untrusted comment: verify with openbsd-71-base.pub
RWR2eHwZTOEiTQWgtdqynsVaqg6Ly6W5lelWX0xK9JGBt2i5eJgyZs6etxEWPveI5nWaLdhLZXdJOBC9xPg31upyYL0lLo0DRgk=

OpenBSD 7.1 errata 015, December 14, 2022:

In X11 server fix local privileges elevation and and remote code
execution for ssh X forwarding sessions.  This addresses CVE-2022-46340
CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344.

Apply by doing:
    signify -Vep /etc/signify/openbsd-71-base.pub -x 015_xserver.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

And then rebuild and install the X server:
    cd /usr/xenocara/xserver
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build

Index: xserver/Xext/saver.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xext/saver.c,v
retrieving revision 1.20
diff -u -p -r1.20 saver.c
--- xserver/Xext/saver.c	14 Dec 2021 13:42:21 -0000	1.20
+++ xserver/Xext/saver.c	5 Dec 2022 18:27:13 -0000
@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr clien
         pVlist++;
     }
     if (pPriv->attr)
-        FreeScreenAttr(pPriv->attr);
+        FreeResource(pPriv->attr->resource, AttrType);
     pPriv->attr = pAttr;
     pAttr->resource = FakeClientID(client->index);
     if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
Index: xserver/Xext/xtest.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xext/xtest.c,v
retrieving revision 1.13
diff -u -p -r1.13 xtest.c
--- xserver/Xext/xtest.c	11 Nov 2021 09:03:02 -0000	1.13
+++ xserver/Xext/xtest.c	5 Dec 2022 18:27:13 -0000
@@ -502,10 +502,11 @@ XTestSwapFakeInput(ClientPtr client, xRe
 
     nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
     for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
+        int evtype = ev->u.u.type & 0x177;
         /* Swap event */
-        proc = EventSwapVector[ev->u.u.type & 0177];
+        proc = EventSwapVector[evtype];
         /* no swapping proc; invalid event type? */
-        if (!proc || proc == NotImplemented) {
+        if (!proc || proc == NotImplemented || evtype == GenericEvent) {
             client->errorValue = ev->u.u.type;
             return BadValue;
         }
Index: xserver/Xext/xvmain.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xext/xvmain.c,v
retrieving revision 1.14
diff -u -p -r1.14 xvmain.c
--- xserver/Xext/xvmain.c	11 Nov 2021 09:03:02 -0000	1.14
+++ xserver/Xext/xvmain.c	5 Dec 2022 18:27:13 -0000
@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, 
         tpn = pn;
         while (tpn) {
             if (tpn->client == client) {
-                if (!onoff)
+                if (!onoff) {
                     tpn->client = NULL;
+                    FreeResource(tpn->id, XvRTVideoNotify);
+                }
                 return Success;
             }
             if (!tpn->client)
Index: xserver/Xi/xipassivegrab.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xi/xipassivegrab.c,v
retrieving revision 1.12
diff -u -p -r1.12 xipassivegrab.c
--- xserver/Xi/xipassivegrab.c	11 Nov 2021 09:03:02 -0000	1.12
+++ xserver/Xi/xipassivegrab.c	5 Dec 2022 18:27:13 -0000
@@ -137,6 +137,12 @@ ProcXIPassiveGrabDevice(ClientPtr client
         return BadValue;
     }
 
+    /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+     * implement this. Just return an error for all keycodes that
+     * cannot work anyway, same for buttons > 255. */
+    if (stuff->detail > 255)
+        return XIAlreadyGrabbed;
+
     if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
                                stuff->mask_len * 4) != Success)
         return BadValue;
@@ -207,14 +213,8 @@ ProcXIPassiveGrabDevice(ClientPtr client
                                 &param, XI2, &mask);
             break;
         case XIGrabtypeKeycode:
-            /* XI2 allows 32-bit keycodes but thanks to XKB we can never
-             * implement this. Just return an error for all keycodes that
-             * cannot work anyway */
-            if (stuff->detail > 255)
-                status = XIAlreadyGrabbed;
-            else
-                status = GrabKey(client, dev, mod_dev, stuff->detail,
-                                 &param, XI2, &mask);
+            status = GrabKey(client, dev, mod_dev, stuff->detail,
+                             &param, XI2, &mask);
             break;
         case XIGrabtypeEnter:
         case XIGrabtypeFocusIn:
@@ -330,6 +330,12 @@ ProcXIPassiveUngrabDevice(ClientPtr clie
     if ((stuff->grab_type == XIGrabtypeEnter ||
          stuff->grab_type == XIGrabtypeFocusIn ||
          stuff->grab_type == XIGrabtypeTouchBegin) && stuff->detail != 0) {
+        client->errorValue = stuff->detail;
+        return BadValue;
+    }
+
+    /* We don't allow passive grabs for details > 255 anyway */
+    if (stuff->detail > 255) {
         client->errorValue = stuff->detail;
         return BadValue;
     }
Index: xserver/Xi/xiproperty.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xi/xiproperty.c,v
retrieving revision 1.12
diff -u -p -r1.12 xiproperty.c
--- xserver/Xi/xiproperty.c	11 Nov 2021 09:03:02 -0000	1.12
+++ xserver/Xi/xiproperty.c	5 Dec 2022 18:27:13 -0000
@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr clie
     REQUEST(xChangeDevicePropertyReq);
     DeviceIntPtr dev;
     unsigned long len;
-    int totalSize;
+    uint64_t totalSize;
     int rc;
 
     REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
@@ -902,6 +902,8 @@ ProcXChangeDeviceProperty(ClientPtr clie
 
     rc = check_change_property(client, stuff->property, stuff->type,
                                stuff->format, stuff->mode, stuff->nUnits);
+    if (rc != Success)
+        return rc;
 
     len = stuff->nUnits;
     if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq))))
@@ -1128,7 +1130,7 @@ ProcXIChangeProperty(ClientPtr client)
 {
     int rc;
     DeviceIntPtr dev;
-    int totalSize;
+    uint64_t totalSize;
     unsigned long len;
 
     REQUEST(xXIChangePropertyReq);
@@ -1141,6 +1143,9 @@ ProcXIChangeProperty(ClientPtr client)
 
     rc = check_change_property(client, stuff->property, stuff->type,
                                stuff->format, stuff->mode, stuff->num_items);
+    if (rc != Success)
+        return rc;
+
     len = stuff->num_items;
     if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq)))
         return BadLength;
Index: xserver/dix/property.c
===================================================================
RCS file: /cvs/xenocara/xserver/dix/property.c,v
retrieving revision 1.14
diff -u -p -r1.14 property.c
--- xserver/dix/property.c	11 Nov 2021 09:03:03 -0000	1.14
+++ xserver/dix/property.c	5 Dec 2022 18:27:13 -0000
@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
     WindowPtr pWin;
     char format, mode;
     unsigned long len;
-    int sizeInBytes, totalSize, err;
+    int sizeInBytes, err;
+    uint64_t totalSize;
 
     REQUEST(xChangePropertyReq);
 
Index: xserver/xkb/xkbUtils.c
===================================================================
RCS file: /cvs/xenocara/xserver/xkb/xkbUtils.c,v
retrieving revision 1.13
diff -u -p -r1.13 xkbUtils.c
--- xserver/xkb/xkbUtils.c	18 Feb 2018 17:16:38 -0000	1.13
+++ xserver/xkb/xkbUtils.c	5 Dec 2022 18:27:15 -0000
@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr
         }
         else {
             free(dst->names->radio_groups);
+            dst->names->radio_groups = NULL;
         }
         dst->names->num_rg = src->names->num_rg;