untrusted comment: verify with openbsd-71-base.pub
RWR2eHwZTOEiTY8NLyQrp9w6Zi+QU3O9Hhe2ioG9YNFbWjzBpT6V086jgGdaKURBH6AzY7VdzTlLHe/H5N7hqHccaKwQBBHKoQQ=

OpenBSD 7.1 errata 023, February 7, 2023:

CVE-2023-0494: use after free in the Xinput X server extension.

Apply by doing:
    signify -Vep /etc/signify/openbsd-71-base.pub -x 023_xserver.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

And then rebuild and install the X server:
    cd /usr/xenocara/xserver
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build

Index: xserver/Xi/exevents.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xi/exevents.c,v
diff -u -p -u -r1.25 exevents.c
--- xserver/Xi/exevents.c	17 Nov 2021 19:46:39 -0000	1.25
+++ xserver/Xi/exevents.c	30 Jan 2023 11:35:52 -0000
@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from
             memcpy(to->button->xkb_acts, from->button->xkb_acts,
                    sizeof(XkbAction));
         }
-        else
+        else {
             free(to->button->xkb_acts);
+            to->button->xkb_acts = NULL;
+        }
 
         memcpy(to->button->labels, from->button->labels,
                from->button->numButtons * sizeof(Atom));