diff -u xorg-server-21.1.4/debian/changelog xorg-server-21.1.4/debian/changelog
--- xorg-server-21.1.4/debian/changelog
+++ xorg-server-21.1.4/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:21.1.4-2ubuntu1.7~22.04.10~test.1) jammy-security; urgency=medium
+
+  * SECURITY REGRESSION: Fix for CVE-2024-31083 introduced a potential
+    double-free error, causing X to crash
+    - debian/patches/CVE-2024-31083-regression_fix-MR_1476.patch:
+      render: Avoid possible double-free in ProcRenderAddGlyphs()
+    - LP: #2060354
+
+ -- Steve Beattie <steve.beattie@canonical.com>  Mon, 08 Apr 2024 17:32:45 -0700
+
 xorg-server (2:21.1.4-2ubuntu1.7~22.04.9) jammy-security; urgency=medium
 
   * SECURITY UPDATE: Heap buffer over read
diff -u xorg-server-21.1.4/debian/patches/series xorg-server-21.1.4/debian/patches/series
--- xorg-server-21.1.4/debian/patches/series
+++ xorg-server-21.1.4/debian/patches/series
@@ -59,0 +60 @@
+CVE-2024-31083-regression_fix-MR_1476.patch
only in patch2:
unchanged:
--- xorg-server-21.1.4.orig/debian/patches/CVE-2024-31083-regression_fix-MR_1476.patch
+++ xorg-server-21.1.4/debian/patches/CVE-2024-31083-regression_fix-MR_1476.patch
@@ -0,0 +1,74 @@
+From a5490677c9fe4a783a08cd7c95b13057cf4d3836 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 5 Apr 2024 15:24:49 +0200
+Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
+Origin: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476
+Bug: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+Bug-Ubuntu: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+
+ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
+then frees it using FreeGlyph() to decrease the reference count, after
+AddGlyph() has increased it.
+
+AddGlyph() however may chose to reuse an existing glyph if it's already
+in the glyphSet, and free the glyph that was given, in which case the
+caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
+already freed glyph, as reported by ASan:
+
+  READ of size 4 thread T0
+    #0 in FreeGlyph xserver/render/glyph.c:252
+    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
+    #2 in Dispatch xserver/dix/dispatch.c:546
+    #3 in dix_main xserver/dix/main.c:271
+    #4 in main xserver/dix/stubmain.c:34
+    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #6 in __libc_start_main_impl ../csu/libc-start.c:360
+    #7  (/usr/bin/Xwayland+0x44fe4)
+  Address is located 0 bytes inside of 64-byte region
+  freed by thread T0 here:
+    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
+    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
+    #2 in AddGlyph xserver/render/glyph.c:295
+    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
+    #4 in Dispatch xserver/dix/dispatch.c:546
+    #5 in dix_main xserver/dix/main.c:271
+    #6 in main xserver/dix/stubmain.c:34
+    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  previously allocated by thread T0 here:
+    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
+    #1 in AllocateGlyph xserver/render/glyph.c:355
+    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
+    #3 in Dispatch xserver/dix/dispatch.c:546
+    #4 in dix_main xserver/dix/main.c:271
+    #5 in main xserver/dix/stubmain.c:34
+    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
+
+To avoid that, make sure not to free the given glyph in AddGlyph().
+
+v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
+v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
+
+Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ render/glyph.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index 13991f8a12..5fa7f3b5b4 100644
+--- a/render/glyph.c
++++ b/render/glyph.c
+@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
+     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
+                       TRUE, glyph->sha1);
+     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
+-        FreeGlyphPicture(glyph);
+-        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
+         glyph = gr->glyph;
+     }
+     else if (gr->glyph != glyph) {
+-- 
+GitLab
+