMSLOT_ADD, id);
++    }
++#else
++    ioport_write(qxl, QXL_IO_MEMSLOT_ADD, id);
++#endif
++}
++
++void qxl_create_primary(qxl_screen_t *qxl)
++{
++#ifndef XSPICE
++    if (qxl->pci->revision >= 3) {
++        ioport_write(qxl, QXL_IO_CREATE_PRIMARY_ASYNC, 0);
++        qxl_wait_for_io_command(qxl);
++    } else {
++        ioport_write(qxl, QXL_IO_CREATE_PRIMARY, 0);
++    }
++#else
++    ioport_write(qxl, QXL_IO_CREATE_PRIMARY, 0);
++#endif
++}
++
++void qxl_notify_oom(qxl_screen_t *qxl)
++{
++    ioport_write(qxl, QXL_IO_NOTIFY_OOM, 0);
++}
++
+ int
+ qxl_garbage_collect (qxl_screen_t *qxl)
+ {
+@@ -190,8 +248,8 @@
+ int
+ qxl_handle_oom (qxl_screen_t *qxl)
+ {
+-    ioport_write(qxl, QXL_IO_NOTIFY_OOM, 0);
+-    
++    qxl_notify_oom(qxl);
++
+ #if 0
+     ErrorF (".");
+     qxl_usleep (10000);
+@@ -228,7 +286,7 @@
+ 	ram_header->update_area.right = qxl->virtual_x;
+ 	ram_header->update_surface = 0;		/* Only primary for now */
+ 	
+-	ioport_write(qxl, QXL_IO_UPDATE_AREA, 0);
++        qxl_update_area(qxl);
+ 	
+ #if 0
+  	ErrorF ("eliminated memory (%d)\n", nth_oom++);
+@@ -469,7 +527,7 @@
+     ram_header->mem_slot.mem_start = slot->start_phys_addr;
+     ram_header->mem_slot.mem_end = slot->end_phys_addr;
+ 
+-    ioport_write(qxl, QXL_IO_MEMSLOT_ADD, slot_index);
++    qxl_memslot_add(qxl, slot_index);
+ 
+     slot->generation = qxl->rom->slot_generation;
+     
+Index: xserver-xorg-video-qxl-0.0.16/src/qxl_surface.c
+===================================================================
+--- xserver-xorg-video-qxl-0.0.16.orig/src/qxl_surface.c	2011-07-23 05:46:47.000000000 -0400
++++ xserver-xorg-video-qxl-0.0.16/src/qxl_surface.c	2013-02-04 09:40:56.760397622 -0500
+@@ -378,7 +378,7 @@
+     create->type = QXL_SURF_TYPE_PRIMARY;
+     create->mem = physical_address (cache->qxl, cache->qxl->ram, cache->qxl->main_mem_slot);
+ 
+-    ioport_write(qxl, QXL_IO_CREATE_PRIMARY, 0);
++    qxl_create_primary(qxl);
+ 
+     dev_addr = (uint8_t *)qxl->ram + mode->stride * (mode->y_res - 1);
+ 
+@@ -920,7 +920,7 @@
+     ErrorF ("Issuing update command for %d\n", surface->id);
+ #endif
+ 
+-    ioport_write(surface->cache->qxl, QXL_IO_UPDATE_AREA, 0);
++    qxl_update_area(surface->cache->qxl);
+ 
+     pixman_image_composite (PIXMAN_OP_SRC,
+      			    surface->dev_image,
diff -Nru xserver-xorg-video-qxl-0.0.16/debian/patches/series xserver-xorg-video-qxl-0.0.16/debian/patches/series
--- xserver-xorg-video-qxl-0.0.16/debian/patches/series	2012-02-02 10:26:44.000000000 +0000
+++ xserver-xorg-video-qxl-0.0.16/debian/patches/series	2013-02-04 14:40:54.000000000 +0000
@@ -1 +1,2 @@
 translate-the-access-region.diff
+CVE-2013-0241.patch