untrusted comment: verify with openbsd-72-base.pub
RWQTKNnK3CZZ8C8LVjSlfPxqXq23hhk/xxKL9ZbxLzhOpe8zePnMvg+UjN8XFxsnWwiKfgnjYRYTZ5i/g5PHsQ9Ap5iFnseXCAc=

OpenBSD 7.2 errata 019, February 7, 2023:

CVE-2023-0494: use after free in the Xinput X server extension.

Apply by doing:
    signify -Vep /etc/signify/openbsd-72-base.pub -x 019_xserver.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

And then rebuild and install the X server:
    cd /usr/xenocara/xserver
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build

Index: xserver/Xi/exevents.c
===================================================================
RCS file: /cvs/xenocara/xserver/Xi/exevents.c,v
diff -u -p -u -r1.26 exevents.c
--- xserver/Xi/exevents.c	31 Aug 2022 11:25:19 -0000	1.26
+++ xserver/Xi/exevents.c	30 Jan 2023 11:33:08 -0000
@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from
             memcpy(to->button->xkb_acts, from->button->xkb_acts,
                    sizeof(XkbAction));
         }
-        else
+        else {
             free(to->button->xkb_acts);
+            to->button->xkb_acts = NULL;
+        }
 
         memcpy(to->button->labels, from->button->labels,
                from->button->numButtons * sizeof(Atom));