Help with a debdiff for tigervnc

[Aaron Rainbolt]

On 1/21/24 05:41, Andrew C Aitchison wrote:
>
> Debian have fixed a security bug in tigervnc which is in universe,
> so someone needs to generate a debdiff for the security team to
>  review it and publish the package:
> https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442
>
> Debian have fixed this by building tigervnc 1.13.1 with 
> xorg-server-source
>> = 2:21.1.10, but Ubuntu 23.10 has tigervnc 1.12.0+dfsg-8 and
>> xorg-server-source
> 2:21.1.7-3ubuntu2.6
>
> On a good day I can build a .deb from source, but I am not familiar with
> debdiffs and it is not clear to me that changing the upstream version
> (either for mantic or noble) is a casual thing to do.
>
> What is the next step to get this fix published ?

If all that's necessary is to rebuild tigervnc against a properly 
patched xorg-xserver-source, this shouldn't be too tricky. The versions 
of xorg-xserver with the patch fixed can be seen at 
https://ubuntu.com/security/notices/USN-5986-1. All that would then be 
necessary is to bump the dependency to require a version of 
xorg-xserver-source greater than or equal to the corresponding version 
in each stable release, and bump the dependency to require the newest 
available version of xorg-server-source or greater in the development 
release.

The tricky part here is following the whole Stable Release Updates 
process (https://wiki.ubuntu.com/StableReleaseUpdates), which takes at 
least a week (probably more like a week and a couple of days) and 
requires lot of effort and testing to make work. If you're interested in 
helping to fix this hands-on, I'd be happy to assist, but stable release 
updates are one of the harder parts of Ubuntu development. If you'd 
prefer, I'd also be happy to just take this bug and work on getting it 
fixed.

Thanks for helping make Ubuntu better!

>
> Thanks,
>
-- 
Aaron Rainbolt
Lubuntu Developer
Matrix: @arraybolt3:matrix.org
IRC: arraybolt3 on irc.libera.chat
GitHub: https://github.com/ArrayBolt3