Package: src:xorg-server
Version: 2:1.20.4-1+deb10u3
Severity: serious
Control: tags -1 patch
Hi, the source tarball of xorg-server shipped via bin:pkg xorg-server-source in Debian buster is in some broken state. The reason for this is that quilt patches don't get applied before the tarball gets created during package build.
Additionally, the xorg-server src:pkg is in some weird patch management state (which probably is not fixable for buster): it applies some changes to the upstream code via a .diff.gz file (source format 1.0) and other patches via quilt. The source tarball becomes even more broken because some changes are applied to xkb/xkb.c via the diff.gz file and others via debian/patches/09_Correct-bounds-checking-in-XkbSetNames.patch.
So, at the moment my 3rd party project depending on the availability of the xorg-server-source package is not buildable. As a workaround, I provided a fixed 2:1.20.4-1+deb10u3.1 version in a 3rd party repo outside of Debian.
See the attached .debdiff that fixes the FTBFS issue, but that also excludes the tarball from itself (#930405) and also applies some reproducibility fixes.
Please get this change into buster. If help is required, I am happy to do the upload. Thanks.
The attached fix probably also needs forward porting for the quilt push/pop -a part. In my changelog (in the .debdiff), I don't close #930405, so that should be added when uploading.
Thanks!
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -u xorg-server-1.20.4/debian/changelog xorg-server-1.20.4/debian/changelog --- xorg-server-1.20.4/debian/changelog +++ xorg-server-1.20.4/debian/changelog @@ -1,3 +1,17 @@ +xorg-server (2:1.20.4-1+deb10u3.1) UNRELEASED; urgency=medium + + [ Mike Gabriel ] + * Non-maintainer upload. + * Apply quilt patches before generating xorg-server-source tarball. + Unapply patches again after source tarball has been created (to + not confuse the rest of the build). + + [ Sven Joachim ] + * Exlude the build-source directory from xorg-server.tar.xz. + * Fix reproducibility problems in the xorg-server-source package. + + -- Mike Gabriel <sunwea...@debian.org> Mon, 14 Jun 2021 11:56:53 +0200 + xorg-server (2:1.20.4-1+deb10u3) buster-security; urgency=high * Fix XChangeFeedbackControl() request underflow (CVE-2021-3472) diff -u xorg-server-1.20.4/debian/rules xorg-server-1.20.4/debian/rules --- xorg-server-1.20.4/debian/rules +++ xorg-server-1.20.4/debian/rules @@ -8,14 +8,21 @@ dh $@ --with quilt,autoreconf --parallel build-source-stamp: + QUILT_PATCHES=debian/patches quilt push -a mkdir -p build-source tar \ --owner=0 --group=0 \ - --transform 's,^,xorg-server/,' \ + --transform 's,^,xorg-server/,' \ --exclude=debian \ --exclude=autom4te.cache \ - -cf - * | xz > build-source/xorg-server.tar.xz + --exclude=build-source \ + --sort=name \ + --mtime=@$(SOURCE_DATE_EPOCH) \ + --clamp-mtime \ + --mode=u+rw,go+r,go-w,a-s \ + -cf - * | xz > build-source/xorg-server.tar.xz >$@ + QUILT_PATCHES=debian/patches quilt pop -a override_dh_auto_configure: dh_auto_configure --builddirectory=debian/build/main -- \
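Review bot: in the debian/changelog hunk, the [ Sven Joachim ] entry misspells "Exclude" as "Exlude", and that same entry is the natural place for "(Closes: #930405)", which the report says is still missing. The distribution field is also still UNRELEASED and has to be set to the target suite before upload.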
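Review bot: in the debian/rules hunk, the new "quilt push -a" and "quilt pop -a" lines in build-source-stamp make the recipe fail whenever the series is already fully applied or fully unapplied, because quilt exits with status 2 in those cases; guard both, for example "QUILT_PATCHES=debian/patches quilt push -a || test $$? = 2". If the archive step fails, the recipe stops before "quilt pop -a" and leaves the tree patched, so the pop should be arranged to run on failure as well. "--mtime=@$(SOURCE_DATE_EPOCH)" expands to "--mtime=@" when the variable is unset, and nothing in the visible lines defines it, so confirm it is set when debian/rules is invoked directly. The removed and re-added "--transform" line appears to differ only in whitespace and could be dropped from the diff.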