diff --git a/tigervnc.spec b/tigervnc.spec
index fd01dbe28c64fd47e9a6f378408e11fe538de53c..e271a76dcf41895486ed46a9671e846bb81a058a 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -5,7 +5,7 @@
 
 Name:           tigervnc
 Version:        1.12.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -46,6 +46,9 @@ Patch110:       xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch
 # https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
 Patch111:       xorg-x11-server-CVE-2023-5367.patch
 
+# https://github.com/arter97/xorg-server/commit/a7bda3080d2b44eae668cdcec7a93095385b9652
+Patch112:       xorg-CVE-2023-6377.patch
+
 BuildRequires:  gcc-c++
 BuildRequires:  libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
 BuildRequires:  libXext-devel, xorg-x11-server-source, libXi-devel
@@ -169,6 +172,7 @@ done
 %patch101 -p1 -b .rpath
 %patch110 -p1 -b .composite-Fix-use-after-free-of-the-COW
 %patch111 -p1 -b .CVE-2023-5367
+%patch112 -p1 -b .CVE-2023-6377
 popd
 
 %patch1 -p1 -b .use-gnome-as-default-session
@@ -336,6 +340,9 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Fri Jan 05 2024 niuyachen <niuyachen@inspur.com> - 1.12.0-17
+- Fix CVE-2023-6377 Xi: allocate enough XkbActions for our buttons
+
 * Wed Jan 03 2024 Bo Liu <liubo03@inspur.com> - 1.12.0-16
 - Fix CVE-2023-5367
 
diff --git a/xorg-CVE-2023-6377.patch b/xorg-CVE-2023-6377.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cf5e17095cb7efd2d3e12bfca9d5b37bf3c6caaf
--- /dev/null
+++ b/xorg-CVE-2023-6377.patch
@@ -0,0 +1,74 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+         }
+
+         if (from->button->xkb_acts) {
+-            if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-                if (!to->button->xkb_acts)
+-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
+-            }
++            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++                                                   maxbuttons,
++                                                   sizeof(XkbAction));
++            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+             memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
++                   from->button->numButtons * sizeof(XkbAction));
+         }
+         else {
+             free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
++        int last_num_buttons = master->button->numButtons;
++
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+
+         master->button->numButtons = maxbuttons;
++        if (last_num_buttons < maxbuttons) {
++            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++                                                       maxbuttons,
++                                                       sizeof(XkbAction));
++            memset(&master->button->xkb_acts[last_num_buttons],
++                   0,
++                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++        }
+
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+--
+GitLab