15 changed files with 713 additions and 175 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libX11-1.7.0.tar.bz2
+SOURCES/libX11-1.8.7.tar.xz
--- a/.libX11.metadata
+++ b/.libX11.metadata
@ -1 +1 @@
-48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2
+034271312467ea99699fb8d926118d395e33a663 SOURCES/libX11-1.8.7.tar.xz
--- a/SOURCES/0001-Fix-deadlock-in-XRebindKeysym.patch
+++ b/SOURCES/0001-Fix-deadlock-in-XRebindKeysym.patch
@ -0,0 +1,52 @@
 From 751fbc59c30604980fdd19cb4b333d3cf2eccb24 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Fri, 21 Jun 2024 14:37:24 +0200
 Subject: [PATCH] Fix deadlock in XRebindKeysym()
 Xlib is now built with threading support enabled from the constructor
 by default.
 XRebindKeysym() acquires the display lock, then calls:
 | XRebindKeysym()
 |  LockDisplay()
 |  ComputeMaskFromKeytrans()
 |    -> XkbKeysymToModifiers()
 |        -> _XkbLoadDpy()
 |            -> XkbGetMap()
 |                -> XkbGetUpdatedMap()
 |                   LockDisplay()
 And the dead lock:
 | Xlib ERROR: XKBGetMap.c line 575 thread 1fc6e580: locking display already
 | locked at KeyBind.c line 937
 To avoid the issue, call ComputeMaskFromKeytrans() from outside the display
 lock.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Closes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/216
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/256>
 ---
 src/KeyBind.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/KeyBind.c b/src/KeyBind.c
 index a8181b91..a5e22131 100644
 --- a/src/KeyBind.c
 +++ b/src/KeyBind.c
@@ -958,8 +958,9 @@ XRebindKeysym (
     memcpy ((char *) p->modifiers, (char *) mlist, (size_t) nb);
     p->key = keysym;
     p->mlen = nm;
 -    ComputeMaskFromKeytrans(dpy, p);
     UnlockDisplay(dpy);
 +    ComputeMaskFromKeytrans(dpy, p);
 +
     return 0;
 }
 -- 
 2.45.2
--- a/SOURCES/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch
+++ b/SOURCES/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch
@ -0,0 +1,49 @@
 From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Tue, 30 Apr 2024 16:37:21 +0200
 Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 `_XimRead()` is being called with `reply` as target buffer instead of
 using `preply`, accessing uninitialized memory a few lines later.
 This error has been found by a static analysis tool. This is the report:
    Error: UNINIT (CWE-457):
    libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn:
      Calling "malloc" which returns uninitialized memory.
    libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign:
      Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))",
      which points to uninitialized data.
    libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use:
      Using uninitialized value "*((CARD8 *)preply)".
    #  571|       }
    #  572|       buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
    #  573|->     if (*((CARD8 *)preply) == XIM_ERROR) {
    #  574|           _XimProcError(im, 0, (XPointer)&buf_s[3]);
    #  575|           if(reply != preply)
 Signed-off-by: José Expósito <jexposit@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
 ---
 modules/im/ximcp/imDefLkup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
 index 2e53ab23..8ccaee26 100644
 --- a/modules/im/ximcp/imDefLkup.c
 +++ b/modules/im/ximcp/imDefLkup.c
@@ -635,7 +635,7 @@ _XimTriggerNotify(
 	} else {
 	    buf_size = len;
 	    preply = Xmalloc(len);
 -	    ret_code = _XimRead(im, &len, (XPointer)reply, buf_size,
 +	    ret_code = _XimRead(im, &len, preply, buf_size,
 				_XimTriggerNotifyCheck, (XPointer)ic);
 	    if(ret_code != XIM_TRUE) {
 		Xfree(preply);
 -- 
 2.45.2
--- a/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
+++ b/SOURCES/0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
@ -1,108 +0,0 @@
 From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 10 Jun 2023 16:30:07 -0700
 Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
 event, & error codes
 Fixes CVE-2023-3138: X servers could return values from XQueryExtension
 that would cause Xlib to write entries out-of-bounds of the arrays to
 store them, though this would only overwrite other parts of the Display
 struct, not outside the bounds allocated for that structure.
 Reported-by: Gregory James DUCK <gjduck@gmail.com>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 diff --git a/src/InitExt.c b/src/InitExt.c
 index 4de46f15..afc00a6b 100644
 --- a/src/InitExt.c
 +++ b/src/InitExt.c
@@ -33,6 +33,18 @@ from The Open Group.
 #include <X11/Xos.h>
 #include <stdio.h>
 +/* The X11 protocol spec reserves events 64 through 127 for extensions */
 +#ifndef LastExtensionEvent
 +#define LastExtensionEvent 127
 +#endif
 +
 +/* The X11 protocol spec reserves requests 128 through 255 for extensions */
 +#ifndef LastExtensionRequest
 +#define FirstExtensionRequest 128
 +#define LastExtensionRequest 255
 +#endif
 +
 +
 /*
  * This routine is used to link a extension in so it will be called
  * at appropriate times.
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
 	WireToEventType proc)	/* routine to call when converting event */
 {
 	register WireToEventType oldproc;
 +	if (event_number < 0 ||
 +	    event_number > LastExtensionEvent) {
 +	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
 +		    event_number);
 +	    return (WireToEventType)_XUnknownWireEvent;
 +	}
 	if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
 	LockDisplay (dpy);
 	oldproc = dpy->event_vec[event_number];
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
     )
 {
 	WireToEventCookieType oldproc;
 +	if (extension < FirstExtensionRequest ||
 +	    extension > LastExtensionRequest) {
 +	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
 +		    extension);
 +	    return (WireToEventCookieType)_XUnknownWireEventCookie;
 +	}
 	if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
 	LockDisplay (dpy);
 	oldproc = dpy->generic_event_vec[extension & 0x7F];
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
     )
 {
 	CopyEventCookieType oldproc;
 +	if (extension < FirstExtensionRequest ||
 +	    extension > LastExtensionRequest) {
 +	    fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
 +		    extension);
 +	    return (CopyEventCookieType)_XUnknownCopyEventCookie;
 +	}
 	if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
 	LockDisplay (dpy);
 	oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
 	EventToWireType proc)	/* routine to call when converting event */
 {
 	register EventToWireType oldproc;
 +	if (event_number < 0 ||
 +	    event_number > LastExtensionEvent) {
 +	    fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
 +		    event_number);
 +	    return (EventToWireType)_XUnknownNativeEvent;
 +	}
 	if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
 	LockDisplay (dpy);
 	oldproc = dpy->wire_vec[event_number];
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
 	WireToErrorType proc)	/* routine to call when converting error */
 {
 	register WireToErrorType oldproc = NULL;
 +	if (error_number < 0 ||
 +	    error_number > LastExtensionError) {
 +	   fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
 +		    error_number);
 +	   return (WireToErrorType)_XDefaultWireError;
 +	}
 	if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
 	LockDisplay (dpy);
 	if (!dpy->error_vec) {
 -- 
 2.41.0
--- a/SOURCES/0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch
+++ b/SOURCES/0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch
@ -0,0 +1,34 @@
 From 5dfedaf4aa1a032ea6cb4e871abd2e065f798129 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Thu, 6 Jun 2024 16:25:26 +0200
 Subject: [PATCH 1/3] Revert "Fix XTS regression in XCopyColormapAndFree"
 This change was to fix the next change that we are to revert as well.
 This reverts commit 68c72a7341b114277ab232f2499ee3bd035af8a0.
 Reviewed-by: Adam Jackson <ajax@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
 ---
 src/CopyCmap.c | 5 -----
 1 file changed, 5 deletions(-)
 diff --git a/src/CopyCmap.c b/src/CopyCmap.c
 index b37aba73..b4954b01 100644
 --- a/src/CopyCmap.c
 +++ b/src/CopyCmap.c
@@ -53,11 +53,6 @@ Colormap XCopyColormapAndFree(
     mid = req->mid = XAllocID(dpy);
     req->srcCmap = src_cmap;
 -    /* re-lock the display to keep XID handling in sync */
 -    UnlockDisplay(dpy);
 -    SyncHandle();
 -    LockDisplay(dpy);
 -
 #if XCMS
     _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
 #endif
 -- 
 2.45.2
--- a/SOURCES/0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
+++ b/SOURCES/0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
@ -1,43 +0,0 @@
 From e92efc63acd7b377faa9e534f4bf52aaa86be2a9 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Tue, 27 Jul 2021 11:46:19 +1000
 Subject: [PATCH libX11] makekeys: handle the new _EVDEVK xorgproto symbols
 These keys are all defined through a macro in the form:
   #define XF86XK_BrightnessAuto		_EVDEVK(0x0F4)
 The _EVDEVK macro is simply an offset of 0x10081000.
 Let's parse these lines correctly so those keysyms end up in our
 hashtables.
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 src/util/makekeys.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/src/util/makekeys.c b/src/util/makekeys.c
 index e847ef4c..4896cc53 100644
 --- a/src/util/makekeys.c
 +++ b/src/util/makekeys.c
@@ -78,6 +78,18 @@ parse_line(const char *buf, char *key, KeySym *val, char *prefix)
         return 1;
     }
 +    /* See if we can parse one of the _EVDEVK symbols */
 +    i = sscanf(buf, "#define %127s _EVDEVK(0x%lx)", key, val);
 +    if (i == 2 && (tmp = strstr(key, "XK_"))) {
 +        memcpy(prefix, key, (size_t)(tmp - key));
 +        prefix[tmp - key] = '\0';
 +        tmp += 3;
 +        memmove(key, tmp, strlen(tmp) + 1);
 +
 +        *val += 0x10081000;
 +        return 1;
 +    }
 +
     /* Now try to catch alias (XK_foo XK_bar) definitions, and resolve them
      * immediately: if the target is in the form XF86XK_foo, we need to
      * canonicalise this to XF86foo before we do the lookup. */
 -- 
 2.31.1
--- a/SOURCES/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch
+++ b/SOURCES/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch
@ -0,0 +1,49 @@
 From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Tue, 30 Apr 2024 16:41:40 +0200
 Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 `_XimRead()` is being called with `reply` as target buffer instead of
 using `preply`, accessing uninitialized memory a few lines later.
 This error has been found by a static analysis tool. This is the report:
    Error: UNINIT (CWE-457):
    libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn:
      Calling "malloc" which returns uninitialized memory.
    libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign:
      Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))",
      which points to uninitialized data.
    libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use:
      Using uninitialized value "*((CARD8 *)preply)".
    #  477|           return False;
    #  478|       buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
    #  479|->     if (*((CARD8 *)preply) == XIM_ERROR) {
    #  480|           _XimProcError(im, 0, (XPointer)&buf_s[3]);
    #  481|               if(reply != preply)
 Signed-off-by: José Expósito <jexposit@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
 ---
 modules/im/ximcp/imExten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c
 index c2e48a89..a25f00d0 100644
 --- a/modules/im/ximcp/imExten.c
 +++ b/modules/im/ximcp/imExten.c
@@ -466,7 +466,7 @@ _XimExtension(
     	} else {
     	    buf_size = len;
 	    preply = Xmalloc(buf_size);
 -    	    ret_code = _XimRead(im, &len, reply, buf_size,
 +    	    ret_code = _XimRead(im, &len, preply, buf_size,
     					_XimQueryExtensionCheck, 0);
     	    if(ret_code != XIM_TRUE) {
 		Xfree(preply);
 -- 
 2.45.2
--- a/SOURCES/0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
+++ b/SOURCES/0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
@ -0,0 +1,92 @@
 From 739fce4c12c7aa39112353d80c8a3bf25bdd5274 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Fri, 7 Jun 2024 09:07:39 +0200
 Subject: [PATCH 2/3] Revert "Protect colormap add/removal with display lock"
 That commit 99a2cf1aa was moving the calls to the _Xcms*CmapRec*()
 family of functions within a display lock to make the XCMS colormap
 functions thread safe.
 Unfortunately, that causes a deadlock in XCopyColormapAndFree(), because
 _XcmsCopyCmapRecAndFree() calls CmapRecForColormap() which calls
 XGetVisualInfo() which also tries to acquire the display lock.
 So, instead of moving the entire functions within the display lock,
 let's try to make the functions themselves thread safe in the following
 commit, and revert this change which causes a deadlock.
 This reverts commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d.
 Fixes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
 See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
 Reviewed-by: Adam Jackson <ajax@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
 ---
 src/CopyCmap.c | 6 +++---
 src/CrCmap.c   | 6 +++---
 src/FreeCmap.c | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)
 diff --git a/src/CopyCmap.c b/src/CopyCmap.c
 index b4954b01..5444550c 100644
 --- a/src/CopyCmap.c
 +++ b/src/CopyCmap.c
@@ -53,12 +53,12 @@ Colormap XCopyColormapAndFree(
     mid = req->mid = XAllocID(dpy);
     req->srcCmap = src_cmap;
 +    UnlockDisplay(dpy);
 +    SyncHandle();
 +
 #if XCMS
     _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
 #endif
 -    UnlockDisplay(dpy);
 -    SyncHandle();
 -
     return(mid);
 }
 diff --git a/src/CrCmap.c b/src/CrCmap.c
 index 1b18a15b..9904c7dd 100644
 --- a/src/CrCmap.c
 +++ b/src/CrCmap.c
@@ -48,12 +48,12 @@ Colormap XCreateColormap(
     if (visual == CopyFromParent) req->visual = CopyFromParent;
     else req->visual = visual->visualid;
 +    UnlockDisplay(dpy);
 +    SyncHandle();
 +
 #ifdef XCMS
     _XcmsAddCmapRec(dpy, mid, w, visual);
 #endif
 -    UnlockDisplay(dpy);
 -    SyncHandle();
 -
     return(mid);
 }
 diff --git a/src/FreeCmap.c b/src/FreeCmap.c
 index 68496dd8..e2b76fa6 100644
 --- a/src/FreeCmap.c
 +++ b/src/FreeCmap.c
@@ -41,12 +41,12 @@ XFreeColormap(
     LockDisplay(dpy);
     GetResReq(FreeColormap, cmap, req);
 +    UnlockDisplay(dpy);
 +    SyncHandle();
 +
 #ifdef XCMS
     _XcmsDeleteCmapRec(dpy, cmap);
 #endif
 -    UnlockDisplay(dpy);
 -    SyncHandle();
 -
     return 1;
 }
 -- 
 2.45.2
--- a/SOURCES/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch
+++ b/SOURCES/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch
@ -0,0 +1,47 @@
 From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Tue, 30 Apr 2024 16:49:26 +0200
 Subject: [PATCH 3/6] Fix use of uninitialized variable in
 _XimEncodeICATTRIBUTE
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 In the `res->resource_size == XimType_NEST` code path, if
 `res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can
 be used uninitialized.
 This error has been found by a static analysis tool. This is the report:
    Error: UNINIT (CWE-457):
    libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl:
      Declaring variable "len" without initializer.
    libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use:
      Using uninitialized value "len".
    # 1177|           }
    # 1178|
    # 1179|->         if (len == 0) {
    # 1180|               continue;
    # 1181|           } else if (len < 0) {
 Signed-off-by: José Expósito <jexposit@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
 ---
 modules/im/ximcp/imRmAttr.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
 index 709e64ab..c56bd62e 100644
 --- a/modules/im/ximcp/imRmAttr.c
 +++ b/modules/im/ximcp/imRmAttr.c
@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE(
     *ret_len = 0;
     for (p = arg; p && p->name; p++) {
 +	len = 0;
 	buf_s = (CARD16 *)buf;
 	if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) {
 	    if (_XimSetInnerICAttributes(ic, top, p, mode))
 -- 
 2.45.2
--- a/SOURCES/0003-Make-colormap-private-interfaces-thread-safe.patch
+++ b/SOURCES/0003-Make-colormap-private-interfaces-thread-safe.patch
@ -0,0 +1,92 @@
 From 1472048b7a02d1b7fc25cfeda761db23fba21eac Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Fri, 7 Jun 2024 09:05:55 +0200
 Subject: [PATCH 3/3] Make colormap private interfaces thread safe.
 Protect access to the dpy structure by a display lock, so that these can
 be called outside of a global display lock.
 That allows the XCMS colormap functions to be thread safe without having
 the whole functions within a display lock, to avoid deadlocks.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
 See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
 Reviewed-by: Adam Jackson <ajax@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
 ---
 src/xcms/cmsCmap.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 diff --git a/src/xcms/cmsCmap.c b/src/xcms/cmsCmap.c
 index c7087ecb..4b229477 100644
 --- a/src/xcms/cmsCmap.c
 +++ b/src/xcms/cmsCmap.c
@@ -87,12 +87,17 @@ CmapRecForColormap(
     _XAsyncHandler async;
     _XAsyncErrorState async_state;
 +    LockDisplay(dpy);
     for (pRec = (XcmsCmapRec *)dpy->cms.clientCmaps; pRec != NULL;
 	    pRec = pRec->pNext) {
 	if (pRec->cmapID == cmap) {
 +            UnlockDisplay(dpy);
 +            SyncHandle();
 	    return(pRec);
 	}
     }
 +    UnlockDisplay(dpy);
 +    SyncHandle();
     /*
      * Can't find an XcmsCmapRec associated with cmap in our records.
@@ -258,9 +263,12 @@ _XcmsAddCmapRec(
     pNew->dpy = dpy;
     pNew->windowID = windowID;
     pNew->visual = visual;
 +    LockDisplay(dpy);
     pNew->pNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
     dpy->cms.clientCmaps = (XPointer)pNew;
     dpy->free_funcs->clientCmaps = _XcmsFreeClientCmaps;
 +    UnlockDisplay(dpy);
 +    SyncHandle();
     /*
      * Note, we don't create the XcmsCCC for pNew->ccc here because
@@ -342,6 +350,7 @@ _XcmsDeleteCmapRec(
     }
     /* search for it in the list */
 +    LockDisplay(dpy);
     pPrevPtr = (XcmsCmapRec **)&dpy->cms.clientCmaps;
     while ((pRec = *pPrevPtr) && (pRec->cmapID != cmap)) {
 	pPrevPtr = &pRec->pNext;
@@ -354,6 +363,8 @@ _XcmsDeleteCmapRec(
 	*pPrevPtr = pRec->pNext;
 	Xfree(pRec);
     }
 +    UnlockDisplay(dpy);
 +    SyncHandle();
 }
@@ -378,6 +389,7 @@ _XcmsFreeClientCmaps(
 {
     XcmsCmapRec *pRecNext, *pRecFree;
 +    LockDisplay(dpy);
     pRecNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
     while (pRecNext != NULL) {
 	pRecFree = pRecNext;
@@ -390,6 +402,8 @@ _XcmsFreeClientCmaps(
 	Xfree(pRecFree);
     }
     dpy->cms.clientCmaps = (XPointer)NULL;
 +    UnlockDisplay(dpy);
 +    SyncHandle();
 }
 -- 
 2.45.2
--- a/SOURCES/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch
+++ b/SOURCES/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch
@ -0,0 +1,62 @@
 From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Tue, 30 Apr 2024 17:37:39 +0200
 Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in
 XkbResizeKeyActions
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Passing a negative value in `needed` to the `XkbResizeKeyActions()`
 function can create a `newActs` array of an unespected size.
 Check the value and return if it is invalid.
 This error has been found by a static analysis tool. This is the report:
    Error: OVERRUN (CWE-119):
    libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
      Checking "xkb->server->size_acts == 0" implies that
      "xkb->server->size_acts" is 0 on the true branch.
    libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
      "calloc" allocates 8 bytes dictated by parameters
      "(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
      and "8UL".
    libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
      Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
    libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
      Assigning: "nActs" = "1".
    libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
      Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
      true branch.
    libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
      Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
      passing it to a function which accesses it at byte offset 15
      using argument "nCopy * 8UL" (which evaluates to 8).
    #  828|
    #  829|           if (nCopy > 0)
    #  830|->             memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
    #  831|                      nCopy * sizeof(XkbAction));
    #  832|           if (nCopy < nKeyActs)
 Signed-off-by: José Expósito <jexposit@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
 ---
 src/xkb/XKBMAlloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
 index 8b3be303..0563a688 100644
 --- a/src/xkb/XKBMAlloc.c
 +++ b/src/xkb/XKBMAlloc.c
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed)
     register int i, nActs;
     XkbAction *newActs;
 -    if (needed == 0) {
 +    if (needed <= 0) {
         xkb->server->key_acts[key] = 0;
         return NULL;
     }
 -- 
 2.45.2
--- a/SOURCES/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch
+++ b/SOURCES/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch
@ -0,0 +1,64 @@
 From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Tue, 30 Apr 2024 18:04:35 +0200
 Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This error has been found by a static analysis tool. This is the report:
    Error: RESOURCE_LEAK (CWE-772):
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn:
      Storage is returned from allocation function "calloc".
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign:
      Assigning: "tmp" = storage returned from
      "calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)".
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape:
      Resource "tmp" is not freed or pointed-to in "memcpy".
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign:
      Assigning: "buf" = "tmp".
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign:
      Assigning: "data" = "buf".
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape:
      Resource "data" is not freed or pointed-to in
      "_XimEncodeIMATTRIBUTE".
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
      Variable "data" going out of scope leaks the storage it points to.
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
      Variable "buf" going out of scope leaks the storage it points to.
    libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
      Variable "tmp" going out of scope leaks the storage it points to.
    # 1331|
    # 1332|       if (!total)
    # 1333|->         return (char *)NULL;
    # 1334|
    # 1335|       buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
 Signed-off-by: José Expósito <jexposit@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
 ---
 modules/im/ximcp/imDefIm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
 index a12d2970..e3075398 100644
 --- a/modules/im/ximcp/imDefIm.c
 +++ b/modules/im/ximcp/imDefIm.c
@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues(
     }
     _XimSetCurrentIMValues(im, &im_values);
 -    if (!total)
 -	return (char *)NULL;
 +    if (!total) {
 +        if (buf != tmp_buf)
 +	    Xfree(buf);
 +        return (char *)NULL;
 +    }
     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
     buf_s[0] = im->private.proto.imid;
 -- 
 2.45.2
--- a/SOURCES/0006-Fix-buffer-overrun-in-parse_omit_name.patch
+++ b/SOURCES/0006-Fix-buffer-overrun-in-parse_omit_name.patch
@ -0,0 +1,57 @@
 From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Tue, 30 Apr 2024 18:21:08 +0200
 Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 When `num_fields == 12`, if the last character of the pattern is '-',
 the `buf` array is overrun.
 This error has been found by a static analysis tool. This is the report:
    Error: OVERRUN (CWE-119):
    libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most:
      Checking "length > 255" implies that "length" may be up to 255 on
      the false branch.
    libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias:
      Assigning: "last" = "buf + length - 1". "last" may now point to as
      high as byte 254 of "buf" (which consists of 256 bytes).
    libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr:
      Incrementing "last". "last" may now point to as high as byte 255
      of "buf" (which consists of 256 bytes).
    libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr:
      Incrementing "last". "last" may now point to as high as byte 256
      of "buf" (which consists of 256 bytes).
    libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local:
      Overrunning array of 256 bytes at byte offset 256 by
      dereferencing pointer "++last".
    #  718|               *++last = '*';
    #  719|
    #  720|->         *++last = '-';
    #  721|           break;
    #  722|       case 13:
 Signed-off-by: José Expósito <jexposit@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
 ---
 modules/om/generic/omGeneric.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
 index 406cec93..370072f3 100644
 --- a/modules/om/generic/omGeneric.c
 +++ b/modules/om/generic/omGeneric.c
@@ -688,7 +688,7 @@ parse_omit_name(
     length = strlen (pattern);
 -    if (length > XLFD_MAX_LEN)
 +    if (length > XLFD_MAX_LEN - 1)
 	return -1;
     strcpy(buf, pattern);
 -- 
 2.45.2
--- a/SPECS/libX11.spec
+++ b/SPECS/libX11.spec
@ -1,12 +1,12 @@
 %global tarball libX11
 #global gitdate 20130524
-%global gitversion a3bdd2b09
+#global gitversion a3bdd2b09
 Summary: Core X11 protocol client library
 Name: libX11
-Version: 1.7.0
+Version: 1.8.7
-Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
+Release: 7%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
-License: MIT
+License: MIT AND X11
 URL: http://www.x.org
 %if 0%{?gitdate}
@ -14,14 +14,29 @@ Source0:    %{tarball}-%{gitdate}.tar.bz2
 Source1:    make-git-snapshot.sh
 Source2:    commitid
 %else
-Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2
+Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.xz
 %endif
 Patch2: dont-forward-keycode-0.patch
 Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
 # CVE-2023-3138
 Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 Patch02: dont-forward-keycode-0.patch
 # https://issues.redhat.com/browse/RHEL-40132
 Patch03: 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch
 Patch04: 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
 Patch05: 0003-Make-colormap-private-interfaces-thread-safe.patch
 # https://issues.redhat.com/browse/RHEL-34918
 Patch06: 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch
 Patch07: 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch
 Patch08: 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch
 Patch09: 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch
 Patch10: 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch
 Patch11: 0006-Fix-buffer-overrun-in-parse_omit_name.patch
 # https://issues.redhat.com/browse/RHEL-45855
 Patch12: 0001-Fix-deadlock-in-XRebindKeysym.patch
 BuildRequires: libtool
 BuildRequires: make
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
@ -96,7 +111,7 @@ make %{?_smp_mflags} check
 %{_libdir}/libX11-xcb.so.1.0.0
 %files common
-%doc AUTHORS COPYING README.md NEWS
+%doc AUTHORS COPYING README.md
 %{_datadir}/X11/locale/
 %{_datadir}/X11/XErrorDB
 %dir /var/cache/libX11
@ -124,22 +139,98 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 %changelog
-* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8
+* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.8.7-7
- CVE fix for: CVE-2023-3138
+- Rebuilt for MSVSphere 10
-  Resolve: rhbz#2213763
+
 * Fri Jul 05 2024 José Expósito <jexposit@redhat.com> - 1.8.7-7
 - Fix deadlock in XRebindKeysym()
  Resolves: https://issues.redhat.com/browse/RHEL-45855
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.7-6
 - Bump release for June 2024 mass rebuild
 * Thu Jun 20 2024 José Expósito <jexposit@redhat.com> - 1.8.7-5
 - Add gating.yaml
 * Thu Jun 20 2024 José Expósito <jexposit@redhat.com> - 1.8.7-4
 - Fix XTS test XCopyColormapAndFree/5 hangs
  Resolves: https://issues.redhat.com/browse/RHEL-40132
 - Fix RHEL SAST Automation errors
  Resolves: https://issues.redhat.com/browse/RHEL-34918
 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Wed Oct 04 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.7-1
 - libX11 1.8.7
  - CVE-2023-43785 libX11: out-of-bounds memory access in _XkbReadKeySyms()
  - CVE-2023-43786 libX11: stack exhaustion from infinite recursion in
    PutSubImage()
  - CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
   a heap overflow
  - CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
  - CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
 * Thu Sep 07 2023 José Expósito <jexposit@redhat.com> - 1.8.6-3
 - SPDX Migration
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Fri Jun 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.6-1
 - libX11 1.8.6 (CVE-2023-3138)
 * Mon Jun 05 2023 Peter Hutterer <peter.hutterer@redhat.com> 1.8.5-1
 - libX11 1.8.5
 * Wed Feb 08 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.4-1
 - libX11 1.8.4
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.3-2
 - Fix XPutBackEvent() issues (#2161020)
 * Fri Jan 06 2023 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.3-1
 - libX11 1.8.3
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Thu Jun 16 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.8.1-1
 - libX11 1.8.1
 * Mon Apr 04 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.5-1
 - libX11 1.7.5
 * Thu Mar 31 2022 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.4-1
 - libX11 1.7.4
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Fri Dec 10 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.3.1-1
 - libX11 1.7.3.1
 * Tue Dec 07 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.3-1
 - libX11 1.7.3
 - manually add ax_gcc_builtin, it's missing from the tarball
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-7
+* Tue Jul 27 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.2-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Parse the new _EVDEVK symbols
  Related: rhbz#1991688
-* Tue Aug 03 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.0-6
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.2-2
- Parse the EVDEVK keysyms (#1988944)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-* Tue May 04 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-5
+* Wed Jun 09 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.7.2-1
- Rebuild to pick up the new xorgproto keysyms (#1954345)
+- libX11 1.7.2
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-4
+* Tue May 18 2021 Adam Jackson <ajax@redhat.com> - 1.7.1-1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- libX11 1.7.1 (CVE-2021-31535)
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
`@ -1 +1 @@`
	`SOURCES/libX11-1.7.0.tar.bz2`	`SOURCES/libX11-1.8.7.tar.xz`
`@ -1 +1 @@`
	`48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2`	`034271312467ea99699fb8d926118d395e33a663 SOURCES/libX11-1.8.7.tar.xz`